terraform-provider-cloudflare
Multiple Gsuite groups in cloudflare_access_policy cause access.api.error.invalid_request
Confirmation
- [X] My issue isn't already found on the issue tracker.
- [X] I have replicated my issue using the latest version of the provider and it is still present.
Terraform and Cloudflare provider version
Terraform v1.2.4
on linux_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v3.18.0
Affected resource(s)
- cloudflare_access_policy
Terraform configuration files
locals {
  google_groups = [
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]"
  ]
}

resource "cloudflare_access_policy" "prod" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.prod.id
  name           = "Prod"
  decision       = "allow"
  precedence     = "1"

  include {
    gsuite {
      email                = local.google_groups
      identity_provider_id = var.google_workspace_idp_id
    }
  }

  require {
    group = [cloudflare_access_group.sentinelone_enabled.id, cloudflare_access_group.jumpcloud_enabled.id]
  }
}
Debug output
2022-07-05T03:55:05.583Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
PUT /client/v4/accounts/<REDACTED>/access/apps/<REDACTED>/policies/<REDACTED> HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.2.4 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/dev
Content-Length: 1947
Authorization: Bearer *****
Content-Type: application/json
Accept-Encoding: gzip
{
  "id": "<REDACTED>",
  "precedence": 1,
  "decision": "allow",
  "created_at": null,
  "updated_at": null,
  "name": "Prod",
  "purpose_justification_required": false,
  "purpose_justification_prompt": "",
  "approval_required": false,
  "approval_groups": null,
  "include": [
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    },
    {
      "gsuite": {
        "email": "[email protected]",
        "identity_provider_id": "<REDACTED>"
      }
    }
  ],
  "exclude": null,
  "require": null
}
2022-07-05T03:55:07.401Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Cf-Cache-Status: DYNAMIC
Cf-Ray: <REDACTED>
Content-Security-Policy: frame-ancestors 'none'; default-src https: 'unsafe-inline'
Content-Type: application/json; charset=UTF-8
Date: Tue, 05 Jul 2022 03:55:07 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: <REDACTED>; SameSite=Lax; path=/; expires=Tue, 05-Jul-22 06:25:08 GMT; HttpOnly
Set-Cookie: <REDACTED>; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Envoy-Upstream-Service-Time: 469
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 12130,
      "message": "access.api.error.invalid_request"
    }
  ],
  "messages": []
}
Panic output
No response
Expected output
Updating the cloudflare_access_policy with a list of allowed Google Groups instead of deferring to cloudflare_access_groups should succeed.
Actual output
Updating the cloudflare_access_policy with a list of allowed Google Groups instead of deferring to cloudflare_access_groups fails with
Error: error updating Access Policy for ID "ae8d51bf-329f-4186-b762-741be43c7a57": access.api.error.invalid_request (12130)
Steps to reproduce
- Define resources with
locals {
  google_groups = [
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]"
  ]
}

resource "cloudflare_access_policy" "prod" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.prod.id
  name           = "Prod"
  decision       = "allow"
  precedence     = "1"

  include {
    group = [for key, group in cloudflare_access_group.role : group.id]
  }

  require {
    group = [cloudflare_access_group.sentinelone_enabled.id, cloudflare_access_group.jumpcloud_enabled.id]
  }
}

resource "cloudflare_access_group" "role" {
  for_each   = toset(local.google_groups)
  account_id = var.cloudflare_account_id
  name       = "Role (${each.key})"

  include {
    gsuite {
      email                = [each.key]
      identity_provider_id = var.google_workspace_idp_id
    }
  }
}
- Run terraform apply
- Change resources to
locals {
  google_groups = [
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]"
  ]
}

resource "cloudflare_access_policy" "prod" {
  account_id     = var.cloudflare_account_id
  application_id = cloudflare_access_application.prod.id
  name           = "Prod"
  decision       = "allow"
  precedence     = "1"

  include {
    gsuite {
      email                = local.google_groups
      identity_provider_id = var.google_workspace_idp_id
    }
  }

  require {
    group = [cloudflare_access_group.sentinelone_enabled.id, cloudflare_access_group.jumpcloud_enabled.id]
  }
}
- Run terraform apply and see it failing
Additional factoids
No response
References
No response
Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.
This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.
Marking this issue as stale due to 90 days of inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed. Maintainers can also remove the lifecycle/stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
Bug very much still exists. Just closing the issue doesn't mean the bug magically disappears 🙄
Per the automation comments above, this issue is lacking details and context for maintainers to triage. You haven't provided those, so the issue was marked stale.
If you'd like to provide the information requested in both the initial issue template and the automation comments, it can be triaged.
The issue is super easy to reproduce and the debug logs have all the relevant information. I can't provide more since there's just too much to redact as you can surely understand 🙏🏻 This is not a community project and we are a paying Cloudflare customer so we would expect our issues to be taken seriously without rejecting them outright due to technicalities.
Still an issue.
Also experiencing this issue.
I also see this issue. If I repeatedly run terraform apply, eventually all of my policies will be created. This is very inconvenient, as I have resorted to running the TF apply 10/11 times to get all of the policies made. Note that I see it with Okta groups as well as IP lists.
I wasn't getting much help on here or anywhere else on the web. In my case, I had to increase the backoff limits and retries in the provider configuration. What tipped me off was the api client logging option.
In my case, I was getting stuck in this method in the client library: https://github.com/cloudflare/cloudflare-go/blob/4ec00432f931717f0c166c1962a2913d6947b33e/cloudflare.go#L208
My provider configuration is below that seems to have resolved the issue:
provider "cloudflare" {
  max_backoff        = 120
  min_backoff        = 15
  retries            = 30
  rps                = 2
  api_client_logging = true
}
As another note, I'm on TF 1.0.9 with provider version 3.31.0.
From a maintainer side, it would've been nice to see what was lacking in the issue, as the automation says that the TF log is required. The author provided the relevant portions (in my opinion). Or if I had some better context about what the error codes were (I couldn't find anything about 12130 anywhere...) that would've also been helpful for me.
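The comment above reaches its diagnosis through the provider's API client logging and the retry/backoff settings. As an added example, not code from the issue thread, the provider, or cloudflare-go, the following Python script turns a TF_LOG=DEBUG capture into a per-call summary: it pairs each "Cloudflare API Request Details" block with the "Response Details" block that follows it, extracts the method, path, HTTP status and any Cloudflare error codes from the JSON body, and counts failures by (status, code). That lets you see whether a run is looping on a single 400/12130 on one resource or on many different errors without pasting the full log into an issue. SAMPLE_LOG is constructed to follow the format shown in the issue; the group addresses, timestamps and the second GET call are invented placeholders.

```python
"""Summarise Cloudflare API calls in terraform-provider-cloudflare TF_LOG=DEBUG output.

Added example (not from the issue, the provider or cloudflare-go). The log format
below follows the request/response blocks quoted in the issue; values are constructed.
"""
import json
import re
from collections import Counter
from dataclasses import dataclass, field

REQ_MARK = "Cloudflare API Request Details:"
RESP_MARK = "Cloudflare API Response Details:"
REQ_LINE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE)\s+(\S+)\s+HTTP/")
STATUS_LINE = re.compile(r"^HTTP/[\d.]+\s+(\d{3})\b")

# Constructed sample: one failing PUT (as in the issue) followed by a successful GET.
SAMPLE_LOG = """\
2022-07-05T03:55:05.583Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
PUT /client/v4/accounts/<REDACTED>/access/apps/<REDACTED>/policies/<REDACTED> HTTP/1.1
Host: api.cloudflare.com
Authorization: Bearer *****
Content-Type: application/json

{
  "id": "<REDACTED>",
  "name": "Prod",
  "decision": "allow",
  "include": [
    {"gsuite": {"email": "group-a@example.com", "identity_provider_id": "<REDACTED>"}}
  ]
}
2022-07-05T03:55:07.401Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Content-Type: application/json; charset=UTF-8
Server: cloudflare

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 12130,
      "message": "access.api.error.invalid_request"
    }
  ],
  "messages": []
}
2022-07-05T03:55:08.100Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/accounts/<REDACTED>/access/groups/<REDACTED> HTTP/1.1
Host: api.cloudflare.com
Authorization: Bearer *****

2022-07-05T03:55:08.400Z [DEBUG] provider.terraform-provider-cloudflare_v3.18.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Content-Type: application/json; charset=UTF-8

{
  "result": {"id": "<REDACTED>", "name": "Role (group-a@example.com)"},
  "success": true,
  "errors": [],
  "messages": []
}
"""


@dataclass
class ApiCall:
    method: str = ""
    path: str = ""
    status: int = 0
    errors: list = field(default_factory=list)  # list of (code, message)


def _extract_json(lines):
    """Return the first JSON object found in the lines, ignoring headers and trailing text."""
    text = "\n".join(lines)
    start = text.find("{")
    if start < 0:
        return None
    try:
        obj, _ = json.JSONDecoder().raw_decode(text[start:])
        return obj
    except json.JSONDecodeError:
        return None


def _build_call(req_lines, resp_lines):
    call = ApiCall()
    for line in req_lines:
        m = REQ_LINE.match(line)
        if m:
            call.method, call.path = m.group(1), m.group(2)
            break
    for line in resp_lines:
        m = STATUS_LINE.match(line)
        if m:
            call.status = int(m.group(1))
            break
    body = _extract_json(resp_lines)
    if isinstance(body, dict):
        for err in body.get("errors") or []:  # "errors" may be null or []
            if isinstance(err, dict):
                call.errors.append((err.get("code"), err.get("message", "")))
    return call


def parse_debug_log(text):
    """Pair each request block with the response block that follows it, in log order."""
    segments, cur, mode = [], None, None
    for line in text.splitlines():
        if REQ_MARK in line:
            cur = {"req": [], "resp": []}
            segments.append(cur)
            mode = "req"
        elif RESP_MARK in line:
            if cur is None:  # response with no preceding request; keep it rather than drop it
                cur = {"req": [], "resp": []}
                segments.append(cur)
            mode = "resp"
        elif cur is not None and mode:
            cur[mode].append(line)
    return [_build_call(s["req"], s["resp"]) for s in segments]


def summarise(calls):
    """Count calls and failures; failures are keyed by (HTTP status, Cloudflare error code)."""
    by_status_code = Counter()
    failed = 0
    for c in calls:
        if c.status >= 400 or c.errors:
            failed += 1
            for code, _ in (c.errors or [(None, "")]):
                by_status_code[(c.status, code)] += 1
    return {"total": len(calls), "failed": failed, "by_status_code": by_status_code}


if __name__ == "__main__":
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    parsed = parse_debug_log(source)
    for c in parsed:
        if c.status >= 400 or c.errors:
            print(f"{c.method} {c.path} -> {c.status} {c.errors}")
    print(summarise(parsed))
```

Pipe a real capture in with `TF_LOG=DEBUG terraform apply 2> tf.log` and then `python3 triage.py < tf.log`; only the failing calls and the counter are printed, and the Authorization header is never read, so the summary is safe to paste into a report.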
Marking this issue as stale due to 30 days of inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed. Maintainers can also remove the lifecycle/stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!
.
This issue was closed because it has been stalled for 7 days with no activity.