
`cloudflare_zero_trust_access_policy` does not support OIDC claims

Open userbradley opened this issue 10 months ago • 1 comments

Confirmation

  • [x] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • [x] I have searched the issue tracker and my issue isn't already found.
  • [x] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "5.5.0"
    }
  }
}

Affected resource(s)

  • cloudflare_zero_trust_access_policy
  • cloudflare_zero_trust_access_group

Terraform configuration files

resource "cloudflare_zero_trust_access_policy" "mealie-1" {
  account_id = "c59e9360984172f96136a60b22bc3052"
  decision   = "allow"
  name       = "mealie 2"
  include = [
    {
      oidc = {
        identity_provider_id : "495e2702-de5f-49d4-9252-a6a7461583e9"
        claim_name : "groups"
        claim_value : "mealie"
      }
      login_method = {
        id = "495e2702-de5f-49d4-9252-a6a7461583e9"
      }
    }
  ]
}

Link to debug output

https://gist.github.com/userbradley/5eb34b37ee52250456be629282a01d79

Panic output

No response

Expected output

Should create a rule that accepts OIDC claims and a specific auth provider. Note the below was manually made in the UI.

Image

Actual output

It did not create the include for OIDC; instead it said 0 changes to make.

Image

Steps to reproduce

  1. Create OIDC provider in zerotrust
  2. Create policy and name it
  3. Create an include of OIDC Claim and set the claim_name to groups and the claim_value to anything you want
  4. Try to use the data "cloudflare_zero_trust_access_policy" tf block to view the OIDC claims

Additional factoids

Making an API request to the Policies API returns this functionality, but it just seems the tf provider does not have this functionality.

{
  "result": {
    "created_at": "2025-06-13T13:19:23Z",
    "decision": "allow",
    "exclude": [],
    "id": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "include": [
      {
        "oidc": {
          "identity_provider_id": "495e2702-de5f-49d4-9252-a6a7461583e9",
          "claim_name": "groups",
          "claim_value": "mealie"
        }
      },
      {
        "login_method": {
          "id": "495e2702-de5f-49d4-9252-a6a7461583e9"
        }
      }
    ],
    "name": "Mealie",
    "require": [],
    "session_duration": "24h",
    "uid": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "updated_at": "2025-06-13T13:31:36Z",
    "reusable": true,
    "app_count": 0
  },
  "success": true,
  "errors": [],
  "messages": []
}

References

No response

userbradley avatar Jun 13 '25 13:06 userbradley

We are facing the same issue. Right now, I run this as a null resource. It would be nice if the Cloudflare team could provide a fix for this issue.

helin-tgraf avatar Jun 18 '25 07:06 helin-tgraf

Should be fixed in v5.7.

Note that the correct tf configuration for your use case should be:

resource "cloudflare_zero_trust_access_policy" "p1" {
  decision   = "allow"
  account_id = "c59e9360984172f96136a60b22bc3052"
  name       = "mealie 2"
  include = [
    {
      oidc = {
        identity_provider_id :  "495e2702-de5f-49d4-9252-a6a7461583e9"
        claim_name : "groups"
        claim_value : "mealie"
      }
    },
    {
      login_method = {
        id = "495e2702-de5f-49d4-9252-a6a7461583e9"
      }
    }
  ]
}

v5.6 was missing validation, allowing an incorrect config to be provisioned. v5.7 will now check for a valid include config (max 1 attribute per object in the include array).

GreenStage avatar Jul 15 '25 13:07 GreenStage
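The constraint GreenStage describes (exactly one selector per object in the include array) is easy to check locally before applying. The following Go snippet is an added example, not code from the Cloudflare provider: it parses an Access policy's `include` array in the API JSON shape shown above and reports any object that carries more than one rule, using the merged and split variants from this thread as constructed inputs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// ValidateInclude parses an Access policy "include" array (API JSON shape) and
// returns one message per object that does not hold exactly one rule selector.
// An empty slice means the include list satisfies the one-rule-per-object rule.
func ValidateInclude(includeJSON []byte) ([]string, error) {
	var rules []map[string]json.RawMessage
	if err := json.Unmarshal(includeJSON, &rules); err != nil {
		return nil, fmt.Errorf("include is not a JSON array of objects: %w", err)
	}
	var problems []string
	for i, rule := range rules {
		keys := make([]string, 0, len(rule))
		for k := range rule {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic message regardless of map order
		if len(keys) != 1 {
			problems = append(problems, fmt.Sprintf(
				"include[%d] has %d selectors (%s); expected exactly 1",
				i, len(keys), strings.Join(keys, ", ")))
		}
	}
	return problems, nil
}

// Constructed sample: the original report's config, oidc and login_method in ONE object.
const MergedInclude = `[{"oidc":{"identity_provider_id":"495e2702-de5f-49d4-9252-a6a7461583e9",
 "claim_name":"groups","claim_value":"mealie"},
 "login_method":{"id":"495e2702-de5f-49d4-9252-a6a7461583e9"}}]`

// Constructed sample: the corrected config, one selector per object.
const SplitInclude = `[{"oidc":{"identity_provider_id":"495e2702-de5f-49d4-9252-a6a7461583e9",
 "claim_name":"groups","claim_value":"mealie"}},
 {"login_method":{"id":"495e2702-de5f-49d4-9252-a6a7461583e9"}}]`

func main() {
	for name, in := range map[string]string{"merged": MergedInclude, "split": SplitInclude} {
		problems, err := ValidateInclude([]byte(in))
		fmt.Printf("%s: err=%v problems=%v\n", name, err, problems)
	}
}
```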

Hi there - with the fix in 5.7, I'm closing this issue. Please let us know if you see it come back up!

KaydeeDee avatar Jul 21 '25 22:07 KaydeeDee