cloudflare_zero_trust_device_profiles & cloudflare_zero_trust_local_fallback_domain state upgraders

[SirCortly]

Contains state upgrader work for cloudflare_zero_trust_local_fallback_domain and zero_trust_device_default_profile since one depends on the other.

cloudflare_zero_trust_device_profiles:

========================================
State Migration Methods for Specified Resources
========================================

Resources using provider's UpgradeState/MoveState:
  zero_trust_device_default_profile

Targeting specific resources: zero_trust_device_default_profile
Target arguments: -target=module.zero_trust_device_default_profile


========================================
E2E Migration Test
========================================

Step 0: Initializing test resources
Running tests with:
  User:       cort-terraform-test@cfapi.net
  Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
  Zone ID:    28fea702d1075b10ba9c8620b86218ec
  Domain:     cort.terraform.cfapi.net
  Provider:   Local (../cloudflare-terraform-next)

Running init script...

========================================
Syncing Test Resources
========================================

Filtering to specific resources: zero_trust_device_default_profile
Syncing resource files from testdata...
  ✓ zero_trust_device_default_profile/zero_trust_device_default_profile.tf (from zero_trust_device_default_profile_e2e.tf)
  ✓ zero_trust_device_default_profile/versions.tf

  Total: 2 files synced

Configuring terraform variables...


✓ Saved configuration
    Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
    Zone ID: 28fea702d1075b10ba9c8620b86218ec
    Domain: cort.terraform.cfapi.net
    File: v4/terraform.tfvars

Scanning for import annotations...

Updating main.tf with module references...
  ↻ Updated main.tf with 1 module references


========================================
✓ Sync Complete!
========================================

Summary:
  - Terraform v4 configs: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  - Modules: 1
  - Files synced: 2

Configuring remote backend...
✓ Backend configured

  ✓ Provider installation preserved
  ✓ Backend already configured

Next steps:
  cd tf/v4 && terraform apply

Note: Configuration is automatically loaded from terraform.tfvars
      State is managed remotely in R2

✓ Test resources initialized


========================================
Setting up local provider
========================================

Using provider from: ../cloudflare-terraform-next
Building provider...
  Building in: ../cloudflare-terraform-next
  Output: ../cloudflare-terraform-next/terraform-provider-cloudflare
✓ Provider built successfully: ../cloudflare-terraform-next/terraform-provider-cloudflare
✓ Created dev overrides config: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/.terraformrc-tf-migrate
✓ Local provider will be used for v5 testing

Note: v4 tests will use the registry provider (v4.x)
      v5 tests will use the local provider with dev overrides

Step 1: Testing v4 configurations
Running terraform init in v4/...
Found local state file, backing up and using remote state...
✓ Terraform init successful (remote state loaded from R2)
Running terraform plan in v4/...
✓ Terraform plan shows no changes

Running terraform apply in v4/...
✓ Terraform apply successful
  Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Syncing state from remote...
✓ Local state file synced from R2
Capturing v4 state...
✓ Saved v4 state to tmp/v4-state.json


Step 2: Running migration
Running ./scripts/migrate...
Building tf-migrate binary...
✓ Binary built successfully

========================================
Running v4 to v5 Migration
========================================

Preparing output directory...
  ✓ Preserved v5 provider installation (.terraform/)
  ✓ Preserved v5 dependency lock file (.terraform.lock.hcl)
Copying only targeted resources: zero_trust_device_default_profile
    ✓ Copied root file: provider.tf
    ✓ Copied root file: terraform.tfvars
    ✓ Copied root file: terraform.tfstate

    ✓ Copied module: zero_trust_device_default_profile
Creating filtered main.tf...
✓ Copied targeted resources to migrated-v4_to_v5/
✓ Updated provider.tf to use ~> 5.0 and removed backend config
Filtering state file to only include targeted resources...
✓ Filtered state to 1 resources from targeted modules

Migrating configuration files...
Skipping state transformation - using provider's state upgrader
Cloudflare Terraform Provider Migration Tool
============================================

Configuration directory: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
Output directory: in-place
✓ Using Cloudflare API credentials (API key + email)

Found 4 configuration files to migrate
[1/4] Processing main.tf... ✓
[2/4] Processing provider.tf... ✓
[3/4] Processing versions.tf... ✓
[4/4] Processing zero_trust_device_default_profile.tf... ✓
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zero_trust_gateway_certificate.V4ToV5Migrator"
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*queue.V4ToV5Migrator"                                                                                
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*load_balancer_pools.V4ToV5Migrator"                                                                  
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*rulesets.V4ToV5Migrator"                                                                             
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zone_setting.V4ToV5Migrator"                                                                         
2026-02-26T14:59:15.194-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zero_trust_split_tunnel.V4ToV5Migrator"                                                              
                                                                                                                                                                                                                                                                   
Applying cross-file reference updates (29 updates across 4 files)...
✓ Updated cross-file references (29 updates applied)
✓ Migration complete (config transformed, state will be upgraded by provider)


========================================
✓ Migration Complete!
========================================

Results:
  Input (v4):  /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  Output (v5): /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5

Next steps:
  cd /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
  terraform init
  terraform plan

✓ Migration successful

Step 3: Testing v5 configurations
Running terraform init in migrated-v4_to_v5/...
Cleaning v5 .terraform directory for fresh init...
Removing .terraform.lock.hcl to allow dev_overrides...
✓ Terraform init successful
Running terraform plan in v5/...
✓ Terraform plan shows only computed value refreshes (ignored with --apply-exemptions)
Running terraform apply in v5/...
✓ Terraform apply successful
Capturing v5 state...
✓ Saved v5 state to tmp/v5-state.json

Step 4: Verifying stable state (v5 plan after apply)
Running terraform plan again to check for ongoing drift...
✓ No ongoing drift detected - migration achieved stable state!



