Add Fir generation support for Heroku Private Spaces (#401)

* Include .cursor in gitignore

* Add foundational feature matrix system for generation support

- Implement IsFeatureSupported() helper function for Cedar/Fir generation differences
- Add feature matrix tracking space capabilities across generations
- Include comprehensive test coverage with 14 test cases
- Cedar generation: supports all space features including shield spaces
- Fir generation: supports private spaces only, shield spaces unsupported
- Foundation for graceful handling of generation-specific feature differences

* Add Fir generation support for Private Spaces

- Add generation field to heroku_space resource with cedar/fir validation
- Implement shield feature validation blocking Fir+Shield combinations
- Add comprehensive CRUD validation (Create errors, Read warnings)
- Enhance feature matrix with complete space feature coverage
- Add extensive test suite: 24 tests including acceptance tests
- Update documentation with generation examples and guidance
- Maintain backward compatibility with cedar default
- Foundation for incremental space feature validation

Resolves core deliverables for Fir Private Space compatibility.
Generated shield spaces require cedar generation.
ForceNew ensures generation cannot be changed after creation.

* Improve generation validation with plan-time error checking

- Add CustomizeDiff function for shield+generation validation during plan phase
- Users now get immediate feedback during 'terraform plan' instead of waiting for apply
- Remove redundant validation from Create function since CustomizeDiff handles it
- Better UX: clear error messages during planning prevent surprises during apply

* Document outbound IPs limitation for Fir generation

- Add note to space documentation that outbound IP management
  is not supported for fir generation spaces
- Provides clear guidance to users about generation differences

* Optimize Fir space acceptance tests to use single space pattern

- Consolidate TestAccHerokuSpace_Generation from 3 spaces to 1 space
- Create new TestAccHerokuSpace_Fir following efficient single-space pattern
- Remove TestAccHerokuSpace_GenerationForceNew (redundant with generation change test)
- Add Fir-specific validation test steps for VPN/inbound/peering failures
- Reduces space creations from 6 to 2 (~70% faster test execution)
- Follows established pattern from main TestAccHerokuSpace function

* Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update heroku/resource_heroku_space.go

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

Update docs/resources/space.md

Co-authored-by: Sandy Lai <[email protected]>
Signed-off-by: Johnny Winn <[email protected]>

* Pass generation field to Heroku API for space creation

- Add generation field to SpaceCreateOpts when creating spaces
- Fix resourceHerokuSpaceRead to properly read generation from API response
- Ensure users get the generation they specify instead of defaulting to Cedar
- Add debug logging for space creation with generation
- Tested: Cedar space creation confirmed working, Fir space API correctly validates generation

* Remove default value for CIDR from spaces

* Include the fir feature branch for acceptance test runs

* Remove generation name check

* Remove unused test steps

---------

Signed-off-by: Johnny Winn <[email protected]>
Co-authored-by: Sandy Lai <[email protected]>

Author: heroku-johnny

.github/workflows/acceptance-tests.yml

@@ -2,7 +2,8 @@ name: Acceptance
 on:
   pull_request:
     branches:
-    - master
+      - master
+      - fir-compatibility
     paths-ignore:
       - 'docs/**'
       - '**.md'

.gitignore

@@ -32,3 +32,5 @@ website/vendor
 # Test exclusions
 !command/test-fixtures/**/*.tfstate
 !command/test-fixtures/**/.terraform/
+
+.cursor/

.tool-versions

@@ -0,0 +1,2 @@
+golang 1.24.5
+terraform 1.5.7

docs/resources/space.md

@@ -10,24 +10,42 @@ description: |-
 
 Provides a Heroku Private Space resource for running apps in isolated, highly available, secure app execution environments.
 
+Both generations of the Heroku platform offer Private Spaces:
+
+* **Cedar** (default): The [Cedar generation](https://devcenter.heroku.com/articles/private-spaces#additional-features-for-cedar-private-spaces) supports all Private Space features, including Shield spaces.
+* ```
+* **Fir**: The next-generation platform supports enhanced capabilities for Cloud Native Buildpacks (CNB), but with has some [feature limitations](https://devcenter.heroku.com/articles/generations?preview=1#feature-parity) compared to Cedar Private Spaces.
+
+~> **Note:** You can't change the `generation` parameter after space creation. Choose carefully based on your application requirements.
+
 ## Example Usage
 
