terraform-provider-cloudflare
terraform-provider-cloudflare copied to clipboard
cloudflare
'invalid JSON: unknown field "id"' when updating Cloudflare Managed rulesets
Confirmation
- [X] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
- [X] I have searched the issue tracker and my issue isn't already found.
- [X] I have replicated my issue using the latest version of the provider and it is still present.
Terraform and Cloudflare provider version
$ terraform -v
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v4.41.0
+ provider registry.terraform.io/hashicorp/aws v5.66.0
Affected resource(s)
- cloudflare_ruleset
Terraform configuration files
locals {
zone_id = "<REDACTED>"
cf_managed_ruleset_id = "efb7b8c949ac4650a09736fc376e9aee"
cf_owasp_ruleset_id = "4814384a9e5d4991b9815dcfc25d2f1f"
cf_creds_ruleset_id = "c2e184081120413c86c3ab7e14069605"
}
resource "cloudflare_ruleset" "zone_level_managed_waf" {
zone_id = local.zone_id
name = "default"
description = "Zone-Level WAF Managed Rules config"
kind = "zone"
phase = "http_request_firewall_managed"
# Cloudflare Managed Ruleset
rules {
description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
action = "log"
expression = "true"
enabled = true
action_parameters {
id = local.cf_managed_ruleset_id
version = "latest"
overrides {
rules {
action = "log"
enabled = true
id = "3b0c61407d0b4f7d87e516472116d2fe"
}
rules {
action = "block"
enabled = false
id = "8840c3fa2c7947f6b10176ceb8f65558"
}
rules {
action = "block"
enabled = false
id = "7aeb2faf29284398aeb782e54875e938"
}
rules {
action = "log"
enabled = false
id = "7babab188b3c40ae87b93ec451f4fd5b"
}
rules {
action = "block"
enabled = false
id = "8ac6964456494da6b098a93c35f86fc9"
}
rules {
action = "log"
enabled = false
id = "23ee7cebe6e8443e99ecf932ab579455"
}
rules {
action = "block"
enabled = false
id = "76f9871c8e88445b807c9ebcd440c742"
}
rules {
action = "block"
enabled = false
id = "cd7bd3dbe8fd4add9926ad50068b2a17"
}
rules {
action = "block"
enabled = false
id = "34da2a5e0a95425d9b0e44f07c641d63"
}
rules {
action = "block"
enabled = false
id = "2fe273498e964f0bb20ac022d5a14a5e"
}
rules {
action = "block"
enabled = false
id = "47631a04883d4d7cab6bd7b83478adcb"
}
rules {
action = "block"
enabled = false
id = "977ad8daef224ecdbe475c7ab3ab3365"
}
rules {
action = "block"
enabled = false
id = "bdd776b4f296477f960acc346dfa618e"
}
rules {
action = "log"
enabled = false
id = "49449f901cab4a01b2591ab836babcca"
}
rules {
action = "log"
enabled = false
id = "d6f6d394cb01400284cfb7971e7aed1e"
}
rules {
action = "log"
enabled = false
id = "d9aeff22f1024655937e5b033a61fbc5"
}
rules {
action = "log"
enabled = false
id = "525329e705aa4fa596e126366d02615e"
}
rules {
action = "log"
enabled = false
id = "8bb4bf582f704b61980fceff442561a8"
}
rules {
action = "block"
enabled = false
id = "15b0616fe67a439a8a3852410cadd290"
}
rules {
action = "block"
enabled = false
id = "00bee3de44184f7f8a6ad10910f04e13"
}
rules {
action = "block"
enabled = false
id = "7b1cfed7fd4047c6949c4d054751ef80"
}
rules {
action = "block"
enabled = false
id = "d8c7dbf00ec546e48e3c4340486c3ee2"
}
rules {
action = "block"
enabled = false
id = "ff8b8608c2c14bf5b3de621b6fc2309c"
}
rules {
action = "block"
enabled = false
id = "71b7793c77e24287861b82f0ec97cf32"
}
rules {
action = "block"
