From f86526f1c88f21b12ef26bf9b6c35e25dfd018da Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 8 Jan 2025 18:03:49 -0500
Subject: [PATCH 1/6] use standard timetypes

---
 example/main.tf                      |  13 +--
 go.mod                               |   1 +
 go.sum                               |   2 +
 internal/provider/convert.go         |  19 ++--
 internal/provider/route.go           |   3 +
 internal/provider/route_model.go     |  75 ++++++-------
 internal/provider/settings_model.go  | 153 ++++++++++++++-------------
 internal/provider/settings_schema.go |  10 ++
 8 files changed, 148 insertions(+), 128 deletions(-)

diff --git a/example/main.tf b/example/main.tf
index a51bd23..736a39d 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -36,6 +36,7 @@ resource "pomerium_settings" "settings" {
     api_key = "key"
     url     = "http://localhost"
   }
+  timeout_idle = "5m"
 }
 
 resource "pomerium_policy" "test_policy" {
@@ -74,18 +75,18 @@ data "pomerium_namespace" "existing_namespace" {
   id = pomerium_namespace.test_namespace.id
 }
 
-data "pomerium_route" "existing_route" {
-  id = pomerium_route.test_route.id
-}
+# data "pomerium_route" "existing_route" {
+#   id = pomerium_route.test_route.id
+# }
 
 # Output examples
 output "namespace_name" {
   value = data.pomerium_namespace.existing_namespace.name
 }
 
-output "route_from" {
-  value = data.pomerium_route.existing_route.from
-}
+# output "route_from" {
+#   value = data.pomerium_route.existing_route.from
+# }
 
 output "all_namespaces" {
   value = data.pomerium_namespaces.all_namespaces.namespaces
diff --git a/go.mod b/go.mod
index b537128..22ac609 100644
--- a/go.mod
+++ b/go.mod
@@ -38,6 +38,7 @@ require (
 	github.com/hashicorp/go-set/v3 v3.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+	github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.2.3 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.1.1 // indirect
diff --git a/go.sum b/go.sum
index ce9d984..d80c2f5 100644
--- a/go.sum
+++ b/go.sum
@@ -134,6 +134,8 @@ github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hashicorp/terraform-plugin-framework v1.13.0 h1:8OTG4+oZUfKgnfTdPTJwZ532Bh2BobF4H+yBiYJ/scw=
 github.com/hashicorp/terraform-plugin-framework v1.13.0/go.mod h1:j64rwMGpgM3NYXTKuxrCnyubQb/4VKldEKlcG8cvmjU=
+github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0 h1:v3DapR8gsp3EM8fKMh6up9cJUFQ2iRaFsYLP8UJnCco=
+github.com/hashicorp/terraform-plugin-framework-timetypes v0.5.0/go.mod h1:c3PnGE9pHBDfdEVG9t1S1C9ia5LW+gkFR0CygXlM8ak=
 github.com/hashicorp/terraform-plugin-framework-validators v0.16.0 h1:O9QqGoYDzQT7lwTXUsZEtgabeWW96zUBh47Smn2lkFA=
 github.com/hashicorp/terraform-plugin-framework-validators v0.16.0/go.mod h1:Bh89/hNmqsEWug4/XWKYBwtnw3tbz5BAy1L1OgvbIaY=
 github.com/hashicorp/terraform-plugin-go v0.25.0 h1:oi13cx7xXA6QciMcpcFi/rwA974rdTxjqEhXJjbAyks=
diff --git a/internal/provider/convert.go b/internal/provider/convert.go
index d6a7568..f55fd27 100644
--- a/internal/provider/convert.go
+++ b/internal/provider/convert.go
@@ -4,8 +4,8 @@ import (
 	"context"
 	"fmt"
 	"reflect"
-	"time"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/path"
@@ -90,25 +90,26 @@ func ToStringSlice(ctx context.Context, dst *[]string, list types.List, diagnost
 }
 
 // ToDuration converts a types.String containing a duration to a durationpb.Duration and handles diagnostics internally
-func ToDuration(dst **durationpb.Duration, src types.String, field string, diagnostics *diag.Diagnostics) {
+func ToDuration(dst **durationpb.Duration, src timetypes.GoDuration, field string, diagnostics *diag.Diagnostics) {
 	if src.IsNull() {
 		*dst = nil
 		return
 	}
 
-	if d, err := time.ParseDuration(src.ValueString()); err == nil {
-		*dst = durationpb.New(d)
-	} else {
-		diagnostics.AddError("invalid "+field, err.Error())
+	d, diags := src.ValueGoDuration()
+	diagnostics.Append(diags...)
+	if diagnostics.HasError() {
+		return
 	}
+	*dst = durationpb.New(d)
 }
 
 // FromDuration converts a durationpb.Duration to a types.String
-func FromDuration(d *durationpb.Duration) types.String {
+func FromDuration(d *durationpb.Duration) timetypes.GoDuration {
 	if d == nil {
-		return types.StringNull()
+		return timetypes.NewGoDurationNull()
 	}
-	return types.StringValue(d.AsDuration().String())
+	return timetypes.NewGoDurationValue(d.AsDuration())
 }
 
 // GoStructToPB converts a Go struct to a protobuf Struct.
diff --git a/internal/provider/route.go b/internal/provider/route.go
index a98f716..bfe4a3d 100644
--- a/internal/provider/route.go
+++ b/internal/provider/route.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -121,10 +122,12 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 			"timeout": schema.StringAttribute{
 				Description: "Timeout.",
 				Optional:    true,
+				CustomType:  timetypes.GoDurationType{},
 			},
 			"idle_timeout": schema.StringAttribute{
 				Description: "Idle timeout.",
 				Optional:    true,
+				CustomType:  timetypes.GoDurationType{},
 			},
 			"allow_websockets": schema.BoolAttribute{
 				Description: "Allow websockets.",
diff --git a/internal/provider/route_model.go b/internal/provider/route_model.go
index d74352f..e8e64f1 100644
--- a/internal/provider/route_model.go
+++ b/internal/provider/route_model.go
@@ -3,6 +3,7 @@ package provider
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
@@ -11,41 +12,41 @@ import (
 
