Summary
tf-migrate v1.0.1 reports success generating a removed {} block for cloudflare_zone_settings_override during Phase 1 (state cleanup), but the source .tf file is left unmodified except for whitespace formatting.
This is the same symptom class as #289 (closed, for cloudflare_zero_trust_split_tunnel).
Reproducer
A .tf file containing only:
resource "cloudflare_zone_settings_override" "widerivers_com" {
zone_id = "444f5d541a6bf40a524b9a78cb223c93"
settings {
http3 = "on"
webp = "on"
early_hints = "on"
brotli = "on"
always_use_https = "on"
ssl = "strict"
min_tls_version = "1.2"
tls_1_3 = "zrt"
security_level = "high"
}
}Plus a versions.tf requiring cloudflare/cloudflare ~> 4.50 and a v4 lock file.
Steps
tf-migrate --source-version v4 --target-version v5 --log-level debug migrate
Expected
The resource block is commented out (or moved to .backup) and a removed {} block is added:
removed {
from = cloudflare_zone_settings_override.widerivers_com
lifecycle { destroy = false }
}Observed
Tool prints:
✓ cloudflare-zone-settings.tf — commented out 1 resource block(s), added removed {} block(s)
Phase 1 complete.
But diff between original and migrated file shows ONLY whitespace changes in pre-existing comments (http3 = "on" # ... → http3 = "on" # ...). The resource block remains intact and active. No removed {} block is added.
A .backup file is created, but its contents differ from the modified file only in the same whitespace.
Environment
- tf-migrate v1.0.1 (released 2026-04-30)
- macOS arm64
- Source provider:
cloudflare/cloudflare ~> 4.50 (resolved to v4.52.7)
- Target: v5
Workaround
Manually add the removed {} block + comment out the resource, then re-run tf-migrate (Phase 2 then proceeds normally).
Why this matters
Phase 1 cleanup is documented as a hard prerequisite for Phase 2 in tf-migrate's own output. Silent failure here means users following the documented flow have no idea Phase 1 didn't actually happen, and a subsequent terraform plan against v5 will fail (or worse, half-succeed with mismatched state).
Same symptom class as #289. Suggest the fix from #289's discussion (hard error vs silent skip) be applied to all unstabilized resources, or at minimum updated to print a "SKIPPED: cloudflare_zone_settings_override needs manual Phase 1 cleanup — see " line instead of "✓ ... commented out".
Summary
tf-migrate v1.0.1reports success generating aremoved {}block forcloudflare_zone_settings_overrideduring Phase 1 (state cleanup), but the source.tffile is left unmodified except for whitespace formatting.This is the same symptom class as #289 (closed, for
cloudflare_zero_trust_split_tunnel).Reproducer
A
.tffile containing only:Plus a
versions.tfrequiringcloudflare/cloudflare ~> 4.50and a v4 lock file.Steps
Expected
The resource block is commented out (or moved to
.backup) and aremoved {}block is added:Observed
Tool prints:
But
diffbetween original and migrated file shows ONLY whitespace changes in pre-existing comments (http3 = "on" # ...→http3 = "on" # ...). The resource block remains intact and active. Noremoved {}block is added.A
.backupfile is created, but its contents differ from the modified file only in the same whitespace.Environment
cloudflare/cloudflare ~> 4.50(resolved to v4.52.7)Workaround
Manually add the
removed {}block + comment out the resource, then re-run tf-migrate (Phase 2 then proceeds normally).Why this matters
Phase 1 cleanup is documented as a hard prerequisite for Phase 2 in tf-migrate's own output. Silent failure here means users following the documented flow have no idea Phase 1 didn't actually happen, and a subsequent
terraform planagainst v5 will fail (or worse, half-succeed with mismatched state).Same symptom class as #289. Suggest the fix from #289's discussion (hard error vs silent skip) be applied to all unstabilized resources, or at minimum updated to print a "SKIPPED: cloudflare_zone_settings_override needs manual Phase 1 cleanup — see " line instead of "✓ ... commented out".