5.19.0-beta.1 (2026-03-03)
Disclaimer: Please note that v5.19.0-beta.1 is in Beta and we are still testing it for stability.
Migration Support Release
This release enables automatic state upgraders for v4 to v5 migrations, dramatically simplifying the upgrade path. Combined with the tf-migrate CLI tool for HCL configuration changes, migrating to v5 is now significantly easier than before.
Key Highlights
-
Automatic State Migration: 60+ resources now include built-in state upgraders that automatically transform v4 (SDKv2) state to v5 (Plugin Framework) state during
terraform planorterraform apply. No manual state file editing required. -
tf-migrate CLI Tool: A new CLI tool handles HCL configuration rewrites,
movedblock generation, and cross-file reference updates. Download from tf-migrate releases. -
Grit Deprecation: Grit-based migrations are now deprecated and will be removed in a future release. Use
tf-migrateinstead. -
New Migration Guide: See the version 5 migration guide for the recommended migration path.
Upgrade Path Requirements
| Your Current Version | Action Required |
|---|---|
| v4.x (any version) | Upgrade to v4.52.5 first, then follow the migration guide |
| v5.0 -- v5.16 | Must upgrade to v5.17 or v5.18 first, then upgrade to v5.19+ |
| v5.17 -- v5.18 | Upgrade directly to v5.19+ |
| v5.19+ | Normal minor version upgrade |
Important: Users on v5.16 or earlier using any of the 17 stepping-stone resources must upgrade to v5.17/v5.18 before v5.19 to ensure correct state upgrader execution.
Resources with State Upgraders (v4 to v5 transformation)
The following 61 resources now include state upgraders that automatically transform state from v4 format to v5:
| Category | Resources |
|---|---|
| Zones & DNS | zone, zone_dnssec, zone_subscription, dns_record
|
| Load Balancing | load_balancer, load_balancer_monitor, load_balancer_pool
|
| Cache & Performance | tiered_cache, argo_smart_routing, argo_tiered_caching, page_rule, ruleset
|
| Workers | workers_script, workers_route, workers_kv, workers_kv_namespace, workers_for_platforms_dispatch_namespace
|
| Pages | pages_project
|
| Logs & Analytics | logpush_job, logpull_retention
|
| Security | access_rule, api_shield, api_shield_operation, bot_management, custom_pages, healthcheck
|
| Certificates | certificate_pack, origin_ca_certificate, authenticated_origin_pulls_certificate, authenticated_origin_pulls_settings
|
| Rules & Lists | list, list_item, managed_transforms, regional_hostname, snippet, snippet_rules, url_normalization_settings
|
| Spectrum | spectrum_application
|
| Queues | queue, queue_consumer
|
| R2 | r2_bucket
|
| Notifications | notification_policy, notification_policy_webhooks
|
| API Tokens | api_token
|
| Custom Hostnames | custom_hostname_fallback_origin
|
| Zero Trust Access | zero_trust_access_application, zero_trust_access_group, zero_trust_access_identity_provider, zero_trust_access_mtls_certificate, zero_trust_access_mtls_hostname_settings, zero_trust_access_policy, zero_trust_access_service_token
|
| Zero Trust Devices | zero_trust_device_managed_networks, zero_trust_device_posture_rule, zero_trust_dex_test
|
| Zero Trust DLP | zero_trust_dlp_custom_profile, zero_trust_dlp_predefined_profile
|
| Zero Trust Gateway | zero_trust_gateway_policy, zero_trust_list
|
| Zero Trust Tunnels | zero_trust_tunnel_cloudflared, zero_trust_tunnel_cloudflared_config, zero_trust_tunnel_cloudflared_route
|
Resources with Schema Version Bump (no-op upgraders)
The following 31 resources received schema version bumps to v500 with no-op state upgraders (state format unchanged, version tracking only):
| Category | Resources |
|---|---|
| Account | account_member, address_map
|
| Email Routing | email_routing_address, email_routing_catch_all, email_routing_rule, email_routing_settings
|
| Firewall (Deprecated) | filter, firewall_rule, rate_limit, user_agent_blocking_rule, zone_lockdown
|
| Magic WAN | magic_wan_gre_tunnel, magic_wan_ipsec_tunnel, magic_wan_static_route
|
| SSL/TLS | total_tls
|
| Waiting Room | waiting_room, waiting_room_event, waiting_room_rules, waiting_room_settings
|
| Web3 | web3_hostname
|
| Workers | worker_version, workers_cron_trigger, workers_custom_domain
|
| Zone Settings | zone_cache_variants, zone_setting
|
| Zero Trust | zero_trust_access_key_configuration, zero_trust_access_short_lived_certificate, zero_trust_device_default_profile_certificates, zero_trust_dns_location, zero_trust_gateway_logging, zero_trust_gateway_proxy_endpoint
|
Features
- zero_trust_access_application: Add OAuth configuration support with
oauth_configurationattribute, including dynamic client registration and grant settings
Bug Fixes
- client_certificate: Fix CSR drift with certificate normalization
- custom_origin_trust_store: Fix certificate drift with normalization
- zone_dnssec: Allow computed fields which will change during refresh
Documentation
- Added comprehensive version 5 migration guide
- Deprecated Grit-based migration instructions in the version 5 upgrade guide
- Updated
tf-migrateversion references to v1.0.0-beta.2