@tamas-jozsa
Contributor

fix: fix zero trust access application state migration

  • I understand that this repository is auto-generated and my pull request may not be merged

Changes being requested

Additional context & links

fix: fix zero trust access application state migration
@tamas-jozsa tamas-jozsa changed the title chore: zero trust config issues chore: zero trust access application config issues Sep 15, 2025
@tamas-jozsa tamas-jozsa merged commit 07a5d06 into next Sep 15, 2025
3 of 4 checks passed
@tamas-jozsa tamas-jozsa deleted the zero_trust_fixes branch September 15, 2025 16:32
@stainless-app stainless-app bot mentioned this pull request Sep 15, 2025
tamas-jozsa added a commit that referenced this pull request Sep 17, 2025
* fix: ruleset migration issues (#6163)

* Revert "fix: ruleset migration issues (#6163)" (#6165)

This reverts commit 44b653c.

* chore: enable mconn tests (#6166)

* fix: magic connector tests

* chore: remove skip

* fix: ruleset migration issues (#6168)

* feat: grit to go (#6162)

* feat: grit to go

* fix: unused import in load_balancer_monitor

* chore: remove debugging printf statement

---------

Co-authored-by: Musa Jundi <musa@cloudflare.com>

* fix: lb and lb pool config migration (#6170)

* fix: cloudflare_load_balancer transformation issues (#6171)

* Test improvements (#6172)

* chore: add sweeper for logpush job

* chore: define ci test product groups

* chore: limit max retries (#6173)

* fix: fix grit in migration tests (#6175)

* fix: ruleset migration in nogrit (#6174)

* chore: point transformations to gh/next (#6177)

* chore: zero trust config issues (#6179)

fix: fix zero trust access application state migration

* fix: lb monitor state migration (#6180)

* fix: lb monitor state

* fix: build

* fix(migrate): improve `zone_setting` migrations (#6169)

Improves how zone settings are migrated from v4 -> v5 of the provider by adding
two new flags:

- `--zone-settings-module` for handling a common pattern in the v4 provider
  where `zone_settings_override` is wrapped in a module and settings are passed
  in as module input variables. When provided, we will expand the vars into
  `zone_setting` resources and imports at the call site.

- `--skip-imports` for skipping import generation, which is useful in cases
  where imports could be generated in invalid locations (read: outside the root
  module).

Module definition: `modules/zone_settings/main.tf`
```hcl
resource "cloudflare_zone_settings_override" "zone_settings" {
  zone_id = var.zone_id

  settings {
    security_level = var.security_level
    ssl            = var.ssl
  }
}
```

Module call: `sites/example_com/main.tf`
```hcl
module "zone_settings" {
  source         = "../modules/zone_settings"
  zone_id        = cloudflare_zone.example_com.id
  security_level = "high"
  ssl            = "origin_pull"
}
```

When the `--zone-settings-module` flag is set, the migrator tool will replace
module calls with inline zone setting definitions and their imports.

```hcl
resource "cloudflare_zone_setting" "zone_settings_zone_settings_security_level" {
  zone_id    = cloudflare_zone.example_com.id
  setting_id = "security_level"
  value      = "high"
}
resource "cloudflare_zone_setting" "zone_settings_zone_settings_ssl" {
  zone_id    = cloudflare_zone.example_com.id
  setting_id = "ssl"
  value      = "origin_pull"
}
import {
  to = cloudflare_zone_setting.zone_settings_zone_settings_security_level
  id = "${cloudflare_zone.example_com.id}/security_level"
}
import {
  to = cloudflare_zone_setting.zone_settings_zone_settings_ssl
  id = "${cloudflare_zone.example_com.id}/ssl"
}
```

Import generation can be skipped entirely with the `--skip-imports` flag.

* fix: remove 'disable_railgun' from state after v4 migration (#6186)

* fix: handling of nested arrays in ruleset migration (#6187)

* fix: handling of nested arrays in ruleset migration

* chore: fix test data for transformation

* chore: compare better (#6192)

* fix: ruleset state (#6191)

* fix(zone_setting): ensure clean state after migrate (#6190)

* fix(zone_setting): ensure clean state after migrate

Fixes an issue with the migrate flow for `cloudflare_zone_setting` where we
weren't removing all settings from state after migrating from v4 -> v5. The
root cause was indexes shifting in slices while deleting items (forward deletes
vs backward deletes).

- updates state removal method for cleaning up `cloudflare_zone_setting`
  resources to delete items in reverse

* test(zone_setting): ensure attribute order

Fixes an issue with migrated attribute order revealed in flaky tests.

---------

Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com>

* fix: variable interpolation (#6193)

* fix: variable interpolation

* chore: missed page rule migrations test

* chore: restore deleted test cases

* fix(workers_script): fix incorrect model type of `run_worker_first` attribute (#6199)

* fix: remove zone settings with null values (#6201)

* docs(list_item): add import documentation (#6202)

List item uses custom code for imports so it's invisible to codegen. Since docs
are generated automatically, any custom docs changes will be overwritten with
every release.

This patch updates the generator script to first create any missing examples
that couldn't be codegen'd, then it runs `tfplugindocs` which ensures that
import examples are appended to the generated markdown docs.

Changes:
- adds manual `import.sh` for `cloudflare_list_item`

* fix(migrate): block transformations (#6203)

* Revert "fix: variable interpolation (#6193)"

This reverts commit 332de8d.

* fix(migrate): block transformation

* fix(migrate): lb and lb pools

* fix(migrate): fix main_module value migration (#6204)

* ci(page_rule): disable parallel tests (#6205)

Fixes flaky `page_rule` tests in CI. Parallel tests cause issues with its
strange `priority` behavior.

Changes:
- set `parallel=1` for `page_rule` tests

* ci: skip flaky tests (#6206)

Skipping consistently failing tests due to cert conflicts.
- `TestMigrateZeroTrustAccessMTLSCertificate_Basic`
- `TestAccCloudflareAccessMutualTLSHostnameSettings_Account`
- `TestAccCloudflareAccessMutualTLSHostnameSettings_Update`
- `TestAccCloudflareAccessMutualTLSHostnameSettings_BooleanCombinations`
- `TestAccCloudflareAccessMutualTLSHostnameSettings_Import`

* release: 5.10.1

---------

Co-authored-by: Musa Jundi <musa@cloudflare.com>
Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com>
Co-authored-by: Tamás Józsa <jtomi92@gmail.com>
Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com>
Co-authored-by: Cina Saffary <cina@cloudflare.com>
Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
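
The `zone_setting` cleanup bug described in the #6190 commit message above (entries left in state because indexes shift during forward deletes), shown as an added Go example that is not the provider's own code. The `resource` type, the function names and the sample state are constructed for illustration.

```go
package main

import "fmt"

// resource is a constructed stand-in for one entry in a Terraform state file.
type resource struct{ Type, Name string }

const staleType = "cloudflare_zone_setting"

// removeForward deletes while iterating upward. After each delete the next
// entry slides into index i and is skipped, so adjacent matches survive.
func removeForward(state []resource, typ string) []resource {
	out := append([]resource(nil), state...) // work on a copy
	for i := 0; i < len(out); i++ {
		if out[i].Type == typ {
			out = append(out[:i], out[i+1:]...)
		}
	}
	return out
}

// removeReverse deletes while iterating downward. A delete only shifts
// entries that were already visited, so every match is removed.
func removeReverse(state []resource, typ string) []resource {
	out := append([]resource(nil), state...)
	for i := len(out) - 1; i >= 0; i-- {
		if out[i].Type == typ {
			out = append(out[:i], out[i+1:]...)
		}
	}
	return out
}

// countType reports how many entries of the given type remain.
func countType(state []resource, typ string) int {
	n := 0
	for _, r := range state {
		if r.Type == typ {
			n++
		}
	}
	return n
}

// sampleState is constructed data: two adjacent pairs of zone settings.
func sampleState() []resource {
	return []resource{
		{staleType, "ssl"}, {staleType, "security_level"},
		{"cloudflare_zone", "example_com"},
		{staleType, "min_tls_version"}, {staleType, "always_use_https"},
	}
}

func main() {
	s := sampleState()
	fmt.Println("left after forward delete:", countType(removeForward(s, staleType), staleType))
	fmt.Println("left after reverse delete:", countType(removeReverse(s, staleType), staleType))
}
```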
pvail-cf pushed a commit to pvail-cf/terraform-provider-cloudflare that referenced this pull request Sep 17, 2025