 // RouteModel represents the shared model for route resources and data sources
 type RouteModel struct {
-	ID                               types.String `tfsdk:"id"`
-	Name                             types.String `tfsdk:"name"`
-	From                             types.String `tfsdk:"from"`
-	To                               types.List   `tfsdk:"to"`
-	NamespaceID                      types.String `tfsdk:"namespace_id"`
-	Policies                         types.List   `tfsdk:"policies"`
-	StatName                         types.String `tfsdk:"stat_name"`
-	Prefix                           types.String `tfsdk:"prefix"`
-	Path                             types.String `tfsdk:"path"`
-	Regex                            types.String `tfsdk:"regex"`
-	PrefixRewrite                    types.String `tfsdk:"prefix_rewrite"`
-	RegexRewritePattern              types.String `tfsdk:"regex_rewrite_pattern"`
-	RegexRewriteSubstitution         types.String `tfsdk:"regex_rewrite_substitution"`
-	HostRewrite                      types.String `tfsdk:"host_rewrite"`
-	HostRewriteHeader                types.String `tfsdk:"host_rewrite_header"`
-	HostPathRegexRewritePattern      types.String `tfsdk:"host_path_regex_rewrite_pattern"`
-	HostPathRegexRewriteSubstitution types.String `tfsdk:"host_path_regex_rewrite_substitution"`
-	RegexPriorityOrder               types.Int64  `tfsdk:"regex_priority_order"`
-	Timeout                          types.String `tfsdk:"timeout"`
-	IdleTimeout                      types.String `tfsdk:"idle_timeout"`
-	AllowWebsockets                  types.Bool   `tfsdk:"allow_websockets"`
-	AllowSPDY                        types.Bool   `tfsdk:"allow_spdy"`
-	TLSSkipVerify                    types.Bool   `tfsdk:"tls_skip_verify"`
-	TLSUpstreamServerName            types.String `tfsdk:"tls_upstream_server_name"`
-	TLSDownstreamServerName          types.String `tfsdk:"tls_downstream_server_name"`
-	TLSUpstreamAllowRenegotiation    types.Bool   `tfsdk:"tls_upstream_allow_renegotiation"`
-	SetRequestHeaders                types.Map    `tfsdk:"set_request_headers"`
-	RemoveRequestHeaders             types.List   `tfsdk:"remove_request_headers"`
-	SetResponseHeaders               types.Map    `tfsdk:"set_response_headers"`
-	PreserveHostHeader               types.Bool   `tfsdk:"preserve_host_header"`
-	PassIdentityHeaders              types.Bool   `tfsdk:"pass_identity_headers"`
-	KubernetesServiceAccountToken    types.String `tfsdk:"kubernetes_service_account_token"`
-	IDPClientID                      types.String `tfsdk:"idp_client_id"`
-	IDPClientSecret                  types.String `tfsdk:"idp_client_secret"`
-	ShowErrorDetails                 types.Bool   `tfsdk:"show_error_details"`
+	ID                               types.String         `tfsdk:"id"`
+	Name                             types.String         `tfsdk:"name"`
+	From                             types.String         `tfsdk:"from"`
+	To                               types.List           `tfsdk:"to"`
+	NamespaceID                      types.String         `tfsdk:"namespace_id"`
+	Policies                         types.List           `tfsdk:"policies"`
+	StatName                         types.String         `tfsdk:"stat_name"`
+	Prefix                           types.String         `tfsdk:"prefix"`
+	Path                             types.String         `tfsdk:"path"`
+	Regex                            types.String         `tfsdk:"regex"`
+	PrefixRewrite                    types.String         `tfsdk:"prefix_rewrite"`
+	RegexRewritePattern              types.String         `tfsdk:"regex_rewrite_pattern"`
+	RegexRewriteSubstitution         types.String         `tfsdk:"regex_rewrite_substitution"`
+	HostRewrite                      types.String         `tfsdk:"host_rewrite"`
+	HostRewriteHeader                types.String         `tfsdk:"host_rewrite_header"`
+	HostPathRegexRewritePattern      types.String         `tfsdk:"host_path_regex_rewrite_pattern"`
+	HostPathRegexRewriteSubstitution types.String         `tfsdk:"host_path_regex_rewrite_substitution"`
+	RegexPriorityOrder               types.Int64          `tfsdk:"regex_priority_order"`
+	Timeout                          timetypes.GoDuration `tfsdk:"timeout"`
+	IdleTimeout                      timetypes.GoDuration `tfsdk:"idle_timeout"`
+	AllowWebsockets                  types.Bool           `tfsdk:"allow_websockets"`
+	AllowSPDY                        types.Bool           `tfsdk:"allow_spdy"`
+	TLSSkipVerify                    types.Bool           `tfsdk:"tls_skip_verify"`
+	TLSUpstreamServerName            types.String         `tfsdk:"tls_upstream_server_name"`
+	TLSDownstreamServerName          types.String         `tfsdk:"tls_downstream_server_name"`
+	TLSUpstreamAllowRenegotiation    types.Bool           `tfsdk:"tls_upstream_allow_renegotiation"`
+	SetRequestHeaders                types.Map            `tfsdk:"set_request_headers"`
+	RemoveRequestHeaders             types.List           `tfsdk:"remove_request_headers"`
+	SetResponseHeaders               types.Map            `tfsdk:"set_response_headers"`
+	PreserveHostHeader               types.Bool           `tfsdk:"preserve_host_header"`
+	PassIdentityHeaders              types.Bool           `tfsdk:"pass_identity_headers"`
+	KubernetesServiceAccountToken    types.String         `tfsdk:"kubernetes_service_account_token"`
+	IDPClientID                      types.String         `tfsdk:"idp_client_id"`
+	IDPClientSecret                  types.String         `tfsdk:"idp_client_secret"`
+	ShowErrorDetails                 types.Bool           `tfsdk:"show_error_details"`
 }
 
 func ConvertRouteToPB(
@@ -134,8 +135,8 @@ func ConvertRouteFromPB(
 	dst.HostPathRegexRewritePattern = types.StringPointerValue(src.HostPathRegexRewritePattern)
 	dst.HostPathRegexRewriteSubstitution = types.StringPointerValue(src.HostPathRegexRewriteSubstitution)
 	dst.RegexPriorityOrder = types.Int64PointerValue(src.RegexPriorityOrder)
-	dst.Timeout = types.StringValue(src.Timeout.String())
-	dst.IdleTimeout = types.StringValue(src.IdleTimeout.String())
+	dst.Timeout = FromDuration(src.Timeout)
+	dst.IdleTimeout = FromDuration(src.IdleTimeout)
 	dst.AllowWebsockets = types.BoolPointerValue(src.AllowWebsockets)
 	dst.AllowSPDY = types.BoolPointerValue(src.AllowSpdy)
 	dst.TLSSkipVerify = types.BoolPointerValue(src.TlsSkipVerify)
diff --git a/internal/provider/settings_model.go b/internal/provider/settings_model.go
index 5598a0c..ae10a46 100644
--- a/internal/provider/settings_model.go
+++ b/internal/provider/settings_model.go
@@ -3,88 +3,89 @@ package provider
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
 	"github.com/pomerium/enterprise-client-go/pb"
 )
 
