Security fixes from audit:
- Escape user-supplied strings (ext_relation_id, interface_name) with
url.PathEscape before interpolating into API URL paths, preventing
path traversal via crafted values like "../admin" or "foo/bar"
- Mark auth token URL attributes as Sensitive in both
virtfusion_user_auth_token and virtfusion_user_server_auth_token
resources, since the URL embeds the signed token
- Truncate raw API error response bodies to 500 bytes in error messages
to prevent leaking sensitive data from verbose Laravel error responses
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Complete rewrite of the VirtFusion Terraform provider with full API coverage:
- 20 managed resources (server, build, SSH key, user, firewall, IP blocks, etc.)
- 30 data sources (hypervisors, packages, servers, IP blocks, self-service, etc.)
- New HTTP client with proper error handling, query parameter support, and
automatic multipage pagination via GetAllPages (fetches all pages from
Laravel-style paginated endpoints and merges into a single response)
- Fixed type mismatches against live API: ServerData.Suspended (int→bool),
IPBlockData.Type (string→int), PackageData json tags (primaryStorage, etc.),
ServerData nested CPU/Settings/Resources structure, HypervisorGroupResources
array response
- Configurable results-per-page (default 300) on all list data sources
- Migrated CI from GitHub Actions to Gitea Actions
- Updated goreleaser config, go.mod dependencies, and examples
Verified against live VirtFusion instance at cp.vps.ezscale.tech:
all data sources return correct data with full pagination support.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
