cloudflare_api_token_permission_groups decommissioned in v5, tool doesn't migrate existing usage in cloudflare_api_token resources #298

@carlogarciaau

tf-migrate version

v1.0.1

Migration path

v4 to v5

Affected resource type(s)

cloudflare_api_token_permission_groups, cloudflare_api_token

Description

The tool is not handling the deprecation of the cloudflare_api_token_permission_groups data source properly.
Specifically, in the context of a cloudflare_api_token resource, any reference to the above data source is being replaced with incorrect hard-coded permission group id values like DNS Read or DNS Write.

Input configuration

data "cloudflare_api_token_permission_groups" "all" {}

resource "cloudflare_api_token" "example_api_token" {
  name = "example_api_token"

  policy {
    permission_groups = [
      data.cloudflare_api_token_permission_groups.all.permissions["Zone Read"],
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Read"],
      data.cloudflare_api_token_permission_groups.all.permissions["DNS Write"],
    ]
..
..
..

Expected output

Permission_groups properly set. Example like in the provider guide:

resource "cloudflare_api_token" "example_api_token" {
  name = "workers read-only token"

  policies = [{
    resources = jsonencode({
      "com.cloudflare.api.account.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" = "*",
      "com.cloudflare.api.account.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" = "*",
    })
    effect = "allow"
    permission_groups = [{
      id = "1a71c399035b4950a1bd1466bbe4f420" // expect replacement for the data source instead of hardcode
      }, {
      id = "8b47d2786a534c08a1f94ee8f9f599ef" // expect replacement for the data source instead of hardcode
    }]
  }]
}

Actual output

resource "cloudflare_api_token" "example_api_token" {
  name = "example_api_token"


  policies = [{
    resources = jsonencode({
      "com.cloudflare.api.account.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" = "*",
      "com.cloudflare.api.account.yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy" = "*",
    })
    effect = "allow"
    permission_groups = [{
      id = "DNS Read"
      }, {
      id = "DNS Write"
      }, {
      id = "Zone Read"
    }]
  }]

Steps to reproduce

Preview changes without modifying files (dry run)

tf-migrate migrate --dry-run --source-version v4 --target-version v5

Apply the migration in-place

tf-migrate migrate --source-version v4 --target-version v5

Additional context

No response
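
A post-migration check for the failure reported above, as an added example that is not part of the original issue or of tf-migrate: it scans Terraform source for `permission_groups` entries whose literal `id` is not a 32-character hex string, which catches names such as `DNS Read` left where an id belongs. The hex-id format is an assumption based on the ids in the expected output; the function names and the sample input are constructed for illustration.

```python
import re

# Assumption: a valid permission group id is 32 lowercase hex characters,
# like the ids in the expected output quoted in this issue.
HEX_ID = re.compile(r"^[0-9a-f]{32}$")
PG_START = re.compile(r"permission_groups\s*=\s*\[")
ID_ATTR = re.compile(r'\bid\s*=\s*"([^"]*)"')

# Constructed sample: the issue's "Actual output" ids plus one hex id.
SAMPLE = '''resource "cloudflare_api_token" "example_api_token" {
  policies = [{
    permission_groups = [{
      id = "DNS Read"
      }, {
      id = "1a71c399035b4950a1bd1466bbe4f420"
      }, {
      id = "Zone Read"
    }]
  }]
}
'''

def _list_body(text, open_idx):
    """Return the text between the '[' at open_idx and its matching ']'."""
    depth, in_str = 0, False
    for i, ch in enumerate(text[open_idx:], open_idx):
        if ch == '"' and text[i - 1] != "\\":
            in_str = not in_str
        elif not in_str and ch == "[":
            depth += 1
        elif not in_str and ch == "]":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]  # unterminated list: scan what is there

def find_bad_permission_group_ids(tf_source):
    """Return (line, value) for each literal id that is not a hex id."""
    findings = []
    for m in PG_START.finditer(tf_source):
        open_idx = m.end() - 1  # index of the opening '['
        for id_m in ID_ATTR.finditer(_list_body(tf_source, open_idx)):
            if not HEX_ID.match(id_m.group(1)):
                offset = open_idx + 1 + id_m.start(1)
                line = tf_source.count("\n", 0, offset) + 1
                findings.append((line, id_m.group(1)))
    return findings

if __name__ == "__main__":
    print(find_bad_permission_group_ids(SAMPLE))
```

Running this over the migrated files before `terraform plan` surfaces every token policy that needs a real permission group id.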

Labels: bug