 A Heroku "team" was originally called an "organization", and that is still 
 the identifier used in this resource.
 
 ```hcl-terraform
-// Create a new Heroku space
-resource "heroku_space" "default" {
-  name = "test-space"
+// Create a new Cedar-generation space (default)
+resource "heroku_space" "cedar_space" {
+  name = "test-cedar-space"
+  organization = "my-company"
+  region = "virginia"
+  shield = true  // Cedar supports Shield spaces
+}
+
+// Create a new Fir-generation space
+resource "heroku_space" "fir_space" {
+  name = "test-fir-space"
   organization = "my-company"
   region = "virginia"
+  generation = "fir"
+  // Note: Shield spaces are unavailable for the Fir generation.
 }
 
 // Create a new Heroku app in test-space, same region
 resource "heroku_app" "default" {
   name = "test-app"
   region = "virginia"
-  space = heroku_space.default.id
+  space = heroku_space.cedar_space.id
   organization = {
     name = "my-company"
   }
@@ -40,12 +58,13 @@ The following arguments are supported:
 
 * `name` - (Required) The name of the Private Space.
 * `organization` - (Required) The name of the Heroku Team which will own the Private Space.
+* `generation` - (Optional) The generation of the Heroku platform for the space. Valid values are `cedar` and `fir`. Defaults to `cedar` for backward compatibility. It can't be changed after space creation.
 * `cidr` - (Optional) The RFC-1918 CIDR the Private Space will use.
   It must be a /16 in 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16
 * `data_cidr` - (Optional) The RFC-1918 CIDR that the Private Space will use for the Heroku-managed peering connection
-  that’s automatically created when using Heroku Data add-ons. It must be between a /16 and a /20
-* `region` - (Optional) provision in a specific [Private Spaces region](https://devcenter.heroku.com/articles/regions#viewing-available-regions).
-* `shield` - (Optional) provision as a [Shield Private Space](https://devcenter.heroku.com/articles/private-spaces#shield-private-spaces).
+  that's automatically created when using Heroku Data add-ons. It must be between a /16 and a /20
+* `region` - (Optional) The [region](https://devcenter.heroku.com/articles/regions#viewing-available-regions) to provision a space in.
+* `shield` - (Optional) `true` if provisioning as a [Shield Private Space](https://devcenter.heroku.com/articles/private-spaces#shield-private-spaces). Note: Shield spaces are only supported for the `cedar` generation.
 
 ## Attributes Reference
 
@@ -54,10 +73,11 @@ The following attributes are exported:
 * `id` - The ID (UUID) of the space.
 * `name` - The space's name.
 * `organization` - The space's Heroku Team.
+* `generation` - The generation of the Heroku platform for the space (`cedar` or `fir`).
 * `region` - The space's region.
 * `cidr` - The space's CIDR.
 * `data_cidr` - The space's Data CIDR.
-* `outbound_ips` - The space's stable outbound [NAT IPs](https://devcenter.heroku.com/articles/platform-api-reference#space-network-address-translation).
+* `outbound_ips` - The space's stable outbound [NAT IPs](https://devcenter.heroku.com/articles/platform-api-reference#space-network-address-translation). Note: Outbound IP management is not supported for `fir` generation spaces.
 
 ## Import
 

heroku/heroku_supported_features.go

@@ -0,0 +1,64 @@
+package heroku
+
+// Feature matrix system for graceful handling of generation differences
+// between Cedar and Fir generations in Terraform Provider Heroku.
+
+// featureMatrix defines which features are supported for each generation and resource type.
+// This is the single source of truth for feature availability based on the
+// unsupported features data from Platform API's 3.sdk Generation endpoints.
+var featureMatrix = map[string]map[string]map[string]bool{
+	"cedar": {
+		"space": {
+			"private":               true, // All spaces are private
+			"shield":                true, // Cedar supports shield spaces
+			"trusted_ip_ranges":     true,
+			"private_vpn":           true,
+			"outbound_rules":        true,
+			"private_space_logging": true,
+			"outbound_ips":          true, // Cedar supports outbound IPs
+			"vpn_connection":        true, // Cedar supports VPN connections
+			"inbound_ruleset":       true, // Cedar supports inbound rulesets
+			"peering_connection":    true, // Cedar supports IPv4 peering
+		},
+	},
+	"fir": {
+		"space": {
+			"private":               true,  // All spaces are private
+			"shield":                false, // Fir does not support shield spaces
+			"trusted_ip_ranges":     false, // trusted_ip_ranges
+			"private_vpn":           false, // private_vpn
+			"outbound_rules":        false, // outbound_rules
+			"private_space_logging": false, // private_space_logging
+			"outbound_ips":          false, // space_outbound_ips
+			"vpn_connection":        false, // VPN connections not supported
+			"inbound_ruleset":       false, // Inbound rulesets not supported
+			"peering_connection":    false, // IPv4 peering not supported
+		},
+	},
+}
+
+// IsFeatureSupported checks if a feature is supported for a given generation and resource type.
+// Returns true if the feature is supported, false otherwise.
+//
+// Parameters:
+//   - generation: "cedar" or "fir"
+//   - resourceType: "space", "app", "build", etc.
+//   - feature: "shield", "trusted_ip_ranges", "private_vpn", etc.
+//
+// Example:
+//
+//	if IsFeatureSupported("fir", "space", "shield") {
+//	    // proceed with shield configuration
