pulumi-cloudflare

AccessApplication resource fails to upgrade from v5 to v6 due to invalid 'cors_headers'

Open ollaw opened this issue 4 months ago • 4 comments

Describe what happened

For the migration between v5 and v6 Provider, I'm trying to migrate the AccessApplication resource. Following the migration guide the resource was renamed to ZeroTrustAccessApplication (but the old resource still exists, even if deprecated).

Sample program

From this code with pulumi-cloudflare v5.49.1

import pulumi_cloudflare as cloudflare 

cloudflare.AccessApplication(
    "my-app",
    cors_headers=[
        cloudflare.AccessApplicationCorsHeaderArgs(
            allow_credentials=True,
            allowed_methods=[
                "GET",
                "POST",
                "OPTIONS",
            ],
            allowed_origins=["my.app.it"],
            max_age=10,
        )
    ],
    domain="my.app.it",
    name="my-name",
    session_duration="24h",
    type="self_hosted",
    zone_id="abcedf13245",
    allowed_idps=["idp1", "idp2", ...],
)

To this with pulumi-cloudflare v6.4.0

import pulumi_cloudflare as cloudflare 

cloudflare.AccessApplication( 
    "my-app",
    cors_headers=cloudflare.AccessApplicationCorsHeadersArgs(
        allow_credentials=True,
        allowed_methods=[
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowed_origins=["my.app.it"],
        max_age=10,
    ),
    domain="my.app.it",
    name="my-name",
    session_duration="24h",
    type="self_hosted",
    zone_id="abcedf13245",
    allowed_idps=["idp1", "idp2", ...],
)

Same happens with ZeroTrustAccessApplication.

Log output

error: [pf/tfbridge] Error calling EncodePropertyMap: objectEncoder failed on property "cors_headers":
Expected an Object PropertyValue, found [] ("{[{map[allowAllHeaders:{false} allowAllMethods:{false} allowAllOrigins:{false} allowCredentials:{true} allowedHeaders:{[]} allowedMethods:{[{GET} {OPTIONS} {POST}]} allowedOrigins:{[{*****.****.it}]} maxAge:{10}]}]}")

Affected Resource(s)

AccessApplication but there are many more.

Output of pulumi about

CLI
Version      3.178.0
Go Version   go1.24.4
Go Compiler  gc

Plugins
KIND      NAME            VERSION
resource  archive         0.3.3
resource  auth0           3.22.0
resource  aws             6.83.0
resource  cloudamqp       3.22.0
resource  cloudflare      6.4.0
resource  command         1.1.0
resource  confluentcloud  2.32.0
resource  datadog         4.52.0
resource  kubernetes      4.23.0
resource  mysql           0.0.11
resource  postgresql      3.15.2
language  python          3.178.0
resource  rabbitmq        3.3.10
resource  random          4.18.2
resource  time            0.1.1
resource  vault           7.1.0

Host
OS       ubuntu
Version  24.04
Arch     x86_64

This project is written in python: executable='/home/gabrieleolla/projects/artemide/pulumi/projects/.venv/bin/python' version='3.11.11'

Current Stack: organization/bolla/bolla.production

TYPE  URN
pulumi:pulumi:Stack  urn:pulumi:bolla.production::bolla::pulumi:pulumi:Stack::bolla-bolla.production
pulumi:providers:aws  urn:pulumi:bolla.production::bolla::pulumi:providers:aws::default_6_83_0
prima:cloudflare:Access  urn:pulumi:bolla.production::bolla::prima:cloudflare:Access::bolla-production
pulumi:providers:pulumi  urn:pulumi:bolla.production::bolla::pulumi:providers:pulumi::default
pulumi:pulumi:StackReference  urn:pulumi:bolla.production::bolla::pulumi:pulumi:StackReference::organization/core/core.production
pulumi:providers:cloudflare  urn:pulumi:bolla.production::bolla::pulumi:providers:cloudflare::default_5_49_1
cloudflare:index/accessServiceToken:AccessServiceToken  urn:pulumi:bolla.production::bolla::cloudflare:index/accessServiceToken:AccessServiceToken::crash-bolla-access-token
cloudflare:index/accessServiceToken:AccessServiceToken  urn:pulumi:bolla.production::bolla::cloudflare:index/accessServiceToken:AccessServiceToken::borat-bolla-access-token
cloudflare:index/accessServiceToken:AccessServiceToken  urn:pulumi:bolla.production::bolla::cloudflare:index/accessServiceToken:AccessServiceToken::fantozzi-bolla-access-token
cloudflare:index/accessServiceToken:AccessServiceToken  urn:pulumi:bolla.production::bolla::cloudflare:index/accessServiceToken:AccessServiceToken::emiglio-bolla-access-token
cloudflare:index/accessServiceToken:AccessServiceToken  urn:pulumi:bolla.production::bolla::cloudflare:index/accessServiceToken:AccessServiceToken::starsky-bolla-access-token
cloudflare:index/accessApplication:AccessApplication  urn:pulumi:bolla.production::bolla::prima:cloudflare:Access$cloudflare:index/accessApplication:AccessApplication::bolla-production-application
cloudflare:index/accessGroup:AccessGroup  urn:pulumi:bolla.production::bolla::cloudflare:index/accessGroup:AccessGroup::crash-bolla-access-group
cloudflare:index/accessGroup:AccessGroup  urn:pulumi:bolla.production::bolla::cloudflare:index/accessGroup:AccessGroup::borat-bolla-access-group
cloudflare:index/accessGroup:AccessGroup  urn:pulumi:bolla.production::bolla::cloudflare:index/accessGroup:AccessGroup::fantozzi-bolla-access-group
cloudflare:index/accessGroup:AccessGroup  urn:pulumi:bolla.production::bolla::cloudflare:index/accessGroup:AccessGroup::emiglio-bolla-access-group
cloudflare:index/accessGroup:AccessGroup  urn:pulumi:bolla.production::bolla::cloudflare:index/accessGroup:AccessGroup::starsky-bolla-access-group
cloudflare:index/accessPolicy:AccessPolicy  urn:pulumi:bolla.production::bolla::prima:cloudflare:Access$cloudflare:index/accessPolicy:AccessPolicy::bolla-production-allow-service-tokens-policy

Found no pending operations associated with bolla.production

Backend
Name           L-PA-PW0CVKL1
URL            s3://**********
User           gabrieleolla
Organizations
Token type     personal

Dependencies:
NAME                   VERSION
black                  25.1.0
flake8                 7.3.0
isort                  6.0.1
mypy                   1.17.0
prima-pulumi           1.18.1
types-boto3-s3control  1.39.2

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction. To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

ollaw • Jul 16 '25 11:07

Thanks for letting us know @ollaw - this is one of several issues where the provider needs an explicit state migration for this resource but is currently lacking one. Very not ideal, I understand, but while this awaits engineering availability you can work around by editing the state manually: pulumi stack export --file stack.json, editing the value to match the schema, and pulumi stack import --file stack.json.

t0yv0 • Jul 16 '25 20:07

> while this awaits engineering availability

Is this something that could be addressed in an upcoming release? I saw that for Terraform, they’re suggesting the use of a custom tool (Grit, if I recall correctly) to migrate the state. I’m curious to see what the approach will be for Pulumi.

ollaw • Jul 17 '25 07:07

Yes, upstream is using https://docs.grit.io to migrate sources but have provided no facilities to migrate the state. One alternative to migrating the state is importing it from the cloud - that's recommended upstream and it can work for Pulumi as well, if you update the sources correctly.

Unfortunately something like grit.io is more complicated for Pulumi since multiple programming languages are implicated, not just HCL/Terraform.

t0yv0 • Jul 17 '25 14:07

> Very not ideal, I understand, but while this awaits engineering availability you can work around by editing the state manually: pulumi stack export --file stack.json, editing the value to match the schema, and pulumi stack import --file stack.json.

That would be removing "corsHeaders": [], from the outputs for this one, in case someone is wondering.

somatorio • Jul 18 '25 14:07
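
The manual state edit described in the comments above, scripted as an added example (not code from the issue participants or the Pulumi project). It assumes the exported file keeps resources under `deployment.resources` with `inputs` and `outputs` maps, and that a one-element `corsHeaders` list can be unwrapped into the object the error message asks for; `SAMPLE_STATE` is constructed, and the original export is never overwritten.

```python
import copy
import json
import sys

# Resource names from the issue, matched on the last segment of the type token.
APP_TYPES = {"AccessApplication", "ZeroTrustAccessApplication"}

# Constructed sample in the assumed `pulumi stack export` layout.
SAMPLE_STATE = {"version": 3, "deployment": {"resources": [
    {"urn": "urn:pulumi:dev::demo::cloudflare:index/accessApplication:AccessApplication::app-a",
     "type": "cloudflare:index/accessApplication:AccessApplication",
     "inputs": {"name": "app-a", "corsHeaders": [{"allowCredentials": True, "maxAge": 10}]},
     "outputs": {"name": "app-a", "corsHeaders": []}},
    {"urn": "urn:pulumi:dev::demo::cloudflare:index/accessServiceToken:AccessServiceToken::tok",
     "type": "cloudflare:index/accessServiceToken:AccessServiceToken",
     "outputs": {"name": "tok"}},
]}}

def migrate_cors_headers(state):
    """Return (new_state, report); the input state is left untouched."""
    new_state, report = copy.deepcopy(state), []
    for res in new_state.get("deployment", {}).get("resources", []):
        if res.get("type", "").split(":")[-1] not in APP_TYPES:
            continue
        for section in ("inputs", "outputs"):
            props = res.get(section)
            if not isinstance(props, dict) or not isinstance(props.get("corsHeaders"), list):
                continue  # absent, already an object, or a secret wrapper
            value = props["corsHeaders"]
            if not value:
                del props["corsHeaders"]  # the edit described in the last comment
                action = "removed empty list"
            elif len(value) == 1 and isinstance(value[0], dict):
                props["corsHeaders"] = value[0]  # assumption: unwrap list into object
                action = "unwrapped single element"
            else:
                action = "left unchanged (needs manual review)"
            report.append((res.get("urn"), section, action))
    return new_state, report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: migrate.py stack.json stack.migrated.json")
    with open(sys.argv[1]) as fh:
        migrated, changes = migrate_cors_headers(json.load(fh))
    for urn, section, action in changes:
        print(f"{section}: {action}: {urn}")
    with open(sys.argv[2], "w") as fh:  # written to a new file, export kept as backup
        json.dump(migrated, fh, indent=4)
```

Review the printed report and diff the two files before running `pulumi stack import --file` on the migrated copy.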