@SirCortly SirCortly commented Dec 4, 2025

This is a fairly large, complex migration. Migration is mostly complete; the main thing left is fixing up a few patterns of drift in the e2e tests.

If you revert 9ccbb50, all tests are passing. This commit is WIP to resolve V4 empty value defaults to V5 null value default transformations. The integration tests are currently failing and need further investigation. My hunch is that either 1) the config context is not being passed into the state transformations during the integration test, or 2) there is an issue with the deeply nested structures in this integration affecting the default value transformations.

Including the default value drift described above, the following drift remains:

1. http_only_cookie_attribute Drift (19 resources)
   - v4 behavior: Sets value to null (removed from state)
   - v5 behavior: Changes from false → true
   - Impact: All self-hosted and SSH apps show this drift
   - Why: v4 provider appears to remove this attribute when not explicitly set, but v5 expects it to be true by default

2. Empty/Default Value Removal (all resources)
   - Fields being removed (set to null) when they have empty/default values:
     - allowed_idps = []
     - auto_redirect_to_identity = false
     - enable_binding_cookie = false
     - options_preflight_bypass = false
     - service_auth_401_redirect = false
     - skip_interstitial = false
     - tags = []

3. SAAS App-specific Issues:
   - saas_oidc: scopes array order changed from ["openid", "profile", "email"] to ["openid", "email", "profile"]
   - custom_claims: Empty name_by_idp = {} being removed (set to null)
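
As an added illustration of drift categories 2 and 3 in the description above (not code from this PR or from tf-migrate), the Go example below nulls the listed empty/default fields in a v4 attribute map and compares scope lists without regard to order. The helper names, the `inConfig` parameter, and the rule that explicitly configured values are kept are assumptions made for the example.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// Fields from the drift list above; true marks list fields (default []),
// false marks boolean fields (default false).
var tracked = map[string]bool{
	"allowed_idps": true, "tags": true, "auto_redirect_to_identity": false,
	"enable_binding_cookie": false, "options_preflight_bypass": false,
	"service_auth_401_redirect": false, "skip_interstitial": false,
}

// NormalizeV4Attrs (hypothetical helper) copies attrs, replacing empty/default
// values of tracked fields with nil unless the field is written explicitly in
// config. Assumption: state alone cannot tell an explicit false from a default.
// It returns the new map and the sorted names of the fields it nulled.
func NormalizeV4Attrs(attrs map[string]any, inConfig map[string]bool) (map[string]any, []string) {
	out, nulled := map[string]any{}, []string{}
	for k, v := range attrs {
		out[k] = v
		isList, ok := tracked[k]
		s, isSlice := v.([]any)
		empty := (isList && isSlice && len(s) == 0) || (!isList && v == false)
		if ok && !inConfig[k] && empty {
			out[k], nulled = nil, append(nulled, k)
		}
	}
	sort.Strings(nulled)
	return out, nulled
}

// SameSet compares two string lists ignoring order (the saas_oidc scopes case).
func SameSet(a, b []string) bool {
	x, y := append([]string(nil), a...), append([]string(nil), b...)
	sort.Strings(x)
	sort.Strings(y)
	return reflect.DeepEqual(x, y)
}

func main() {
	// Constructed sample of v4 state attributes, not taken from the PR.
	v4 := map[string]any{"name": "app", "tags": []any{}, "skip_interstitial": false, "enable_binding_cookie": false}
	_, nulled := NormalizeV4Attrs(v4, map[string]bool{"enable_binding_cookie": true})
	fmt.Println(nulled, SameSet([]string{"openid", "profile", "email"}, []string{"openid", "email", "profile"}))
}
```
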

@SirCortly SirCortly changed the title (Phase 2) WIP: v4->v5 zero_trust_access_application (Phase 0) WIP: v4->v5 zero_trust_access_application Dec 19, 2025
@SirCortly SirCortly force-pushed the cortlyons/v4-to-v5-cloudflare_zero_trust_access_applications branch 8 times, most recently from 3950ce2 to adcadbd Compare December 23, 2025 23:34
@tamas-jozsa tamas-jozsa force-pushed the cortlyons/v4-to-v5-cloudflare_zero_trust_access_applications branch from 9ccbb50 to 9f2e06f Compare December 26, 2025 17:54
@tamas-jozsa tamas-jozsa force-pushed the cortlyons/v4-to-v5-cloudflare_zero_trust_access_applications branch from 9f2e06f to 4fcca91 Compare December 26, 2025 18:24
@tamas-jozsa tamas-jozsa force-pushed the cortlyons/v4-to-v5-cloudflare_zero_trust_access_applications branch from 4fcca91 to f9fadf0 Compare December 26, 2025 18:24
@tamas-jozsa

========================================
Running v4 to v5 Migration
========================================

Preparing output directory...
  ✓ Preserved v5 provider installation (.terraform/)
  ✓ Preserved v5 dependency lock file (.terraform.lock.hcl)
Copying only targeted resources: zero_trust_access_application
    ✓ Copied root file: provider.tf
    ✓ Copied root file: terraform.tfvars
    ✓ Copied root file: terraform.tfstate

    ✓ Copied module: zero_trust_access_application
Creating filtered main.tf...
✓ Copied targeted resources to migrated-v4_to_v5/
✓ Updated provider.tf to use ~> 5.0 and removed backend config
Filtering state file to only include targeted resources...
✓ Filtered state to 21 resources from targeted modules

Migrating all files (including modules and state)...
Cloudflare Terraform Provider Migration Tool
============================================

Configuration directory: /Users/tjozsa/cf-repos/sdks/migration-work/agent-b/tf-migrate/e2e/migrated-v4_to_v5
Output directory: in-place
✓ Using Cloudflare API credentials (API key + email)

Found 4 configuration files to migrate
[1/4] Processing main.tf... ✓
[2/4] Processing provider.tf... ✓
[3/4] Processing versions.tf... ✓
[4/4] Processing zero_trust_access_application.tf... ✓

Applying cross-file reference updates (14 updates across 4 files)...
✓ Updated cross-file references (14 updates applied)

Processing state file: terraform.tfstate... ✓
✓ Migration complete (includes state and cross-module reference updates)


========================================
✓ Migration Complete!
========================================

Results:
  Input (v4):  /Users/tjozsa/cf-repos/sdks/migration-work/agent-b/tf-migrate/e2e/tf/v4
  Output (v5): /Users/tjozsa/cf-repos/sdks/migration-work/agent-b/tf-migrate/e2e/migrated-v4_to_v5

Next steps:
  cd /Users/tjozsa/cf-repos/sdks/migration-work/agent-b/tf-migrate/e2e/migrated-v4_to_v5
  terraform init
  terraform plan

✓ Migration successful

Step 3: Testing v5 configurations
Running terraform init in migrated-v4_to_v5/...
Cleaning v5 .terraform directory for fresh init...
✓ Terraform init successful
Running terraform plan in v5/...
✓ Terraform plan shows no changes (expected)
Running terraform apply in v5/...
✓ Terraform apply successful
Capturing v5 state...
✓ Saved v5 state to tmp/v5-state.json

Step 4: Verifying stable state (v5 plan after apply)
Running terraform plan again to check for ongoing drift...
✓ No ongoing drift detected - migration achieved stable state!



========================================
✓ E2E Test Complete!
========================================

Summary:

  Step 1: v4 terraform apply
    Status: ✓ SUCCESS

  Step 2: Migration (v4 → v5)
    Status: ✓ SUCCESS

  Step 3: v5 plan (before apply)
    Status: ✓ No changes needed

  Step 4: v5 terraform apply
    Status: ✓ SUCCESS

  Step 5: v5 plan (after apply)
    Status: ✓ SUCCESS - Stable state achieved
    Result: No changes detected

Logs saved to:
  - /Users/tjozsa/cf-repos/sdks/migration-work/agent-b/tf-migrate/e2e/tmp

@tamas-jozsa tamas-jozsa marked this pull request as ready for review December 26, 2025 21:11
@tamas-jozsa tamas-jozsa changed the title (Phase 0) WIP: v4->v5 zero_trust_access_application (Phase 0): v4->v5 zero_trust_access_application Dec 26, 2025