+//	}
+func IsFeatureSupported(generation, resourceType, feature string) bool {
+	if gen, exists := featureMatrix[generation]; exists {
+		if res, exists := gen[resourceType]; exists {
+			if supported, exists := res[feature]; exists {
+				return supported
+			}
+		}
+	}
+
+	// Default to false for any unknown generation/resource/feature combination
+	return false
+}

heroku/heroku_supported_features_test.go

@@ -0,0 +1,178 @@
+package heroku
+
+import (
+	"testing"
+)
+
+func TestIsFeatureSupported(t *testing.T) {
+	testCases := []struct {
+		name         string
+		generation   string
+		resourceType string
+		feature      string
+		expected     bool
+	}{
+		// Cedar generation tests - all space features supported
+		{
+			name:         "Cedar space private should be supported",
+			generation:   "cedar",
+			resourceType: "space",
+			feature:      "private",
+			expected:     true,
+		},
+		{
+			name:         "Cedar space shield should be supported",
+			generation:   "cedar",
+			resourceType: "space",
+			feature:      "shield",
+			expected:     true,
+		},
+		{
+			name:         "Cedar space trusted_ip_ranges should be supported",
+			generation:   "cedar",
+			resourceType: "space",
+			feature:      "trusted_ip_ranges",
+			expected:     true,
+		},
+
+		// Fir generation tests - private supported, shield and others unsupported
+		{
+			name:         "Fir space private should be supported",
+			generation:   "fir",
+			resourceType: "space",
+			feature:      "private",
+			expected:     true,
+		},
+		{
+			name:         "Fir space shield should be unsupported",
+			generation:   "fir",
+			resourceType: "space",
+			feature:      "shield",
+			expected:     false,
+		},
+		{
+			name:         "Fir space trusted_ip_ranges should be unsupported",
+			generation:   "fir",
+			resourceType: "space",
+			feature:      "trusted_ip_ranges",
+			expected:     false,
+		},
+
+		// Unsupported feature tests (features not in matrix)
+		{
+			name:         "Cedar space unknown_feature should be unsupported (not in matrix)",
+			generation:   "cedar",
+			resourceType: "space",
+			feature:      "unknown_feature",
+			expected:     false,
+		},
+		{
+			name:         "Fir space unknown_feature should be unsupported (not in matrix)",
+			generation:   "fir",
+			resourceType: "space",
+			feature:      "unknown_feature",
+			expected:     false,
+		},
+
+		// Unknown resource type tests
+		{
+			name:         "Cedar app features should be unsupported (not implemented yet)",
+			generation:   "cedar",
+			resourceType: "app",
+			feature:      "some_feature",
+			expected:     false,
+		},
+		{
+			name:         "Fir build features should be unsupported (not implemented yet)",
+			generation:   "fir",
+			resourceType: "build",
+			feature:      "some_feature",
+			expected:     false,
+		},
+
+		// Invalid generation tests
+		{
+			name:         "Invalid generation should be unsupported",
+			generation:   "invalid",
+			resourceType: "space",
+			feature:      "shield",
+			expected:     false,
+		},
+		{
+			name:         "Empty generation should be unsupported",
+			generation:   "",
+			resourceType: "space",
+			feature:      "shield",
+			expected:     false,
+		},
+
+		// Edge case tests
+		{
+			name:         "Empty resource type should be unsupported",
+			generation:   "cedar",
+			resourceType: "",
+			feature:      "shield",
+			expected:     false,
+		},
+		{
+			name:         "Empty feature should be unsupported",
+			generation:   "cedar",
+			resourceType: "space",
+			feature:      "",
+			expected:     false,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsFeatureSupported(tc.generation, tc.resourceType, tc.feature)
+			if result != tc.expected {
+				t.Errorf("IsFeatureSupported(%q, %q, %q) = %v, expected %v",
+					tc.generation, tc.resourceType, tc.feature, result, tc.expected)
+			}
+		})
+	}
+}
+
+// TestFeatureMatrixConsistency ensures the feature matrix is internally consistent
+func TestFeatureMatrixConsistency(t *testing.T) {
+	// Verify that all generations have at least one resource
+	for generation, resources := range featureMatrix {
+		if len(resources) == 0 {
+			t.Errorf("Generation %s has no resources defined", generation)
+		}
+
+		// Verify that all resources have at least one feature
+		for resourceType, features := range resources {
+			if len(features) == 0 {
+				t.Errorf("Generation %s, resource %s has no features defined", generation, resourceType)
+			}
+
+			// Verify that all features are properly set (no nil values)
+			for feature, supported := range features {
+				if feature == "" {
+					t.Errorf("Generation %s, resource %s has empty feature name", generation, resourceType)
+				}
+				// supported is bool, so just verify it's not accidentally unset in a way that would matter
+				_ = supported // This is intentional - we're just ensuring the value exists
+			}
+		}
+	}
+
+	// Verify minimum required features exist for Task 1
+	// Both generations support private spaces
+	if !IsFeatureSupported("cedar", "space", "private") {
+		t.Error("Cedar space private must be supported")
+	}
+	if !IsFeatureSupported("fir", "space", "private") {
+		t.Error("Fir space private must be supported")
+	}
+
+	// Only cedar supports shield spaces
+	if !IsFeatureSupported("cedar", "space", "shield") {
+		t.Error("Cedar space shield must be supported")
+	}
+	if IsFeatureSupported("fir", "space", "shield") {
+		t.Error("Fir space shield must be unsupported")
+	}
+}