enabled = false
id = "40cba5ee3a014208958da0855ddfd8e3"
}
rules {
action = "block"
enabled = false
id = "5dd38056f4cd43fca7f198e6384f1856"
}
rules {
action = "block"
enabled = false
id = "d384de3d016d414dbf4d14caaa83212b"
}
rules {
action = "block"
enabled = false
id = "4a6e23c2acfe4b979b8c4d856d4d8e84"
}
rules {
action = "block"
enabled = false
id = "55b100786189495c93744db0e1efdffb"
}
rules {
action = "block"
enabled = false
id = "db1f213645904ab9b16b227b4a6a7b3a"
}
rules {
action = "block"
enabled = false
id = "6a05218f9dba40ed8eb4e89b12e7bc07"
}
rules {
action = "log"
enabled = false
id = "aa3411d5505b4895b547d68950a28587"
}
rules {
action = "block"
enabled = false
id = "ac89e3a915594a139fc370dece6a8e28"
}
rules {
action = "log"
enabled = false
id = "5de7edfa648c4d6891dc3e7f84534ffa"
}
rules {
action = "log"
enabled = false
id = "a5f1081bb2a3413e88ac88c0d36f0fb0"
}
rules {
action = "block"
enabled = false
id = "5ac122b3972c4247a247f3271045f374"
}
rules {
action = "block"
enabled = false
id = "230867e5cb844fe092f1e1b4e504c459"
}
rules {
action = "block"
enabled = false
id = "505cbd1ba4b24bdcb227d854b8b46cbc"
}
rules {
action = "block"
enabled = false
id = "cb5b6de178d3488d8649da8608b7b3a2"
}
rules {
action = "block"
enabled = false
id = "390b6273c8dc4366b36e52fc6f35c356"
}
rules {
action = "block"
enabled = false
id = "20e34d3164a340dbb5c5d29203ccff90"
}
rules {
action = "block"
enabled = false
id = "b777ce009bb346b39be4886055a71165"
}
rules {
action = "block"
enabled = false
id = "34158d546873469a8f8ccee19139627b"
}
rules {
action = "log"
enabled = false
id = "d8e629b68b5c4bb69b2f01a3ab285f5e"
}
rules {
action = "log"
enabled = false
id = "b84a82ec35064ee8aa204897f775a3b0"
}
rules {
action = "block"
enabled = false
id = "7f41cd9aca1d42f09b4f1477957ee0b0"
}
rules {
action = "block"
enabled = false
id = "7994335d116849f7a0ab6b771d1d0db7"
}
rules {
action = "block"
enabled = false
id = "d653f5ed71a348ea97b9bc5c295fd819"
}
rules {
action = "log"
enabled = false
id = "48e06376fc6347c0bf08b8ccf82d008b"
}
rules {
action = "block"
enabled = false
id = "d52aa57408a144afa35e0fd96e3897dc"
}
rules {
action = "block"
enabled = false
id = "8d9f209f35df412ba4bafe5156335ab1"
}
rules {
action = "block"
enabled = false
id = "8ea0937695984040b528c80a4e6df495"
}
rules {
action = "block"
enabled = false
id = "b1efd337665d49f5950f892971120c4b"
}
}
}
}
# OWASP Core Ruleset
rules {
description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
action = "log"
expression = "true"
enabled = true
action_parameters {
id = local.cf_owasp_ruleset_id
version = "latest"
overrides {
categories {
category = "paranoia-level-2"
enabled = false
}
categories {
category = "paranoia-level-3"
enabled = false
}
categories {
category = "paranoia-level-4"
enabled = false
}
rules {
action = "managed_challenge"
id = "6179ae15870a4bb7b2d480d4843b323c"
score_threshold = 40
}
}
}
}
# Exposed Credentials Check Ruleset
rules {
action = "log"
expression = "true"
enabled = true
action_parameters {
id = local.cf_creds_ruleset_id
version = "latest"
}
}
}
Link to debug output
https://gist.github.com/codybswaney/af7d334b87eebdb71abbcb881e1ae8c1
Panic output
No response
Expected output
I expected the plan which sets execute to log and enables the three managed rulesets to succeed.
