cloudflare_zero_trust resources should implement moved for migrations/breaking changes #6295

@simonha9

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform: 1.9.x
Cloudflare Provider (old) 4.4.2
new 5.10

Affected resource(s)

cloudflare_zero_trust resources

Terraform configuration files

# consider
resource cloudflare_access_application app {
...
}

Link to debug output

not sure if we want this public

Panic output

Error: Move Resource State Not Supported
│ 
│ The "cloudflare_zero_trust_access_identity_provider" resource type does not
│ support moving resource state across resource types.
│ (and 10 more similar warnings elsewhere)

Expected output

I should be able to do this

old

resource cloudflare_access_application app {
...
}

new

resource cloudflare_zero_trust_access_application app {
...
}

moved {
from = cloudflare_access_application.app
to = cloudflare_zero_trust_access_application.app
}

Actual output

Error: Move Resource State Not Supported
│ 
│ The "cloudflare_zero_trust_access_identity_provider" resource type does not
│ support moving resource state across resource types.
│ (and 10 more similar warnings elsewhere)

and I was forced to do this

# Instead, I had to do the below in 2 steps which is more room for error
removed {
...
from = cloudflare_access_application.app
}

and
import {
to = cloudflare_zero_trust_access_application.app
id = app.id # or something like this
}

Steps to reproduce

  1. be on cloudflare provider v4
  2. unfortunately have to upgrade to v5
  3. try to follow migration guide, have terraform tell you the syntax is wrong :(

Additional factoids

When upgrading from 4.4.2 -> 5.10 (or even 4.4.2 -> 4.latest), it was a huge pain to migrate the resources, including cloudflare_access_application -> cloudflare_zero_trust_access_application, access policies, access_groups, etc. Following https://registry.terraform.io/providers/cloudflare/cloudflare/5.5.0/docs/guides/version-5-upgrade did not produce a clean terraform plan, and doing such renames requires the user to remove and reimport the resources, which is a huge pain. Instead, the moved block should be implemented to tell Terraform that these resources are the same and are just renamed.

The current behaviour looks something like this:

Error: Move Resource State Not Supported
│ 
│ The "cloudflare_zero_trust_access_identity_provider" resource type does not
│ support moving resource state across resource types.
│ (and 10 more similar warnings elsewhere)

References

No response
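
A check for the two-step remove-and-import workaround described above, as an added example that is not part of the original issue or the provider's code: it reads the JSON produced by `terraform show -json` on a saved plan and flags any Access or Zero Trust resource the plan would destroy or create from scratch instead of carrying over in state. The sample plan, the resource names in it and the `risky_access_changes` helper are constructed for illustration.

```python
import json
import sys

# Type prefixes covering the v4 and v5 resource names mentioned in the issue.
ZERO_TRUST_PREFIXES = ("cloudflare_access_", "cloudflare_zero_trust_")

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "cloudflare_access_application.app",
         "type": "cloudflare_access_application",
         "change": {"actions": ["delete"]}},
        {"address": "cloudflare_zero_trust_access_application.app",
         "type": "cloudflare_zero_trust_access_application",
         "change": {"actions": ["create"]}},
        {"address": "cloudflare_zero_trust_access_identity_provider.idp",
         "type": "cloudflare_zero_trust_access_identity_provider",
         "change": {"actions": ["no-op"]}},
        {"address": "cloudflare_record.www",
         "type": "cloudflare_record",
         "change": {"actions": ["delete", "create"]}},
    ]
})


def risky_access_changes(plan_json):
    """Return (address, reason) pairs for Access / Zero Trust resources that
    the plan would destroy or create rather than keep under management."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if not rc.get("type", "").startswith(ZERO_TRUST_PREFIXES):
            continue  # other resource types are out of scope for this check
        actions = rc.get("change", {}).get("actions", [])
        if "delete" in actions:  # also catches delete-and-recreate replacements
            findings.append((rc["address"], "would be destroyed"))
        elif "create" in actions:  # a new remote object, so the import is missing
            findings.append((rc["address"], "would be created, not imported"))
    return findings


if __name__ == "__main__":
    # Pipe real plan JSON on stdin, or run with no input to use the sample.
    text = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    found = risky_access_changes(text)
    for address, reason in found:
        print(f"{address}: {reason}")
    sys.exit(1 if found else 0)
```

A non-zero exit makes this usable as a gate before `terraform apply` during the rename.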

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • kind/enhancement: Categorizes issue or PR as related to improving an existing feature.
  • version/5: Categorizes issue or PR as related to version 5 of the provider.
