feat(zone_setting): v4 to v5 migration (#84)

Author: tamas-jozsa

e2e/drift-exemptions.yaml

@@ -45,6 +45,54 @@ exemptions:
       - '\+ country_code = '
     enabled: true
 
+  # Zone setting migrations: one-to-many transformation
+  # The v4 cloudflare_zone_settings_override resource is deleted from state and splits
+  # into multiple v5 cloudflare_zone_setting resources. This causes expected initial
+  # drift where all v5 resources need to be created via terraform apply.
+  - name: "zone_setting_migration_drift"
+    description: "Allow zone_setting resources to be created after migration (one-to-many transformation)"
+    resource_types:
+      - "cloudflare_zone_setting"
+    patterns:
+      - "will be created"
+      - "\\+ resource"
+      - "cloudflare_zone_setting"
+      - "zone_setting"
+      - "\\+ editable"
+      - "\\+ enabled"
+      - "\\+ id"
+      - "\\+ modified_on"
+      - "\\+ setting_id"
+      - "\\+ time_remaining"
+      - "\\+ value"
+      - "\\+ zone_id"
+      - "known after apply"
+      - "~ value"
+      - "~ editable"
+      - "~ modified_on"
+      - "\\+ strict_transport_security"
+      - "\\+ include_subdomains"
+      - "\\+ max_age"
+      - "\\+ nosniff"
+      - "\\+ preload"
+    enabled: true
+
+  # Some zone settings may not be supported on all plans/zones (e.g., 0rtt on free plans)
+  # These settings will show ongoing drift as the API doesn't accept the value
+  - name: "zone_setting_unsupported_features"
+    description: "Ignore zone settings that aren't supported on this zone's plan or have API bugs"
+    resource_types:
+      - "cloudflare_zone_setting"
+    attributes:
+      - "value"
+    patterns:
+      - "0rtt"
+      - "with_name_mapping_zero_rtt"
+      - "tls_1_3"
+      - "with_interpolation_tls_1_3"
+      - 'zrt.*on'
+    enabled: true
+
   # Example: Ignore specific resource types
   # - name: "zone_dnssec_computed"
   #   description: "Ignore computed changes in zone DNSSEC resources"

integration/v4_to_v5/integration_test.go

@@ -34,6 +34,7 @@ import (
 	_ "github.com/cloudflare/tf-migrate/internal/resources/zero_trust_dlp_custom_profile"
 	_ "github.com/cloudflare/tf-migrate/internal/resources/zero_trust_gateway_policy"
 	_ "github.com/cloudflare/tf-migrate/internal/resources/zero_trust_list"
+	_ "github.com/cloudflare/tf-migrate/internal/resources/zone_setting"
 )
 
 // TestMain explicitly registers migrations for this version path

integration/v4_to_v5/testdata/zone_setting/expected/terraform.tfstate

@@ -0,0 +1,54 @@
+{
+  "lineage": "test-zone-settings-override",
+  "outputs": {},
+  "resources": [
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "minimal",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_integers",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_minify",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_security_header",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "comprehensive",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    }
+  ],
+  "serial": 1,
+  "terraform_version": "1.5.0",
+  "version": 4
+}