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# cloudflare_ruleset.zone_level_managed_waf will be updated in-place
~ resource "cloudflare_ruleset" "zone_level_managed_waf" {
+ description = "Zone-Level WAF Managed Rules config"
id = "99ad0cfc75634c07a98f2cb2ce6445cb"
name = "default"
# (3 unchanged attributes hidden)
~ rules {
~ action = "execute" -> "log"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
~ enabled = false -> true
~ id = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
~ ref = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
~ version = "1" -> (known after apply)
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
~ rules {
~ action = "execute" -> "log"
+ description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
~ enabled = false -> true
~ id = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
~ ref = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
~ version = "1" -> (known after apply)
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
~ rules {
~ action = "execute" -> "log"
~ enabled = false -> true
~ id = "47d79f6692554f239a62339238cf9115" -> (known after apply)
~ last_updated = "2024-09-03 18:24:01.348032 +0000 UTC" -> (known after apply)
~ ref = "47d79f6692554f239a62339238cf9115" -> (known after apply)
~ version = "2" -> (known after apply)
# (2 unchanged attributes hidden)
# (1 unchanged block hidden)
}
}
Actual output
Apply fails with invalid JSON: unknown field "id"
Terraform will perform the following actions:
# cloudflare_ruleset.zone_level_managed_waf will be updated in-place
~ resource "cloudflare_ruleset" "zone_level_managed_waf" {
+ description = "Zone-Level WAF Managed Rules config"
id = "99ad0cfc75634c07a98f2cb2ce6445cb"
name = "default"
# (3 unchanged attributes hidden)
~ rules {
~ action = "execute" -> "log"
+ description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
~ enabled = false -> true
~ id = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
~ ref = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
~ version = "1" -> (known after apply)
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
~ rules {
~ action = "execute" -> "log"
+ description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
~ enabled = false -> true
~ id = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
~ ref = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
~ version = "1" -> (known after apply)
# (1 unchanged attribute hidden)
# (1 unchanged block hidden)
}
~ rules {
~ action = "execute" -> "log"
~ enabled = false -> true
~ id = "47d79f6692554f239a62339238cf9115" -> (known after apply)
~ last_updated = "2024-09-03 18:24:01.348032 +0000 UTC" -> (known after apply)
~ ref = "47d79f6692554f239a62339238cf9115" -> (known after apply)
~ version = "2" -> (known after apply)
# (2 unchanged attributes hidden)
# (1 unchanged block hidden)
}
}
Plan: 0 to add, 1 to change, 0 to destroy.
cloudflare_ruleset.zone_level_managed_waf: Modifying... [id=99ad0cfc75634c07a98f2cb2ce6445cb]
╷
│ Error: error updating ruleset with ID "99ad0cfc75634c07a98f2cb2ce6445cb"
│
│ with cloudflare_ruleset.zone_level_managed_waf,
│ on waf_managed_rules.tf line 34, in resource "cloudflare_ruleset" "zone_level_managed_waf":
│ 34: resource "cloudflare_ruleset" "zone_level_managed_waf" {
│
│ invalid JSON: unknown field "id"
Steps to reproduce
- Import default entrypoint managed ruleset for phase
http_request_firewall_managed - Try to enable them at
logaction level - Apply
Additional factoids
No response
References
Following the guide at https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/
Community Note
Voting for Prioritization
- Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.
Volunteering to Work on This Issue
- If you are interested in working on this issue, please leave a comment.
- If this would be your first contribution, please review the contribution guide.
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
please include the TF_LOG=DEBUG output, not the terraform operation output to help triaging this one.
Do you still see the issue? There was a incident which was resolved yesterday. https://www.cloudflarestatus.com/incidents/26vtmwm3mgh6
Just noting that there is still an issue. Not sure that I know enough about the cloudflare API to say whether this is a provider issue or an API issue, but if it's a provider issue I'm happy to contribute if you can provide some direction. Thanks!
not working
'# Exposed Credentials Check Ruleset
rules { action = "log" <---------- expression = "true" enabled = true
action_parameters {
id = local.cf_creds_ruleset_id
version = "latest"
}
} }
│ Error: error updating ruleset with ID "0969d7667a314e40ae97d133ba5b1e52" │ │ with cloudflare_ruleset.zone_level_managed_waf, │ on cloudflare_ruleset.tf line 33, in resource "cloudflare_ruleset" "zone_level_managed_waf": │ 33: resource "cloudflare_ruleset" "zone_level_managed_waf" { │ │ invalid JSON: unknown field "id" <---------------
working
'# Exposed Credentials Check Ruleset rules { action = "execute" <----------------- expression = "true" enabled = true
action_parameters {
id = local.cf_creds_ruleset_id
overrides {
action = "log" <--------------------
}
version = "latest"
}
} }
cloudflare_ruleset.zone_level_managed_waf: Modifying... [id=0969d7667a314e40ae97d133ba5b1e52] cloudflare_ruleset.zone_level_managed_waf: Modifications complete after 2s [id=0969d7667a314e40ae97d133ba5b1e52]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed. <------------------
It returns " invalid JSON: unknown field id" if action is not "execute". If you want to override action, override rule should be used (working config). https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/#configure-overrides
is there a way to override all the rules to log mode at ruleset level without applying overrides to every specific rule?
This issue hasn't been updated in a while. If it's still reproducing, please comment to let us know. Thank you!
