cloudflare_list always seen as a change when using dynamic lists

[acookcode]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.2.2
on darwin_arm64

• provider registry.terraform.io/cloudflare/cloudflare v3.20.0

Affected resource(s)

cloudflare_list

Terraform configuration files

variable "cloudflare_test_allowlist" {
  description = "Temp Testing IP list"
  type        = map(string)
  default = {
    "73.98.124.7"  = "ip_address_01"
    "73.98.124.8"  = "ip_address_02"
    "73.98.124.9"  = "ip_address_03"
    "73.98.124.10" = "ip_address_04"
    "73.98.124.11" = "ip_address_05"
  }
}

resource "cloudflare_list" "test_allowlist" {
  account_id  = var.cloudflare_account_id
  name        = "test_allowlist"
  kind        = "ip"
  description = "Testing IP list"

  dynamic "item" {
    for_each = var.cloudflare_test_allowlist
    content {
      value {
        ip = item.key
      }
      comment = item.value
    }
  }
}

Debug output

adam@172-1-93-205 cloudflare_test % terraform plan
2022-08-09T10:06:52.970+0800 [INFO] Terraform version: 1.2.2
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/zclconf/go-cty v1.10.0
2022-08-09T10:06:52.970+0800 [INFO] Go runtime version: go1.18.1
2022-08-09T10:06:52.970+0800 [INFO] CLI args: []string{"terraform", "plan"}
2022-08-09T10:06:52.970+0800 [DEBUG] Attempting to open CLI config file: /Users/adam/.terraformrc
2022-08-09T10:06:52.970+0800 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2022-08-09T10:06:52.970+0800 [INFO] Loading CLI configuration from /Users/adam/.terraform.d/credentials.tfrc.json
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Users/adam/.terraform.d/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Users/adam/Library/Application Support/io.terraform/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2022-08-09T10:06:52.971+0800 [INFO] CLI command args: []string{"plan"}
2022-08-09T10:06:52.971+0800 [DEBUG] New state was assigned lineage "ec7e507e-6558-590b-4596-057b9cff597d"
2022-08-09T10:06:52.985+0800 [DEBUG] checking for provisioner in "."
2022-08-09T10:06:52.985+0800 [DEBUG] checking for provisioner in "/opt/homebrew/bin"
2022-08-09T10:06:52.985+0800 [INFO] backend/local: starting Plan operation
2022-08-09T10:06:52.986+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:52.986+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:52.996+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:52.998+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5267
2022-08-09T10:06:52.998+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.007+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.007+0800
2022-08-09T10:06:53.016+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.016+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3155495202 network=unix timestamp=2022-08-09T10:06:53.016+0800
2022-08-09T10:06:53.037+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.037+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5267
2022-08-09T10:06:53.037+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.037+0800 [DEBUG] Building and walking validate graph
2022-08-09T10:06:53.037+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.038+0800 [DEBUG] Starting graph walk: walkValidate
2022-08-09T10:06:53.038+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:53.038+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:53.046+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:53.047+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5268
2022-08-09T10:06:53.048+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.054+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.054+0800
2022-08-09T10:06:53.063+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.063+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3189152904 network=unix timestamp=2022-08-09T10:06:53.063+0800
2022-08-09T10:06:53.085+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.086+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5268
2022-08-09T10:06:53.086+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.086+0800 [INFO] backend/local: plan calling Plan
2022-08-09T10:06:53.086+0800 [DEBUG] Building and walking plan graph for NormalMode
2022-08-09T10:06:53.086+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist (expand)" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] Starting graph walk: walkPlan
2022-08-09T10:06:53.086+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:53.086+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:53.094+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:53.096+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5269
2022-08-09T10:06:53.096+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.101+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.101+0800
2022-08-09T10:06:53.110+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.110+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: network=unix address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3283029592 timestamp=2022-08-09T10:06:53.110+0800
2022-08-09T10:06:53.133+0800 [WARN] ValidateProviderConfig from "provider["registry.terraform.io/cloudflare/cloudflare"]" changed the config value, but that value is unused
2022-08-09T10:06:53.134+0800 [INFO] ReferenceTransformer: reference not found: "var.cloudflare_account_id"
2022-08-09T10:06:53.134+0800 [INFO] ReferenceTransformer: reference not found: "var.cloudflare_test_allowlist"
2022-08-09T10:06:53.134+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: []
cloudflare_list.test_allowlist: Refreshing state... [id=2c65c75f4b724f7bbddbc537d7d2519a]
2022-08-09T10:06:53.135+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/accounts/8cc2631692db56d2454d5f0f3c800a7d/rules/lists/2c65c75f4b724f7bbddbc537d7d2519a HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.2.2 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/dev
Authorization: [redacted]
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.135+0800
2022-08-09T10:06:53.488+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 737cef5e8e478b59-HKG
Content-Type: application/json; charset=UTF-8
Date: Tue, 09 Aug 2022 02:06:53 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZbsTyd7ZTmdX; SameSite=Lax; path=/; expires=Tue, 09-Aug-22 04:36:54 GMT; HttpOnly
Set-Cookie: __cfruid=f99b296391565531d72c03d73a9870b740726d6d-1660010813; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 1

