Properly send Access policy purpose justification settings

[jroyal]

fixes #2813

Probably need to update tests, but wanted to push this up real quick. I've tested this a lot locally and I'm not sure why we had the nil guards to start with. Removing them allows terraform to understand when the value is either missing or updated. If there is something i'm missing about why they should exist let me know.

[github-actions]

changelog detected ✅

[jroyal]

I can't figure out how to get a test case to fail for the thing I fixed. The problem was that the state was matching the config (and so the tests pass), but the actual policy in Cloudflare was wrong. The existing tests should catch it if the value itself is missing, but maybe @jacobbednarz you have a recommendation about how I can update the tests for this specific use case?

[jacobbednarz]

generally you'd need to rely on a custom API call (example: https://github.com/cloudflare/terraform-provider-cloudflare/blob/master/internal/sdkv2provider/resource_cloudflare_access_group_test.go#L555) and perform your own checks. i do wonder if this sort of check belongs in the provider though or if there is something on the service side we could do instead. up to you to make the call either way.

[jacobbednarz]

just sorting out entitlement issue for the acceptance tests and we should be good here

=== RUN   TestAccCloudflareAccessPolicy_IsolationRequired
    resource_cloudflare_access_policy_test.go:956: Step 1/1 error: Error running apply: exit status 1
        
        Error: error creating Access Policy for ID "": error from makeRequest: access.api.error.invalid_request: url_browser_isolation_enabled is not enabled for the account (12130)
        
          with cloudflare_access_policy.zslnphkgmr,
          on terraform_plugin_test.tf line 8, in resource "cloudflare_access_policy" "zslnphkgmr":
           8:     resource "cloudflare_access_policy" "zslnphkgmr" {
        
--- FAIL: TestAccCloudflareAccessPolicy_IsolationRequired (11.61s)

[jroyal]

The account is correctly entitled, but it's missing a prereq step. To make use of that flag we need to have a setting enabled in the account.

In the zt dash, settings > browser isolation > clientless web isolation > enable

TBH I'm not sure if this is something we should do out of band or as a part of a test? If I need to add it to the test let me know and I'll figure out how to do that.

[jacobbednarz]

thanks @jroyal 🙇 i've manually toggled it for now but if there is an API for it, i'd love to make it a part of the acceptance test flow so that we aren't reliant on any manual steps for the test suite to run but not a blocker here.

acceptance tests all looking good now 👏

TF_ACC=1 go test ./internal/sdkv2provider -v -run "^TestAccCloudflareAccessPolicy_" -count 1 -timeout 120m -parallel 1
=== RUN   TestAccCloudflareAccessPolicy_ServiceToken
--- PASS: TestAccCloudflareAccessPolicy_ServiceToken (17.31s)
=== RUN   TestAccCloudflareAccessPolicy_AnyServiceToken
--- PASS: TestAccCloudflareAccessPolicy_AnyServiceToken (12.37s)
=== RUN   TestAccCloudflareAccessPolicy_WithZoneID
--- PASS: TestAccCloudflareAccessPolicy_WithZoneID (29.44s)
=== RUN   TestAccCloudflareAccessPolicy_Group
--- PASS: TestAccCloudflareAccessPolicy_Group (12.06s)
=== RUN   TestAccCloudflareAccessPolicy_MTLS
--- PASS: TestAccCloudflareAccessPolicy_MTLS (11.70s)
=== RUN   TestAccCloudflareAccessPolicy_CommonName
--- PASS: TestAccCloudflareAccessPolicy_CommonName (11.48s)
=== RUN   TestAccCloudflareAccessPolicy_EmailDomain
--- PASS: TestAccCloudflareAccessPolicy_EmailDomain (11.25s)
=== RUN   TestAccCloudflareAccessPolicy_Emails
--- PASS: TestAccCloudflareAccessPolicy_Emails (11.25s)
=== RUN   TestAccCloudflareAccessPolicy_Everyone
--- PASS: TestAccCloudflareAccessPolicy_Everyone (12.00s)
=== RUN   TestAccCloudflareAccessPolicy_IPs
--- PASS: TestAccCloudflareAccessPolicy_IPs (11.98s)
=== RUN   TestAccCloudflareAccessPolicy_AuthMethod
--- PASS: TestAccCloudflareAccessPolicy_AuthMethod (15.97s)
=== RUN   TestAccCloudflareAccessPolicy_Geo
--- PASS: TestAccCloudflareAccessPolicy_Geo (11.04s)
=== RUN   TestAccCloudflareAccessPolicy_Okta
--- PASS: TestAccCloudflareAccessPolicy_Okta (11.42s)
=== RUN   TestAccCloudflareAccessPolicy_PurposeJustification
--- PASS: TestAccCloudflareAccessPolicy_PurposeJustification (17.21s)
=== RUN   TestAccCloudflareAccessPolicy_ApprovalGroup
--- PASS: TestAccCloudflareAccessPolicy_ApprovalGroup (12.23s)
=== RUN   TestAccCloudflareAccessPolicy_ExternalEvaluation
--- PASS: TestAccCloudflareAccessPolicy_ExternalEvaluation (11.28s)
=== RUN   TestAccCloudflareAccessPolicy_IsolationRequired
--- PASS: TestAccCloudflareAccessPolicy_IsolationRequired (11.87s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	232.828s

[github-actions]

This functionality has been released in v4.17.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!