Conversation

tamas-jozsa
Contributor

@tamas-jozsa tamas-jozsa commented Aug 25, 2025

Summary

Implements comprehensive v4→v5 migration support for zero trust access group resources,
handling both configuration syntax transformations and state schema upgrades for the breaking
changes in rule structure.

  • Config Migration: HCL AST transformations from v4 array-based to v5 object-based rules
  • State Upgrades: Schema version 0→1 upgrade with complete rule restructuring
  • Provider Rules: Complex identity provider transformations (Azure AD, GitHub, GSuite,
    Okta)
  • Migration Tests: Comprehensive test coverage for all transformation scenarios
  • Plan Validation: Custom ordering-aware plan checks for post-migration validation

Migration Scenarios Covered

| v4 Rule Format | v5 Result | Migration Type |
|---|---|---|
| `email = ["[email protected]", "[email protected]"]` | Multiple `email = { email = "[email protected]" }` objects | Array expansion |
| `everyone = true`, `certificate = true` | Separate `everyone = {}`, `certificate = {}` objects | Boolean to empty objects |
| `azure = [{ id = ["group1", "group2"] }]` | Multiple `azure_ad = { id = "group1" }` objects | Provider rename + expansion |
| `github = [{ teams = ["team1", "team2"] }]` | Multiple `github_organization = { team = "team1" }` objects | Provider rename + expansion |
| `common_names = ["cert1", "cert2"]` | Multiple `common_name = { common_name = "cert1" }` objects | Attribute rename + expansion |

Key Changes

Config Transformation (cmd/migrate/zero_trust_access_group.go)

  • Comprehensive HCL AST transformation handling all v4→v5 rule format changes
  • Processes include, exclude, and require rule blocks consistently
  • Expands array-based attributes into individual rule objects with nested structures
  • Handles complex identity provider block transformations with array expansion
  • Maintains deterministic ordering matching state migration for consistency

State Upgrade Functions (internal/services/zero_trust_access_group/migrations.go)

  • Implements ResourceWithUpgradeState interface for v0→v1 schema migration
  • Handles JSON state parsing and transformation to new v5 structure
  • Creates clean rule objects with only relevant fields initialized
  • Processes migration in fixed order to ensure deterministic results
  • Supports both account-scoped and zone-scoped access groups

Migration Tests (internal/services/zero_trust_access_group/migrations_test.go)

  • 8 comprehensive test scenarios covering all transformation types
  • Uses modern Terraform testing patterns with statecheck and knownvalue assertions
  • Tests basic rules, complex expansions, identity providers, and mixed scenarios
  • Validates both config transformation and state migration in 3-step process
  • Includes zone-scoped testing for complete coverage

Custom Test Helpers (internal/acctest/zero_trust_access_group.go)

  • ExpectEmptyPlanExceptZeroTrustAccessGroupOrdering - Custom plan checker
  • Handles expected ordering differences between v4 and v5 rule representations
  • Allows provider migration artifacts while catching actual configuration drift
  • ZeroTrustAccessGroupMigrationTestStep - Specialized migration test helper

Schema Definition (internal/services/zero_trust_access_group/schema.go)

  • Schema version bumped to 1 with v0 schema preserved for migration
  • Object size validators ensuring each rule object contains exactly one rule type
  • Comprehensive attribute coverage for all supported identity providers and rule types

Test Results

All migration tests passing with proper validation of:

  • Array expansion (emails, IPs, domains) → individual nested objects
  • Boolean transformation (everyone, certificate) → empty objects
  • Identity provider expansion (Azure AD, GitHub, GSuite, Okta) with team/group arrays
  • Resource name transformation (azure→azure_ad, github→github_organization)
  • Mixed complex scenarios with include/exclude/require combinations

The migration maintains full backward compatibility while enabling the new v5 object-based rule
structure that provides better type safety and validation.

  • I understand that this repository is auto-generated and my pull request may not be merged

Changes being requested

Additional context & links
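The rule expansion the scenario table describes, written out as an added Go example (not the PR's own migration code). It assumes a v4 rule block already decoded from state JSON into a `map[string]any`, covers only the attributes the table lists plus `ip` (assumed to follow the same nested-object pattern), and ignores the further fields real v4 provider blocks carry; the fixed visiting order is what makes the output deterministic.

```go
package main

// SampleV4 is a constructed v4 rule block as decoded from state JSON (not PR data).
var SampleV4 = map[string]any{
	"email":        []any{"a@example.com", "b@example.com"},
	"everyone":     true,
	"azure":        []any{map[string]any{"id": []any{"group1", "group2"}}},
	"github":       []any{map[string]any{"teams": []any{"team1"}}},
	"common_names": []any{"cert1"},
}

// stringList returns the string elements of a decoded JSON array (nil if absent).
func stringList(v any) (out []string) {
	items, _ := v.([]any)
	for _, it := range items {
		if s, ok := it.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// ExpandV4Rule turns one v4 rule block into v5 single-type rule objects.
// Attributes are visited in a fixed order so repeated runs give the same list.
func ExpandV4Rule(v4 map[string]any) (out []map[string]any) {
	for _, k := range []string{"everyone", "certificate"} { // true -> {}
		if b, _ := v4[k].(bool); b {
			out = append(out, map[string]any{k: map[string]any{}})
		}
	}
	for _, r := range [][3]string{ // v4 key, v5 key, nested field
		{"email", "email", "email"}, {"ip", "ip", "ip"}, {"common_names", "common_name", "common_name"},
	} {
		for _, v := range stringList(v4[r[0]]) {
			out = append(out, map[string]any{r[1]: map[string]any{r[2]: v}})
		}
	}
	for _, r := range [][4]string{ // v4 provider, v5 provider, v4 array, v5 field
		{"azure", "azure_ad", "id", "id"}, {"github", "github_organization", "teams", "team"},
	} {
		blocks, _ := v4[r[0]].([]any)
		for _, b := range blocks {
			block, _ := b.(map[string]any)
			for _, v := range stringList(block[r[2]]) {
				out = append(out, map[string]any{r[1]: map[string]any{r[3]: v}})
			}
		}
	}
	return out
}
```

Every emitted object holds exactly one key, which is the property the PR's object-size validators enforce on the v5 schema.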

@tamas-jozsa tamas-jozsa force-pushed the zero_trust_access_group_migrate branch 4 times, most recently from 4d39fc6 to 052a269 Compare August 26, 2025 13:49
@tamas-jozsa tamas-jozsa force-pushed the zero_trust_access_group_migrate branch 3 times, most recently from d521eec to c332f98 Compare August 27, 2025 10:11
…ss_group resources

  - Add config transformation from v4 array-based rules to v5 object-based rules
  - Implement state upgrade functions for schema v0 to v1 migration
  - Handle complex provider rule expansions (azure to azure_ad, github to github_organization)
  - Transform boolean attributes to empty objects (everyone, certificate, etc.)
  - Expand array attributes into multiple rule objects (email, ip, groups, etc.)
  - Add comprehensive migration tests covering all transformation scenarios
  - Include custom plan checks to handle ordering differences post-migration
@tamas-jozsa tamas-jozsa force-pushed the zero_trust_access_group_migrate branch from c332f98 to c63bd93 Compare August 28, 2025 07:09
@tamas-jozsa tamas-jozsa merged commit 892b2ed into next Aug 28, 2025
2 of 4 checks passed
@tamas-jozsa tamas-jozsa deleted the zero_trust_access_group_migrate branch August 28, 2025 07:09