Terraform plan gen showing changes to all existing records with cloudflare provider version >=4.41.0

[maheedharTumpudi]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform version : 1.9.8
cloudflare provider version : 4.46.0

Affected resource(s)

cloudflare_record

Terraform configuration files

module "cusip-com-cname-record" {
  source = "git::https://github.<org>.com/neteng/dns-modules.git//cloudflare//cname-record"
  email-address = data.aws_ssm_parameter.email-address.value
  api-key       = data.aws_ssm_parameter.api-key.value

  cname-records = {
          "cusip.com/1/test1._domainkey" = {
            zone-id = local.cusip-com
            name    = "test1._domainkey"
            value   = "target1.amazonses.com"
            ttl     = 600
          }
          "cusip.com/1/test2._domainkey" = {
            zone-id = local.cusip-com
            name    = "test2._domainkey"
            value   = "target2.amazonses.com"
            ttl     = 600
          }
}

Link to debug output

******************************* TERRAFORM INIT *******************************

Initializing modules...
Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-a-record...

• cusip-com-a-record in .terraform/modules/cusip-com-a-record/cloudflare/a-record
  Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-cname-record...
• cusip-com-cname-record in .terraform/modules/cusip-com-cname-record/cloudflare/cname-record
  Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-mx-record...
• cusip-com-mx-record in .terraform/modules/cusip-com-mx-record/cloudflare/mx-record
  Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-ns-record...
• cusip-com-ns-record in .terraform/modules/cusip-com-ns-record/cloudflare/ns-record
  Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-srv-record...
• cusip-com-srv-record in .terraform/modules/cusip-com-srv-record/cloudflare/srv-record
  Downloading git::https://github.factset.com/neteng/dns-modules.git for cusip-com-txt-record...
• cusip-com-txt-record in .terraform/modules/cusip-com-txt-record/cloudflare/txt-record

Initializing the backend...

Successfully configured the backend "s3"! Terraform will automatically
use this backend unless the backend configuration changes.

Initializing provider plugins...

• Finding latest version of hashicorp/aws...
• Finding latest version of cloudflare/cloudflare...
• Installing hashicorp/aws v5.76.0...
• Installed hashicorp/aws v5.76.0 (signed by HashiCorp)
• Installing cloudflare/cloudflare v4.46.0...
• Installed cloudflare/cloudflare v4.46.0 (self-signed, key ID )

Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html

Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.

Panic output

No response

Expected output

As these records already exist
I expect terraform plan to give - No changes. Your infrastructure matches the configuration.

Actual output

Though there are no changes to the configurations in .tf files the terraform plan gen is still showing changes as below:

module.cusip-com-cname-record.cloudflare_record.cname-record["cusip.com/1/test1._domainkey"] will be updated in-place
~ resource "cloudflare_record" "cname-record" {
id = ""
name = "test1._domainkey"
tags = []
+ value = "target1.amazonses.com"
# (10 unchanged attributes hidden)
}

module.cusip-com-cname-record.cloudflare_record.cname-record["cusip.com/1/test2._domainkey"] will be updated in-place
~ resource "cloudflare_record" "cname-record" {
id = ""
name = "test2._domainkey"
tags = []
+ value = "target2.amazonses.com"
# (10 unchanged attributes hidden)
}
Plan: 0 to add, 2 to change, 0 to destroy.

Steps to reproduce

1. Use cloudflare provider >= 4.41.0
2. Run terraform plan

Additional factoids

This issue is observed only with the terraform cloudflare provider versions >= 4.41.0 . It was working fine until we were using cloudflare provider of version 4.40.0

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[jacobbednarz]

value was deprecated in favour of content in v4.39.0 and a bug was fixed in the handling of v4.41.0 so this is expected. you need to update your configuration/module appropriately once the values have been correctly saved to state.

[maheedharTumpudi]

@jacobbednarz as the bug is fixed in v4.41.0 it should basically accept the existing configuration that has value attribute right? but why is it still showing changes even though nothing changed

[jacobbednarz]

only if you've run an apply since the changes. you'll also want to check your module abstraction to make sure that isn't interfering by not posing through the correct values.