
`cloudflare_zero_trust_access_identity_provider` permanent drift

Open devodev opened this issue 6 months ago • 4 comments

Confirmation

  • [x] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • [x] I have searched the issue tracker and my issue isn't already found.
  • [x] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.12.1 on windows_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v5.5.0
  • provider registry.terraform.io/siderolabs/talos v0.8.1

Affected resource(s)

  • cloudflare_zero_trust_access_identity_provider

Terraform configuration files

resource "cloudflare_zero_trust_access_identity_provider" "google_cloud_identity" {
  account_id = var.account_id
  name       = "MY_DOMAIN"
  type       = "google-apps"

  config = {
    apps_domain  = "MY_DOMAIN"
    client_id    = "MY_CLIENT_ID.apps.googleusercontent.com"
    pkce_enabled = true
  }
}

Link to debug output

https://gist.github.com/devodev/5997dcc91915bea58c39861921a476bb

Panic output

No response

Expected output

Should be no drift

Actual output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.cloudflare_zerotrust.cloudflare_zero_trust_access_identity_provider.google_cloud_identity will be updated in-place
  ~ resource "cloudflare_zero_trust_access_identity_provider" "google_cloud_identity" {
      ~ config      = {
          ~ redirect_url = "https://MY_DOMAIN.cloudflareaccess.com/cdn-cgi/access/callback" -> (known after apply)
          + sign_request = false
            # (3 unchanged attributes hidden)
        }
        id          = "REDACTED"
        name        = "MY_DOMAIN"
      ~ scim_config = {
          ~ enabled                  = false -> (known after apply)
          + identity_update_behavior = (known after apply)
          + scim_base_url            = (known after apply)
          ~ seat_deprovision         = false -> (known after apply)
          + secret                   = (sensitive value)
          ~ user_deprovision         = false -> (known after apply)
        } -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to reproduce

Keep running terraform plan/apply with above TF config

Additional factoids

Working OK in 5.1.0, stops working in 5.2.0+

References

Seems like the same issue as this one for ruleset: https://github.com/cloudflare/terraform-provider-cloudflare/issues/5390
And fixed in: https://github.com/cloudflare/terraform-provider-cloudflare/pull/5391

devodev avatar Jun 08 '25 16:06 devodev
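The following is an added example, not part of the issue and not code from the provider project: the reporter's resource with a lifecycle workaround that suppresses the plan-time diff on exactly the attributes the plan above reports as "(known after apply)" on every run (config.redirect_url, config.sign_request and the whole scim_config object). The required_providers pin, the variable declaration, and the assumption that a plugin-framework object attribute can be addressed as config.redirect_url inside ignore_changes are mine, not taken from the thread.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
      # Assumed pin to the reporter's version; the thread says 5.2.0 through 5.6.x drift.
      version = "5.5.0"
    }
  }
}

# Assumed declaration; the issue only shows var.account_id being referenced.
variable "account_id" {
  type = string
}

resource "cloudflare_zero_trust_access_identity_provider" "google_cloud_identity" {
  account_id = var.account_id
  name       = "MY_DOMAIN"
  type       = "google-apps"

  config = {
    apps_domain  = "MY_DOMAIN"
    client_id    = "MY_CLIENT_ID.apps.googleusercontent.com"
    pkce_enabled = true
  }

  # Workaround while on an affected release: Terraform keeps the prior state
  # value for these attributes instead of letting the provider re-plan them as
  # unknown on every run. Remove this block once on a release with the fix.
  lifecycle {
    ignore_changes = [
      config.redirect_url, # assumed path syntax for the nested object attribute
      config.sign_request,
      scim_config,
    ]
  }
}
```

Verify the workaround with `terraform apply` followed by `terraform plan -detailed-exitcode`, which should exit 0 once the diff is suppressed. The trade-off is that ignore_changes disables drift detection on those attributes: an out-of-band change to the Access callback URL or to SCIM provisioning settings will no longer surface in a plan, so the block should not outlive the provider upgrade, and scim_config should not be ignored at all if SCIM is actually managed through Terraform.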

I got the same issue. I hope this permanent drift will be resolved soon (or I would be happy to try to fix this).

hgsgtk avatar Jun 09 '25 11:06 hgsgtk

This one will be fixed by #5645. Thanks!

jhutchings1 avatar Jun 09 '25 21:06 jhutchings1

On 5.6.0 I have constant drift because of config.redirect_url

Kiblyn11 avatar Jun 18 '25 17:06 Kiblyn11

On 5.6.0 I have constant drift because of config.redirect_url

@Kiblyn11 Can you open a new issue for that if it's not known? Want to make sure we don't lose it. Thanks!

jhutchings1 avatar Jun 19 '25 00:06 jhutchings1

This should be fixed in 5.7

GreenStage avatar Jul 15 '25 13:07 GreenStage

This issue hasn't been updated in a while. If it's still reproducing, please comment to let us know. Thank you!

github-actions[bot] avatar Sep 13 '25 16:09 github-actions[bot]