 type SettingsModel struct {
-	AccessLogFields                                   types.List    `tfsdk:"access_log_fields"`
-	Address                                           types.String  `tfsdk:"address"`
-	AuthenticateCallbackPath                          types.String  `tfsdk:"authenticate_callback_path"`
-	AuthenticateServiceURL                            types.String  `tfsdk:"authenticate_service_url"`
-	AuthorizeLogFields                                types.List    `tfsdk:"authorize_log_fields"`
-	AuthorizeServiceURL                               types.String  `tfsdk:"authorize_service_url"`
-	Autocert                                          types.Bool    `tfsdk:"autocert"`
-	AutocertDir                                       types.String  `tfsdk:"autocert_dir"`
-	AutocertMustStaple                                types.Bool    `tfsdk:"autocert_must_staple"`
-	AutocertUseStaging                                types.Bool    `tfsdk:"autocert_use_staging"`
-	CacheServiceURL                                   types.String  `tfsdk:"cache_service_url"`
-	CertificateAuthority                              types.String  `tfsdk:"certificate_authority"`
-	CertificateAuthorityFile                          types.String  `tfsdk:"certificate_authority_file"`
-	CertificateAuthorityKeyPairID                     types.String  `tfsdk:"certificate_authority_key_pair_id"`
-	ClientCA                                          types.String  `tfsdk:"client_ca"`
-	ClientCAFile                                      types.String  `tfsdk:"client_ca_file"`
-	ClientCAKeyPairID                                 types.String  `tfsdk:"client_ca_key_pair_id"`
-	CookieDomain                                      types.String  `tfsdk:"cookie_domain"`
-	CookieExpire                                      types.String  `tfsdk:"cookie_expire"`
-	CookieHTTPOnly                                    types.Bool    `tfsdk:"cookie_http_only"`
-	CookieName                                        types.String  `tfsdk:"cookie_name"`
-	CookieSameSite                                    types.String  `tfsdk:"cookie_same_site"`
-	CookieSecret                                      types.String  `tfsdk:"cookie_secret"`
-	CookieSecure                                      types.Bool    `tfsdk:"cookie_secure"`
-	DarkmodePrimaryColor                              types.String  `tfsdk:"darkmode_primary_color"`
-	DarkmodeSecondaryColor                            types.String  `tfsdk:"darkmode_secondary_color"`
-	DatabrokerServiceURL                              types.String  `tfsdk:"databroker_service_url"`
-	DefaultUpstreamTimeout                            types.String  `tfsdk:"default_upstream_timeout"`
-	DNSLookupFamily                                   types.String  `tfsdk:"dns_lookup_family"`
-	ErrorMessageFirstParagraph                        types.String  `tfsdk:"error_message_first_paragraph"`
-	FaviconURL                                        types.String  `tfsdk:"favicon_url"`
-	GoogleCloudServerlessAuthenticationServiceAccount types.String  `tfsdk:"google_cloud_serverless_authentication_service_account"`
-	GRPCAddress                                       types.String  `tfsdk:"grpc_address"`
-	GRPCInsecure                                      types.Bool    `tfsdk:"grpc_insecure"`
-	HTTPRedirectAddr                                  types.String  `tfsdk:"http_redirect_addr"`
-	IdentityProviderAuth0                             types.Object  `tfsdk:"identity_provider_auth0"`
-	IdentityProviderAzure                             types.Object  `tfsdk:"identity_provider_azure"`
-	IdentityProviderCognito                           types.Object  `tfsdk:"identity_provider_cognito"`
-	IdentityProviderGitHub                            types.Object  `tfsdk:"identity_provider_github"`
-	IdentityProviderGitLab                            types.Object  `tfsdk:"identity_provider_gitlab"`
-	IdentityProviderGoogle                            types.Object  `tfsdk:"identity_provider_google"`
-	IdentityProviderOkta                              types.Object  `tfsdk:"identity_provider_okta"`
-	IdentityProviderOneLogin                          types.Object  `tfsdk:"identity_provider_onelogin"`
-	IdentityProviderPing                              types.Object  `tfsdk:"identity_provider_ping"`
-	IdentityProviderRefreshInterval                   types.String  `tfsdk:"identity_provider_refresh_interval"`
-	IdentityProviderRefreshTimeout                    types.String  `tfsdk:"identity_provider_refresh_timeout"`
-	IdpClientID                                       types.String  `tfsdk:"idp_client_id"`
-	IdpClientSecret                                   types.String  `tfsdk:"idp_client_secret"`
-	IdpProvider                                       types.String  `tfsdk:"idp_provider"`
-	IdpProviderURL                                    types.String  `tfsdk:"idp_provider_url"`
-	IdpRefreshDirectoryInterval                       types.String  `tfsdk:"idp_refresh_directory_interval"`
-	IdpRefreshDirectoryTimeout                        types.String  `tfsdk:"idp_refresh_directory_timeout"`
-	IdpServiceAccount                                 types.String  `tfsdk:"idp_service_account"`
-	InsecureServer                                    types.Bool    `tfsdk:"insecure_server"`
-	InstallationID                                    types.String  `tfsdk:"installation_id"`
-	JWTClaimsHeaders                                  types.Map     `tfsdk:"jwt_claims_headers"`
-	LogLevel                                          types.String  `tfsdk:"log_level"`
-	LogoURL                                           types.String  `tfsdk:"logo_url"`
-	MetricsAddress                                    types.String  `tfsdk:"metrics_address"`
-	PassIdentityHeaders                               types.Bool    `tfsdk:"pass_identity_headers"`
-	PrimaryColor                                      types.String  `tfsdk:"primary_color"`
-	ProxyLogLevel                                     types.String  `tfsdk:"proxy_log_level"`
-	RequestParams                                     types.Map     `tfsdk:"request_params"`
-	Scopes                                            types.List    `tfsdk:"scopes"`
-	SecondaryColor                                    types.String  `tfsdk:"secondary_color"`
-	SetResponseHeaders                                types.Map     `tfsdk:"set_response_headers"`
-	SkipXFFAppend                                     types.Bool    `tfsdk:"skip_xff_append"`
-	TimeoutIdle                                       types.String  `tfsdk:"timeout_idle"`
-	TimeoutRead                                       types.String  `tfsdk:"timeout_read"`
-	TimeoutWrite                                      types.String  `tfsdk:"timeout_write"`
-	TracingDatadogAddress                             types.String  `tfsdk:"tracing_datadog_address"`
-	TracingJaegerAgentEndpoint                        types.String  `tfsdk:"tracing_jaeger_agent_endpoint"`
-	TracingJaegerCollectorEndpoint                    types.String  `tfsdk:"tracing_jaeger_collector_endpoint"`
-	TracingProvider                                   types.String  `tfsdk:"tracing_provider"`
-	TracingSampleRate                                 types.Float64 `tfsdk:"tracing_sample_rate"`
-	TracingZipkinEndpoint                             types.String  `tfsdk:"tracing_zipkin_endpoint"`
+	AccessLogFields                                   types.List           `tfsdk:"access_log_fields"`
+	Address                                           types.String         `tfsdk:"address"`
+	AuthenticateCallbackPath                          types.String         `tfsdk:"authenticate_callback_path"`
+	AuthenticateServiceURL                            types.String         `tfsdk:"authenticate_service_url"`
+	AuthorizeLogFields                                types.List           `tfsdk:"authorize_log_fields"`
+	AuthorizeServiceURL                               types.String         `tfsdk:"authorize_service_url"`
+	Autocert                                          types.Bool           `tfsdk:"autocert"`
+	AutocertDir                                       types.String         `tfsdk:"autocert_dir"`
+	AutocertMustStaple                                types.Bool           `tfsdk:"autocert_must_staple"`
+	AutocertUseStaging                                types.Bool           `tfsdk:"autocert_use_staging"`
+	CacheServiceURL                                   types.String         `tfsdk:"cache_service_url"`
+	CertificateAuthority                              types.String         `tfsdk:"certificate_authority"`
+	CertificateAuthorityFile                          types.String         `tfsdk:"certificate_authority_file"`
+	CertificateAuthorityKeyPairID                     types.String         `tfsdk:"certificate_authority_key_pair_id"`
+	ClientCA                                          types.String         `tfsdk:"client_ca"`
+	ClientCAFile                                      types.String         `tfsdk:"client_ca_file"`
+	ClientCAKeyPairID                                 types.String         `tfsdk:"client_ca_key_pair_id"`
+	CookieDomain                                      types.String         `tfsdk:"cookie_domain"`
+	CookieExpire                                      timetypes.GoDuration `tfsdk:"cookie_expire"`
+	CookieHTTPOnly                                    types.Bool           `tfsdk:"cookie_http_only"`
+	CookieName                                        types.String         `tfsdk:"cookie_name"`
+	CookieSameSite                                    types.String         `tfsdk:"cookie_same_site"`
+	CookieSecret                                      types.String         `tfsdk:"cookie_secret"`
+	CookieSecure                                      types.Bool           `tfsdk:"cookie_secure"`
+	DarkmodePrimaryColor                              types.String         `tfsdk:"darkmode_primary_color"`
+	DarkmodeSecondaryColor                            types.String         `tfsdk:"darkmode_secondary_color"`
+	DatabrokerServiceURL                              types.String         `tfsdk:"databroker_service_url"`
+	DefaultUpstreamTimeout                            timetypes.GoDuration `tfsdk:"default_upstream_timeout"`
+	DNSLookupFamily                                   types.String         `tfsdk:"dns_lookup_family"`
+	ErrorMessageFirstParagraph                        types.String         `tfsdk:"error_message_first_paragraph"`
+	FaviconURL                                        types.String         `tfsdk:"favicon_url"`
+	GoogleCloudServerlessAuthenticationServiceAccount types.String         `tfsdk:"google_cloud_serverless_authentication_service_account"`
+	GRPCAddress                                       types.String         `tfsdk:"grpc_address"`
+	GRPCInsecure                                      types.Bool           `tfsdk:"grpc_insecure"`
+	HTTPRedirectAddr                                  types.String         `tfsdk:"http_redirect_addr"`
+	IdentityProviderAuth0                             types.Object         `tfsdk:"identity_provider_auth0"`
+	IdentityProviderAzure                             types.Object         `tfsdk:"identity_provider_azure"`
+	IdentityProviderCognito                           types.Object         `tfsdk:"identity_provider_cognito"`
+	IdentityProviderGitHub                            types.Object         `tfsdk:"identity_provider_github"`
+	IdentityProviderGitLab                            types.Object         `tfsdk:"identity_provider_gitlab"`
+	IdentityProviderGoogle                            types.Object         `tfsdk:"identity_provider_google"`
+	IdentityProviderOkta                              types.Object         `tfsdk:"identity_provider_okta"`
+	IdentityProviderOneLogin                          types.Object         `tfsdk:"identity_provider_onelogin"`
+	IdentityProviderPing                              types.Object         `tfsdk:"identity_provider_ping"`
+	IdentityProviderRefreshInterval                   timetypes.GoDuration `tfsdk:"identity_provider_refresh_interval"`
+	IdentityProviderRefreshTimeout                    timetypes.GoDuration `tfsdk:"identity_provider_refresh_timeout"`
+	IdpClientID                                       types.String         `tfsdk:"idp_client_id"`
+	IdpClientSecret                                   types.String         `tfsdk:"idp_client_secret"`
+	IdpProvider                                       types.String         `tfsdk:"idp_provider"`
+	IdpProviderURL                                    types.String         `tfsdk:"idp_provider_url"`
+	IdpRefreshDirectoryInterval                       timetypes.GoDuration `tfsdk:"idp_refresh_directory_interval"`
+	IdpRefreshDirectoryTimeout                        timetypes.GoDuration `tfsdk:"idp_refresh_directory_timeout"`
+	IdpServiceAccount                                 types.String         `tfsdk:"idp_service_account"`
+	InsecureServer                                    types.Bool           `tfsdk:"insecure_server"`
+	InstallationID                                    types.String         `tfsdk:"installation_id"`
+	JWTClaimsHeaders                                  types.Map            `tfsdk:"jwt_claims_headers"`
+	LogLevel                                          types.String         `tfsdk:"log_level"`
+	LogoURL                                           types.String         `tfsdk:"logo_url"`
+	MetricsAddress                                    types.String         `tfsdk:"metrics_address"`
+	PassIdentityHeaders                               types.Bool           `tfsdk:"pass_identity_headers"`
+	PrimaryColor                                      types.String         `tfsdk:"primary_color"`
+	ProxyLogLevel                                     types.String         `tfsdk:"proxy_log_level"`
+	RequestParams                                     types.Map            `tfsdk:"request_params"`
+	Scopes                                            types.List           `tfsdk:"scopes"`
+	SecondaryColor                                    types.String         `tfsdk:"secondary_color"`
+	SetResponseHeaders                                types.Map            `tfsdk:"set_response_headers"`
+	SkipXFFAppend                                     types.Bool           `tfsdk:"skip_xff_append"`
+	TimeoutIdle                                       timetypes.GoDuration `tfsdk:"timeout_idle"`
+	TimeoutRead                                       timetypes.GoDuration `tfsdk:"timeout_read"`
+	TimeoutWrite                                      timetypes.GoDuration `tfsdk:"timeout_write"`
+	TracingDatadogAddress                             types.String         `tfsdk:"tracing_datadog_address"`
+	TracingJaegerAgentEndpoint                        types.String         `tfsdk:"tracing_jaeger_agent_endpoint"`
+	TracingJaegerCollectorEndpoint                    types.String         `tfsdk:"tracing_jaeger_collector_endpoint"`
+	TracingProvider                                   types.String         `tfsdk:"tracing_provider"`
+	TracingSampleRate                                 types.Float64        `tfsdk:"tracing_sample_rate"`
+	TracingZipkinEndpoint                             types.String         `tfsdk:"tracing_zipkin_endpoint"`
 }
 
