Unnecessary diff for Tags on cloudflare_record

[leosunmo]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform Version: 1.6.2
Cloudflare Provider version: 4.17.0

Affected resource(s)

cloudflare_record

Terraform configuration files

resource "cloudflare_record" "my-record_A" {
  name    = "*.my-record" # Doubt that the wildcard makes a difference, but that's what we used.
  proxied = true
  type    = "A"
  value   = "192.168.0.1" # Dummy IP, of course
  zone_id = cloudflare_zone.my-zone.id
}

Link to debug output

https://gist.github.com/leosunmo/14cb01727954795c0daf379ff85878b2

Panic output

No response

Expected output

No changes to infrastructure

Actual output

Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
  # cloudflare_record.my-record_A has changed
  ~ resource "cloudflare_record" "my-record_A" {
        id              = "some-id"
        name            = "*.my-record"
      + tags            = []
        # (11 unchanged attributes hidden)
    }

Steps to reproduce

1. Apply a record with no tags declared.
2. Run a drift check, basically terraform plan --refresh-only
3. See that the provider seems to read an empty tag list from the API, generating a diff.

Additional factoids

I didn't spend too much time in the code, neither am I particularly familiar with the Terraform Provider framework.

My 5 minute-effort guess is that the Provider is creating the record with a nil tag slice, but is getting an empty slice in response when doing the read.

I did a quick sanity check in the playground to make sure it even made sense: https://go.dev/play/p/VG8GZH68Fc8

As I said, not super familiar, and didn't modify the code to test if setting the slice to empty would change anything.

References

No response

[leosunmo]

If you really need debug output I can attempt it, but it's a bit more effort in our CI/CD setup.

Edit: Okay I've provided a debug file, hopefully redacting everything sensitive. Not a huge fan of having to provide all of this since it can contain quite a bit of information of our internal DNS setup...

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Terraform debug log detected ✅

[jacobbednarz]

the drift here comes from the use of -refresh-only (which i don't recommend).

running a normal plan works because terraform can evaluate all the changes in the configuration together. when you add -refresh-only the planning action of each resource is skipped, so there is no changeset to evaluate new resources from.