@SirCortly (Collaborator) commented Jan 14, 2026

A few things to note:

  • There is a perpetual drift issue which seems to be an issue in the V5 provider, which is caused by the block_page attributes being set as null in state when they are not defined in the HCL but the READ API returns default, non-null values.

  • Both the ssh_session_log and payload_log attributes are removed in V5, which were being used to make requests against the following endpoints. In V5, there don't seem to be any resources which make requests against the same endpoints. We probably need to follow up with the service team to confirm that users aren't going to lose important configuration by removing these deprecated attributes without anything else to migrate the settings to:

/accounts/{account_id}/gateway/audit_ssh_settings
/accounts/{account_id}/dlp/payload_log

╰─➤  ./scripts/run-e2e-tests.sh --resources zero_trust_gateway_settings
Building binaries...
go build -v -o bin/tf-migrate ./cmd/tf-migrate
go build -v -o bin/e2e-runner ./cmd/e2e-runner

Targeting specific resources: zero_trust_gateway_settings
Target arguments: -target=module.zero_trust_gateway_settings


========================================
E2E Migration Test
========================================

Step 0: Initializing test resources
Running tests with:
  User:       cort-terraform-test@cfapi.net
  Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
  Zone ID:    28fea702d1075b10ba9c8620b86218ec
  Domain:     cort.terraform.cfapi.net
  Provider:   Registry (latest)

Running init script...

========================================
Syncing Test Resources
========================================

Filtering to specific resources: zero_trust_gateway_settings
Syncing resource files from testdata...
  ✓ zero_trust_gateway_settings/zero_trust_gateway_settings.tf (from zero_trust_gateway_settings_e2e.tf)
  ✓ zero_trust_gateway_settings/versions.tf

  Total: 2 files synced

Configuring terraform variables...


✓ Saved configuration
    Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
    Zone ID: 28fea702d1075b10ba9c8620b86218ec
    Domain: cort.terraform.cfapi.net
    File: v4/terraform.tfvars

Updating main.tf with module references...
  ↻ Updated main.tf with 1 module references


========================================
✓ Sync Complete!
========================================

Summary:
  - Terraform v4 configs: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  - Modules: 1
  - Files synced: 2

Configuring remote backend...
✓ Backend configured

  ✓ Provider installation preserved
  ✓ Backend already configured

Next steps:
  cd tf/v4 && terraform apply

Note: Configuration is automatically loaded from terraform.tfvars
      State is managed remotely in R2

✓ Test resources initialized

Step 1: Testing v4 configurations
Running terraform init in v4/...
Found local state file, backing up and using remote state...
✓ Terraform init successful (remote state loaded from R2)
Running terraform plan in v4/...
✓ Terraform plan successful
  Plan: 0 to add, 1 to change, 0 to destroy.

Detailed changes:

  # module.zero_trust_gateway_settings.cloudflare_teams_account.e2e_comprehensive will be updated in-place
  ~ resource "cloudflare_teams_account" "e2e_comprehensive" {
        id                                     = "4e0db82a94b7cc78653ac27dc4f653e9"
        # (6 unchanged attributes hidden)


Running terraform apply in v4/...
✓ Terraform apply successful
  Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Syncing state from remote...
✓ Local state file synced from R2
Capturing v4 state...
✓ Saved v4 state to tmp/v4-state.json


Step 2: Running migration
Running ./scripts/migrate...
Building tf-migrate binary...
✓ Binary built successfully

========================================
Running v4 to v5 Migration
========================================

Preparing output directory...
  ✓ Preserved v5 provider installation (.terraform/)
  ✓ Preserved v5 dependency lock file (.terraform.lock.hcl)
Copying only targeted resources: zero_trust_gateway_settings
    ✓ Copied root file: provider.tf
    ✓ Copied root file: terraform.tfvars
    ✓ Copied root file: terraform.tfstate

    ✓ Copied module: zero_trust_gateway_settings
Creating filtered main.tf...
✓ Copied targeted resources to migrated-v4_to_v5/
✓ Updated provider.tf to use ~> 5.0 and removed backend config
Filtering state file to only include targeted resources...
✓ Filtered state to 1 resources from targeted modules

Migrating all files (including modules and state)...
Cloudflare Terraform Provider Migration Tool
============================================

Configuration directory: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
Output directory: in-place
✓ Using Cloudflare API credentials (API key + email)

Found 4 configuration files to migrate
[1/4] Processing main.tf... ✓
[2/4] Processing provider.tf... ✓
[3/4] Processing versions.tf... ✓
[4/4] Processing zero_trust_gateway_settings.tf... ✓
2026-01-15T14:12:20.116-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*queue.V4ToV5Migrator"
2026-01-15T14:12:20.117-0700 [WARN]  tf-migrate: Migrator implements ResourceRenamer but returned empty type names: old="" new=""
2026-01-15T14:12:20.117-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zone_setting.V4ToV5Migrator"
2026-01-15T14:12:20.117-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zero_trust_gateway_certificate.V4ToV5Migrator"
                                                                                                                                                                                                                                             
Applying cross-file reference updates (23 updates across 4 files)...
✓ Updated cross-file references (23 updates applied)

Processing state file: terraform.tfstate... ✓
✓ Migration complete (includes state and cross-module reference updates)


========================================
✓ Migration Complete!
========================================

Results:
  Input (v4):  /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  Output (v5): /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5

Next steps:
  cd /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
  terraform init
  terraform plan

✓ Migration successful

Step 3: Testing v5 configurations
Running terraform init in migrated-v4_to_v5/...
Cleaning v5 .terraform directory for fresh init...
✓ Terraform init successful
Running terraform plan in v5/...
⚠ Migration produced drift - v5 config wants to make changes
  Plan: 2 to add, 1 to change, 0 to destroy.

Detailed changes:

  # module.zero_trust_gateway_settings.cloudflare_zero_trust_device_settings.e2e_comprehensive_device_settings will be created
  + resource "cloudflare_zero_trust_device_settings" "e2e_comprehensive_device_settings" {
      + account_id                            = "4e0db82a94b7cc78653ac27dc4f653e9"
      + disable_for_time                      = 600
      + gateway_proxy_enabled                 = true
      + gateway_udp_proxy_enabled             = true
      + root_certificate_installation_enabled = true
      + use_zt_virtual_ip                     = false
    }

  # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_logging.e2e_comprehensive_logging will be created
  + resource "cloudflare_zero_trust_gateway_logging" "e2e_comprehensive_logging" {
      + account_id            = "4e0db82a94b7cc78653ac27dc4f653e9"
      + redact_pii            = true
      + settings_by_rule_type = {
          + dns  = {
              + log_all    = true
              + log_blocks = false
            }
          + http = {
              + log_all    = true
              + log_blocks = true
            }
          + l4   = {
              + log_all    = false
              + log_blocks = true
            }
        }
    }

  # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_settings.e2e_comprehensive will be updated in-place
  ~ resource "cloudflare_zero_trust_gateway_settings" "e2e_comprehensive" {
      ~ created_at = "2025-11-13T16:30:41Z" -> (known after apply)
        id         = "4e0db82a94b7cc78653ac27dc4f653e9"
      ~ settings   = {
          ~ block_page         = {
              - include_context  = false -> null
              - mailto_address   = "" -> null
              - mailto_subject   = "" -> null
              - mode             = "customized_block_page" -> null
                name             = "E2E Test Block Page"
              + read_only        = (known after apply)
              + source_account   = (known after apply)
              - suppress_footer  = false -> null
              - target_uri       = "" -> null
              ~ version          = 6 -> (known after apply)
                # (5 unchanged attributes hidden)
            }
            # (6 unchanged attributes hidden)
        }
      ~ updated_at = "2026-01-15T21:12:14Z" -> (known after apply)
        # (1 unchanged attribute hidden)
    }


What this means:
  The migrated v5 config doesn't match your existing infrastructure.
  This indicates the migration may not be correct.

Affected Resources:
  - zero_trust_gateway_settings

Next steps:
  1. Review the changes above
  2. Check if the migration tool has a bug
  3. Consider using --apply-exemptions if changes are expected
Running terraform apply in v5/...
✓ Terraform apply successful
Capturing v5 state...
✓ Saved v5 state to tmp/v5-state.json

Step 4: Verifying stable state (v5 plan after apply)
Running terraform plan again to check for ongoing drift...
✗ Ongoing drift detected - resources keep changing
  Plan: 0 to add, 1 to change, 0 to destroy.

Detailed ongoing drift:

  # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_settings.e2e_comprehensive will be updated in-place
  ~ resource "cloudflare_zero_trust_gateway_settings" "e2e_comprehensive" {
      ~ created_at = "2025-11-13T16:30:41Z" -> (known after apply)
        id         = "4e0db82a94b7cc78653ac27dc4f653e9"
      ~ settings   = {
          ~ block_page         = {
              - include_context  = false -> null
              - mailto_address   = "" -> null
              - mailto_subject   = "" -> null
              - mode             = "customized_block_page" -> null
                name             = "E2E Test Block Page"
              + read_only        = (known after apply)
              + source_account   = (known after apply)
              - suppress_footer  = false -> null
              - target_uri       = "" -> null
              ~ version          = 7 -> (known after apply)
                # (5 unchanged attributes hidden)
            }
            # (6 unchanged attributes hidden)
        }
      ~ updated_at = "2026-01-15T21:12:28Z" -> (known after apply)
        # (1 unchanged attribute hidden)
    }


What this means:
  Your resources are unstable - they change with every apply.
  This is a serious issue that prevents using v5 in production.

Affected Resources:
  - zero_trust_gateway_settings

Next steps:
  1. This is likely a provider or migration tool bug
  2. Review the changes above to understand what's changing
  3. Report this issue with the logs from tmp/


========================================
Drift Report
========================================

Real drift detected in v5 plan (before apply):
  } (×9)
                + log_all    = true (×2)
                + log_blocks = true (×2)
                + log_blocks = false
            + http = {
                - mailto_subject   = "" -> null
                ~ version          = 6 -> (known after apply)
        + disable_for_time                      = 600
    # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_settings.e2e_comprehensive will be updated in-place
        ~ created_at = "2025-11-13T16:30:41Z" -> (known after apply)
                - include_context  = false -> null
  # (6 unchanged attributes hidden)
        + settings_by_rule_type = {
    # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_logging.e2e_comprehensive_logging will be created
        + account_id            = "4e0db82a94b7cc78653ac27dc4f653e9"
        ~ updated_at = "2026-01-15T21:12:14Z" -> (known after apply)
        + gateway_udp_proxy_enabled             = true
                + log_all    = false
    ~ resource "cloudflare_zero_trust_gateway_settings" "e2e_comprehensive" {
        ~ settings   = {
  name             = "E2E Test Block Page"
  # (5 unchanged attributes hidden)
            + l4   = {
        + gateway_proxy_enabled                 = true
        + use_zt_virtual_ip                     = false
            + dns  = {
    # module.zero_trust_gateway_settings.cloudflare_zero_trust_device_settings.e2e_comprehensive_device_settings will be created
    + resource "cloudflare_zero_trust_device_settings" "e2e_comprehensive_device_settings" {
    + resource "cloudflare_zero_trust_gateway_logging" "e2e_comprehensive_logging" {
  id         = "4e0db82a94b7cc78653ac27dc4f653e9"
            ~ block_page         = {
                - mailto_address   = "" -> null
                - mode             = "customized_block_page" -> null
                - target_uri       = "" -> null
        + account_id                            = "4e0db82a94b7cc78653ac27dc4f653e9"
  # (1 unchanged attribute hidden)
        + root_certificate_installation_enabled = true
        + redact_pii            = true
                + read_only        = (known after apply)
                + source_account   = (known after apply)
                - suppress_footer  = false -> null

Affected Resources:
  - zero_trust_gateway_settings

Ongoing drift detected in v5 plan (after apply):
  } (×3)
  id         = "4e0db82a94b7cc78653ac27dc4f653e9"
                - include_context  = false -> null
                - target_uri       = "" -> null
        ~ updated_at = "2026-01-15T21:12:28Z" -> (known after apply)
  # (1 unchanged attribute hidden)
    ~ resource "cloudflare_zero_trust_gateway_settings" "e2e_comprehensive" {
        ~ settings   = {
                - mode             = "customized_block_page" -> null
  name             = "E2E Test Block Page"
                + read_only        = (known after apply)
                + source_account   = (known after apply)
        ~ created_at = "2025-11-13T16:30:41Z" -> (known after apply)
            ~ block_page         = {
                - mailto_address   = "" -> null
  # (5 unchanged attributes hidden)
    # module.zero_trust_gateway_settings.cloudflare_zero_trust_gateway_settings.e2e_comprehensive will be updated in-place
  # (6 unchanged attributes hidden)
                - mailto_subject   = "" -> null
                - suppress_footer  = false -> null
                ~ version          = 7 -> (known after apply)

Affected Resources:
  - zero_trust_gateway_settings



========================================
✗ E2E Test Failed!
========================================

Summary:

  Step 1: v4 terraform apply
    Status: ✓ SUCCESS

  Step 2: Migration (v4 → v5)
    Status: ✓ SUCCESS

  Step 3: v5 plan (before apply)
    Status: ✗ FAILED - Migration produced drift
    Result: 43 real changes detected
    Terraform: Plan: 2 to add, 1 to change, 0 to destroy.

  Step 4: v5 terraform apply
    Status: ✗ FAILED - Applied drift changes

  Step 5: v5 plan (after apply)
    Status: ✗ FAILED - Resources keep changing
    Result: 23 ongoing drift patterns
    Terraform: Plan: 0 to add, 1 to change, 0 to destroy.

Logs saved to:
  - /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tmp

Test failed: Resources are unstable and keep changing
This prevents safe migration to v5 - likely a provider bug
Error: ongoing drift detected - resources keep changing
ongoing drift detected - resources keep changing
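
The perpetual drift described in the first point of the comment above can be isolated by comparing the two v5 plans. This is an added example, not part of the PR or of tf-migrate: it extracts every `- attr = value -> null` line and reports the attributes that are nullified with the same prior value both before and after the apply. The function names are hypothetical, the sample lines are copied from the log above, and attributes are keyed by bare name rather than full path, which is a simplification.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample input: block_page lines copied from the two v5 plans in the log above.
const planBeforeApply = `
              - include_context  = false -> null
              - mailto_address   = "" -> null
              - mode             = "customized_block_page" -> null
              ~ version          = 6 -> (known after apply)`
const planAfterApply = `
              - include_context  = false -> null
              - mailto_address   = "" -> null
              - mode             = "customized_block_page" -> null
              ~ version          = 7 -> (known after apply)`

// nullified matches `- attr = <value> -> null`: a value in state that the config leaves unset.
var nullified = regexp.MustCompile(`^\s*-\s+(\w+)\s+=\s+(.+?)\s+->\s+null\s*$`)

// NullifiedAttrs maps each nullified attribute in a plan to its prior value.
func NullifiedAttrs(plan string) map[string]string {
	out := map[string]string{}
	for _, line := range strings.Split(plan, "\n") {
		if m := nullified.FindStringSubmatch(line); m != nil {
			out[m[1]] = m[2]
		}
	}
	return out
}

// PersistentDrift lists attributes nullified with the same prior value before and
// after an apply: the apply did not converge and the value was back in state.
func PersistentDrift(before, after string) []string {
	b, a := NullifiedAttrs(before), NullifiedAttrs(after)
	var names []string
	for name, val := range a {
		if b[name] == val {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() { fmt.Println(PersistentDrift(planBeforeApply, planAfterApply)) }
```

Computed attributes such as `version` (marked `~ ... -> (known after apply)`) are deliberately ignored, so the result contains only the values that return after every apply.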

cortlyons added 2 commits January 14, 2026 15:14
@SirCortly SirCortly force-pushed the cortlyons/zero_trust_gateway_settings branch from 1e86b21 to f6c81dd Compare January 15, 2026 22:08
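
For the second point in the comment above (ssh_session_log and payload_log having no V5 destination), a pre-migration check can flag accounts that would lose audit SSH or DLP payload logging settings. This is an added example, not part of the PR or of tf-migrate: it scans a v4 state file for `cloudflare_teams_account` resources where either attribute holds a value. It assumes the standard Terraform state JSON layout; the function names and the sample state, including the nested `public_key` field, are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: minimal Terraform state for the v4 resource; nested values are placeholders.
const sampleState = `{"version": 4, "resources": [{
  "type": "cloudflare_teams_account", "name": "e2e_comprehensive",
  "instances": [{"attributes": {
    "ssh_session_log": [{"public_key": "CONSTRUCTED_PLACEHOLDER"}],
    "payload_log": []}}]}]}`

// removedInV5 lists the two attributes the comment reports as removed in V5.
var removedInV5 = []string{"payload_log", "ssh_session_log"}

type tfState struct {
	Resources []struct {
		Type, Name string
		Instances  []struct{ Attributes map[string]any }
	}
}

// isSet treats null/missing and empty lists as unset; anything else counts as configured.
func isSet(v any) bool {
	list, isList := v.([]any)
	return v != nil && (!isList || len(list) > 0)
}

// AtRisk returns "type.name.attr" for each removed attribute that still holds a value.
func AtRisk(stateJSON string) ([]string, error) {
	var s tfState
	if err := json.Unmarshal([]byte(stateJSON), &s); err != nil {
		return nil, err
	}
	var hits []string
	for _, r := range s.Resources {
		for _, inst := range r.Instances {
			for _, attr := range removedInV5 {
				if r.Type == "cloudflare_teams_account" && isSet(inst.Attributes[attr]) {
					hits = append(hits, r.Type+"."+r.Name+"."+attr)
				}
			}
		}
	}
	return hits, nil
}

func main() { fmt.Println(AtRisk(sampleState)) }
```

Any hit means the setting should be recorded and confirmed against the two endpoints listed in the comment before the attribute is dropped from configuration.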