{
"result": {
"id": "2c65c75f4b724f7bbddbc537d7d2519a",
"name": "test_allowlist",
"description": "Testing IP list",
"kind": "ip",
"num_items": 5,
"num_referencing_filters": 0,
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
"success": true,
"errors": [],
"messages": []
}

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.487+0800
2022-08-09T10:06:53.491+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/accounts/8cc2631692db56d2454d5f0f3c800a7d/rules/lists/2c65c75f4b724f7bbddbc537d7d2519a/items HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.2.2 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/dev
Authorization: [redacted]
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.488+0800
2022-08-09T10:06:53.754+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 737cef609875b428-HKG
Content-Type: application/json; charset=UTF-8
Date: Tue, 09 Aug 2022 02:06:53 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZbsTyd7ZTmdX; SameSite=Lax; path=/; expires=Tue, 09-Aug-22 04:36:54 GMT; HttpOnly
Set-Cookie: __cfruid=f99b296391565531d72c03d73a9870b740726d6d-1660010813; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 6

{
"result": [
{
"id": "16d3a8e47cef4f219df2e9176699c39e",
"ip": "73.98.124.7",
"comment": "ip_address_01",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "3132512d7c8649cc83cf31804f5c1e69",
"ip": "73.98.124.8",
"comment": "ip_address_02",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "586a0f04a0184e3e843da0b4cb1c078c",
"ip": "73.98.124.9",
"comment": "ip_address_03",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "52bc40da6c5a4b45a8536ee9c0b13364",
"ip": "73.98.124.10",
"comment": "ip_address_04",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "35c0263fd2b64911b9a9a04eb2051a3c",
"ip": "73.98.124.11",
"comment": "ip_address_05",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
}
],
"success": true,
"errors": [],
"messages": []
}

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.754+0800
2022-08-09T10:06:53.759+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.759+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5269
2022-08-09T10:06:53.759+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.760+0800 [DEBUG] building apply graph to check for errors
2022-08-09T10:06:53.760+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.760+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist (expand)" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.760+0800 [INFO] backend/local: plan operation completed

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

cloudflare_list.test_allowlist will be updated in-place

~ resource "cloudflare_list" "test_allowlist" {
id = "2c65c75f4b724f7bbddbc537d7d2519a"
name = "test_allowlist"
# (3 unchanged attributes hidden)

  ~ item {
      ~ comment = "ip_address_01" -> "ip_address_04"


      ~ value {
          ~ ip = "73.98.124.7" -> "73.98.124.10"
        }
    }
  ~ item {
      ~ comment = "ip_address_02" -> "ip_address_05"


      ~ value {
          ~ ip = "73.98.124.8" -> "73.98.124.11"
        }
    }
  ~ item {
      ~ comment = "ip_address_03" -> "ip_address_01"


      ~ value {
          ~ ip = "73.98.124.9" -> "73.98.124.7"
        }
    }
  ~ item {
      ~ comment = "ip_address_04" -> "ip_address_02"


      ~ value {
          ~ ip = "73.98.124.10" -> "73.98.124.8"
        }
    }
  ~ item {
      ~ comment = "ip_address_05" -> "ip_address_03"


      ~ value {
          ~ ip = "73.98.124.11" -> "73.98.124.9"
        }
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.

