Upgrade forces cloudflare_access_policy replacement

[covracer]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.5.5
on linux_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v4.40.0
+ provider registry.terraform.io/hashicorp/aws v5.64.0
+ provider registry.terraform.io/nlamirault/papertrail v0.1.7

Affected resource(s)

cloudflare_access_policy

Terraform configuration files

resource "cloudflare_access_policy" "tokens" {
  application_id   = cloudflare_access_application.mine.id
  decision         = "non_identity"
  name             = "my-tokens"
  precedence       = 2
  session_duration = "24h"
  zone_id          = "abc123"
  include {
    any_valid_service_token = true
  }
}

Link to debug output

None

Panic output

No response

Expected output

No changes. Your infrastructure matches the configuration.

Warning: Deprecated Resource...

Actual output

  # cloudflare_access_policy.tokens must be replaced                                           
-/+ resource "cloudflare_access_policy" "tokens" {                                             
      - account_id                     = "def456" -> null # forces replacement
      - approval_required              = false -> null 
      ~ id                             = "some-uuid" -> (known after apply)
      - isolation_required             = false -> null                                        
        name                           = "my-tokens"
      - purpose_justification_required = false -> null                                        
        # (5 unchanged attributes hidden)
                                                                                              
      ~ include {                                                                             
          - certificate             = false -> null   
          - common_names            = [] -> null                                               
          - device_posture          = [] -> null                                               
          - email                   = [] -> null                                              
          - email_domain            = [] -> null                  
          - email_list              = [] -> null
          - everyone                = false -> null                                       
          - geo                     = [] -> null                                           
          - group                   = [] -> null                                           
          - ip                      = [] -> null
          - ip_list                 = [] -> null   
          - login_method            = [] -> null
          - service_token           = [] -> null
            # (1 unchanged attribute hidden)                                                  
        }                                                                                     
    }

Steps to reproduce

Define and apply resource with provider version 4.32.0. Then upgrade to version 4.40.0.

terraform plan -target=cloudflare_access_policy.tokens

Additional factoids

No response

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[jacobbednarz]

you've selected that you're running the latest version here however, 4.41.0 is newer and has the fix you're after here - https://github.com/cloudflare/terraform-provider-cloudflare/blob/master/CHANGELOG.md#4410-september-4th-2024

[covracer]

D'oh I overlooked a version pin. Thanks!

I ended up just moving to the new resource name with a state rm of the old name, and import with zone/. I may try to update the docs with that.

[covracer]

Ah I see #3338 removed the documentation on importing zone-specific policies. The preferred way to relate applications to policies is now on the application side instead of the policy side. I'll try to adapt to that too.

[jacobbednarz]

let me know if there is anything else but this looks sorted now.