 func ConvertSettingsToPB(
diff --git a/internal/provider/settings_schema.go b/internal/provider/settings_schema.go
index 61a9af1..1da6e13 100644
--- a/internal/provider/settings_schema.go
+++ b/internal/provider/settings_schema.go
@@ -3,6 +3,7 @@ package provider
 import (
 	_ "embed"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework-validators/objectvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
@@ -71,14 +72,17 @@ var SettingsResourceSchema = schema.Schema{
 		"timeout_read": schema.StringAttribute{
 			Optional:    true,
 			Description: "Timeout read",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"timeout_write": schema.StringAttribute{
 			Optional:    true,
 			Description: "Timeout write",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"timeout_idle": schema.StringAttribute{
 			Optional:    true,
 			Description: "Timeout idle",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"authenticate_service_url": schema.StringAttribute{
 			Optional:    true,
@@ -116,6 +120,7 @@ var SettingsResourceSchema = schema.Schema{
 		"cookie_expire": schema.StringAttribute{
 			Optional:    true,
 			Description: "Cookie expire",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"idp_client_id": schema.StringAttribute{
 			Optional:    true,
@@ -147,10 +152,12 @@ var SettingsResourceSchema = schema.Schema{
 		"idp_refresh_directory_timeout": schema.StringAttribute{
 			Optional:    true,
 			Description: "IDP refresh directory timeout",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"idp_refresh_directory_interval": schema.StringAttribute{
 			Optional:    true,
 			Description: "IDP refresh directory interval",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"request_params": schema.MapAttribute{
 			ElementType: types.StringType,
@@ -186,6 +193,7 @@ var SettingsResourceSchema = schema.Schema{
 		"default_upstream_timeout": schema.StringAttribute{
 			Optional:    true,
 			Description: "Default upstream timeout",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"metrics_address": schema.StringAttribute{
 			Optional:    true,
@@ -443,10 +451,12 @@ var SettingsResourceSchema = schema.Schema{
 		"identity_provider_refresh_interval": schema.StringAttribute{
 			Optional:    true,
 			Description: "Identity provider refresh interval",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"identity_provider_refresh_timeout": schema.StringAttribute{
 			Optional:    true,
 			Description: "Identity provider refresh timeout",
+			CustomType:  timetypes.GoDurationType{},
 		},
 		"access_log_fields": schema.ListAttribute{
 			Optional:    true,