Panic output

No response

Expected output

No change to resouces

Actual output

Changes being listed (moving of items in dynamic list)

Steps to reproduce

1. Create a list variable for IP list
2. Create a cloudflare_list resource which uses the variable to create dynamic "items" inside the list
3. Apply to create resource and then see changes occur with each subsequent plan.

Additional factoids

The order appears correct in the state and in CloudFlare UI. Changing the order of the list variable does not appear to change the result.

References

No response

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[acookcode]

Debug Log:

2022-08-09T10:06:52.970+0800 [INFO] Terraform version: 1.2.2
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/go-tfe v1.0.0
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/hcl/v2 v2.12.0
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/terraform-config-inspect v0.0.0-20210209133302-4fd17a0faac2
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/hashicorp/terraform-svchost v0.0.0-20200729002733-f050f53b9734
2022-08-09T10:06:52.970+0800 [DEBUG] using github.com/zclconf/go-cty v1.10.0
2022-08-09T10:06:52.970+0800 [INFO] Go runtime version: go1.18.1
2022-08-09T10:06:52.970+0800 [INFO] CLI args: []string{"terraform", "plan"}
2022-08-09T10:06:52.970+0800 [DEBUG] Attempting to open CLI config file: /Users/adam/.terraformrc
2022-08-09T10:06:52.970+0800 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2022-08-09T10:06:52.970+0800 [INFO] Loading CLI configuration from /Users/adam/.terraform.d/credentials.tfrc.json
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Users/adam/.terraform.d/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Users/adam/Library/Application Support/io.terraform/plugins
2022-08-09T10:06:52.970+0800 [DEBUG] ignoring non-existing provider search directory /Library/Application Support/io.terraform/plugins
2022-08-09T10:06:52.971+0800 [INFO] CLI command args: []string{"plan"}
2022-08-09T10:06:52.971+0800 [DEBUG] New state was assigned lineage "ec7e507e-6558-590b-4596-057b9cff597d"
2022-08-09T10:06:52.985+0800 [DEBUG] checking for provisioner in "."
2022-08-09T10:06:52.985+0800 [DEBUG] checking for provisioner in "/opt/homebrew/bin"
2022-08-09T10:06:52.985+0800 [INFO] backend/local: starting Plan operation
2022-08-09T10:06:52.986+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:52.986+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:52.996+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:52.998+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5267
2022-08-09T10:06:52.998+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.007+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.007+0800
2022-08-09T10:06:53.016+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.016+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3155495202 network=unix timestamp=2022-08-09T10:06:53.016+0800
2022-08-09T10:06:53.037+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.037+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5267
2022-08-09T10:06:53.037+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.037+0800 [DEBUG] Building and walking validate graph
2022-08-09T10:06:53.037+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.037+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.038+0800 [DEBUG] Starting graph walk: walkValidate
2022-08-09T10:06:53.038+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:53.038+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:53.046+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:53.047+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5268
2022-08-09T10:06:53.048+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.054+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.054+0800
2022-08-09T10:06:53.063+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.063+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3189152904 network=unix timestamp=2022-08-09T10:06:53.063+0800
2022-08-09T10:06:53.085+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.086+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5268
2022-08-09T10:06:53.086+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.086+0800 [INFO] backend/local: plan calling Plan
2022-08-09T10:06:53.086+0800 [DEBUG] Building and walking plan graph for NormalMode
2022-08-09T10:06:53.086+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist (expand)" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.086+0800 [DEBUG] Starting graph walk: walkPlan
2022-08-09T10:06:53.086+0800 [DEBUG] created provider logger: level=debug
2022-08-09T10:06:53.086+0800 [INFO] provider: configuring client automatic mTLS
2022-08-09T10:06:53.094+0800 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0]
2022-08-09T10:06:53.096+0800 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5269
2022-08-09T10:06:53.096+0800 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0
2022-08-09T10:06:53.101+0800 [INFO] provider.terraform-provider-cloudflare_v3.20.0: configuring server automatic mTLS: timestamp=2022-08-09T10:06:53.101+0800
2022-08-09T10:06:53.110+0800 [DEBUG] provider: using plugin: version=5
2022-08-09T10:06:53.110+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: plugin address: network=unix address=/var/folders/31/kkl5c_s10k9cd5l4_4xz85f00000gn/T/plugin3283029592 timestamp=2022-08-09T10:06:53.110+0800
2022-08-09T10:06:53.133+0800 [WARN] ValidateProviderConfig from "provider["registry.terraform.io/cloudflare/cloudflare"]" changed the config value, but that value is unused
2022-08-09T10:06:53.134+0800 [INFO] ReferenceTransformer: reference not found: "var.cloudflare_account_id"
2022-08-09T10:06:53.134+0800 [INFO] ReferenceTransformer: reference not found: "var.cloudflare_test_allowlist"
2022-08-09T10:06:53.134+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: []
cloudflare_list.test_allowlist: Refreshing state... [id=2c65c75f4b724f7bbddbc537d7d2519a]
2022-08-09T10:06:53.135+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/accounts/8cc2631692db56d2454d5f0f3c800a7d/rules/lists/2c65c75f4b724f7bbddbc537d7d2519a HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.2.2 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/dev
Authorization: [redacted]
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.135+0800
2022-08-09T10:06:53.488+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 737cef5e8e478b59-HKG
Content-Type: application/json; charset=UTF-8
Date: Tue, 09 Aug 2022 02:06:53 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZbsTyd7ZTmdX; SameSite=Lax; path=/; expires=Tue, 09-Aug-22 04:36:54 GMT; HttpOnly
Set-Cookie: __cfruid=f99b296391565531d72c03d73a9870b740726d6d-1660010813; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 1

