cloudflare · maltere · Apr 9, 2026
@@ -0,0 +1,176 @@
+package vulnerability_scanner_credential_test
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/cloudflare/cloudflare-go/v6"
+	"github.com/cloudflare/cloudflare-go/v6/vulnerability_scanner"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/acctest"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/utils"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/terraform"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+func TestMain(m *testing.M) {
+	resource.TestMain(m)
+}
+
+func init() {
+	resource.AddTestSweepers("cloudflare_vulnerability_scanner_credential", &resource.Sweeper{
+		Name: "cloudflare_vulnerability_scanner_credential",
+		F:    testSweepVulnerabilityScannerCredential,
+	})
+}
+
+func testSweepVulnerabilityScannerCredential(r string) error {
+	ctx := context.Background()
+	client := acctest.SharedClient()
+
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	if accountID == "" {
+		return errors.New("CLOUDFLARE_ACCOUNT_ID must be set")
+	}
+
+	// List credential sets, then delete all credentials within each set.
+	csPage, err := client.VulnerabilityScanner.CredentialSets.List(
+		ctx,
+		vulnerability_scanner.CredentialSetListParams{
+			AccountID: cloudflare.F(accountID),
+		},
+	)
+	if err != nil {
+		tflog.Error(ctx, fmt.Sprintf("Failed to fetch Vulnerability Scanner Credential Sets: %s", err))
+		return nil
+	}
+
+	if csPage == nil || len(csPage.Result) == 0 {
+		log.Print("[DEBUG] No Vulnerability Scanner Credential Sets to sweep credentials from")
+		return nil
+	}
+
+	for _, cs := range csPage.Result {
+		credPage, err := client.VulnerabilityScanner.CredentialSets.Credentials.List(
+			ctx,
+			cs.ID,
+			vulnerability_scanner.CredentialSetCredentialListParams{
+				AccountID: cloudflare.F(accountID),
+			},
+		)
+		if err != nil {
+			tflog.Error(ctx, fmt.Sprintf("Failed to fetch credentials for set %s: %s", cs.ID, err))
+			continue
+		}
+
+		if credPage == nil || len(credPage.Result) == 0 {
+			continue
+		}
+
+		for _, cred := range credPage.Result {
+			tflog.Info(ctx, fmt.Sprintf("Deleting Vulnerability Scanner Credential %s", cred.ID))
+			//nolint:errcheck
+			client.VulnerabilityScanner.CredentialSets.Credentials.Delete(
+				ctx,
+				cs.ID,
+				cred.ID,
+				vulnerability_scanner.CredentialSetCredentialDeleteParams{
+					AccountID: cloudflare.F(accountID),
+				},
+			)
+		}
+	}
+
+	return nil
+}
+
+func TestAccVulnerabilityScannerCredential_Basic(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_vulnerability_scanner_credential.%s", rnd)
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create
+			{
+				Config: testAccVulnerabilityScannerCredentialBasic(rnd, accountID, rnd, "header", "x-api-key", "test-token-123"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "location", "header"),
+					resource.TestCheckResourceAttr(name, "location_name", "x-api-key"),
+					resource.TestCheckResourceAttr(name, "value", "test-token-123"),
+					resource.TestCheckResourceAttr(name, "account_id", accountID),
+					resource.TestCheckResourceAttrSet(name, "credential_set_id"),
+				),
+			},
+			// Update name only
+			{
+				Config: testAccVulnerabilityScannerCredentialBasic(rnd, accountID, rnd+"-updated", "header", "x-api-key", "test-token-123"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(name, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							name,
+							tfjsonpath.New("name"),
+							knownvalue.StringExact(rnd+"-updated"),
+						),
+						plancheck.ExpectKnownValue(
+							name,
+							tfjsonpath.New("location"),
+							knownvalue.StringExact("header"),
+						),
+						plancheck.ExpectKnownValue(
+							name,
+							tfjsonpath.New("location_name"),
+							knownvalue.StringExact("x-api-key"),
+						),
+					},
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd+"-updated"),
+					resource.TestCheckResourceAttr(name, "location", "header"),
+					resource.TestCheckResourceAttr(name, "location_name", "x-api-key"),
+				),
+			},
+			// No drift on re-apply
+			{
+				Config: testAccVulnerabilityScannerCredentialBasic(rnd, accountID, rnd+"-updated", "header", "x-api-key", "test-token-123"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+			// Import (3-part path: account_id/credential_set_id/credential_id)
+			{
+				ResourceName:            name,
+				ImportState:             true,
+				ImportStateVerify:       true,
+				ImportStateVerifyIgnore: []string{"value"},
+				ImportStateIdFunc: func(s *terraform.State) (string, error) {
+					credSetResourceName := fmt.Sprintf("cloudflare_vulnerability_scanner_credential_set.%s", rnd)
+					credResourceName := fmt.Sprintf("cloudflare_vulnerability_scanner_credential.%s", rnd)