========================================
✓ E2E Test Complete!
========================================

Summary:

  Step 1: v4 terraform apply
    Status: ✓ SUCCESS

  Step 2: Migration (v4 → v5)
    Status: ✓ SUCCESS

  Step 3: v5 plan (before apply)
    Status: ⚠ Changes detected but all exempted
    Result: 0 real changes (0 exempted)
    Terraform: Plan: 0 to add, 0 to change, 0 to destroy.

  Step 4: v5 terraform apply
    Status: ✓ SUCCESS

  Step 5: v5 plan (after apply)
    Status: ✓ SUCCESS - Stable state achieved
    Result: No changes detected

cloudflare_zero_trust_local_fallback_domain:

========================================
State Migration Methods for Specified Resources
========================================

Resources using provider's UpgradeState/MoveState:
  zero_trust_local_fallback_domain

Targeting specific resources: zero_trust_local_fallback_domain
Target arguments: -target=module.zero_trust_local_fallback_domain


========================================
E2E Migration Test
========================================

Step 0: Initializing test resources
Running tests with:
  User:       cort-terraform-test@cfapi.net
  Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
  Zone ID:    28fea702d1075b10ba9c8620b86218ec
  Domain:     cort.terraform.cfapi.net
  Provider:   Local (../cloudflare-terraform-next)

Running init script...

========================================
Syncing Test Resources
========================================

Filtering to specific resources: zero_trust_local_fallback_domain
Syncing resource files from testdata...
  ✓ zero_trust_local_fallback_domain/zero_trust_local_fallback_domain.tf (from zero_trust_local_fallback_domain_e2e.tf)
  ✓ zero_trust_local_fallback_domain/versions.tf

  Total: 2 files synced

Configuring terraform variables...


✓ Saved configuration
    Account ID: 4e0db82a94b7cc78653ac27dc4f653e9
    Zone ID: 28fea702d1075b10ba9c8620b86218ec
    Domain: cort.terraform.cfapi.net
    File: v4/terraform.tfvars

Scanning for import annotations...

Updating main.tf with module references...
  ↻ Updated main.tf with 1 module references


========================================
✓ Sync Complete!
========================================

Summary:
  - Terraform v4 configs: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  - Modules: 1
  - Files synced: 2

Configuring remote backend...
✓ Backend configured

  ✓ Provider installation preserved
  ✓ Backend already configured

Next steps:
  cd tf/v4 && terraform apply

Note: Configuration is automatically loaded from terraform.tfvars
      State is managed remotely in R2

✓ Test resources initialized


========================================
Setting up local provider
========================================

Using provider from: ../cloudflare-terraform-next
Building provider...
  Building in: ../cloudflare-terraform-next
  Output: ../cloudflare-terraform-next/terraform-provider-cloudflare
✓ Provider built successfully: ../cloudflare-terraform-next/terraform-provider-cloudflare
✓ Created dev overrides config: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/.terraformrc-tf-migrate
✓ Local provider will be used for v5 testing

Note: v4 tests will use the registry provider (v4.x)
      v5 tests will use the local provider with dev overrides

Step 1: Testing v4 configurations
Running terraform init in v4/...
Found local state file, backing up and using remote state...
✓ Terraform init successful (remote state loaded from R2)
Running terraform plan in v4/...
✓ Terraform plan successful
  Plan: 0 to add, 1 to change, 0 to destroy.

Detailed changes:

  # module.zero_trust_local_fallback_domain.cloudflare_zero_trust_device_profiles.custom_e2e will be updated in-place
  ~ resource "cloudflare_zero_trust_device_profiles" "custom_e2e" {
        id                    = "4e0db82a94b7cc78653ac27dc4f653e9/92369a78-53f4-44a6-9ae2-d69ce27703cd"
        name                  = "E2E Custom Profile"
      ~ precedence            = 0 -> 876
        # (17 unchanged attributes hidden)
    }


Running terraform apply in v4/...
✓ Terraform apply successful
  Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
Syncing state from remote...
✓ Local state file synced from R2
Capturing v4 state...
✓ Saved v4 state to tmp/v4-state.json


Step 2: Running migration
Running ./scripts/migrate...
Building tf-migrate binary...
✓ Binary built successfully

========================================
Running v4 to v5 Migration
========================================