{
"result": {
"id": "2c65c75f4b724f7bbddbc537d7d2519a",
"name": "test_allowlist",
"description": "Testing IP list",
"kind": "ip",
"num_items": 5,
"num_referencing_filters": 0,
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
"success": true,
"errors": [],
"messages": []
}

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.487+0800
2022-08-09T10:06:53.491+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/accounts/8cc2631692db56d2454d5f0f3c800a7d/rules/lists/2c65c75f4b724f7bbddbc537d7d2519a/items HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.2.2 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/dev
Authorization: [redacted]
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.488+0800
2022-08-09T10:06:53.754+0800 [DEBUG] provider.terraform-provider-cloudflare_v3.20.0: Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 737cef609875b428-HKG
Content-Type: application/json; charset=UTF-8
Date: Tue, 09 Aug 2022 02:06:53 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZbsTyd7ZTmdX; SameSite=Lax; path=/; expires=Tue, 09-Aug-22 04:36:54 GMT; HttpOnly
Set-Cookie: __cfruid=f99b296391565531d72c03d73a9870b740726d6d-1660010813; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 6

{
"result": [
{
"id": "16d3a8e47cef4f219df2e9176699c39e",
"ip": "73.98.124.7",
"comment": "ip_address_01",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "3132512d7c8649cc83cf31804f5c1e69",
"ip": "73.98.124.8",
"comment": "ip_address_02",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "586a0f04a0184e3e843da0b4cb1c078c",
"ip": "73.98.124.9",
"comment": "ip_address_03",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "52bc40da6c5a4b45a8536ee9c0b13364",
"ip": "73.98.124.10",
"comment": "ip_address_04",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
},
{
"id": "35c0263fd2b64911b9a9a04eb2051a3c",
"ip": "73.98.124.11",
"comment": "ip_address_05",
"created_on": "2022-08-09T01:43:24Z",
"modified_on": "2022-08-09T01:50:31Z"
}
],
"success": true,
"errors": [],
"messages": []
}

-----------------------------------------------------: timestamp=2022-08-09T10:06:53.754+0800
2022-08-09T10:06:53.759+0800 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-08-09T10:06:53.759+0800 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.20.0/darwin_arm64/terraform-provider-cloudflare_v3.20.0 pid=5269
2022-08-09T10:06:53.759+0800 [DEBUG] provider: plugin exited
2022-08-09T10:06:53.760+0800 [DEBUG] building apply graph to check for errors
2022-08-09T10:06:53.760+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.760+0800 [DEBUG] ProviderTransformer: "cloudflare_list.test_allowlist" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/cloudflare/cloudflare"]" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist (expand)" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "var.cloudflare_test_allowlist" references: []
2022-08-09T10:06:53.760+0800 [DEBUG] ReferenceTransformer: "cloudflare_list.test_allowlist" references: [var.cloudflare_account_id var.cloudflare_test_allowlist]
2022-08-09T10:06:53.760+0800 [INFO] backend/local: plan operation completed

