cloudflare_zero_trust_access_policy has drift w/ gsuite identity_provider_id

[rsyring]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

❯ terraform --version
Terraform v1.9.7
on linux_amd64

• provider registry.terraform.io/cloudflare/cloudflare v4.43.0

Affected resource(s)

cloudflare_zero_trust_access_policy

Terraform configuration files

resource "cloudflare_zero_trust_access_identity_provider" "google_oauth" {
  account_id = local.acct_id
  name       = "Google OAuth"
  type       = "google"
  config {
    client_id     = var.GOOGLE_CLIENT_ID
    client_secret = var.GOOGLE_CLIENT_SECRET
  }
}


resource "cloudflare_zero_trust_access_application" "cf_app" {
  account_id       = local.acct_id
  name             = "Google Authentication"
  domain           = "redacted.pages.dev"
  type             = "self_hosted"
  session_duration = "720h"
  allowed_idps     = ["${cloudflare_zero_trust_access_identity_provider.google_oauth.id}"]
}


resource "cloudflare_zero_trust_access_policy" "cf_policy" {
  application_id = cloudflare_zero_trust_access_application.cf_app.id
  zone_id        = data.cloudflare_zone.this.zone_id
  name           = "Google oauth allow policy"
  precedence     = "1"
  decision       = "allow"

  include {
    email_domain = ["redacted"]
    gsuite {
      identity_provider_id = cloudflare_zero_trust_access_identity_provider.google_oauth.id
    }
  }
}

Link to debug output

https://gist.github.com/rsyring/c2208f4ea6d1a7337b8985ebae006ccb

Panic output

No response

Expected output

After running terraform apply and not making any changes to the configuration, I expected terraform plan to not show any changes.

Actual output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_zero_trust_access_policy.cf_policy will be updated in-place
  ~ resource "cloudflare_zero_trust_access_policy" "cf_policy" {
        id                             = "de5a3aa6-6847-41f4-b059-5f1c7a376295"
        name                           = "Google oauth allow policy"
        # (8 unchanged attributes hidden)

      ~ include {
            # (16 unchanged attributes hidden)

          + gsuite {
              + identity_provider_id = "bea60213-50fd-4f9b-a94e-69b0945bdacb"
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to reproduce

1. Setup the config of the cloudflare resources as given above.
2. terraform plan...
3. terraform apply...
4. terraform plan...

Additional factoids

No response

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Terraform debug log detected ✅

[rsyring]

Logs output: https://gist.github.com/rsyring/c2208f4ea6d1a7337b8985ebae006ccb

[BSFishy]

Hi @rsyring can you try adding the email value in the gsuite rule?

According to API docs, both the IDP ID and email are required for the gsuite rule, so this may just be the Terraform schema allows for these values to be optional when they should be required.