Preparing output directory...
  ✓ Preserved v5 provider installation (.terraform/)
  ✓ Preserved v5 dependency lock file (.terraform.lock.hcl)
Copying only targeted resources: zero_trust_local_fallback_domain
    ✓ Copied root file: provider.tf
    ✓ Copied root file: terraform.tfvars
    ✓ Copied root file: terraform.tfstate

    ✓ Copied module: zero_trust_local_fallback_domain
Creating filtered main.tf...
✓ Copied targeted resources to migrated-v4_to_v5/
✓ Updated provider.tf to use ~> 5.0 and removed backend config
Filtering state file to only include targeted resources...
✓ Filtered state to 3 resources from targeted modules

Migrating configuration files...
Skipping state transformation - using provider's state upgrader
Cloudflare Terraform Provider Migration Tool
============================================

Configuration directory: /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
Output directory: in-place
✓ Using Cloudflare API credentials (API key + email)

Found 4 configuration files to migrate
[1/4] Processing main.tf... ✓
[2/4] Processing provider.tf... ✓
[3/4] Processing versions.tf... ✓
[4/4] Processing zero_trust_local_fallback_domain.tf... ✓
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*queue.V4ToV5Migrator"
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*rulesets.V4ToV5Migrator"                                                                             
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zero_trust_split_tunnel.V4ToV5Migrator"                                                              
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*load_balancer_pools.V4ToV5Migrator"                                                                  
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zero_trust_gateway_certificate.V4ToV5Migrator"                                                       
2026-02-26T15:36:07.220-0700 [WARN]  tf-migrate: Migrator does not implement ResourceRenamer interface - cross-file references may not be updated: migrator="*zone_setting.V4ToV5Migrator"                                                                         
                                                                                                                                                                                                                                                                   
Applying cross-file reference updates (29 updates across 4 files)...
✓ Updated cross-file references (29 updates applied)
✓ Migration complete (config transformed, state will be upgraded by provider)


========================================
✓ Migration Complete!
========================================

Results:
  Input (v4):  /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tf/v4
  Output (v5): /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5

Next steps:
  cd /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/migrated-v4_to_v5
  terraform init
  terraform plan

✓ Migration successful

Step 3: Testing v5 configurations
Running terraform init in migrated-v4_to_v5/...
Cleaning v5 .terraform directory for fresh init...
Removing .terraform.lock.hcl to allow dev_overrides...
✓ Terraform init successful
Running terraform plan in v5/...
⚠ Warning: Resource exemption in /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/drift-exemptions/zero_trust_local_fallback_domain.yaml specifies resource_types that don't match expected type cloudflare_zero_trust_local_fallback_domain                                                                                                                                                                                                                                              
✓ Terraform plan shows only computed value refreshes (ignored with --apply-exemptions)

Drift exemptions applied:
  - computed_value_refreshes: 3 change(s) exempted
  - precedence_recalculation: 1 change(s) exempted
Running terraform apply in v5/...
✓ Terraform apply successful
Capturing v5 state...
✓ Saved v5 state to tmp/v5-state.json

Step 4: Verifying stable state (v5 plan after apply)
Running terraform plan again to check for ongoing drift...
✓ No ongoing drift detected - migration achieved stable state!


========================================
Drift Report
========================================

✓ Exempted changes in v5 plan (before apply):
The following changes were detected but exempted by drift exemption rules:
  module.zero_trust_local_fallback_domain.cloudflare_zero_trust_device_custom_profile.custom_e2e:
    ~ default                        = false -> (known after apply) [exempted: computed_value_refreshes]
  module.zero_trust_local_fallback_domain.cloudflare_zero_trust_device_custom_profile.custom_e2e:
    + include                        = (known after apply) [exempted: computed_value_refreshes]
  module.zero_trust_local_fallback_domain.cloudflare_zero_trust_device_custom_profile.custom_e2e:
    ~ precedence                     = 876901 -> 1776 [exempted: precedence_recalculation]
  module.zero_trust_local_fallback_domain.cloudflare_zero_trust_device_custom_profile.custom_e2e:
    + target_tests                   = (known after apply) [exempted: computed_value_refreshes]



========================================
✓ E2E Test Complete!
========================================

Summary:

  Step 1: v4 terraform apply
    Status: ✓ SUCCESS

  Step 2: Migration (v4 → v5)
    Status: ✓ SUCCESS

  Step 3: v5 plan (before apply)
    Status: ⚠ Changes detected but all exempted
    Result: 0 real changes (4 exempted)
    Terraform: Plan: 0 to add, 1 to change, 0 to destroy.

  Step 4: v5 terraform apply
    Status: ✓ SUCCESS

  Step 5: v5 plan (after apply)
    Status: ✓ SUCCESS - Stable state achieved
    Result: No changes detected

Logs saved to:
  - /Users/cortlyons/development/cloudflare/sdk-repos/internal/terraform-devstack/tf-migrate/e2e/tmp

[ssicard]

I feel like this isnt the right place for a readme, id vote to delete it.

[SirCortly]

We have a lot of other readmes in the same spot for other resources. We probably need to do a full audit but I am going to leave it for now as it is an existing pattern.