Migrate cloudflare_zero_trust_access_application state from v5 to v6 #1570
Merged
guineveresaenger merged 3 commits on May 11, 2026
Captures v5 (5.49.0) state for cloudflare:index:AccessApplication so the upgrade path to v6 ZeroTrustAccessApplication can be tested. Recording uses bookmark + accountId to sidestep the inactive shared test zone; the migration logic is type-agnostic so any access-app state shape exercises it. Also tightens testProgram: skips with a clear message when CLOUDFLARE_ACCOUNT_ID is unset (instead of silently failing with diff noise from baked-in IDs in the recording), and reads cloudflare-domain from CLOUDFLARE_DOMAIN env so the hardcoded pulumi-cloudflare-demo.com default can be overridden. See #1165.
v5 stored cors_headers as a list (ListNestedBlock) and policies as a
list of strings; v6 expects cors_headers as a single object and
policies as [{id}]. Without a PreStateUpgradeHook the bridge encoder
fails with `objectEncoder failed on property "cors_headers": Expected
an Object PropertyValue, found []`.
Adds the hook (resources.go), a version-reminder test
(resources_test.go) matching the pattern from #1549/#1172, and a
hand-crafted state file + TestZeroTrustAccessApplicationFromState that
exercises the populated-array branches (corsHeaders array → object,
policies string array → object array) which the recorded bookmark test
can't reach because Cloudflare normalizes those fields away for
bookmark-type apps.
Fixes #1165.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
233fb0a to 256a005
Does the PR have any schema changes?

Looking good! No breaking changes found.

Maintainer note: consult the runbook for dealing with any breaking changes.
corymhall approved these changes May 11, 2026
This PR has been shipped in release v6.16.0.
Summary
`PreStateUpgradeHook` that strips empty `corsHeaders: []` and wraps string-array `policies` to `[{id}]` so v5 state decodes through the v6 bridge encoder.
Fixes #1165.
Fixes #1284.
Test plan
- `TestZeroTrustAccessApplicationUpgrade` passes (recorded baseline)
- `TestZeroTrustAccessApplicationFromState` passes (hand-crafted populated state)
- `TestZeroTrustAccessApplicationVersionReminder` passes

🤖 Generated with Claude Code
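The state reshaping described in the commit message above (`corsHeaders` list to single object, empty list dropped, `policies` strings to `[{id}]`), as an added example that is not the provider's own hook code. The function name `upgradeAccessAppState`, the plain `map[string]any` state representation, the sample values, and the choice to reject a multi-element `corsHeaders` list are assumptions made for illustration.

```go
package main

import "fmt"

// upgradeAccessAppState is a hypothetical helper, not the provider's PreStateUpgradeHook.
func upgradeAccessAppState(state map[string]any) (map[string]any, error) {
	out := make(map[string]any, len(state))
	for k, v := range state {
		out[k] = v
	}
	// corsHeaders: v5 stored a list, v6 expects one object; an empty list is stripped.
	if list, ok := out["corsHeaders"].([]any); ok {
		switch len(list) {
		case 0:
			delete(out, "corsHeaders")
		case 1:
			obj, isObj := list[0].(map[string]any)
			if !isObj {
				return nil, fmt.Errorf("corsHeaders[0]: expected object, got %T", list[0])
			}
			out["corsHeaders"] = obj
		default: // assumption: refuse rather than silently discard entries
			return nil, fmt.Errorf("corsHeaders: cannot collapse %d entries", len(list))
		}
	}
	// policies: v5 stored ID strings, v6 expects a list of {id} objects.
	if list, ok := out["policies"].([]any); ok {
		wrapped := make([]any, 0, len(list))
		for i, p := range list {
			switch t := p.(type) {
			case string:
				wrapped = append(wrapped, map[string]any{"id": t})
			case map[string]any: // already v6-shaped, so a second run is a no-op
				wrapped = append(wrapped, t)
			default:
				return nil, fmt.Errorf("policies[%d]: unexpected type %T", i, p)
			}
		}
		out["policies"] = wrapped
	}
	return out, nil
}

func main() {
	// Constructed sample state, not taken from the PR's recorded or hand-crafted fixtures.
	v5 := map[string]any{"policies": []any{"policy-a", "policy-b"},
		"corsHeaders": []any{map[string]any{"allowAllOrigins": true}}}
	fmt.Println(upgradeAccessAppState(v5))
}
```

Accepting already-wrapped `policies` entries keeps the transform idempotent, which matters if the same state passes through the upgrade path more than once.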