From 5941ec203ada6fd30b775867ea3600eedfe40ba9 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 8 Jan 2025 18:07:37 -0500
Subject: [PATCH 2/6] fix tests

---
 internal/provider/convert_test.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/internal/provider/convert_test.go b/internal/provider/convert_test.go
index 65fe506..54ffb2f 100644
--- a/internal/provider/convert_test.go
+++ b/internal/provider/convert_test.go
@@ -6,6 +6,7 @@ import (
 	"time"
 
 	"github.com/google/go-cmp/cmp"
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
 	"github.com/hashicorp/terraform-plugin-framework/types"
@@ -58,22 +59,22 @@ func TestFromDurationP(t *testing.T) {
 	tests := []struct {
 		name     string
 		input    *durationpb.Duration
-		expected types.String
+		expected timetypes.GoDuration
 	}{
 		{
 			name:     "nil duration",
 			input:    nil,
-			expected: types.StringNull(),
+			expected: timetypes.NewGoDurationNull(),
 		},
 		{
 			name:     "zero duration",
 			input:    durationpb.New(0),
-			expected: types.StringValue("0s"),
+			expected: timetypes.NewGoDurationValueFromStringMust("0s"),
 		},
 		{
 			name:     "normal duration",
 			input:    durationpb.New(time.Hour + time.Minute),
-			expected: types.StringValue("1h1m0s"),
+			expected: timetypes.NewGoDurationValueFromStringMust("1h1m0s"),
 		},
 	}
 

From 3d0704861c1b3be9a7e1d5f01a4a3c33d21ccd89 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 8 Jan 2025 18:29:43 -0500
Subject: [PATCH 3/6] fix lint

---
 internal/provider/convert.go        |  2 +-
 internal/provider/route_model.go    |  4 ++--
 internal/provider/settings_model.go | 18 +++++++++---------
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/internal/provider/convert.go b/internal/provider/convert.go
index f55fd27..e8a95f6 100644
--- a/internal/provider/convert.go
+++ b/internal/provider/convert.go
@@ -90,7 +90,7 @@ func ToStringSlice(ctx context.Context, dst *[]string, list types.List, diagnost
 }
 
