terraform-provider-cloudflare

cloudflare_zone_setting idempotency issue (reports diff but doesn't say which and in fact there isn't)

Open zwindler opened this issue 5 months ago • 2 comments

Confirmation

  • [x] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • [x] I have searched the issue tracker and my issue isn't already found.
  • [x] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

tofu -v
OpenTofu v1.9.1
on darwin_arm64
+ provider registry.opentofu.org/cloudflare/cloudflare v5.5.0
+ provider registry.opentofu.org/hashicorp/cloudflare v5.5.0

Affected resource(s)

  • cloudflare_zone_setting

Terraform configuration files

resource "cloudflare_zone_setting" "test_net_ciphers" {
  zone_id    = "xxxxxxxxx"
  setting_id = "ciphers"
  value = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
  ]
}

Link to debug output

https://gist.github.com/zwindler/ae72abb089b79493c90356f008fa7534

Panic output

No response

Expected output

I'm trying to import ciphers zone settings in my terraform code. Import worked alright but for some reason the terraform provider sees a difference but there doesn't seem to be any.

OpenTofu will perform the following actions:

  # cloudflare_zone_setting.test_net_ciphers will be updated in-place
  ~ resource "cloudflare_zone_setting" "test_net_ciphers" {
        id         = "ciphers"
        # (4 unchanged attributes hidden)
    }

Calling the API gives the exact same configuration (in the same order)

cd /Users/dgermain/sources/Infra.Terraform/cloudflare && curl -s -X GET "https://api.cloudflare.com/client/v4/zones/xxxxxx/settings/ciphers" \
  -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  -H "Content-Type: application/json" | jq '.result.value'
[
  "ECDHE-ECDSA-CHACHA20-POLY1305",
  "ECDHE-RSA-CHACHA20-POLY1305",
  "ECDHE-RSA-AES128-GCM-SHA256",
  "ECDHE-ECDSA-AES256-GCM-SHA384",
  "ECDHE-RSA-AES256-GCM-SHA384",
  "ECDHE-ECDSA-AES128-GCM-SHA256"
]

And from the TF_LOG=DEBUG

{"result":{"id":"ciphers","value":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-AES128-GCM-SHA256"],"modified_on":null,"editable":true},"success":true,"errors":[],"messages":[]}

Actual output

OpenTofu will perform the following actions:

  # cloudflare_zone_setting.test_net_ciphers will be updated in-place
  ~ resource "cloudflare_zone_setting" "test_net_ciphers" {
        id         = "ciphers"
        # (4 unchanged attributes hidden)
    }

Steps to reproduce

  1. Create a ciphers zone setting in the console
  2. Import the zone setting in TF
  3. tofu plan

Additional factoids

trying to add id will fail because it's a read only attribute

tofu plan
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with cloudflare_zone_setting.test_net_ciphers,
│   on zone_settings.tf line 7, in resource "cloudflare_zone_setting" "test_net_ciphers":
│    7:   id = "ciphers"
│ 
│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

References

Maybe related to:

  • https://github.com/cloudflare/terraform-provider-cloudflare/issues/5320

zwindler avatar Jun 10 '25 12:06 zwindler

I am getting the

│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that are supported.

error for multiple zone settings. However I CAN edit the settings by the UI or API call directly.

I see in the doc there is an editable attribute which is read only and it is described as "Whether or not this setting can be modified for this zone (based on your Cloudflare plan level)." It appears my plan level is not being determined properly.

marksieczkowski avatar Jun 10 '25 19:06 marksieczkowski

I'm receiving a similar issue when importing the ciphers zone setting. I am using Terraform v1.11.4 & Cloudflare v5.5.

The ciphers resource block:

resource "cloudflare_zone_setting" "ciphers" {
  zone_id    = cloudflare_zone.this.id
  setting_id = "ciphers"
  value = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-SHA256",
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDHE-RSA-AES256-SHA384"
  ]
}

Output of the Terraform Plan:

  ~ resource "cloudflare_zone_setting" "ciphers" {
        editable   = true
        id         = "ciphers"
        setting_id = "ciphers"
        value      = [
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-RSA-CHACHA20-POLY1305",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-AES128-SHA256",
            "ECDHE-RSA-AES128-SHA256",
            "ECDHE-ECDSA-AES256-SHA384",
            "ECDHE-RSA-AES256-SHA384",
        ]
        zone_id    = "redacted"
    }

Upon sifting through the output after running TF_LOG=debug terraform apply, this interesting error appeared.

Stack trace from the terraform-provider-cloudflare_v5.5.0 plugin:

panic: interface conversion: attr.Value is basetypes.ListValue, not basetypes.TupleValue

danielnperry avatar Jun 11 '25 23:06 danielnperry

@zwindler For the id readOnly error, try using setting_id instead. We are actively looking into this issue now and will have an update soon. Thanks for reporting!

musa-cf avatar Jun 23 '25 16:06 musa-cf

Yes, I had guessed "id" was not the field to use, but since I also tried that I thought that "additional factoid" was a good place to give an exhaustive report.

But my code is now without "id", you can rest assured :)

resource "cloudflare_zone_setting" "test_net_ciphers" {
  zone_id    = "xxxxxxxxx"
  setting_id = "ciphers"
  value = [
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
  ]
}

Thank you for your time :)

zwindler avatar Jun 23 '25 19:06 zwindler

Hello again! I tested this on v5.6 of the provider and the issue still persists. Hope this debug helps.

2025-06-25T15:22:34.888+1000 [DEBUG] provider.terraform-provider-cloudflare_v5.6.0: plugin address: address=/var/folders/8q/3lz8r9xn34bbknggtgkk4gmw0000gn/T/plugin2466453560 network=unix timestamp="2025-06-25T15:22:34.888+1000"
2025-06-25T15:22:34.896+1000 [DEBUG] UpgradeResourceState: ignoring dynamic block: map[string]interface {}{"type":[]interface {}{"list", "string"}, "value":[]interface {}{"ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES128-SHA256", "ECDHE-RSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384", "ECDHE-RSA-AES256-SHA384"}}
module.this.cloudflare_zone_setting.ciphers: Modifying... [id=ciphers]
2025-06-25T15:22:34.902+1000 [INFO]  Starting apply for module.this.cloudflare_zone_setting.ciphers
2025-06-25T15:22:34.902+1000 [DEBUG] module.this.cloudflare_zone_setting.ciphers: applying the planned Update change
2025-06-25T15:22:34.905+1000 [DEBUG] provider.terraform-provider-cloudflare_v5.6.0: panic: interface conversion: attr.Value is basetypes.ListValue, not basetypes.TupleValue

danielnperry avatar Jun 25 '25 05:06 danielnperry

Kinda ending in a loop too if you import a setting. It tries to remove the id field but also will fail if the id field isn't set. I am assuming that the field should be setting_id and needs to be changed somewhere on the provider.

coredump avatar Jul 09 '25 18:07 coredump

Tested on v5.7 and the issue persists.

Debug Output


Stack trace from the terraform-provider-cloudflare_v5.7.0 plugin:

panic: interface conversion: attr.Value is basetypes.ListValue, not basetypes.TupleValue

goroutine 21 [running]:
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.encoder.newTerraformTypeEncoder.func8({0x106bb9b38?, 0x140015e4fc0?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:413 +0x128
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.encoder.newTerraformTypeEncoder.(*encoder).terraformUnwrappedDynamicEncoder.func21({0x106bf0c38?, 0x14001184380?}, {0x106bb9b38?, 0x140015e4fc0?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:342 +0xc4
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.encoder.newTerraformTypeEncoder.(*encoder).terraformUnwrappedDynamicEncoder.encoder.handleNullAndUndefined.func31({0x10685e0a0?, 0x14001184380?, 0x10685e0a0?}, {0x10693ba20?, 0x140015e4fc0?, 0x1028a83c4?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:376 +0x28c
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.encoder.newTerraformTypeEncoder.func12({0x1068a24e0?, 0x140010f77e8?, 0x1061d8560?}, {0x1068a24e0?, 0x140010f7878?, 0x10291e180?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:443 +0x354
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.(*encoder).newStructTypeEncoder.func3({0x106912300?, 0x140010f77a0?, 0x106912300?}, {0x106912300?, 0x140010f7830?, 0x14001500008?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:563 +0x2c8
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.(*encoder).marshal(0x1400008cb68?, {0x106912300?, 0x140010f77a0?}, {0x106912300?, 0x140010f7830?})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:101 +0x14c
github.com/cloudflare/terraform-provider-cloudflare/internal/apijson.MarshalForPatch({0x106912300, 0x140010f77a0}, {0x106912300, 0x140010f7830})
        github.com/cloudflare/terraform-provider-cloudflare/internal/apijson/encoder.go:49 +0x68
github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_setting.ZoneSettingModel.MarshalJSONForUpdate(...)
        github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_setting/model.go:31
github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_setting.(*ZoneSettingResource).Update(0x14001116198, {0x106badf68, 0x140010f38c0}, {{{{0x106c2cd58, 0x140012a54d0}, {0x105f21b80, 0x140012a4f30}}, {0x106c5a6d0, 0x14001085130}}, {{{0x106c2cd58, ...}, ...}, ...}, ...}, ...)
        github.com/cloudflare/terraform-provider-cloudflare/internal/services/zone_setting/resource.go:117 +0x258
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).UpdateResource(0x1400018b688, {0x106badf68, 0x140010f38c0}, 0x1400008d398, 0x1400008d368)
        github.com/hashicorp/[email protected]/internal/fwserver/server_updateresource.go:150 +0x768
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).ApplyResourceChange(0x1400018b688, {0x106badf68, 0x140010f38c0}, 0x14000ad22a0, 0x1400008d5d8)
        github.com/hashicorp/[email protected]/internal/fwserver/server_applyresourcechange.go:118 +0x140
github.com/hashicorp/terraform-plugin-framework/internal/proto6server.(*Server).ApplyResourceChange(0x1400018b688, {0x106badf68?, 0x140010f37d0?}, 0x14000b30460)
        github.com/hashicorp/[email protected]/internal/proto6server/server_applyresourcechange.go:71 +0x434
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ApplyResourceChange(0x140001974a0, {0x106badf68?, 0x140010f2120?}, 0x140001dac00)
        github.com/hashicorp/[email protected]/tfprotov6/tf6server/server.go:941 +0x2a8
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ApplyResourceChange_Handler({0x106ac8aa0, 0x140001974a0}, {0x106badf68, 0x140010f2120}, 0x140001dab80, 0x0)
        github.com/hashicorp/[email protected]/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:687 +0x1c0
google.golang.org/grpc.(*Server).processUnaryRPC(0x14000110200, {0x106badf68, 0x14000b161e0}, 0x140011943c0, 0x1400108e7b0, 0x10a058628, 0x0)
        google.golang.org/[email protected]/server.go:1405 +0xca8
google.golang.org/grpc.(*Server).handleStream(0x14000110200, {0x106bae868, 0x14000b7a000}, 0x140011943c0)
        google.golang.org/[email protected]/server.go:1815 +0x910
google.golang.org/grpc.(*Server).serveStreams.func2.1()
        google.golang.org/[email protected]/server.go:1035 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 55
        google.golang.org/[email protected]/server.go:1046 +0x13c

Error: The terraform-provider-cloudflare_v5.7.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

2025-07-16T10:01:12.524+1000 [DEBUG] provider: plugin exited

danielnperry avatar Jul 16 '25 00:07 danielnperry
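The panic text in the traces above is what the Go runtime prints when a single-value type assertion on an interface meets a different concrete type. The following is an added example, not code from the provider or from this thread: `Value`, `ListValue` and `TupleValue` are hypothetical stand-ins for the framework's `attr.Value`, `basetypes.ListValue` and `basetypes.TupleValue`, and the two encoders only model the failure class next to a checked alternative.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Stand-ins for the framework's attr.Value, basetypes.ListValue and
// basetypes.TupleValue (hypothetical, reduced to string elements).
type Value interface{ Kind() string }
type ListValue struct{ Elems []string }
type TupleValue struct{ Elems []string }
func (ListValue) Kind() string  { return "list" }
func (TupleValue) Kind() string { return "tuple" }

// encodeUnchecked assumes a tuple; the bare assertion panics on a list.
func encodeUnchecked(v Value) ([]byte, error) {
	return json.Marshal(v.(TupleValue).Elems)
}

// encodeChecked accepts both kinds and returns an error for anything else.
func encodeChecked(v Value) ([]byte, error) {
	switch t := v.(type) {
	case TupleValue:
		return json.Marshal(t.Elems)
	case ListValue:
		return json.Marshal(t.Elems)
	default:
		return nil, fmt.Errorf("unsupported dynamic value %T", v)
	}
}

// panicMessage runs f and returns the recovered panic text, or "" if none.
func panicMessage(f func()) (msg string) {
	defer func() {
		if r := recover(); r != nil {
			msg = fmt.Sprint(r)
		}
	}()
	f()
	return
}

func main() {
	// Constructed sample: two cipher names taken from the issue's list.
	v := ListValue{Elems: []string{"ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-AES128-GCM-SHA256"}}
	fmt.Println(panicMessage(func() { encodeUnchecked(v) }))
	out, err := encodeChecked(v)
	fmt.Println(string(out), err)
}
```

In a provider plugin the unrecovered panic ends the plugin process mid-apply, which is why the runs above stop with "plugin crashed" instead of a diagnostic.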

This issue should be fixed in the last release. Let me know if you see it come up again or have any issues!

KaydeeDee avatar Sep 03 '25 16:09 KaydeeDee