diff --git a/.changelog/1602.txt b/.changelog/1602.txt new file mode 100644 index 0000000000..b98ae5957b --- /dev/null +++ b/.changelog/1602.txt @@ -0,0 +1,3 @@ +```release-note:bug +resource/cloudflare_access_application: Fix inability to update `http_only_cookie_attribute` to false +``` diff --git a/internal/provider/resource_cloudflare_access_application.go b/internal/provider/resource_cloudflare_access_application.go index ca1bbcfc83..9efd67777b 100644 --- a/internal/provider/resource_cloudflare_access_application.go +++ b/internal/provider/resource_cloudflare_access_application.go @@ -40,7 +40,7 @@ func resourceCloudflareAccessApplicationCreate(ctx context.Context, d *schema.Re EnableBindingCookie: d.Get("enable_binding_cookie").(bool), CustomDenyMessage: d.Get("custom_deny_message").(string), CustomDenyURL: d.Get("custom_deny_url").(string), - HttpOnlyCookieAttribute: d.Get("http_only_cookie_attribute").(bool), + HttpOnlyCookieAttribute: cloudflare.BoolPtr(d.Get("http_only_cookie_attribute").(bool)), SameSiteCookieAttribute: d.Get("same_site_cookie_attribute").(string), LogoURL: d.Get("logo_url").(string), SkipInterstitial: d.Get("skip_interstitial").(bool), @@ -48,10 +48,6 @@ func resourceCloudflareAccessApplicationCreate(ctx context.Context, d *schema.Re ServiceAuth401Redirect: d.Get("service_auth_401_redirect").(bool), } - if value, ok := d.GetOk("http_only_cookie_attribute"); ok { - newAccessApplication.HttpOnlyCookieAttribute = value.(bool) - } - if len(allowedIDPList) > 0 { newAccessApplication.AllowedIdps = allowedIDPList } 
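Review bot: The `HttpOnlyCookieAttribute: cloudflare.BoolPtr(...)` line in the create struct literal (`@@ -40,7 +40,7 @@`) has no comment saying why the field is now a pointer, and the same line recurs in the update hunk (`@@ -152,7 +148,7 @@`). Presumably the pointer lets an explicit `false` survive serialization instead of being dropped as a zero value, though the client struct is not visible here. Because this decides whether the access-token cookie keeps its `HttpOnly` flag, a short comment would help the next maintainer, e.g. `// Pointer so an explicit false is sent; a plain bool zero value would be omitted from the request.` The struct literal and the function body extend beyond this hunk.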
@@ -121,7 +117,7 @@ func resourceCloudflareAccessApplicationRead(ctx context.Context, d *schema.Reso d.Set("custom_deny_message", accessApplication.CustomDenyMessage) d.Set("custom_deny_url", accessApplication.CustomDenyURL) d.Set("allowed_idps", accessApplication.AllowedIdps) - d.Set("http_only_cookie_attribute", accessApplication.HttpOnlyCookieAttribute) + d.Set("http_only_cookie_attribute", cloudflare.Bool(accessApplication.HttpOnlyCookieAttribute)) d.Set("same_site_cookie_attribute", accessApplication.SameSiteCookieAttribute) d.Set("skip_interstitial", accessApplication.SkipInterstitial) d.Set("logo_url", accessApplication.LogoURL) @@ -152,7 +148,7 @@ func resourceCloudflareAccessApplicationUpdate(ctx context.Context, d *schema.Re EnableBindingCookie: d.Get("enable_binding_cookie").(bool), CustomDenyMessage: d.Get("custom_deny_message").(string), CustomDenyURL: d.Get("custom_deny_url").(string), - HttpOnlyCookieAttribute: d.Get("http_only_cookie_attribute").(bool), + HttpOnlyCookieAttribute: cloudflare.BoolPtr(d.Get("http_only_cookie_attribute").(bool)), SameSiteCookieAttribute: d.Get("same_site_cookie_attribute").(string), LogoURL: d.Get("logo_url").(string), SkipInterstitial: d.Get("skip_interstitial").(bool), diff --git a/internal/provider/resource_cloudflare_access_application_test.go b/internal/provider/resource_cloudflare_access_application_test.go index 2fb784d66c..7845a8e602 100644 --- a/internal/provider/resource_cloudflare_access_application_test.go +++ b/internal/provider/resource_cloudflare_access_application_test.go 
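Review bot: In the read hunk (`@@ -121,7 +117,7 @@`), `cloudflare.Bool(accessApplication.HttpOnlyCookieAttribute)` turns a nil pointer into `false`, so a response that omits the field would be written to state as HttpOnly disabled. With the schema now defaulting to `true`, that would show up as a diff on every plan and would misreport a security-relevant cookie setting. Consider writing state only when the API returned a value: `if v := accessApplication.HttpOnlyCookieAttribute; v != nil { d.Set("http_only_cookie_attribute", *v) }`. Whether the API can actually omit the field is not visible here, and the function body continues outside the hunk.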
@@ -221,7 +221,7 @@ func TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute(t *testing.T CheckDestroy: testAccCheckCloudflareAccessApplicationDestroy, Steps: []resource.TestStep{ { - Config: testAccCloudflareAccessApplicationConfigWithHttpOnlyCookieAttribute(rnd, zoneID, domain), + Config: testAccCloudflareAccessApplicationConfigWithHTTPOnlyCookieAttribute(rnd, zoneID, domain), Check: resource.ComposeTestCheckFunc( resource.TestCheckResourceAttr(name, "zone_id", zoneID), resource.TestCheckResourceAttr(name, "name", rnd), @@ -235,6 +235,32 @@ func TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute(t *testing.T }) } +func TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse(t *testing.T) { + rnd := generateRandomResourceName() + name := fmt.Sprintf("cloudflare_access_application.%s", rnd) + + resource.Test(t, resource.TestCase{ + PreCheck: func() { + testAccessAccPreCheck(t) + }, + ProviderFactories: providerFactories, + CheckDestroy: testAccCheckCloudflareAccessApplicationDestroy, + Steps: []resource.TestStep{ + { + Config: testAccCloudflareAccessApplicationConfigWithHTTPOnlyCookieAttributeSetToFalse(rnd, zoneID, domain), + Check: resource.ComposeTestCheckFunc( + resource.TestCheckResourceAttr(name, "zone_id", zoneID), + resource.TestCheckResourceAttr(name, "name", rnd), + resource.TestCheckResourceAttr(name, "domain", fmt.Sprintf("%s.%s", rnd, domain)), + resource.TestCheckResourceAttr(name, "type", "self_hosted"), + resource.TestCheckResourceAttr(name, "session_duration", "24h"), + resource.TestCheckResourceAttr(name, "http_only_cookie_attribute", "false"), + ), + }, + }, + }) +} + func TestAccCloudflareAccessApplication_WithSameSiteCookieAttribute(t *testing.T) { rnd := generateRandomResourceName() name := fmt.Sprintf("cloudflare_access_application.%s", rnd) 
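Review bot: The new `TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse` only creates the resource with `http_only_cookie_attribute = false`, while the changelog describes the bug as an inability to update the attribute to false. A single-step test never goes through `resourceCloudflareAccessApplicationUpdate`, so a regression in the update path would pass unnoticed. Adding a first step that applies the existing enabled config and keeping the false config as the second step would cover the true-to-false transition; this assumes the existing config yields `true`, which the schema default suggests but the hunk does not show.

```go
Steps: []resource.TestStep{
	{
		// Start with HttpOnly enabled so the next step exercises the update path.
		Config: testAccCloudflareAccessApplicationConfigWithHTTPOnlyCookieAttribute(rnd, zoneID, domain),
		Check: resource.ComposeTestCheckFunc(
			resource.TestCheckResourceAttr(name, "http_only_cookie_attribute", "true"),
		),
	},
	// … unchanged: existing step applying the SetToFalse config and asserting "false" …
```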
@@ -430,7 +456,7 @@ resource "cloudflare_access_application" "%[1]s" { `, rnd, zoneID, domain, accountID) } -func testAccCloudflareAccessApplicationConfigWithHttpOnlyCookieAttribute(rnd, zoneID, domain string) string { +func testAccCloudflareAccessApplicationConfigWithHTTPOnlyCookieAttribute(rnd, zoneID, domain string) string { return fmt.Sprintf(` resource "cloudflare_access_application" "%[1]s" { zone_id = "%[2]s" @@ -443,6 +469,19 @@ resource "cloudflare_access_application" "%[1]s" { `, rnd, zoneID, domain) } +func testAccCloudflareAccessApplicationConfigWithHTTPOnlyCookieAttributeSetToFalse(rnd, zoneID, domain string) string { + return fmt.Sprintf(` +resource "cloudflare_access_application" "%[1]s" { + zone_id = "%[2]s" + name = "%[1]s" + domain = "%[1]s.%[3]s" + type = "self_hosted" + session_duration = "24h" + http_only_cookie_attribute = false +} +`, rnd, zoneID, domain) +} + func testAccCloudflareAccessApplicationConfigSameSiteCookieAttribute(rnd, zoneID, domain string) string { return fmt.Sprintf(` resource "cloudflare_access_application" "%[1]s" { @@ -517,6 +556,7 @@ func testAccCheckCloudflareAccessApplicationDestroy(s *terraform.State) error { return fmt.Errorf("AccessApplication still exists") } } + } return nil diff --git a/internal/provider/schema_cloudflare_access_application.go b/internal/provider/schema_cloudflare_access_application.go index 7b81d119f0..3440c8b5af 100644 --- a/internal/provider/schema_cloudflare_access_application.go +++ b/internal/provider/schema_cloudflare_access_application.go @@ -133,7 +133,7 @@ func resourceCloudflareAccessApplicationSchema() map[string]*schema.Schema { "http_only_cookie_attribute": { Type: schema.TypeBool, Optional: true, - Computed: true, + Default: true, }, "same_site_cookie_attribute": { Type: schema.TypeString, diff --git a/website/docs/r/access_application.html.markdown b/website/docs/r/access_application.html.markdown index 9dfbacf5b1..321f688bc2 100644 
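Review bot: Replacing `Computed: true` with `Default: true` on `http_only_cookie_attribute` (schema hunk `@@ -133,7 +133,7 @@`) changes behaviour for existing users, and neither the hunk nor the changelog entry says so. A configuration that omits the attribute previously accepted whatever the API reported. After this change, an application whose remote value is `false` will be planned for a change to `true` on the next apply. That is the safer direction for the access-token cookie, but it is still an unrequested change to live applications. It deserves a comment on the field, e.g. `// Default (not Computed) so an explicit false in config is distinguishable from unset.`, and a behaviour-change note next to the bug entry. The schema map continues outside the hunk.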
--- a/website/docs/r/access_application.html.markdown +++ b/website/docs/r/access_application.html.markdown @@ -72,7 +72,7 @@ The following arguments are supported: dashboard. * `same_site_cookie_attribute` - (Optional) Defines the same-site cookie setting for access tokens. Valid values are `none`, `lax`, and `strict`. -* `http_only_cookie_attribute` - (Optional) Option to add the `HttpOnly` cookie flag to access tokens. +* `http_only_cookie_attribute` - (Optional) Option to add the `HttpOnly` cookie flag to access tokens. Defaults to `true`. * `service_auth_401_redirect` - (Optional) Option to return a 401 status code in service authentication rules on failed requests.