cloudflare_ruleset trigger permanent diff

[xWhiteTonicx]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.3.4
on darwin_arm64

• provider registry.terraform.io/cloudflare/cloudflare v4.9.0

Your version of Terraform is out of date! The latest version
is 1.5.2.

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

variable "custom_http_firewall_ruleset" {
  type = map(list(object({
    action      = string
    description = optional(string, null)
    expression  = string
    enabled     = optional(bool, true)
    action_parameters = optional(object({
      phases                     = optional(list(string), null)
      products                   = optional(list(string), null)
      cache                      = optional(bool, null)
      cookie_fields              = optional(list(string), null)
      host_header                = optional(string, null)
      increment                  = optional(number, null)
      origin_error_page_passthru = optional(bool, null)
      request_fields             = optional(list(string), null)
      respect_strong_etags       = optional(bool, null)
      response_fields            = optional(list(string), null)
      rules                      = optional(map(string), null)
    }), {})

  })))
  default = {
    default = [
      {
        action = "skip"
        description = "********"
        expression  = "(ip.src eq ******)"
        action_parameters = {
          products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "zoneLockdown", "waf"]
        }
      },
      {
        action = "skip"
        action_parameters = {
          phases   = ["http_ratelimit", "http_request_firewall_managed", "http_request_sbfm"]
          products = ["uaBlock", "bic", "hot", "securityLevel", "rateLimit", "waf"]
        }
        description = "*******"
        expression  = "(ip.src in {**********})"
      },
      {
        action      = "block"
        description = "********"
        expression  = "http.request.full_uri contains \"*******\" and \nnot (\n  http.request.uri.path eq \"/network_stats\" or\n  http.request.uri.path eq \"/address\" or\n  http.request.uri.path matches \"/address/*\" or\n  http.request.uri.path eq \"/contract_verification\" or\n  http.request.uri.path matches \"/contract_verification/*\"\n)"
      },
      {
        action      = "block"
        description = "********"
        expression  = "http.request.full_uri contains \"*******\" and\nnot (\n  http.request.uri.path eq \"/network_stats\" or\n  http.request.uri.path eq \"/address\" or\n  http.request.uri.path matches \"/address/*\" or\n  http.request.uri.path eq \"/contract_verification\" or\n  http.request.uri.path matches \"/contract_verification/*\"\n)"
      }
    ]
  }
}


resource "cloudflare_ruleset" "this_http_firewall" {
  for_each = var.custom_http_firewall_ruleset
  kind     = "zone"
  name     = each.key
  phase    = "http_request_firewall_custom"
  zone_id  = data.cloudflare_zone.this.zone_id

  dynamic "rules" {
    for_each = each.value

    content {
      action      = lookup(rules.value, "action", null)
      description = lookup(rules.value, "description", null)
      expression  = rules.value.expression
      enabled     = lookup(rules.value, "enabled", true)

      dynamic "logging" {
        for_each = rules.value.action == "skip" ? [1] : []
        content {
          enabled = true
        }
      }

      dynamic "action_parameters" {
        for_each = lookup(rules.value, "action_parameters", null) == null ? [] : [rules.value.action_parameters]
        content {
          cache                      = lookup(action_parameters.value, "cache", null)
          cookie_fields              = lookup(action_parameters.value, "cookie_fields", null)
          host_header                = lookup(action_parameters.value, "host_header", null)
          increment                  = lookup(action_parameters.value, "increment", null)
          origin_error_page_passthru = lookup(action_parameters.value, "origin_error_page_passthru", null)
          phases                     = lookup(action_parameters.value, "phases", null)
          products                   = lookup(action_parameters.value, "products", null)
          request_fields             = lookup(action_parameters.value, "request_fields", null)
          respect_strong_etags       = lookup(action_parameters.value, "respect_strong_etags", null)
          response_fields            = lookup(action_parameters.value, "response_fields", null)
          rules                      = lookup(action_parameters.value, "rules", null)
        }
      }
    }
  }
}

Link to debug output

https://gist.github.com/xWhiteTonicx/3a72277abe3d6b34db9b60093084be5c

Panic output

No response

Expected output

successful apply

Actual output

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.this_http_firewall["default"],
│ provider "provider["registry.terraform.io/cloudflare/cloudflare"]"
│ produced an unexpected new value: .rules[2].action_parameters: block count
│ changed from 1 to 0.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.this_http_firewall["default"],
│ provider "provider["registry.terraform.io/cloudflare/cloudflare"]"
│ produced an unexpected new value: .rules[3].action_parameters: block count
│ changed from 1 to 0.
│
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Steps to reproduce

1. Apply plan with same resource and variable
2. Receive errors

Additional factoids

Second apply: https://gist.github.com/xWhiteTonicx/daefcd279622158043fb776d4783ea30

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for opening this issue and sorry to hear you're hitting issues. Unfortunately, the reproduction case provided contains HCL dynamic expressions. Examples of these are:

• Conditionals
• For loops
• Dynamic blocks
• Modules and module references

Maintainers don't accept these as reproduction cases since using these constructs and expressions can hold their own logic bugs which are outside of the provider and not able to be diagnosed.

For maintainers to triage this issue, we recommend providing a minimal reproduction test case that is only contains the impacted resources and can be easily reproduced in an isolated environment. Without providing this, maintainers are limited in what support they can provide.

[junze-smg]

hey @xWhiteTonicx, i saw you closed the issue yourself. Have you figured out a solution? We're having the same issue right now. Thanks for your input.