integration/v4_to_v5/testdata/zone_setting/expected/zone_setting.tf

@@ -0,0 +1,167 @@
+# Zone Settings Migration Test - Safe settings for all plans
+# Covers migration patterns without plan-restricted features
+
+variable "cloudflare_account_id" {
+  description = "Cloudflare account ID"
+  type        = string
+}
+
+variable "cloudflare_zone_id" {
+  description = "Cloudflare zone ID"
+  type        = string
+}
+
+variable "cloudflare_domain" {
+  description = "Cloudflare domain for testing"
+  type        = string
+}
+
+locals {
+  primary_zone_id = var.cloudflare_zone_id
+  cache_ttls      = [14400, 28800, 43200]
+}
+
+
+
+
+# Test Cases 4-6: Removed - Invalid Pattern
+# Multiple zone_settings_override resources for the same zone will conflict
+# In v4, cloudflare_zone_settings_override manages ALL settings for a zone
+# Having multiple such resources causes them to overwrite each other
+# This pattern is not supported and should not be used
+
+# Test Case 7: Conditional creation
+locals {
+  enable_advanced_settings = true
+  enable_test_settings     = false
+}
+
+
+
+
+
+
+
+
+resource "cloudflare_zone_setting" "minimal_always_online" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "always_online"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "minimal_brotli" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "brotli"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_integers_browser_cache_ttl" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "browser_cache_ttl"
+  value      = 14400
+}
+resource "cloudflare_zone_setting" "with_integers_challenge_ttl" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "challenge_ttl"
+  value      = 1800
+}
+resource "cloudflare_zone_setting" "with_security_header_ssl" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "ssl"
+  value      = "flexible"
+}
+resource "cloudflare_zone_setting" "with_security_header_security_header" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "security_header"
+  value = {
+    strict_transport_security = {
+      enabled            = true
+      include_subdomains = true
+      max_age            = 86400
+      nosniff            = true
+      preload            = true
+    }
+  }
+}
+resource "cloudflare_zone_setting" "conditional_enabled_rocket_loader" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "rocket_loader"
+  value      = "on"
+  count      = local.enable_advanced_settings ? 1 : 0
+}
+resource "cloudflare_zone_setting" "conditional_enabled_websockets" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "websockets"
+  value      = "on"
+  count      = local.enable_advanced_settings ? 1 : 0
+}
+resource "cloudflare_zone_setting" "conditional_disabled_browser_check" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "browser_check"
+  value      = "on"
+  count      = local.enable_test_settings ? 1 : 0
+}
+resource "cloudflare_zone_setting" "with_functions_browser_cache_ttl" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "browser_cache_ttl"
+  value      = lookup({ "default" = 14400, "custom" = 28800 }, "default")
+}
+resource "cloudflare_zone_setting" "with_functions_cache_level" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "cache_level"
+  value      = "aggressive"
+}
+resource "cloudflare_zone_setting" "with_interpolation_automatic_https_rewrites" {
+  zone_id    = local.primary_zone_id
+  setting_id = "automatic_https_rewrites"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_interpolation_min_tls_version" {
+  zone_id    = local.primary_zone_id
+  setting_id = "min_tls_version"
+  value      = "1.2"
+}
+resource "cloudflare_zone_setting" "with_lifecycle_always_online" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "always_online"
+  value      = "on"
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+resource "cloudflare_zone_setting" "with_lifecycle_ipv6" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "ipv6"
+  value      = "on"
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+resource "cloudflare_zone_setting" "with_ignore_changes_email_obfuscation" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "email_obfuscation"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_ignore_changes_server_side_exclude" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "server_side_exclude"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_name_mapping_http2" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "http2"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_name_mapping_http3" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "http3"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_deprecated_always_online" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "always_online"
+  value      = "on"
+}
+resource "cloudflare_zone_setting" "with_deprecated_brotli" {
+  zone_id    = var.cloudflare_zone_id
+  setting_id = "brotli"
+  value      = "on"
+}

integration/v4_to_v5/testdata/zone_setting/input/terraform.tfstate

@@ -0,0 +1,54 @@
+{
+  "lineage": "test-zone-settings-override",
+  "outputs": {},
+  "resources": [
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "minimal",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_integers",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_minify",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_security_header",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "comprehensive",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    }
+  ],
+  "serial": 1,
+  "terraform_version": "1.5.0",
+  "version": 4
+}

integration/v4_to_v5/testdata/zone_setting/input/terraform.tfstate.backup

@@ -0,0 +1,54 @@
+{
+  "lineage": "test-zone-settings-override",
+  "outputs": {},
+  "resources": [
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "minimal",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_integers",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_minify",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "with_security_header",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    },
+    {
+      "instances": [
+        {}
+      ],
+      "mode": "managed",
+      "name": "comprehensive",
+      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
+      "type": "cloudflare_zone_setting"
+    }
+  ],
+  "serial": 1,
+  "terraform_version": "1.5.0",
+  "version": 4
+}