Getting "Resource instance managed by newer provider version" while using latest provider version

wollo77 · November 11, 2025, 1:45pm

I want to upgrade a TF state for cloudflare from provider version ~4 to version ~5 and from TF 1.8.5 to 1.13.5.

The upgrade appears to be successful, but now, when I execute terraform plan, I am getting the message:

│ Error: Resource instance managed by newer provider version
│
│ The current state of module.cloudflare_ipa_waf_rules["development-001"].cloudflare_ruleset.zone_level_waf_custom_ruleset was created by a newer provider version than is currently selected. Upgrade the cloudflare provider to work with this state.

The objects causing issues are of the type cloudflare_ruleset. In the verbose log, I am seeing:

2025-11-11T14:11:51.175+0100 [TRACE] upgradeResourceState: can't downgrade state for module.cloudflare_ipa_waf_rules["development-001"].cloudflare_ruleset.zone_level_waf_custom_ruleset from version 1 to 0

Am I missing something here? If I have upgraded the state and I am on a current TF and provider version, why might I get this error? The message implies that I must be using an older version than the state, but it’s actually the other way round.

Not sure if this is related, but the remote state (in S3) is still showing the previously used TF version. Should this already change in the remote state after executing terraform init -upgradeor only after the next apply?

jbardin · November 11, 2025, 6:07pm

Hi @wollo77,

A schema version can only ever increase, so if the provider inadvertently changed the version back to 0, you should file an issue with the provider.

apparentlymart · November 11, 2025, 9:38pm

Indeed, in version 4 of the provider the schema version of this resource type is set to 1:

github.com/cloudflare/terraform-provider-cloudflare

internal/framework/service/rulesets/schema.go

de70c1ddd


      
          func (r *RulesetResource) Schema(ctx context.Context, req resource.SchemaRequest, resp *resource.SchemaResponse) {
          	resp.Schema = schema.Schema{
          		Version: 1,

It seems that for v5 the provider developers switched to an approach of generating the schema automatically based on OpenAPI definitions, but the new auto-generated version of that schema doesn’t set Version and so has effectively set version back to zero again:

github.com/cloudflare/terraform-provider-cloudflare

internal/services/ruleset/schema.go

057b6a79a


      
          func ResourceSchema(ctx context.Context) schema.Schema {
          	return schema.Schema{
          		Attributes: map[string]schema.Attribute{
          			"id": schema.StringAttribute{
          				Description: "The unique ID of the ruleset.",
          				Computed:    true,
          				Validators: []validator.String{
          					stringvalidator.RegexMatches(
          						regexp.MustCompile("^[0-9a-f]{32}$"),
          						"value must be a 32-character hexadecimal string",
          					),
          				},
          				PlanModifiers: []planmodifier.String{stringplanmodifier.UseStateForUnknown()},
          			},
          			"account_id": schema.StringAttribute{
          				Description: "The unique ID of the account.",
          				Optional:    true,
          				Validators: []validator.String{
          					stringvalidator.ExactlyOneOf(path.MatchRoot("zone_id")),
          					stringvalidator.RegexMatches(

This file has been truncated. show original

Some similar challenges were reported for other resource types, though I couldn’t find an existing one for cloudflare_ruleset in particular:

Unless the provider devs make a new release with the schema version number set back to 1, I think the only immediate path to resolve this would be to use terraform state rm to remove the affected objects from the state and then use terraform import to reimport them using the latest version of the provider, at which point the imported objects should use the current version 0.

wollo77 · November 12, 2025, 4:10pm

That is essentially what I had expected, thanks for the confirmation.

I have opened a support ticket with cloudflare and reported this as a bug, let’s hope this will be fixed.

apparentlymart · November 12, 2025, 10:57pm

Cool! Just for the sake of making this discoverable for someone who might find this discussion thread in future, the relevant issue in the provider repository is here:

github.com/cloudflare/terraform-provider-cloudflare

Getting “Resource instance managed by newer provider version” while using latest provider version

opened 04:11PM - 12 Nov 25 UTC

wollo77

kind/bug needs-triage

### Confirmation - [x] This is a bug with an existing resource and is not a fea…ture request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team. - [x] I have searched the issue tracker and my issue isn't already found. - [x] I have replicated my issue using the latest version of the provider and it is still present. ### Terraform and Cloudflare provider version Terraform v1.13.5 provider registry.terraform.io/cloudflare/cloudflare v5.12.0 ### Affected resource(s) cloudflare_ruleset ### Terraform configuration files ```hcl resource "cloudflare_ruleset" "zone_level_waf_custom_ruleset" { kind = "zone" name = "default" phase = "http_request_firewall_custom" zone_id = var.zone_id rules = [ { ref = "block_crimea" action = "block" description = "Block Crimea" enabled = true expression = "ip.geoip.subdivision_1_iso_code eq \"UA-43\"" }, ... ``` ### Link to debug output https://gist.github.com/wollo77/992dd6a4a5480f6172aef31822397655 ### Panic output _No response_ ### Expected output I want to upgrade a TF state for cloudflare from provider version ~4 to version ~5 and from TF 1.8.5 to 1.13.5. The provider should be able to execute terraform plan after upgrading to the v5 provider from v4. ### Actual output The upgrade command executes without issue to be successful, but now, when I execute terraform plan, I am getting the message: ``` │ Error: Resource instance managed by newer provider version │ │ The current state of module.cloudflare_ipa_waf_rules["development-001"].cloudflare_ruleset.zone_level_waf_custom_ruleset was created by a newer provider version than is currently selected. Upgrade the cloudflare provider to work with this state. ``` The objects causing issues are of the type cloudflare_ruleset. In the verbose log, I am seeing: ``` 2025-11-11T14:11:51.175+0100 [TRACE] upgradeResourceState: can't downgrade state for module.cloudflare_ipa_waf_rules["development-001"].cloudflare_ruleset.zone_level_waf_custom_ruleset from version 1 to 0 ``` ### Steps to reproduce Update existing ruleset configuration with necessary changes according to documentation. Execute `terraform init -upgrade`, followed by `terraform plan` ### Additional factoids According to the log, the version of cloudflare_rules went from 1 to 0, but it should only increase with an upgrade to a newer version. Also discussed here on terraform forums: https://discuss.hashicorp.com/t/getting-resource-instance-managed-by-newer-provider-version-while-using-latest-provider-version/76765/4 ### References _No response_

Topic		Replies	Views
Provider version conflict Terraform	8	18838	May 18, 2021
Resource instance managed by newer provider version Terraform	3	6203	January 18, 2024
Error: Unable to Read Previously Saved State for UpgradeResourceState Terraform azure	5	4280	January 19, 2024
Upgrade from 0.11 to latest Terraform	12	4559	May 9, 2023
AWS Provider version update impact Terraform	1	608	December 1, 2021

Getting "Resource instance managed by newer provider version" while using latest provider version

Related topics