diff --git a/internal/services/zero_trust_access_group/resource_test.go b/internal/services/zero_trust_access_group/resource_test.go
index 361751fcbf..2654211ed1 100644
--- a/internal/services/zero_trust_access_group/resource_test.go
+++ b/internal/services/zero_trust_access_group/resource_test.go
@@ -77,7 +77,7 @@ var (
 accessGroup cloudflare.AccessGroup
 )
-func TestAccCloudflareAccessGroup_ConfigBasicZone(t *testing.T) {
+func TestAccCloudflareAccessGroup_ConfigBasicAccount(t *testing.T) {
 rnd := utils.GenerateRandomResourceName()
 name := fmt.Sprintf("cloudflare_zero_trust_access_group.%s", rnd)
@@ -95,13 +95,13 @@ func TestAccCloudflareAccessGroup_ConfigBasicZone(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "include.0.any_valid_service_token", "true"),
- resource.TestCheckResourceAttr(name, "include.0.ip.0", "192.0.2.1/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip.1", "192.0.2.2/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.0", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.1", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttrSet(name, "include.0.any_valid_service_token.%"),
+ resource.TestCheckResourceAttr(name, "include.0.ip.ip", "192.0.2.1/32"),
+ resource.TestCheckResourceAttr(name, "include.1.ip.ip", "192.0.2.2/32"),
+ resource.TestCheckResourceAttr(name, "include.0.ip_list.id", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
+ resource.TestCheckResourceAttr(name, "include.1.ip_list.id", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
 ),
 },
 {
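Review bot: The rewritten assertions address include rules by position (`include.0.…`, `include.1.…`), but nothing in the visible check list pins how many elements `include` holds, so a state carrying an extra rule would still pass. Include rules in an Access group are alternatives, so an unexpected extra element widens who matches the group. Adding `resource.TestCheckResourceAttr(name, "include.#", "<expected count>")`, with the count taken from the test config, would close that gap. The same gap is in the hunks at -110, -140 and -163. The check list opens outside this hunk, so a count assertion above the visible lines cannot be ruled out from here.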
@@ -110,20 +110,20 @@ func TestAccCloudflareAccessGroup_ConfigBasicZone(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "include.0.any_valid_service_token", "true"),
- resource.TestCheckResourceAttr(name, "include.0.ip.0", "192.0.2.1/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip.1", "192.0.2.2/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.0", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.1", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttrSet(name, "include.0.any_valid_service_token.%"),
+ resource.TestCheckResourceAttr(name, "include.0.ip.ip", "192.0.2.1/32"),
+ resource.TestCheckResourceAttr(name, "include.1.ip.ip", "192.0.2.2/32"),
+ resource.TestCheckResourceAttr(name, "include.0.ip_list.id", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
+ resource.TestCheckResourceAttr(name, "include.1.ip_list.id", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
 ),
 },
 },
 })
 }
-func TestAccCloudflareAccessGroup_ConfigBasicAccount(t *testing.T) {
+func TestAccCloudflareAccessGroup_ConfigBasicZone(t *testing.T) {
 rnd := utils.GenerateRandomResourceName()
 name := fmt.Sprintf("cloudflare_zero_trust_access_group.%s", rnd)
@@ -140,21 +140,21 @@ func TestAccCloudflareAccessGroup_ConfigBasicAccount(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.ZoneIdentifier(zoneID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "include.0.any_valid_service_token", "true"),
- resource.TestCheckResourceAttr(name, "include.0.ip.0", "192.0.2.1/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip.1", "192.0.2.2/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.0", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.1", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
- resource.TestCheckResourceAttr(name, "include.0.saml.0.attribute_name", "Name1"),
- resource.TestCheckResourceAttr(name, "include.0.saml.0.attribute_value", "Value1"),
- resource.TestCheckResourceAttr(name, "include.0.saml.1.attribute_name", "Name2"),
- resource.TestCheckResourceAttr(name, "include.0.saml.1.attribute_value", "Value2"),
- resource.TestCheckResourceAttr(name, "include.0.azure.0.id.0", "group1"),
- resource.TestCheckResourceAttr(name, "include.0.azure.0.identity_provider_id", "1234"),
- resource.TestCheckResourceAttr(name, "include.0.azure.1.id.0", "group2"),
- resource.TestCheckResourceAttr(name, "include.0.azure.1.identity_provider_id", "5678"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttrSet(name, "include.0.any_valid_service_token.%"),
+ resource.TestCheckResourceAttr(name, "include.0.ip.ip", "192.0.2.1/32"),
+ resource.TestCheckResourceAttr(name, "include.1.ip.ip", "192.0.2.2/32"),
+ resource.TestCheckResourceAttr(name, "include.0.ip_list.id", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
+ resource.TestCheckResourceAttr(name, "include.1.ip_list.id", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
+ resource.TestCheckResourceAttr(name, "include.0.saml.attribute_name", "Name1"),
+ resource.TestCheckResourceAttr(name, "include.0.saml.attribute_value", "Value1"),
+ resource.TestCheckResourceAttr(name, "include.1.saml.attribute_name", "Name2"),
+ resource.TestCheckResourceAttr(name, "include.1.saml.attribute_value", "Value2"),
+ resource.TestCheckResourceAttr(name, "include.0.azure_ad.id", "group1"),
+ resource.TestCheckResourceAttr(name, "include.0.azure_ad.identity_provider_id", "1234"),
+ resource.TestCheckResourceAttr(name, "include.1.azure_ad.id", "group2"),
+ resource.TestCheckResourceAttr(name, "include.1.azure_ad.identity_provider_id", "5678"),
 ),
 },
 {
@@ -163,21 +163,21 @@ func TestAccCloudflareAccessGroup_ConfigBasicAccount(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.ZoneIdentifier(zoneID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.ZoneIDSchemaKey, zoneID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "include.0.any_valid_service_token", "true"),
- resource.TestCheckResourceAttr(name, "include.0.ip.0", "192.0.2.1/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip.1", "192.0.2.2/32"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.0", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
- resource.TestCheckResourceAttr(name, "include.0.ip_list.1", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
- resource.TestCheckResourceAttr(name, "include.0.saml.0.attribute_name", "Name1"),
- resource.TestCheckResourceAttr(name, "include.0.saml.0.attribute_value", "Value1"),
- resource.TestCheckResourceAttr(name, "include.0.saml.1.attribute_name", "Name2"),
- resource.TestCheckResourceAttr(name, "include.0.saml.1.attribute_value", "Value2"),
- resource.TestCheckResourceAttr(name, "include.0.azure.0.id.0", "group1"),
- resource.TestCheckResourceAttr(name, "include.0.azure.0.identity_provider_id", "1234"),
- resource.TestCheckResourceAttr(name, "include.0.azure.1.id.0", "group2"),
- resource.TestCheckResourceAttr(name, "include.0.azure.1.identity_provider_id", "5678"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttrSet(name, "include.0.any_valid_service_token.%"),
+ resource.TestCheckResourceAttr(name, "include.0.ip.ip", "192.0.2.1/32"),
+ resource.TestCheckResourceAttr(name, "include.1.ip.ip", "192.0.2.2/32"),
+ resource.TestCheckResourceAttr(name, "include.0.ip_list.id", "e3a0f205-c525-4e48-a293-ba5d1f00e638"),
+ resource.TestCheckResourceAttr(name, "include.1.ip_list.id", "5d54cd30-ce52-46e4-9a46-a47887e1a167"),
+ resource.TestCheckResourceAttr(name, "include.0.saml.attribute_name", "Name1"),
+ resource.TestCheckResourceAttr(name, "include.0.saml.attribute_value", "Value1"),
+ resource.TestCheckResourceAttr(name, "include.1.saml.attribute_name", "Name2"),
+ resource.TestCheckResourceAttr(name, "include.1.saml.attribute_value", "Value2"),
+ resource.TestCheckResourceAttr(name, "include.0.azure_ad.id", "group1"),
+ resource.TestCheckResourceAttr(name, "include.0.azure_ad.identity_provider_id", "1234"),
+ resource.TestCheckResourceAttr(name, "include.1.azure_ad.id", "group2"),
+ resource.TestCheckResourceAttr(name, "include.1.azure_ad.identity_provider_id", "5678"),
 ),
 },
 },
@@ -203,12 +203,12 @@ func TestAccCloudflareAccessGroup_ConfigEmailList(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttrSet(name, "include.0.email_list.0"),
+ resource.TestCheckResourceAttrSet(name, "include.0.email_list.id"),
 // Check that the email list is destroyed
 resource.TestCheckResourceAttr(emailListName, "name", rnd2),
 resource.TestCheckResourceAttr(emailListName, "type", "EMAIL"),
- resource.TestCheckResourceAttr(emailListName, "items.0", "test@example.com"),
+ resource.TestCheckResourceAttr(emailListName, "items.0.value", "test@example.com"),
 ),
 },
 },
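Review bot: In the -203 hunk, `TestCheckResourceAttrSet(name, "include.0.email_list.id")` passes for any non-empty ID, so it does not show that the group references the list created in the same config. `emailListName` is already in scope, so `resource.TestCheckResourceAttrPair(name, "include.0.email_list.id", emailListName, "id")` would tie the rule to that list, assuming the list resource exposes `id`. The `identity_provider_id` checks in the hunks at -320 and -349 use the same set-only form and could be paired the same way if the identity provider's resource address is available in those tests. The context comment `// Check that the email list is destroyed` sits above checks that assert the list's attributes, so `// Check the email list attributes` would describe them better.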
@@ -233,9 +233,9 @@ func TestAccCloudflareAccessGroup_Exclude(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "exclude.0.email.0", email),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttr(name, "exclude.0.email.email", email),
 ),
 },
 },
@@ -260,9 +260,9 @@ func TestAccCloudflareAccessGroup_Require(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "require.0.email.0", email),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttr(name, "require.0.email.email", email),
 ),
 },
 },
@@ -287,13 +287,12 @@ func TestAccCloudflareAccessGroup_FullConfig(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(name, "name", rnd),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
- resource.TestCheckResourceAttr(name, "exclude.0.email.0", email),
- resource.TestCheckResourceAttr(name, "require.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.common_names.0", "common"),
- resource.TestCheckResourceAttr(name, "include.0.common_names.1", "name"),
- resource.TestCheckNoResourceAttr(name, "include.0.common_name.0"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.email_domain.domain", "example.com"),
+ resource.TestCheckResourceAttr(name, "exclude.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "require.0.email.email", email),
+ resource.TestCheckResourceAttr(name, "include.0.common_name.common_name", "common"),
+ resource.TestCheckResourceAttr(name, "include.1.common_name.common_name", "name"),
 ),
 },
 },
@@ -320,9 +319,9 @@ func TestAccCloudflareAccessGroup_WithIDP(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(groupName, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(groupName, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(groupName, "name", rnd),
- resource.TestCheckResourceAttrSet(groupName, "include.0.github.0.identity_provider_id"),
- resource.TestCheckResourceAttr(groupName, "include.0.github.0.name", githubOrg),
- resource.TestCheckResourceAttr(groupName, "include.0.github.0.teams.0", team),
+ resource.TestCheckResourceAttrSet(groupName, "include.0.github_organization.identity_provider_id"),
+ resource.TestCheckResourceAttr(groupName, "include.0.github_organization.name", githubOrg),
+ resource.TestCheckResourceAttr(groupName, "include.0.github_organization.team", team),
 ),
 },
 },
@@ -349,9 +348,9 @@ func TestAccCloudflareAccessGroup_WithIDPAuthContext(t *testing.T) {
 testAccCheckCloudflareAccessGroupExists(groupName, cloudflare.AccountIdentifier(accountID), &accessGroup),
 resource.TestCheckResourceAttr(groupName, consts.AccountIDSchemaKey, accountID),
 resource.TestCheckResourceAttr(groupName, "name", rnd),
- resource.TestCheckResourceAttrSet(groupName, "require.0.auth_context.0.identity_provider_id"),
- resource.TestCheckResourceAttr(groupName, "require.0.auth_context.0.id", ctxID),
- resource.TestCheckResourceAttr(groupName, "require.0.auth_context.0.ac_id", ctxACID),
+ resource.TestCheckResourceAttrSet(groupName, "require.0.auth_context.identity_provider_id"),
+ resource.TestCheckResourceAttr(groupName, "require.0.auth_context.id", ctxID),
+ resource.TestCheckResourceAttr(groupName, "require.0.auth_context.ac_id", ctxACID),
 ),
 },
 },
@@ -382,44 +381,7 @@ func TestAccCloudflareAccessGroup_Updated(t *testing.T) {
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &after),
 testAccCheckCloudflareAccessGroupIDUnchanged(&before, &after),
- resource.TestCheckResourceAttr(name, "include.0.email.0", "test-changed@example.com"),
- ),
- },
- },
- })
-}
-
-func TestAccCloudflareAccessGroup_CreateAfterManualDestroy(t *testing.T) {
- var before, after cloudflare.AccessGroup
- var initialID string
- rnd := utils.GenerateRandomResourceName()
- name := fmt.Sprintf("cloudflare_zero_trust_access_group.%s", rnd)
-
- resource.Test(t, resource.TestCase{
- PreCheck: func() {
- acctest.TestAccPreCheck(t)
- acctest.TestAccPreCheck_AccountID(t)
- },
- ProtoV6ProviderFactories: acctest.TestAccProtoV6ProviderFactories,
- CheckDestroy: testAccCheckCloudflareAccessGroupDestroy,
- Steps: []resource.TestStep{
- {
- Config: testAccCloudflareAccessGroupConfigBasic(rnd, email, cloudflare.AccountIdentifier(accountID)),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &before),
- testAccManuallyDeleteAccessGroup(name, &initialID),
- ),
- ExpectNonEmptyPlan: true,
- },
- {
- Config: testAccCloudflareAccessGroupConfigBasicWithUpdate(rnd, accountID, email),
- Check: resource.ComposeTestCheckFunc(
- testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &after),
- testAccCheckCloudflareAccessGroupRecreated(&before, &after),
- resource.TestCheckResourceAttr(name, consts.AccountIDSchemaKey, accountID),
- resource.TestCheckResourceAttr(name, "name", fmt.Sprintf("%s-updated", rnd)),
- resource.TestCheckResourceAttr(name, "include.0.email.0", email),
- resource.TestCheckResourceAttr(name, "include.0.email_domain.0", "example.com"),
+ resource.TestCheckResourceAttr(name, "include.0.email.email", "test-changed@example.com"),
 ),
 },
 },
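Review bot: Coverage for a group deleted outside Terraform disappears with `TestAccCloudflareAccessGroup_CreateAfterManualDestroy`, and no replacement is visible in this diff. For an access-control resource that case matters, because the provider has to notice the missing group and recreate it rather than keep stale state. If the test cannot run against the new schema yet, keeping it behind `t.Skip("<reason>")` would record the gap instead of hiding it. Otherwise the helpers `testAccManuallyDeleteAccessGroup` and `testAccCheckCloudflareAccessGroupRecreated` are presumably left without callers and should be removed in the same change; their definitions are outside this hunk.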
@@ -450,9 +412,8 @@ func TestAccCloudflareAccessGroup_UpdatedFromCommonNameToCommonNames(t *testing.
 Check: resource.ComposeTestCheckFunc(
 testAccCheckCloudflareAccessGroupExists(name, cloudflare.AccountIdentifier(accountID), &after),
 testAccCheckCloudflareAccessGroupIDUnchanged(&before, &after),
- resource.TestCheckResourceAttr(name, "include.0.common_names.0", "common"),
- resource.TestCheckResourceAttr(name, "include.0.common_names.1", "name"),
- resource.TestCheckNoResourceAttr(name, "include.0.common_name.0"),
+ resource.TestCheckResourceAttr(name, "include.0.common_name.common_name", "common"),
+ resource.TestCheckResourceAttr(name, "include.1.common_name.common_name", "name"),
 ),
 },
 },
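Review bot: The test name `…UpdatedFromCommonNameToCommonNames` no longer matches what the final step asserts: both new checks read `common_name` (`include.0.common_name.common_name`, `include.1.common_name.common_name`), and the `TestCheckNoResourceAttr` on the old key is gone. If `common_names` no longer exists in the schema, the test should be renamed and given a short doc comment stating which transition it covers, for example `// Verifies that going from one common_name rule to two updates the group in place.` The config steps are outside this hunk, so whether the before and after configs still differ cannot be confirmed from here.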