 // ToDuration converts a types.String containing a duration to a durationpb.Duration and handles diagnostics internally
-func ToDuration(dst **durationpb.Duration, src timetypes.GoDuration, field string, diagnostics *diag.Diagnostics) {
+func ToDuration(dst **durationpb.Duration, src timetypes.GoDuration, diagnostics *diag.Diagnostics) {
 	if src.IsNull() {
 		*dst = nil
 		return
diff --git a/internal/provider/route_model.go b/internal/provider/route_model.go
index e8e64f1..3b447f3 100644
--- a/internal/provider/route_model.go
+++ b/internal/provider/route_model.go
@@ -72,8 +72,8 @@ func ConvertRouteToPB(
 	pbRoute.HostPathRegexRewritePattern = src.HostPathRegexRewritePattern.ValueStringPointer()
 	pbRoute.HostPathRegexRewriteSubstitution = src.HostPathRegexRewriteSubstitution.ValueStringPointer()
 	pbRoute.RegexPriorityOrder = src.RegexPriorityOrder.ValueInt64Pointer()
-	ToDuration(&pbRoute.Timeout, src.Timeout, "timeout", &diagnostics)
-	ToDuration(&pbRoute.IdleTimeout, src.IdleTimeout, "idle_timeout", &diagnostics)
+	ToDuration(&pbRoute.Timeout, src.Timeout, &diagnostics)
+	ToDuration(&pbRoute.IdleTimeout, src.IdleTimeout, &diagnostics)
 	pbRoute.AllowWebsockets = src.AllowWebsockets.ValueBoolPointer()
 	pbRoute.AllowSpdy = src.AllowSPDY.ValueBoolPointer()
 	pbRoute.TlsSkipVerify = src.TLSSkipVerify.ValueBoolPointer()
diff --git a/internal/provider/settings_model.go b/internal/provider/settings_model.go
index ae10a46..54dece7 100644
--- a/internal/provider/settings_model.go
+++ b/internal/provider/settings_model.go
@@ -113,7 +113,7 @@ func ConvertSettingsToPB(
 	pbSettings.ClientCaFile = src.ClientCAFile.ValueStringPointer()
 	pbSettings.ClientCaKeyPairId = src.ClientCAKeyPairID.ValueStringPointer()
 	pbSettings.CookieDomain = src.CookieDomain.ValueStringPointer()
-	ToDuration(&pbSettings.CookieExpire, src.CookieExpire, "cookie_expire", &diagnostics)
+	ToDuration(&pbSettings.CookieExpire, src.CookieExpire, &diagnostics)
 	pbSettings.CookieHttpOnly = src.CookieHTTPOnly.ValueBoolPointer()
 	pbSettings.CookieName = src.CookieName.ValueStringPointer()
 	pbSettings.CookieSameSite = src.CookieSameSite.ValueStringPointer()
@@ -122,7 +122,7 @@ func ConvertSettingsToPB(
 	pbSettings.DarkmodePrimaryColor = src.DarkmodePrimaryColor.ValueStringPointer()
 	pbSettings.DarkmodeSecondaryColor = src.DarkmodeSecondaryColor.ValueStringPointer()
 	pbSettings.DatabrokerServiceUrl = src.DatabrokerServiceURL.ValueStringPointer()
-	ToDuration(&pbSettings.DefaultUpstreamTimeout, src.DefaultUpstreamTimeout, "default_upstream_timeout", &diagnostics)
+	ToDuration(&pbSettings.DefaultUpstreamTimeout, src.DefaultUpstreamTimeout, &diagnostics)
 	pbSettings.DnsLookupFamily = src.DNSLookupFamily.ValueStringPointer()
 	pbSettings.ErrorMessageFirstParagraph = src.ErrorMessageFirstParagraph.ValueStringPointer()
 	pbSettings.FaviconUrl = src.FaviconURL.ValueStringPointer()
@@ -131,14 +131,14 @@ func ConvertSettingsToPB(
 	pbSettings.GrpcInsecure = src.GRPCInsecure.ValueBoolPointer()
 	pbSettings.HttpRedirectAddr = src.HTTPRedirectAddr.ValueStringPointer()
 	IdentityProviderSettingsToPB(ctx, pbSettings, src, &diagnostics)
-	ToDuration(&pbSettings.IdentityProviderRefreshInterval, src.IdentityProviderRefreshInterval, "identity_provider_refresh_interval", &diagnostics)
-	ToDuration(&pbSettings.IdentityProviderRefreshTimeout, src.IdentityProviderRefreshTimeout, "identity_provider_refresh_timeout", &diagnostics)
+	ToDuration(&pbSettings.IdentityProviderRefreshInterval, src.IdentityProviderRefreshInterval, &diagnostics)
+	ToDuration(&pbSettings.IdentityProviderRefreshTimeout, src.IdentityProviderRefreshTimeout, &diagnostics)
 	pbSettings.IdpClientId = src.IdpClientID.ValueStringPointer()
 	pbSettings.IdpClientSecret = src.IdpClientSecret.ValueStringPointer()
 	pbSettings.IdpProvider = src.IdpProvider.ValueStringPointer()
 	pbSettings.IdpProviderUrl = src.IdpProviderURL.ValueStringPointer()
-	ToDuration(&pbSettings.IdpRefreshDirectoryInterval, src.IdpRefreshDirectoryInterval, "idp_refresh_directory_interval", &diagnostics)
-	ToDuration(&pbSettings.IdpRefreshDirectoryTimeout, src.IdpRefreshDirectoryTimeout, "idp_refresh_directory_timeout", &diagnostics)
+	ToDuration(&pbSettings.IdpRefreshDirectoryInterval, src.IdpRefreshDirectoryInterval, &diagnostics)
+	ToDuration(&pbSettings.IdpRefreshDirectoryTimeout, src.IdpRefreshDirectoryTimeout, &diagnostics)
 	pbSettings.IdpServiceAccount = src.IdpServiceAccount.ValueStringPointer()
 	pbSettings.InsecureServer = src.InsecureServer.ValueBoolPointer()
 	pbSettings.InstallationId = src.InstallationID.ValueStringPointer()
@@ -154,9 +154,9 @@ func ConvertSettingsToPB(
 	pbSettings.SecondaryColor = src.SecondaryColor.ValueStringPointer()
 	ToStringMap(ctx, &pbSettings.SetResponseHeaders, src.SetResponseHeaders, &diagnostics)
 	pbSettings.SkipXffAppend = src.SkipXFFAppend.ValueBoolPointer()
-	ToDuration(&pbSettings.TimeoutIdle, src.TimeoutIdle, "timeout_idle", &diagnostics)
-	ToDuration(&pbSettings.TimeoutRead, src.TimeoutRead, "timeout_read", &diagnostics)
-	ToDuration(&pbSettings.TimeoutWrite, src.TimeoutWrite, "timeout_write", &diagnostics)
+	ToDuration(&pbSettings.TimeoutIdle, src.TimeoutIdle, &diagnostics)
+	ToDuration(&pbSettings.TimeoutRead, src.TimeoutRead, &diagnostics)
+	ToDuration(&pbSettings.TimeoutWrite, src.TimeoutWrite, &diagnostics)
 	pbSettings.TracingDatadogAddress = src.TracingDatadogAddress.ValueStringPointer()
 	pbSettings.TracingJaegerAgentEndpoint = src.TracingJaegerAgentEndpoint.ValueStringPointer()
 	pbSettings.TracingJaegerCollectorEndpoint = src.TracingJaegerCollectorEndpoint.ValueStringPointer()

From 64823f3513ce82e9fe09963edc99a2a8dbd50600 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 8 Jan 2025 19:43:30 -0500
Subject: [PATCH 4/6] add test for unknown duration

---
 internal/provider/convert.go      |  3 +-
 internal/provider/convert_test.go | 50 +++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/internal/provider/convert.go b/internal/provider/convert.go
index e8a95f6..8ad80bf 100644
--- a/internal/provider/convert.go
+++ b/internal/provider/convert.go
@@ -50,7 +50,6 @@ func FromStringMap(m map[string]string) types.Map {
 
 // ToStringList converts a types.List to Settings_StringList and handles diagnostics internally
 func ToStringList(ctx context.Context, dst **pb.Settings_StringList, list types.List, diagnostics *diag.Diagnostics) {
-	// Handle null list case first
 	if list.IsNull() {
 		*dst = nil
 		return
@@ -91,7 +90,7 @@ func ToStringSlice(ctx context.Context, dst *[]string, list types.List, diagnost
 
 // ToDuration converts a types.String containing a duration to a durationpb.Duration and handles diagnostics internally
 func ToDuration(dst **durationpb.Duration, src timetypes.GoDuration, diagnostics *diag.Diagnostics) {
-	if src.IsNull() {
+	if src.IsNull() || src.IsUnknown() {
 		*dst = nil
 		return
 	}
diff --git a/internal/provider/convert_test.go b/internal/provider/convert_test.go
index 54ffb2f..713027f 100644
--- a/internal/provider/convert_test.go
+++ b/internal/provider/convert_test.go
@@ -86,6 +86,56 @@ func TestFromDurationP(t *testing.T) {
 	}
 }
 
+func TestToDuration(t *testing.T) {
+	tests := []struct {
+		name        string
+		input       timetypes.GoDuration
+		expected    *durationpb.Duration
+		expectError bool
+	}{
+		{
+			name:     "null duration",
+			input:    timetypes.NewGoDurationNull(),
+			expected: nil,
+		},
+		{
+			name:     "unknown duration",
+			input:    timetypes.NewGoDurationUnknown(),
+			expected: nil,
+		},
+		{
+			name:     "zero duration",
+			input:    timetypes.NewGoDurationValueFromStringMust("0s"),
+			expected: durationpb.New(0),
+		},
+		{
+			name:     "normal duration",
+			input:    timetypes.NewGoDurationValueFromStringMust("1h1m0s"),
+			expected: durationpb.New(time.Hour + time.Minute),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			var result *durationpb.Duration
+			diagnostics := diag.Diagnostics{}
+			provider.ToDuration(&result, tt.input, &diagnostics)
+
+			if tt.expectError {
+				assert.True(t, diagnostics.HasError())
+				return
+			}
+
+			assert.False(t, diagnostics.HasError())
+			if tt.expected == nil {
+				assert.Nil(t, result)
+			} else {
+				assert.Equal(t, tt.expected.AsDuration(), result.AsDuration())
+			}
+		})
+	}
+}
+
 func TestToStringList(t *testing.T) {
 	ctx := context.Background()
 	tests := []struct {

