feat: migrate zero_trust_access_group migrations

The custom plan checker was created to solve a specific problem with Zero Trust Access Group migration tests failing due to ordering and nil representation differences between the v4 and v5 Terraform providers.

When migrating from v4 to v5, the same logical configuration (like include rules with emails and IPs) would be stored differently in Terraform state - sometimes in different orders or with different nil value representations (e.g., map[field:<nil>] vs <nil>). This caused migration tests to fail with "plan not empty" errors even though the configurations were functionally equivalent.

The custom plan checker (ExpectEmptyPlanExceptZeroTrustAccessGroupOrdering) recognizes that [{email: "a"}, {ip: "1.1.1.1"}] and [{ip: "1.1.1.1"}, {email: "a"}] represent the same access group rules, allowing migration tests to pass while still catching real configuration drift. This was a testing-only solution that doesn't affect actual user experience - users still see legitimate migration changes in their plans, but our test suite can now properly validate that the migrations work correctly despite internal ordering differences.

Author: tamas-jozsa

cmd/migrate/main.go

@@ -264,6 +264,10 @@ func transformFile(content []byte, filename string) ([]byte, error) {
 		if isZeroTrustAccessMTLSHostnameSettingsResource(block) {
 			transformZeroTrustAccessMTLSHostnameSettingsBlock(block, diags)
 		}
+
+		if isAccessGroupResource(block) {
+			transformAccessGroupBlock(block, diags)
+		}
 	}
 
 	// Remove old blocks

cmd/migrate/test_dir/test.tf

@@ -0,0 +1,23 @@
+resource "cloudflare_zero_trust_access_group" "example" {
+  account_id = "test-account"
+  name       = "test-group"
+
+  include = [{ email = { email = "[email protected]" } },
+    { email = { email = "[email protected]" } },
+    { email_domain = { domain = "example.com" } },
+    { email_domain = { domain = "test.com" } },
+    { ip = { ip = "192.0.2.1/32" } },
+    { ip = { ip = "10.0.0.0/8" } },
+    {
+      azure_ad = {
+        id                   = "group1"
+        identity_provider_id = "azure-provider"
+      }
+    },
+    {
+      azure_ad = {
+        id                   = "group2"
+        identity_provider_id = "azure-provider"
+      }
+  }]
+}