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place

Terraform will perform the following actions:

cloudflare_list.test_allowlist will be updated in-place

~ resource "cloudflare_list" "test_allowlist" {
id = "2c65c75f4b724f7bbddbc537d7d2519a"
name = "test_allowlist"
# (3 unchanged attributes hidden)

  ~ item {
      ~ comment = "ip_address_01" -> "ip_address_04"


      ~ value {
          ~ ip = "73.98.124.7" -> "73.98.124.10"
        }
    }
  ~ item {
      ~ comment = "ip_address_02" -> "ip_address_05"


      ~ value {
          ~ ip = "73.98.124.8" -> "73.98.124.11"
        }
    }
  ~ item {
      ~ comment = "ip_address_03" -> "ip_address_01"


      ~ value {
          ~ ip = "73.98.124.9" -> "73.98.124.7"
        }
    }
  ~ item {
      ~ comment = "ip_address_04" -> "ip_address_02"


      ~ value {
          ~ ip = "73.98.124.10" -> "73.98.124.8"
        }
    }
  ~ item {
      ~ comment = "ip_address_05" -> "ip_address_03"


      ~ value {
          ~ ip = "73.98.124.11" -> "73.98.124.9"
        }
    }
}

Plan: 0 to add, 1 to change, 0 to destroy.

[jacobbednarz]

do you see the issue when not using dynamics? under the covers, i think the dynamic uses a map which isn't ordered in Go so this somewhat expected given the schema is using schema.TypeList.

[acookcode]

It does seem to be OK if we don't use the a dynamic list. What gets me is that the changes are consistent - it always maps to those changes. The plan/template that I provided here is an example, we have a list of ~60 items and the changes are always the same positions to the same positions, despite both the dynamic list and the CloudFlare UI showing in the same order.

Additionally, we had the same configuration with the cloudflare_ip_list resource (now deprecated) and this only occurred after migrating to the cloudflare_list resource.

[jacobbednarz]

by the looks, the old resource was using TypeSet as opposed to TypeList in the new which explains this ordered/unordered behaviour. to be honest, I'm surprised TypeSet ever worked there but I'll see what we can do to swap it over.

[acookcode]

That makes sense, TypeSet may just let configuration sit however you first deployed the configuration and then doesn't care. What confused me is why the List would report changes but the CloudFlare UI and the state would match.

[lucashalbert]

+1 I'm experiencing the same issue with perpetual changes using dynamic items with the new cloudflare_list resource.

[lvets]

+1.

I have the exact same issue without using dynamic items in the redirect list resource. It's a bid annoying 😄

[dhalturin]

same problem for cloudflare_list with type item.redirect

[supercraigmiller]

+1
Same problem here for me, also with cloudflare_list and kind = "redirect"

Slight-workaround seems to be having the list items in the terraform to exactly match the order that it was created in (so manually reordering the list in terraform after applying it). It seems to be closely related to alphanumeric sorting allows for a subsequent plan/apply to not require changes.

Edit: The sorting is actually alphanumeric, but you need to remove the special chars like /-_ and then sort the list, so the following is the correct order as Cloudflare sees it:

/product/lamp
/products/apple
/products/table
/product/staple
/product/table

[lvets]

Looked into this a bit more and it seems that the items in the redirect list are sorted alphabetically based on the source_url parameter in the Cloudflare API.
As a workaround, if I sort the items in the cloudflare_list resource as well, all is fine.

[snahelou]

@lvets Could you provide an example ?
The terraform sort function is a lexical sort, and cloudflare seems to use something else:

Terraform sort:

     "220.243.154.0/23",
     "221.122.91.0/24",
     "58.220.95.0/24",
     "64.215.22.0/24",

Cloudflare sort:

     "58.220.95.0/24",
     "64.215.22.0/24",
     "220.243.154.0/23",
     "221.122.91.0/24",

[acookcode]

I wasn't able to get this working alphabetically either. Even matching the templates to the changes when I run a plan doesn't work unfortunately. I had to create a new IP list for some work and now I have two lists that constantly show changes.

