
cloudflare_ruleset trigger permanent diff #2606

Closed
2 tasks done
xWhiteTonicx opened this issue Jul 10, 2023 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@xWhiteTonicx

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.3.4
on darwin_arm64

  • provider registry.terraform.io/cloudflare/cloudflare v4.9.0

Your version of Terraform is out of date! The latest version
is 1.5.2.

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

variable "custom_http_firewall_ruleset" {
  type = map(list(object({
    action      = string
    description = optional(string, null)
    expression  = string
    enabled     = optional(bool, true)
    action_parameters = optional(object({
      phases                     = optional(list(string), null)
      products                   = optional(list(string), null)
      cache                      = optional(bool, null)
      cookie_fields              = optional(list(string), null)
      host_header                = optional(string, null)
      increment                  = optional(number, null)
      origin_error_page_passthru = optional(bool, null)
      request_fields             = optional(list(string), null)
      respect_strong_etags       = optional(bool, null)
      response_fields            = optional(list(string), null)
      rules                      = optional(map(string), null)
    }), {})

  })))
  default = {
    default = [
      {
        action = "skip"
        description = "********"
        expression  = "(ip.src eq ******)"
        action_parameters = {
          products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "zoneLockdown", "waf"]
        }
      },
      {
        action = "skip"
        action_parameters = {
          phases   = ["http_ratelimit", "http_request_firewall_managed", "http_request_sbfm"]
          products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf"]
        }
        description = "*******"
        expression  = "(ip.src in {**********})"
      },
      {
        action      = "block"
        description = "********"
        expression  = "http.request.full_uri contains \"*******\" and \nnot (\n  http.request.uri.path eq \"/network_stats\" or\n  http.request.uri.path eq \"/address\" or\n  http.request.uri.path matches \"/address/*\" or\n  http.request.uri.path eq \"/contract_verification\" or\n  http.request.uri.path matches \"/contract_verification/*\"\n)"
      },
      {
        action      = "block"
        description = "********"
        expression  = "http.request.full_uri contains \"*******\" and\nnot (\n  http.request.uri.path eq \"/network_stats\" or\n  http.request.uri.path eq \"/address\" or\n  http.request.uri.path matches \"/address/*\" or\n  http.request.uri.path eq \"/contract_verification\" or\n  http.request.uri.path matches \"/contract_verification/*\"\n)"
      }
    ]
  }
}


resource "cloudflare_ruleset" "this_http_firewall" {
  for_each = var.custom_http_firewall_ruleset
  kind     = "zone"
  name     = each.key
  phase    = "http_request_firewall_custom"
  zone_id  = data.cloudflare_zone.this.zone_id

  dynamic "rules" {
    for_each = each.value

    content {
      action      = lookup(rules.value, "action", null)
      description = lookup(rules.value, "description", null)
      expression  = rules.value.expression
      enabled     = lookup(rules.value, "enabled", true)

      dynamic "logging" {
        for_each = rules.value.action == "skip" ? [1] : []
        content {
          enabled = true
        }
      }

      dynamic "action_parameters" {
        for_each = lookup(rules.value, "action_parameters", null) == null ? [] : [rules.value.action_parameters]
        content {
          cache                      = lookup(action_parameters.value, "cache", null)
          cookie_fields              = lookup(action_parameters.value, "cookie_fields", null)
          host_header                = lookup(action_parameters.value, "host_header", null)
          increment                  = lookup(action_parameters.value, "increment", null)
          origin_error_page_passthru = lookup(action_parameters.value, "origin_error_page_passthru", null)
          phases                     = lookup(action_parameters.value, "phases", null)
          products                   = lookup(action_parameters.value, "products", null)
          request_fields             = lookup(action_parameters.value, "request_fields", null)
          respect_strong_etags       = lookup(action_parameters.value, "respect_strong_etags", null)
          response_fields            = lookup(action_parameters.value, "response_fields", null)
          rules                      = lookup(action_parameters.value, "rules", null)
        }
      }
    }
  }
}

Link to debug output

https://gist.github.com/xWhiteTonicx/3a72277abe3d6b34db9b60093084be5c

Panic output

No response

Expected output

successful apply

Actual output


│ Error: Provider produced inconsistent result after apply

│ When applying changes to cloudflare_ruleset.this_http_firewall["default"],
│ provider "provider["registry.terraform.io/cloudflare/cloudflare"]"
│ produced an unexpected new value: .rules[2].action_parameters: block count
│ changed from 1 to 0.

│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.


│ Error: Provider produced inconsistent result after apply

│ When applying changes to cloudflare_ruleset.this_http_firewall["default"],
│ provider "provider["registry.terraform.io/cloudflare/cloudflare"]"
│ produced an unexpected new value: .rules[3].action_parameters: block count
│ changed from 1 to 0.

│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Steps to reproduce

  1. Apply plan with same resource and variable
  2. Receive errors

Additional factoids

Second apply: https://gist.github.com/xWhiteTonicx/daefcd279622158043fb776d4783ea30

References

No response

@xWhiteTonicx xWhiteTonicx added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 10, 2023
@github-actions
Contributor

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Jul 10, 2023
@github-actions
Contributor

Thank you for opening this issue and sorry to hear you're hitting issues. Unfortunately, the reproduction case provided contains HCL dynamic expressions. Examples of these are:

Maintainers don't accept these as reproduction cases since using these constructs and expressions can hold their own logic bugs which are outside of the provider and not able to be diagnosed.

For maintainers to triage this issue, we recommend providing a minimal reproduction test case that only contains the impacted resources and can be easily reproduced in an isolated environment. Without providing this, maintainers are limited in what support they can provide.

@github-actions github-actions bot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Jul 10, 2023
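Added example, not code from the issue author or from the provider project. It gives the reported configuration the shape the triage bot asks for (a static ruleset with one rule that carries action_parameters and one "block" rule that carries none, mirroring rules[2] and rules[3], the two the error names), and beside it a data-driven variant with a guard so that a rule that omits action_parameters emits no action_parameters block. The guard rests on an assumption not stated in the thread: with `optional(object({...}), {})` as the attribute default, an omitted action_parameters is an object whose attributes are all null rather than null itself, so `lookup(...) == null` never skips the block and the provider is handed an empty one. The zone id, descriptions and expressions are placeholders.

```hcl
# Added example; not from the issue author or the cloudflare provider project.
# var.zone_id, the descriptions and the expressions are placeholders.

variable "zone_id" {
  type = string
}

# 1. Static reproduction with no dynamic blocks and no lookup(). Rule one carries
#    action_parameters; rule two is a "block" with none, like rules[2]/[3] above.
resource "cloudflare_ruleset" "minimal" {
  kind    = "zone"
  name    = "minimal"
  phase   = "http_request_firewall_custom"
  zone_id = var.zone_id

  rules {
    action      = "skip"
    description = "allowlist one address (placeholder)"
    expression  = "(ip.src eq 203.0.113.10)"
    enabled     = true

    logging {
      enabled = true
    }

    action_parameters {
      products = ["waf"]
    }
  }

  rules {
    action      = "block"
    description = "block one path (placeholder)"
    expression  = "(http.request.uri.path eq \"/placeholder\")"
    enabled     = true
    # Intentionally no action_parameters block: a "block" rule takes none.
  }
}

# 2. Data-driven form of the same thing. Assumption: leaving out the "{}" default
#    makes an omitted action_parameters null instead of an object whose
#    attributes are all null, so the guard below can tell the two cases apart.
variable "custom_http_firewall_ruleset" {
  type = map(list(object({
    action      = string
    description = optional(string)
    expression  = string
    enabled     = optional(bool, true)
    action_parameters = optional(object({
      phases   = optional(list(string))
      products = optional(list(string))
    }))
  })))
}

resource "cloudflare_ruleset" "guarded" {
  for_each = var.custom_http_firewall_ruleset
  kind     = "zone"
  name     = each.key
  phase    = "http_request_firewall_custom"
  zone_id  = var.zone_id

  dynamic "rules" {
    for_each = each.value
    content {
      action      = rules.value.action
      description = rules.value.description
      expression  = rules.value.expression
      enabled     = rules.value.enabled

      # Emit action_parameters only when the object exists and at least one of
      # its attributes is set; try() turns values(null) into "no block".
      dynamic "action_parameters" {
        for_each = try(anytrue([for v in values(rules.value.action_parameters) : v != null]), false) ? [rules.value.action_parameters] : []
        content {
          phases   = action_parameters.value.phases
          products = action_parameters.value.products
        }
      }
    }
  }
}
```

Part 1 is the form to paste into a report: if the "block count changed from 1 to 0" error still appears with a plain, static ruleset, the defect is in the provider; if it disappears, the dynamic wrapper was emitting an empty block. Part 2 keeps the data-driven layout but only produces an action_parameters block when there is something to put in it.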
@junze-smg
Contributor

Hey @xWhiteTonicx, I saw you closed the issue yourself. Have you figured out a solution? We're having the same issue right now. Thanks for your input.