From 7ecb622b0440d0119ada2b8a961c96425778bbe8 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Wed, 8 Jan 2025 19:44:51 -0500
Subject: [PATCH 5/6] add missing route fields to data source

---
 example/main.tf                        | 100 ++++++++++++++++++--
 internal/provider/route.go             |  18 +++-
 internal/provider/route_data_source.go | 122 +++++++++++++++++++++++++
 internal/provider/route_model.go       |   7 +-
 4 files changed, 232 insertions(+), 15 deletions(-)

diff --git a/example/main.tf b/example/main.tf
index 736a39d..0a08fde 100644
--- a/example/main.tf
+++ b/example/main.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     pomerium = {
       source  = "pomerium/pomerium"
-      version = "0.0.1"
+      version = "0.0.2"
     }
   }
 }
@@ -68,6 +68,92 @@ resource "pomerium_key_pair" "test_key_pair" {
   key          = file("test.host-key.pem")
 }
 
+# Example route with prefix matching
+resource "pomerium_route" "prefix_route" {
+  name           = "prefix-route"
+  namespace_id   = pomerium_namespace.test_namespace.id
+  from           = "https://prefix.localhost.pomerium.io"
+  to             = ["https://target-service.internal"]
+  prefix         = "/api/"
+  prefix_rewrite = "/v1/"
+  policies       = [pomerium_policy.test_policy.id]
+
+  timeout      = "30s"
+  idle_timeout = "5m"
+
+  set_request_headers = {
+    "X-Custom-Header" = "custom-value"
+  }
+  remove_request_headers = ["Referer"]
+  set_response_headers = {
+    "Strict-Transport-Security" = "max-age=31536000"
+  }
+
+  allow_websockets      = true
+  preserve_host_header  = true
+  pass_identity_headers = true
+}
+
+# Example route with path matching
+resource "pomerium_route" "path_route" {
+  name         = "path-route"
+  namespace_id = pomerium_namespace.test_namespace.id
+  from         = "https://path.localhost.pomerium.io"
+  to           = ["https://path-service.internal"]
+  path         = "/exact/path/match"
+
+  tls_skip_verify            = true
+  tls_upstream_server_name   = "internal-name"
+  tls_downstream_server_name = "external-name"
+}
+
+# Example route with regex matching and rewriting
+resource "pomerium_route" "regex_route" {
+  name                       = "regex-route"
+  namespace_id               = pomerium_namespace.test_namespace.id
+  from                       = "https://regex.localhost.pomerium.io"
+  to                         = ["https://regex-service.internal"]
+  regex                      = "^/users/([0-9]+)/profile$"
+  regex_rewrite_pattern      = "^/users/([0-9]+)/profile$"
+  regex_rewrite_substitution = "/api/v1/profiles/$1"
+  regex_priority_order       = 100
+}
+
+# Example route with host rewriting
+resource "pomerium_route" "host_route" {
+  name                                 = "host-route"
+  namespace_id                         = pomerium_namespace.test_namespace.id
+  from                                 = "https://host.localhost.pomerium.io"
+  to                                   = ["https://host-service.internal"]
+  host_rewrite                         = "internal-host"
+  host_path_regex_rewrite_pattern      = "^/service/([^/]+)(/.*)$"
+  host_path_regex_rewrite_substitution = "$1.internal$2"
+}
+
+# Example route with OAuth/OIDC configuration
+resource "pomerium_route" "oauth_route" {
+  name         = "oauth-route"
+  namespace_id = pomerium_namespace.test_namespace.id
+  from         = "https://oauth.localhost.pomerium.io"
+  to           = ["https://protected-service.internal"]
+
+  idp_client_id      = "custom-client-id"
+  idp_client_secret  = "custom-client-secret"
+  show_error_details = true
+}
+
+# Example route with Kubernetes integration
+resource "pomerium_route" "kubernetes_route" {
+  name         = "kubernetes-route"
+  namespace_id = pomerium_namespace.test_namespace.id
+  from         = "https://k8s.localhost.pomerium.io"
+  to           = ["https://kubernetes-service.internal"]
+
+  kubernetes_service_account_token = "eyJhbGciOiJS..."
+  allow_spdy                       = true
+  tls_upstream_allow_renegotiation = true
+}
+
 # Data source examples
 data "pomerium_namespaces" "all_namespaces" {}
 
@@ -75,18 +161,18 @@ data "pomerium_namespace" "existing_namespace" {
   id = pomerium_namespace.test_namespace.id
 }
 
-# data "pomerium_route" "existing_route" {
-#   id = pomerium_route.test_route.id
-# }
+data "pomerium_route" "existing_route" {
+  id = pomerium_route.test_route.id
+}
 
 # Output examples
 output "namespace_name" {
   value = data.pomerium_namespace.existing_namespace.name
 }
 
-# output "route_from" {
-#   value = data.pomerium_route.existing_route.from
-# }
+output "route_from" {
+  value = data.pomerium_route.existing_route.from
+}
 
 output "all_namespaces" {
   value = data.pomerium_namespaces.all_namespaces.namespaces
diff --git a/internal/provider/route.go b/internal/provider/route.go
index bfe4a3d..b22f0e5 100644
--- a/internal/provider/route.go
+++ b/internal/provider/route.go
@@ -74,6 +74,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 			"stat_name": schema.StringAttribute{
 				Description: "Name of the stat.",
 				Optional:    true,
+				Computed:    true,
 			},
 			"prefix": schema.StringAttribute{
 				Description: "Prefix.",
@@ -123,11 +124,13 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Description: "Timeout.",
 				Optional:    true,
 				CustomType:  timetypes.GoDurationType{},
+				Computed:    true,
 			},
 			"idle_timeout": schema.StringAttribute{
 				Description: "Idle timeout.",
 				Optional:    true,
 				CustomType:  timetypes.GoDurationType{},
+				Computed:    true,
 			},
 			"allow_websockets": schema.BoolAttribute{
 				Description: "Allow websockets.",
@@ -191,6 +194,7 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 			"show_error_details": schema.BoolAttribute{
 				Description: "Show error details.",
 				Optional:    true,
+				Computed:    true,
 			},
 		},
 	}
@@ -237,7 +241,11 @@ func (r *RouteResource) Create(ctx context.Context, req resource.CreateRequest,
 		return
 	}
 
-	plan.ID = types.StringValue(respRoute.Route.Id)
+	diags = ConvertRouteFromPB(&plan, respRoute.Route)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
 
 	tflog.Trace(ctx, "Created a route", map[string]interface{}{
 		"id":   plan.ID.ValueString(),
@@ -286,7 +294,7 @@ func (r *RouteResource) Update(ctx context.Context, req resource.UpdateRequest,
 		return
 	}
 
-	_, err := r.client.RouteService.SetRoute(ctx, &pb.SetRouteRequest{
+	respRoute, err := r.client.RouteService.SetRoute(ctx, &pb.SetRouteRequest{
 		Route: pbRoute,
 	})
 	if err != nil {
@@ -294,6 +302,12 @@ func (r *RouteResource) Update(ctx context.Context, req resource.UpdateRequest,
 		return
 	}
 