[lvets]

@snahelou Your comment is correct, I might've used the wrong wording. If you make the list like the Cloudflare sort, it should work.

What I currently do is to add the items to the list in Terraform, apply config, check Cloudflare API for how it has sorted the list and then edit your Terraform config accordingly.

It's annoying, but luckily we're not editing our lists too much.

@acook-vhs Which Terraform resource are you using?

[acookcode]

I'm using a cloudflare_list where I am populating the item blocks using a dynamic block and pulling values from a variable which is a map(string) formatted like this:

{
 "127.0.0.1" = "Some IP Address",
 "127.0.0.2" = "Some Other IP Address",
}

Dynamic block declaration is:
 dynamic "item" {
    for_each = var.my_ip_list
    content {
      value {
        ip = item.key
      }
      comment = item.value
    }
  }

[acookcode]

I've also confirmed that the layout of my IP address map matches what comes from the CloudFlare API

[guidorapisarda]

I have the exactly same problem. I tried to reorder, change the keys, remove the trailing forwardslash (/32,/20, etc) and i cant match the cloudflare IP sorting criteria. I use a dynamic statement to pull values from a local map formatted like yours, too. :(

I'm using a cloudflare_list where I am populating the item blocks using a dynamic block and pulling values from a variable which is a map(string) formatted like this:

{
 "127.0.0.1" = "Some IP Address",
 "127.0.0.2" = "Some Other IP Address",
}

Dynamic block declaration is:
 dynamic "item" {
    for_each = var.my_ip_list
    content {
      value {
        ip = item.key
      }
      comment = item.value
    }
  }

[briceburg]

I also experienced this and tried both passing an ordered (by IP) map to dynamic as well as unordered. It's broken the same and I've had to revert to using the deprecated cloudflare_ip_list resource.

locals.tf

locals {
  ip_lists = { # IPs may be IPv4 or IPv6 Addresses or CIDRs
    synapsefi = {
      description = "SynapseFI IPs: https://docs.synapsefi.com/api-references/subscriptions"
      items = [
        { ip = "50.112.48.126" },
        { ip = "44.238.232.80" },
        { ip = "35.85.83.81" },
        { ip = "34.217.238.79" },
        { ip = "54.213.248.113" },
        { 
          ip      = "3.143.46.117" 
          comment = "foo"
        },
      ]
  }
}

ordered example

resource "cloudflare_list" "this" {
  for_each    = local.ip_lists
  account_id  = var.account_id
  name        = each.key
  kind        = "ip"
  description = "Terraform Managed. ${each.value.description}"

  dynamic "item" {
    for_each = { for i in each.value.items : i.ip => try(i.comment, null) }
    content {
      value   = { ip = item.key } 
      comment = item.value
    }
  }
}

notice I force ordering in the dynamic block for_each by using ip address as key, as opposed to this unordered example;

unordered example

resource "cloudflare_list" "this" {
  for_each    = local.ip_lists
  account_id  = var.account_id
  name        = each.key
  kind        = "ip"
  description = "Terraform Managed. ${each.value.description}"

  dynamic "item" {
    for_each = each.value.items
    content {
      value   = { ip = item.value.ip } 
      comment = try(item.value.comment, null)
    }
  }
}

neither works. plan cycles changes. the only thing that works is the old resource

legacy cloudflare_ip_list example (works)

resource "cloudflare_ip_list" "this" {
  for_each    = local.ip_lists
  account_id  = var.account_id
  name        = each.key
  kind        = "ip"
  description = "Terraform Managed. ${each.value.description}"

  dynamic "item" {
    for_each = each.value.items
    content {
      value   = item.value.ip
      comment = try(item.value.comment, null)
    }
  }
}

[github-actions]

This functionality has been released in v3.29.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[nickpodobiedov]

Seems the same for loop in cloudflare_list_item resources. Provider creates ip addresses with the same ID, when I try to create items with loop. Provider version: 4.15.0.