cloudflare_ruleset: Provider produced inconsistent result after apply

[bhartm3]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.zone_settings.cloudflare_ruleset.zone_managed_waf, provider "module.zone_settings.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value: .rules[4].logging: block count changed from 0 to
│ 1.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

resource "cloudflare_ruleset" "zone_managed_waf" {
  zone_id     = var.cloudflare_zone_id
  name        = "Managed WAF entry point ruleset"
  description = "Account-level WAF Managed Rules config"
  kind        = "zone"
  phase       = "http_request_firewall_managed"

  # Execute Cloudflare Managed Ruleset
  rules {
    action = "execute"
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
      version = "latest"
    }
    expression = "true"
    description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
    enabled = true
  }

  rules {
    action = "skip"
    action_parameters {
      rules = {
        "4814384a9e5d4991b9815dcfc25d2f1f" = "51b8ffa2e4c04c7a9e7fc4c7ca652210"
      }
    }
    expression = "true"
    description = "Skip"
    enabled = true
  }

  # Execute Cloudflare OWASP Core Ruleset
  rules {
    action = "execute"
    action_parameters {
      id = "4814384a9e5d4991b9815dcfc25d2f1f"
      version = "latest"
    }
    expression = "true"
    description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
    enabled = true
  }
}

Link to debug output

log contains too much sensitive info (could follow up through support?)

Panic output

No response

Expected output

no error

Actual output

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.zone_settings.cloudflare_ruleset.zone_managed_waf, provider "module.zone_settings.provider["registry.terraform.io/cloudflare/cloudflare"]" produced an unexpected new value: .rules[4].logging: block count changed from 0 to
│ 1.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to reproduce

Apply resource.

Additional factoids

No response

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[github-actions]

Thank you for opening this issue and sorry to hear you're hitting issues. Unfortunately, the reproduction case provided contains HCL dynamic expressions. Examples of these are:

• Conditionals
• For loops
• Dynamic blocks
• Modules and module references

Maintainers don't accept these as reproduction cases since using these constructs and expressions can hold their own logic bugs which are outside of the provider and not able to be diagnosed.

For maintainers to triage this issue, we recommend providing a minimal reproduction test case that is only contains the impacted resources and can be easily reproduced in an isolated environment. Without providing this, maintainers are limited in what support they can provide.

[cnk]

I am using cloudflare provide 4.14.0

I have a very similar sounding issue with a different ruleset entrypoint. In my case rerunning terraform apply for unrelated updates always gives me 3 error messages - one for each of my rate limiting rules:

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.rate_limiting, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an
│ unexpected new value: .rules[0].ratelimit[0].requests_to_origin: was null, but now cty.False.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.rate_limiting, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an
│ unexpected new value: .rules[1].ratelimit[0].requests_to_origin: was null, but now cty.False.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.rate_limiting, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an
│ unexpected new value: .rules[2].ratelimit[0].requests_to_origin: was null, but now cty.False.
│
│ This is a bug in the provider, which should be reported in the provider's

The code I am running is

resource "cloudflare_ruleset" "rate_limiting" {
  zone_id     = local.zones[terraform.workspace].zone_id
  name        = "Custom rate limit rules"
  description = "Rate limit rules for api and search"
  kind        = "zone"
  phase       = "http_ratelimit"

  rules {
    action = "managed_challenge"
    ratelimit {
      characteristics = [
        "cf.colo.id",
        "ip.src"
      ]
      period              = 60
      requests_per_period = 30
      mitigation_timeout  = 3600
    }
    expression  = "(http.request.uri.path eq \"/_csp\")"
    description = "CSP POSTS rate limit"
    enabled     = true
  }

  rules {
    action = "managed_challenge"
    ratelimit {
      characteristics = [
        "cf.colo.id",
        "ip.src"
      ]
      period              = 10
      requests_per_period = 5
      mitigation_timeout  = 60
    }
    expression  = "(http.request.uri.path eq \"/search\")"
    description = "Search rate limit"
    enabled     = true
  }

  rules {
    action = "managed_challenge"
    ratelimit {
      characteristics = [
        "cf.colo.id",
        "ip.src"
      ]
      period              = 60
      requests_per_period = 20
      mitigation_timeout  = 60
    }
    expression  = "(http.request.uri.path eq \"/about/news\" and http.request.uri.query matches \"(search=|category=|tag=|year=)\")"
    description = "WWW news search rate limit"
    enabled     = true
  }
}

[jacobbednarz]

@cnk your issue is unrelated to this issue. you are missing the definition in your HCL that the API is returning. in future, i'd recommend a dedicated issue unless your error message or reproduction case is identical.

[atmosx]

Same error here:

resource "cloudflare_ruleset" "ex_add_gps_headers" {
  zone_id     = var.zone_id
  name        = "default"
  description = "Add request GPS longitude and latitude headers"
  kind        = "zone"
  phase       = "http_request_late_transform"

  rules {
    action = "rewrite"
    action_parameters {
      headers {
        name       = "Exp-ip-longitude"
        operation  = "set"
        expression = "ip.src.lon"
      }
      headers {
        name       = "Exp-ip-latitude"
        operation  = "set"
        expression = "ip.src.lat"
      }
    }
    expression  = "((http.host matches \"^(host1|host2|host3|host4).*\"))"
    description = "Add GPS coordinates"
    enabled = true
  }
}

Planning works as expected, applying the change produces the following error:

cloudflare_ruleset.exp_add_gps_headers: Creating...

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.exp_add_gps_headers, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an
│ unexpected new value: .rules[0].action_parameters[0].headers[0].expression: was cty.StringVal("ip.src.lon"), but now cty.StringVal("ip.src.lat").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
[...]

Cloudflare provider used is v4.14. Note that the change has been applied, but triggers a "replacement" in every run.

[jacobbednarz]

@atmosx ypur issue is also unrelated here. you'll need to check the provider docs as Ruleset headers must be in alphabetical order.

[bhartm3]

Providing the block

    logging {
      enabled = true
    }

for skip rules solves this error for us.

[jacobbednarz]

closing as the original issue hasn't been followed up on and still requires a reproduction case without dynamics.

if this is still an issue, please open a new issue following the issue template to have it triaged.