Cloudflare Ruleset Resource - Custom WAF Rule - Skip #2724

Closed
2 tasks done
jhough-teleflora opened this issue Aug 29, 2023 · 13 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@jhough-teleflora

jhough-teleflora commented Aug 29, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.5.5
on windows_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v4.12.0
  • provider registry.terraform.io/hashicorp/azurerm v3.0.0

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

terraform {
  required_providers {
    # Cloudflare provider
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
    # Azure rm provider
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.0.0"
    }
  }
  # Terraform state file backend management
  backend "azurerm" {
    subscription_id      = "REDACTED"
    resource_group_name  = "REDACTED"
    storage_account_name = "REDACTED"
    container_name       = "REDACTED"
    key                  = "REDACTED"
  }
}

# Authentication
provider "cloudflare" {
  api_token = var.cloudflare_api_token
}

# Variables
variable "cloudflare_api_token" {
  type      = string
  sensitive = true
}

# Add single custom rule to WEB zone
resource "cloudflare_ruleset" "zone_custom_firewall" {
  zone_id = "REDACTED"
  name    = "Test Rule"
  kind    = "zone"
  phase   = "http_request_firewall_custom"
  rules {
    action = "skip"
    action_parameters {
      ruleset = "REDACTED"  # Current default firewall_custom ID
    }
    expression  = "(not cf.edge.server_port in {80 443})"
    description = "Test"
  }
}

Link to debug output

https://gist.github.com/jhough-teleflora/53ced569d8f5be375abb8748ede39d92

Panic output

No response

Expected output

I expected that the custom WAF rule would be created with the provided configuration: a rule with the name "Test Rule" whose action would be "skip".

The end goal is to create a custom rule that skips the remaining custom rules once the expression is met.
In the web console, this would be the equivalent of selecting "Skip" as the action and checking the "All remaining custom rules" box under the "WAF components to skip" section.

Actual output

After Terraform attempted the modification, Terraform threw an error saying that the ruleset ID given was an "unknown variant".

Steps to reproduce

  1. Create a cloudflare_ruleset resource that has the action "skip" and attempts to skip the remaining custom WAF rules.
  2. Run "terraform apply".

Additional factoids

I have tried the above process after deleting the "firewall_custom" ruleset through the API first, then creating this rule, and had the same issue.

It could be that I missed the documentation for this, but I could not find any documentation for this specific use case.

References

No response

@jhough-teleflora jhough-teleflora added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 29, 2023
@github-actions
Contributor

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions
Contributor

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

@github-actions github-actions bot added triage/needs-information Indicates an issue needs more information in order to work on it. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 29, 2023
@jhough-teleflora
Author

Added the requested output in the "Link to debug output" section.

@jacobbednarz
Member

That is not the expected debug output. You will need to prefix the terraform operation with TF_LOG=DEBUG (from the issue template) to get the correct output.

@jhough-teleflora
Author

Issue#1390 references what I needed to create the skip ruleset:
#1390

I will report that I ran into a bug in the provider. Here is the error I received when successfully creating the ruleset:

│ Error: Provider produced inconsistent result after apply

│ When applying changes to cloudflare_ruleset.zone_custom_firewall, provider "provider["registry.terraform.io/cloudflare/cloudflare"]" produced an
│ unexpected new value: .rules[0].logging: block count changed from 0 to 1.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

@zpbonjour

zpbonjour commented Sep 26, 2023

EDIT: Found the solution!!
ruleset = "current"
I updated my now fully working example at the bottom.

@jhough-teleflora Using a combo of the Cloudflare API docs and the Terraform module docs I was also not able to create a custom rule that skips "all remaining custom rules".

In the Cloudflare docs the Skip action is applied to phases and products, not a ruleset or list of rulesets. So the action_parameters.ruleset block will not work; instead it needs to be action_parameters.phases and/or action_parameters.products. All three are valid.

If I try to add the custom rules phase, I get an error. Which makes sense as I'm adding a rule to the phase and then trying to skip that same phase. 🤷‍♂️
"skip action parameter phase 'http_request_firewall_custom' is not authorized (20120)"

Here's the resource I have right now, but it's just missing the custom rules bit. I would love some input from the team here to help get that last setting applied. It's there in the Cloudflare UI, but I can't find an API option for it.
Works now!

resource "cloudflare_ruleset" "zone_level_custom_ruleset" {
  for_each    = var.zone_ids
  zone_id     = each.value
  name        = "${each.key} Webserver Self Calls"
  kind        = "zone"
  phase       = "http_request_firewall_custom"
  rules {
    description = "${each.key} Webserver Self Calls"
    action      = "skip"
    action_parameters {
      ruleset = "current"
      phases = ["http_request_firewall_managed", "http_ratelimit", "http_request_sbfm"]
      products = ["bic","zoneLockdown"]
    }
    expression = "(ip.src eq ${var.aws_webserver_ip_address})"
    enabled    = true
    logging {
      enabled = true
    }
  }
}

@github-actions
Contributor

Marking this issue as stale due to 30 days of inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed. Maintainers can also remove the lifecycle/stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

Contributor

github-actions bot commented Nov 3, 2023

This issue was closed because it has been stalled for 7 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 3, 2023
@yeaminr

yeaminr commented Oct 7, 2024

I couldn't find a Terraform equivalent to "Skip all remaining rules" on the CF dashboard. But the Terraform iteration code below, inside action_parameters, worked for me as an alternative:

action_parameters {
  rulesets = [for rule in local.waf_managed_ruleset.rules : rule.action_parameters.id]
}

@devang704

Hi, I'm working on Cloudflare WAF rules at the zone level. I've created a primary rule to "Deny All," which blocks all traffic to the zone. Now, I want to add another rule that allows requests from a specific IP range for a particular DNS record. However, when I try to create this additional custom WAF rule at the zone level, it isn't being created successfully.

This is Deny All

resource "cloudflare_ruleset" "zone_custom_firewall" {
  zone_id     = "zone-id"
  name        = "Deny All"
  description = "Deny All"
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action      = "block"
    expression  = "(ip.src in { 0.0.0.0/0 })"
    description = "Deny All"
    enabled     = true
  }
}

This is Skip Rule

resource "cloudflare_ruleset" "zone_custom_firewall_skip" {
  zone_id     = "zone-id"
  name        = "api.saas"
  description = ""
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  rules {
    action = "skip"
    action_parameters {
      ruleset = "current"
    }
    expression  = "(ip.src in {123.185.456.169} and http.host eq \"api.saas.example.com\")"
    description = ""
    enabled     = true
    logging {
      enabled = true
    }
  }
}

@jhough-teleflora
Author

@devang704 - If those are the exact values you are using for the rules then the issue is with your allow rule.

The source IP address is not a valid IP address -> "123.185.456.169"

255 is the highest value that you can have for any of the octets of an IP address.
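A pre-apply check for the point made above, as an added example that is not part of the thread: it pulls every literal out of the `ip.src in {...}` sets of a Cloudflare expression and reports the ones the standard `ipaddress` module rejects, such as an octet above 255. The sample expressions are constructed for this example.

```python
import ipaddress
import re

# Constructed sample expressions (not taken from the issue); the last one
# mirrors the invalid-octet case discussed in the thread.
SAMPLE_EXPRESSIONS = [
    '(ip.src in { 0.0.0.0/0 })',
    '(ip.src in {10.0.0.0/8 192.168.1.7} and http.host eq "api.example.com")',
    '(ip.src in {123.185.456.169} and http.host eq "api.saas.example.com")',
]

# Matches the set literal of `ip.src in {...}` / `ip.src not in {...}`.
_SET_RE = re.compile(r'ip\.src\s+(?:not\s+)?in\s*\{([^}]*)\}')


def invalid_ip_literals(expression: str) -> list:
    """Return every IP or CIDR literal inside an ip.src set that is not a
    valid address or network (an octet above 255, a bad prefix length, ...)."""
    bad = []
    for match in _SET_RE.finditer(expression):
        for literal in match.group(1).split():
            try:
                # strict=False accepts host addresses as /32 or /128 networks.
                ipaddress.ip_network(literal, strict=False)
            except ValueError:
                bad.append(literal)
    return bad


def check_expressions(expressions) -> dict:
    """Map each expression to its list of invalid literals (empty when clean)."""
    return {expr: invalid_ip_literals(expr) for expr in expressions}


if __name__ == "__main__":
    for expr, bad in check_expressions(SAMPLE_EXPRESSIONS).items():
        print("OK  " if not bad else "BAD ", expr, bad)
```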

@devang704

Hi, this is not the real IP address, I just put in a random IP. The error I am getting is below.

Error: failed to create ruleset "http_request_firewall_custom"

with cloudflare_ruleset.zone_custom_firewall_skip,
on main.tf line 1, in resource "cloudflare_ruleset" "zone_custom_firewall_skip":
1: resource "cloudflare_ruleset" "zone_custom_firewall_skip" {

A similar configuration with rules already exists and overwriting will have
unintended consequences. If you are migrating from the Dashboard, you will
need to first import the existing rules using cf-terraforming. You can find
details about how to do this at
https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch

@jhough-teleflora
Author

That error is because you are trying to create rules that already exist in Cloudflare. So you can either import the rules that already exist into your tfstate file, or you can delete the custom WAF rules and then run terraform.
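An added illustration of the import route (example code written for this page, not code from the provider or from anyone in the thread): it locates the zone's existing http_request_firewall_custom entrypoint in a constructed copy of a list-rulesets API response and builds the `terraform import` line. The `zone/<zone_id>/<ruleset_id>` import ID format is assumed from the v4 provider documentation, and the `PLACEHOLDER_*` values are placeholders, not identifiers from the issue.

```python
import json
from typing import Optional

# Constructed sample of a "list zone rulesets" API response; not real data,
# and the ids are placeholders rather than identifiers from the issue.
SAMPLE_RULESETS_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"id": "PLACEHOLDER_MANAGED_ID", "name": "Cloudflare Managed Ruleset",
         "kind": "managed", "phase": "http_request_firewall_managed"},
        {"id": "PLACEHOLDER_CUSTOM_ID", "name": "Deny All",
         "kind": "zone", "phase": "http_request_firewall_custom"},
    ],
})


def find_entrypoint(response_json: str, phase: str) -> Optional[dict]:
    """Return the zone-level entrypoint ruleset for `phase`, or None when the
    zone has none yet (then a plain `terraform apply` can create it)."""
    body = json.loads(response_json)
    if not body.get("success"):
        raise RuntimeError("API call did not succeed")
    for ruleset in body.get("result", []):
        if ruleset.get("kind") == "zone" and ruleset.get("phase") == phase:
            return ruleset
    return None


def import_command(resource_address: str, zone_id: str, response_json: str,
                   phase: str = "http_request_firewall_custom") -> Optional[str]:
    """Build the import line that adopts the existing ruleset into state.
    Assumption: the v4 provider's zone import ID is zone/<zone_id>/<ruleset_id>."""
    ruleset = find_entrypoint(response_json, phase)
    if ruleset is None:
        return None
    return f"terraform import {resource_address} zone/{zone_id}/{ruleset['id']}"


if __name__ == "__main__":
    print(import_command("cloudflare_ruleset.zone_custom_firewall_skip",
                         "PLACEHOLDER_ZONE_ID", SAMPLE_RULESETS_RESPONSE))
```

After the import, a `terraform plan` should show the existing rules as in-place changes rather than a create, which is the check that the "similar configuration already exists" error is gone.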