+					credSetID := s.RootModule().Resources[credSetResourceName].Primary.ID
+					credID := s.RootModule().Resources[credResourceName].Primary.ID
+					return fmt.Sprintf("%s/%s/%s", accountID, credSetID, credID), nil
+				},
+			},
+		},
+	})
+}
+
+func testAccVulnerabilityScannerCredentialBasic(ID, accountID, credName, location, locationName, value string) string {
+	return acctest.LoadTestCase("credentialbasic.tf", ID, accountID, credName, location, locationName, value)
+}
@@ -0,0 +1,14 @@
+
+resource "cloudflare_vulnerability_scanner_credential_set" "%[1]s" {
+  account_id = "%[2]s"
+  name       = "%[1]s-credset"
+}
+
+resource "cloudflare_vulnerability_scanner_credential" "%[1]s" {
+  account_id        = "%[2]s"
+  credential_set_id = cloudflare_vulnerability_scanner_credential_set.%[1]s.id
+  name              = "%[3]s"
+  location          = "%[4]s"
+  location_name     = "%[5]s"
+  value             = "%[6]s"
+}
@@ -0,0 +1,132 @@
+package vulnerability_scanner_credential_set_test
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log"
+	"os"
+	"testing"
+
+	"github.com/cloudflare/cloudflare-go/v6"
+	"github.com/cloudflare/cloudflare-go/v6/vulnerability_scanner"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/acctest"
+	"github.com/cloudflare/terraform-provider-cloudflare/internal/utils"
+	"github.com/hashicorp/terraform-plugin-log/tflog"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/plancheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+func TestMain(m *testing.M) {
+	resource.TestMain(m)
+}
+
+func init() {
+	resource.AddTestSweepers("cloudflare_vulnerability_scanner_credential_set", &resource.Sweeper{
+		Name: "cloudflare_vulnerability_scanner_credential_set",
+		F:    testSweepVulnerabilityScannerCredentialSet,
+	})
+}
+
+func testSweepVulnerabilityScannerCredentialSet(r string) error {
+	ctx := context.Background()
+	client := acctest.SharedClient()
+
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+	if accountID == "" {
+		return errors.New("CLOUDFLARE_ACCOUNT_ID must be set")
+	}
+
+	page, err := client.VulnerabilityScanner.CredentialSets.List(
+		ctx,
+		vulnerability_scanner.CredentialSetListParams{
+			AccountID: cloudflare.F(accountID),
+		},
+	)
+	if err != nil {
+		tflog.Error(ctx, fmt.Sprintf("Failed to fetch Vulnerability Scanner Credential Sets: %s", err))
+		return nil
+	}
+
+	if page == nil || len(page.Result) == 0 {
+		log.Print("[DEBUG] No Vulnerability Scanner Credential Sets to sweep")
+		return nil
+	}
+
+	for _, cs := range page.Result {
+		tflog.Info(ctx, fmt.Sprintf("Deleting Vulnerability Scanner Credential Set %s", cs.ID))
+		//nolint:errcheck
+		client.VulnerabilityScanner.CredentialSets.Delete(
+			ctx,
+			cs.ID,
+			vulnerability_scanner.CredentialSetDeleteParams{
+				AccountID: cloudflare.F(accountID),
+			},
+		)
+	}
+
+	return nil
+}
+
+func TestAccVulnerabilityScannerCredentialSet_Basic(t *testing.T) {
+	rnd := utils.GenerateRandomResourceName()
+	name := fmt.Sprintf("cloudflare_vulnerability_scanner_credential_set.%s", rnd)
+	accountID := os.Getenv("CLOUDFLARE_ACCOUNT_ID")
+
+	resource.Test(t, resource.TestCase{
+		PreCheck: func() {
+			acctest.TestAccPreCheck(t)
+			acctest.TestAccPreCheck_AccountID(t)
+		},
+		ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			// Create
+			{
+				Config: testAccVulnerabilityScannerCredentialSetBasic(rnd, accountID, rnd),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd),
+					resource.TestCheckResourceAttr(name, "account_id", accountID),
+				),
+			},
+			// Update name
+			{
+				Config: testAccVulnerabilityScannerCredentialSetBasic(rnd, accountID, rnd+"-updated"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectResourceAction(name, plancheck.ResourceActionUpdate),
+						plancheck.ExpectKnownValue(
+							name,
+							tfjsonpath.New("name"),
+							knownvalue.StringExact(rnd+"-updated"),
+						),
+					},
+				},
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "name", rnd+"-updated"),
+				),
+			},
+			// No drift on re-apply
+			{
+				Config: testAccVulnerabilityScannerCredentialSetBasic(rnd, accountID, rnd+"-updated"),
+				ConfigPlanChecks: resource.ConfigPlanChecks{
+					PreApply: []plancheck.PlanCheck{
+						plancheck.ExpectEmptyPlan(),
+					},
+				},
+			},
+			// Import
+			{
+				ResourceName:        name,
+				ImportStateIdPrefix: fmt.Sprintf("%s/", accountID),
+				ImportState:         true,
+				ImportStateVerify:   true,
+			},
+		},
+	})
+}
+
+func testAccVulnerabilityScannerCredentialSetBasic(ID, accountID, csName string) string {
+	return acctest.LoadTestCase("credentialsetbasic.tf", ID, accountID, csName)
+}
@@ -0,0 +1,5 @@
+
+resource "cloudflare_vulnerability_scanner_credential_set" "%[1]s" {
+  account_id = "%[2]s"
+  name       = "%[3]s"
+}