+	diags = ConvertRouteFromPB(&plan, respRoute.Route)
+	resp.Diagnostics.Append(diags...)
+	if diags.HasError() {
+		return
+	}
+
 	resp.Diagnostics.Append(resp.State.Set(ctx, &plan)...)
 }
 
diff --git a/internal/provider/route_data_source.go b/internal/provider/route_data_source.go
index 8cf8db9..a7c90fe 100644
--- a/internal/provider/route_data_source.go
+++ b/internal/provider/route_data_source.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"
 
+	"github.com/hashicorp/terraform-plugin-framework-timetypes/timetypes"
 	"github.com/hashicorp/terraform-plugin-framework/datasource"
 	"github.com/hashicorp/terraform-plugin-framework/datasource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/types"
@@ -57,6 +58,127 @@ func (d *RouteDataSource) Schema(_ context.Context, _ datasource.SchemaRequest,
 				ElementType: types.StringType,
 				Description: "List of policy IDs associated with the route.",
 			},
+			"stat_name": schema.StringAttribute{
+				Computed:    true,
+				Description: "Name of the stat.",
+			},
+			"prefix": schema.StringAttribute{
+				Computed:    true,
+				Description: "Prefix.",
+			},
+			"path": schema.StringAttribute{
+				Computed:    true,
+				Description: "Path.",
+			},
+			"regex": schema.StringAttribute{
+				Computed:    true,
+				Description: "Regex.",
+			},
+			"prefix_rewrite": schema.StringAttribute{
+				Computed:    true,
+				Description: "Prefix rewrite.",
+			},
+			"regex_rewrite_pattern": schema.StringAttribute{
+				Computed:    true,
+				Description: "Regex rewrite pattern.",
+			},
+			"regex_rewrite_substitution": schema.StringAttribute{
+				Computed:    true,
+				Description: "Regex rewrite substitution.",
+			},
+			"host_rewrite": schema.StringAttribute{
+				Computed:    true,
+				Description: "Host rewrite.",
+			},
+			"host_rewrite_header": schema.StringAttribute{
+				Computed:    true,
+				Description: "Host rewrite header.",
+			},
+			"host_path_regex_rewrite_pattern": schema.StringAttribute{
+				Computed:    true,
+				Description: "Host path regex rewrite pattern.",
+			},
+			"host_path_regex_rewrite_substitution": schema.StringAttribute{
+				Computed:    true,
+				Description: "Host path regex rewrite substitution.",
+			},
+			"regex_priority_order": schema.Int64Attribute{
+				Computed:    true,
+				Description: "Regex priority order.",
+			},
+			"timeout": schema.StringAttribute{
+				Computed:    true,
+				Description: "Timeout.",
+				CustomType:  timetypes.GoDurationType{},
+			},
+			"idle_timeout": schema.StringAttribute{
+				Computed:    true,
+				Description: "Idle timeout.",
+				CustomType:  timetypes.GoDurationType{},
+			},
+			"allow_websockets": schema.BoolAttribute{
+				Computed:    true,
+				Description: "Allow websockets.",
+			},
+			"allow_spdy": schema.BoolAttribute{
+				Computed:    true,
+				Description: "Allow SPDY.",
+			},
+			"tls_skip_verify": schema.BoolAttribute{
+				Computed:    true,
+				Description: "TLS skip verify.",
+			},
+			"tls_upstream_server_name": schema.StringAttribute{
+				Computed:    true,
+				Description: "TLS upstream server name.",
+			},
+			"tls_downstream_server_name": schema.StringAttribute{
+				Computed:    true,
+				Description: "TLS downstream server name.",
+			},
+			"tls_upstream_allow_renegotiation": schema.BoolAttribute{
+				Computed:    true,
+				Description: "TLS upstream allow renegotiation.",
+			},
+			"set_request_headers": schema.MapAttribute{
+				Computed:    true,
+				ElementType: types.StringType,
+				Description: "Set request headers.",
+			},
+			"remove_request_headers": schema.ListAttribute{
+				Computed:    true,
+				ElementType: types.StringType,
+				Description: "Remove request headers.",
+			},
+			"set_response_headers": schema.MapAttribute{
+				Computed:    true,
+				ElementType: types.StringType,
+				Description: "Set response headers.",
+			},
+			"preserve_host_header": schema.BoolAttribute{
+				Computed:    true,
+				Description: "Preserve host header.",
+			},
+			"pass_identity_headers": schema.BoolAttribute{
+				Computed:    true,
+				Description: "Pass identity headers.",
+			},
+			"kubernetes_service_account_token": schema.StringAttribute{
+				Computed:    true,
+				Description: "Kubernetes service account token.",
+			},
+			"idp_client_id": schema.StringAttribute{
+				Computed:    true,
+				Description: "IDP client ID.",
+			},
+			"idp_client_secret": schema.StringAttribute{
+				Computed:    true,
+				Description: "IDP client secret.",
+			},
+			"show_error_details": schema.BoolAttribute{
+				Computed:    true,
+				Description: "Show error details.",
+			},
 		},
 	}
 }
diff --git a/internal/provider/route_model.go b/internal/provider/route_model.go
index 3b447f3..ad747e6 100644
--- a/internal/provider/route_model.go
+++ b/internal/provider/route_model.go
@@ -117,12 +117,7 @@ func ConvertRouteFromPB(
 	}
 	dst.To = types.ListValueMust(types.StringType, toList)
 
-	policiesList := make([]attr.Value, len(src.PolicyIds))
-	for i, v := range src.PolicyIds {
-		policiesList[i] = types.StringValue(v)
-	}
-	dst.Policies = types.ListValueMust(types.StringType, policiesList)
-
+	dst.Policies = FromStringSlice(src.PolicyIds)
 	dst.StatName = types.StringValue(src.StatName)
 	dst.Prefix = types.StringPointerValue(src.Prefix)
 	dst.Path = types.StringPointerValue(src.Path)

From d83587cd5d845d01174d9f68c474c18ffdf48b61 Mon Sep 17 00:00:00 2001
From: Denis Mishin <dmishin@pomerium.com>
Date: Thu, 9 Jan 2025 16:22:30 -0500
Subject: [PATCH 6/6] fix merge

---
 internal/provider/route.go | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/internal/provider/route.go b/internal/provider/route.go
index f7b4fb7..b2a5298 100644
--- a/internal/provider/route.go
+++ b/internal/provider/route.go
@@ -126,19 +126,13 @@ func (r *RouteResource) Schema(_ context.Context, _ resource.SchemaRequest, resp
 				Description: "Timeout.",
 				Optional:    true,
 				CustomType:  timetypes.GoDurationType{},
-<<<<<<< HEAD
 				Computed:    true,
-=======
->>>>>>> main
 			},
 			"idle_timeout": schema.StringAttribute{
 				Description: "Idle timeout.",
 				Optional:    true,
 				CustomType:  timetypes.GoDurationType{},
-<<<<<<< HEAD
 				Computed:    true,
-=======
->>>>>>> main
 			},
 			"allow_websockets": schema.BoolAttribute{
 				Description: "Allow websockets.",