Problem with cloudflare_ruleset custom cache key with exclude_origin true - block count changed from 1 to 0

[laliconfigcat]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform version: 1.5.0
Cloudflare provider version: 4.15.0

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

resource "cloudflare_ruleset" "cache_rule" {
  zone_id = ""
  name    = "name"
  kind    = "zone"
  phase   = "http_request_cache_settings"

  rules {
    action = "set_cache_settings"
    action_parameters {
      edge_ttl {
        mode    = "override_origin"
        default = 3600
      }
      browser_ttl {
        mode = "respect_origin"
      }
      serve_stale {
        disable_stale_while_updating = true
      }
      cache_key {
        ignore_query_strings_order = false
        cache_deception_armor      = true
        custom_key {
          query_string {
            exclude = ["*"]
          }
          header {
            include = []
            check_presence = []
            exclude_origin = true
          }
          user {
            device_type = false
            geo         = false
            lang        = false
          }
          host {
            resolved = false
          }
        }
      }
      origin_error_page_passthru = false
    }
    expression = "..."
    enabled    = true
  }
}

Link to debug output

https://gist.github.com/laliconfigcat/a2f076249596a3d8e68427a8144be22b

Panic output

No response

Expected output

The cloudflare_ruleset should be created.

Actual output

When applying changes to module.test_cache_rules.cloudflare_ruleset.cache_rule, provider "provider["registry.terraform.io/cloudflare/cloudflare"]" produced an unexpected new value: .rules[0].action_parameters[0].cache_key[0].custom_key[0].header: block count changed from 1 to 0.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to reproduce

1. Try setting a cloudflare_ruleset with a header like this:

header {
  include = []
  check_presence = []
  exclude_origin = true
}

2. The provider fails with

When applying changes to module.test_cache_rules.cloudflare_ruleset.cache_rule, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value: .rules[0].action_parameters[0].cache_key[0].custom_key[0].header: block count changed from 1 to 0.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Additional factoids

I'd like to add a cache rule where the header exclude_origin is set to true, but I don't want to include anything or add anything to the check_presence arrays.
I checked the code and it seems that the exclude_origin header can only be set if I add anything to the include or check_presence arrays. If the include and check_presence lists are empty, the provider ignores the whole header block:
https://github.com/cloudflare/terraform-provider-cloudflare/blob/master/internal/framework/service/rulesets/resource.go#L530

Am I doing something wrong? How could I set exclude_origin from the header without adding something to the include and check_presence arrays?

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.