Zero Trust resources renaming

[notdodo]

Hi,

Cloudflare TF provider deprecated the Zero Trust resources (e.g. AccessPolicy, AccessServiceToken, AccessApplication) with a new ZeroTrust prefix.

Obviously when changing the resource on a Pulumi project the outcomes are to recreate the resources.
What do you suggest for avoiding the delete and create of these resources?

[VenelinMartinov]

Hey @notdodo. Thanks for the question.

If I understand you correctly, you'd like to change your existing resources, which are now deprecated, like https://www.pulumi.com/registry/packages/cloudflare/api-docs/accesspolicy/ to the new resources like https://www.pulumi.com/registry/packages/cloudflare/api-docs/zerotrustaccesspolicy/.

I think your best bet would be to delete the existing resources and import them as the new resource type.
Instructions on deleting from state: https://www.pulumi.com/docs/iac/cli/commands/pulumi_state_delete/
Importing: https://www.pulumi.com/docs/iac/cli/commands/pulumi_state_delete/

Hope that helps, let me know if you need any more help here!

[notdodo]

If I understand you correctly, you'd like to change your existing resources, which are now deprecated, like https://www.pulumi.com/registry/packages/cloudflare/api-docs/accesspolicy/ to the new resources like https://www.pulumi.com/registry/packages/cloudflare/api-docs/zerotrustaccesspolicy/.

Yes, exactly.

I think your best bet would be to delete the existing resources and import them as the new resource type.
Instructions on deleting from state: https://www.pulumi.com/docs/iac/cli/commands/pulumi_state_delete/
Importing: https://www.pulumi.com/docs/iac/cli/commands/pulumi_state_delete/

That's what I feared. What about big projects with already lots of resources?
I saw that on the TF provider they are implement the migration using grit https://github.com/cloudflare/terraform-provider-cloudflare/pull/4656/files#diff-21291edb2cd1fbbfdbda74cc5e50f11eb88cd57b03fe99754ed79a7c814f3bd9

[VenelinMartinov]

Thanks for flagging this up @notdodo. I'll discuss with the team how we can help with the migration

[iwahbe]

@notdodo The best way to migrate now is with aliases:

Old:

name: dev-yaml
runtime: yaml
resources:
  network:
    type: cloudflare:AccessPolicy
    properties:
      decision: allow
      name: my-policy
      accountId: ******************
      includes:
        - everyone: true

New:

name: dev-yaml
runtime: yaml
resources:
  network:
    type: cloudflare:ZeroTrustAccessPolicy
    properties:
      decision: allow
      name: my-policy
      accountId: ******************
      includes:
        - everyone: true
    options:
      aliases:
        - "urn:pulumi:dev::dev-yaml::cloudflare:index/accessPolicy:AccessPolicy::network"

Languages besides YAML allow type level aliases, so you don't need to worry about the full URN:

cloudflare.ZeroTrustAccessPolicy("network",
                                 decision="allow",
                                 name="my-policy",
                                 account_id="*******************",
                                 includes=[{"everyone": true}],
                                 opts=pulumi.ResourceOptions(aliases=[pulumi.Alias(type_="cloudflare:index/accessPolicy:AccessPolicy")]))

---

The best option to migrate eventually is with provider level type aliases. We have the ability to add type aliases (like in the python example) at the provider level, so you don't need to bother. You can just change the resource type and it will work.

[iwahbe]

If cloudflare has changed the arguments to these resources or their semantics, then migration will be trickier.

[notdodo]

Hey @iwahbe thank you! didn't know was possible to alias also a resource type; we'll look into it 🙏

[notdodo]

Hei @iwahbe; we migrated some of our stuff using the Alias type_ and everything was good. thank you again.

If you want you can close this issue otherwise can remain open for #986

[iwahbe]

Let's leave it open to track #986.