terraform-provider-cloudflare
Drift in `cloudflare_ruleset` after import for 5.3.0 provider migration
Confirmation
- [x] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
- [x] I have searched the issue tracker and my issue isn't already found.
- [x] I have replicated my issue using the latest version of the provider and it is still present.
Terraform and Cloudflare provider version
Terraform version: 1.10.4
Cloudflare provider version: 5.3.0 (latest)
Affected resource(s)
cloudflare_ruleset
Terraform configuration files
resource "cloudflare_ruleset" "com_managed_waf" {
  zone_id = local.cloudflare_<redacted>_com_zone_id
  kind = "zone"
  name = "default"
  phase = "http_request_firewall_managed"
  description = "<redacted> managed WAF ruleset"
  rules = [{
    action = "execute"
    action_parameters = {
      id = "efb7b8c949ac4650a09736fc376e9aee"
      overrides = {
        rules = [{
          action = "log"
          enabled = true
          id = "ee922cf00077462d9f2f7330b114b839"
        },
        {
          action = "block"
          enabled = false
          id = "7aeb2faf29284398aeb782e54875e938"
        },
        {
          action = "log"
          enabled = false
          id = "7babab188b3c40ae87b93ec451f4fd5b"
        },
        {
          action = "log"
          enabled = false
          id = "23ee7cebe6e8443e99ecf932ab579455"
        },
        {
          action = "block"
          enabled = false
          id = "76f9871c8e88445b807c9ebcd440c742"
        },
        {
          action = "block"
          enabled = false
          id = "cd7bd3dbe8fd4add9926ad50068b2a17"
        },
        {
          action = "block"
          enabled = false
          id = "34da2a5e0a95425d9b0e44f07c641d63"
        },
        {
          action = "block"
          enabled = false
          id = "2fe273498e964f0bb20ac022d5a14a5e"
        },
        {
          action = "block"
          enabled = false
          id = "47631a04883d4d7cab6bd7b83478adcb"
        },
        {
          action = "block"
          enabled = false
          id = "977ad8daef224ecdbe475c7ab3ab3365"
        },
        {
          action = "block"
          enabled = false
          id = "bdd776b4f296477f960acc346dfa618e"
        },
        {
          action = "log"
          enabled = false
          id = "49449f901cab4a01b2591ab836babcca"
        },
        {
          action = "log"
          enabled = false
          id = "d6f6d394cb01400284cfb7971e7aed1e"
        },
        {
          action = "log"
          enabled = false
          id = "d9aeff22f1024655937e5b033a61fbc5"
        },
        {
          action = "log"
          enabled = false
          id = "525329e705aa4fa596e126366d02615e"
        },
        {
          action = "log"
          enabled = false
          id = "8bb4bf582f704b61980fceff442561a8"
        },
        {
          action = "block"
          enabled = false
          id = "15b0616fe67a439a8a3852410cadd290"
        },
        {
          action = "block"
          enabled = false
          id = "00bee3de44184f7f8a6ad10910f04e13"
        },
        {
          action = "block"
          enabled = false
          id = "7b1cfed7fd4047c6949c4d054751ef80"
        },
        {
          action = "block"
          enabled = false
          id = "d8c7dbf00ec546e48e3c4340486c3ee2"
        },
        {
          action = "block"
          enabled = false
          id = "ff8b8608c2c14bf5b3de621b6fc2309c"
        },
        {
          action = "block"
          enabled = false
          id = "71b7793c77e24287861b82f0ec97cf32"
        },
        {
          action = "block"
          enabled = false
          id = "40cba5ee3a014208958da0855ddfd8e3"
        },
        {
          action = "block"
          enabled = false
          id = "5dd38056f4cd43fca7f198e6384f1856"
        },
        {
          action = "block"
          enabled = false
          id = "d384de3d016d414dbf4d14caaa83212b"
        },
        {
          action = "log"
          enabled = false
          id = "aa3411d5505b4895b547d68950a28587"
        },
        {
          action = "block"
          enabled = false
          id = "ac89e3a915594a139fc370dece6a8e28"
        }]
      }
    }
    enabled = true
    expression = "true"
    ref = "07c50802450b4b8a9962f51e81976a03"
  },
  {
    action = "execute"
    action_parameters = {
      id = "4814384a9e5d4991b9815dcfc25d2f1f"
      overrides = {
        categories = [{
          category = "paranoia-level-2"
          enabled = false
        },
        {
          category = "paranoia-level-3"
          enabled = false
        },
        {
          category = "paranoia-level-4"
          enabled = false
        }]
        rules = [{
          action = "block"
          id = "6179ae15870a4bb7b2d480d4843b323c"
          score_threshold = 60
        }]
      }
    }
    enabled = true
    expression = "true"
    ref = "eea529872e874abba951de0c353548e2"
  },
  {
    action = "execute"
    action_parameters = {
      id = "c2e184081120413c86c3ab7e14069605"
    }
    enabled = true
    expression = "true"
    ref = "b77cf76bfe99453a8ca27bfcd26a3b94"
  }]
}
Link to debug output
Too much sensitive data to include.
Panic output
No response
Expected output
No changes
Actual output
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_ruleset.com_managed_waf will be updated in-place
  ~ resource "cloudflare_ruleset" "com_managed_waf" {
        id = "8c9e9d346b7242bfbcf3b5ae11b58379"
        name = "default"
      ~ rules = [
          ~ {
              ~ id = "07c50802450b4b8a9962f51e81976a03" -> (known after apply)
                # (6 unchanged attributes hidden)
            },
          ~ {
              ~ id = "eea529872e874abba951de0c353548e2" -> (known after apply)
                # (6 unchanged attributes hidden)
            },
          ~ {
              ~ id = "b77cf76bfe99453a8ca27bfcd26a3b94" -> (known after apply)
                # (6 unchanged attributes hidden)
            },
        ]
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Steps to reproduce
- Upgrade provider to 5.3.0 using `terraform init -upgrade`
- Remove original resource from the state because there isn't a grit pattern for `cloudflare_ruleset` state changes
- Import the resource back into the state: `terraform import cloudflare_ruleset.com_managed_waf zone/<zone_id>/<ruleset_id>`
- Run plan: `terraform plan`
- Observe diff for `id`
- Run `terraform apply`
- Run `terraform plan` again
- Observe diff for `id`
Additional factoids
The Terraform environment that contains this resource has other instances of the cloudflare_ruleset resource. The others did not encounter this issue following their removal from the state and their import.
The diff was originally also including the ref field. I came upon this issue, which bears a striking resemblance to my own issue, but in the 4.x.x provider. That issue was resolved with the release of version 4.48.0, which calls out explicitly setting a ref string to prevent id changes, but even after doing that, which did remove the ref from the drift, the id is still slated for update permanently.
References
No response
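
A triage check for the kind of plan shown under "Actual output", added here as an example and not part of the original report or the provider's code: it reads `terraform show -json` output and separates drift that only touches computed values, such as the rule `id`, from changes to known WAF rule attributes. The sample plan, its placeholder rule ids and the function names are constructed for illustration.

```python
import json

# Constructed plan in the shape of `terraform show -json <planfile>`.
# Rule ids/refs are placeholders; rule 1 also flips `enabled`, a real change.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "cloudflare_ruleset.com_managed_waf",
    "type": "cloudflare_ruleset",
    "change": {
        "actions": ["update"],
        "before": {"name": "default", "rules": [
            {"id": "ref-a", "ref": "ref-a", "action": "execute", "enabled": True},
            {"id": "ref-b", "ref": "ref-b", "action": "execute", "enabled": True}]},
        "after": {"name": "default", "rules": [
            {"ref": "ref-a", "action": "execute", "enabled": True},
            {"ref": "ref-b", "action": "execute", "enabled": False}]},
        "after_unknown": {"rules": [{"id": True}, {"id": True}]},
    },
}]})


def known_diff(before, after, unknown):
    """Keys whose known planned value differs from state (nested unknowns count as diffs)."""
    before, after = before or {}, after or {}
    unknown = unknown if isinstance(unknown, dict) else {}
    return sorted(k for k in set(before) | set(after)
                  if unknown.get(k) is not True and before.get(k) != after.get(k))


def triage_ruleset_drift(plan_json):
    """Map each in-place cloudflare_ruleset update to its substantive changes;
    an empty list means the plan only touches computed (unknown) values."""
    report = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        ch = rc["change"]
        if rc["type"] != "cloudflare_ruleset" or ch["actions"] != ["update"]:
            continue
        before, after = ch["before"], ch["after"]
        unknown = ch.get("after_unknown") or {}
        found = [k for k in known_diff(before, after, unknown) if k != "rules"]
        b, a = before.get("rules") or [], after.get("rules") or []
        u = unknown.get("rules") or []
        if len(b) != len(a) or not isinstance(u, list):
            found.append("rules (list replaced, resized or unknown)")
        else:
            for i, (rb, ra) in enumerate(zip(b, a)):
                ru = u[i] if i < len(u) else {}
                found += [f"rules[{i}].{k}" for k in known_diff(rb, ra, ru)]
        report[rc["address"]] = found
    return report
```

While the `id` drift persists on every plan, a non-empty list from this check is what marks a plan that also changes a managed WAF override and needs review before `terraform apply`.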