Ruleset for account with kind custom should not use entrypoint #1242

Closed
2 tasks done
vences opened this issue Oct 11, 2021 · 1 comment · Fixed by #1245
Labels
kind/bug Categorizes issue or PR as related to a bug. triage/accepted Indicates an issue or PR is ready to be actively worked on. workflow/pr-attached Indicates the issue has PR(s) attached.

Comments

vences commented Oct 11, 2021

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

➜ terraform -v
Terraform v1.0.8
on darwin_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v3.1.0

Affected resource(s)

The resource cloudflare_ruleset is affected by that bug when you are using the account level and kind custom.
The way the creation seems to be implemented is not working for the kind Custom. Currently, right after the creation of the rulesets, the entrypoint is called; in the case of Custom rules that endpoint is not relevant, and the following endpoint should be used instead: PUT -> /client/v4/accounts/<account>/rulesets/<rulesets_id>

Terraform configuration files

resource "cloudflare_ruleset" "account_custom_firewall" {
  account_id  = var.cloudflare_account_id
  name        = "Custom Ruleset for my account"
  description = "SID and Exposed Credentials"
  kind        = "custom"
  phase       = "http_request_firewall_custom"

  rules {
    action = "block"
    expression = "(http.host eq \"httpbin.vence.fun\" && http.request.uri.query eq \"session-id=true\") && (http.cookie contains \"sid=\") && (not(any(http.request.headers[\"cookie\"][*] ~ \"sid=[-,a-zA-Z0-9]{1,128}\")))"
    description = "SID"
    enabled = true
  }
}

resource "cloudflare_ruleset" "account_custom_firewall_root" {
  account_id  = var.cloudflare_account_id
  name        = "Firewall Custom root"
  description = ""
  kind        = "root"
  phase       = "http_request_firewall_custom"

  depends_on = [cloudflare_ruleset.account_custom_firewall]

  rules {
    action = "execute"
    action_parameters {
      id = cloudflare_ruleset.account_custom_firewall.id
    }
    expression = "(cf.zone.name eq \"vence.fun\")"
    description = ""
    enabled = true
  }
}

Debug output

The logs from Terraform in DEBUG mode are as follows:

2021-10-11T14:11:11.175+0100 [DEBUG] Adding temp file log sink: /var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/terraform-log804018957
2021-10-11T14:11:11.176+0100 [INFO]  Terraform version: 1.0.8
2021-10-11T14:11:11.176+0100 [INFO]  Go runtime version: go1.16.4
2021-10-11T14:11:11.176+0100 [INFO]  CLI args: []string{"/Users/venceslas/bin/terraform", "apply", "-target", "cloudflare_ruleset.account_custom_firewall_root"}
2021-10-11T14:11:11.176+0100 [DEBUG] Attempting to open CLI config file: /Users/venceslas/dev/tf/tf-provider
2021-10-11T14:11:11.176+0100 [INFO]  Loading CLI configuration from /Users/venceslas/dev/tf/tf-provider
2021-10-11T14:11:11.178+0100 [DEBUG] Not reading CLI config directory because config location is overridden by environment variable
2021-10-11T14:11:11.178+0100 [DEBUG] Explicit provider installation configuration is set
2021-10-11T14:11:11.179+0100 [INFO]  CLI command args: []string{"apply", "-target", "cloudflare_ruleset.account_custom_firewall_root"}
2021-10-11T14:11:11.200+0100 [DEBUG] New state was assigned lineage "1d3519b2-1145-7b6a-2d9e-77aaf32cd91f"
2021-10-11T14:11:11.324+0100 [DEBUG] Provider registry.terraform.io/cloudflare/cloudflare is overridden to load from /Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare
2021-10-11T14:11:11.327+0100 [INFO]  Failed to read plugin lock file .terraform/plugins/darwin_amd64/lock.json: open .terraform/plugins/darwin_amd64/lock.json: no such file or directory
2021-10-11T14:11:11.332+0100 [INFO]  backend/local: starting Apply operation
2021-10-11T14:11:11.343+0100 [DEBUG] created provider logger: level=debug
2021-10-11T14:11:11.343+0100 [INFO]  provider: configuring client automatic mTLS
2021-10-11T14:11:11.381+0100 [DEBUG] provider: starting plugin: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 args=[/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0]
2021-10-11T14:11:11.384+0100 [DEBUG] provider: plugin started: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27936
2021-10-11T14:11:11.384+0100 [DEBUG] provider: waiting for RPC address: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0
2021-10-11T14:11:11.536+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: configuring server automatic mTLS: timestamp=2021-10-11T14:11:11.535+0100
2021-10-11T14:11:11.625+0100 [DEBUG] provider.terraform-provider-cloudflare_99.0.0: plugin address: address=/var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/plugin3948317464 network=unix timestamp=2021-10-11T14:11:11.625+0100
2021-10-11T14:11:11.625+0100 [DEBUG] provider: using plugin: version=5
2021-10-11T14:11:11.736+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-11T14:11:11.738+0100 [DEBUG] provider: plugin process exited: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27936
2021-10-11T14:11:11.738+0100 [DEBUG] provider: plugin exited
2021-10-11T14:11:11.739+0100 [INFO]  terraform: building graph: GraphTypeValidate
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf_2" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ip_list.example" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_managed_waf" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.terraform_standard_headers" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.741+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall_root" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.742+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.742+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf_2" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.743+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall_root" references: [cloudflare_ruleset.account_custom_firewall var.cloudflare_account_id cloudflare_ruleset.account_custom_firewall]
2021-10-11T14:11:11.743+0100 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [var.cloudflare_account_id var.cloudflare_token var.cloudflare_email]
2021-10-11T14:11:11.743+0100 [DEBUG] ReferenceTransformer: "cloudflare_ip_list.example" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_managed_waf" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.terraform_standard_headers" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_email" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone_id" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_api_token" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_token" references: []
2021-10-11T14:11:11.746+0100 [DEBUG] Removing "cloudflare_ip_list.example", filtered by targeting.
2021-10-11T14:11:11.746+0100 [DEBUG] Removing "cloudflare_ruleset.account_managed_waf", filtered by targeting.
2021-10-11T14:11:11.746+0100 [DEBUG] Removing "cloudflare_ruleset.terraform_standard_headers", filtered by targeting.
2021-10-11T14:11:11.746+0100 [DEBUG] Removing "var.cloudflare_zone", filtered by targeting.
2021-10-11T14:11:11.746+0100 [DEBUG] Removing "var.cloudflare_zone_id", filtered by targeting.
2021-10-11T14:11:11.747+0100 [DEBUG] Removing "var.cloudflare_api_token", filtered by targeting.
2021-10-11T14:11:11.747+0100 [DEBUG] Removing "cloudflare_ruleset.zone_level_managed_waf", filtered by targeting.
2021-10-11T14:11:11.747+0100 [DEBUG] Removing "cloudflare_ruleset.zone_level_managed_waf_2", filtered by targeting.
2021-10-11T14:11:11.747+0100 [DEBUG] Starting graph walk: walkValidate
2021-10-11T14:11:11.749+0100 [DEBUG] created provider logger: level=debug
2021-10-11T14:11:11.749+0100 [INFO]  provider: configuring client automatic mTLS
2021-10-11T14:11:11.790+0100 [DEBUG] provider: starting plugin: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 args=[/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0]
2021-10-11T14:11:11.795+0100 [DEBUG] provider: plugin started: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27937
2021-10-11T14:11:11.795+0100 [DEBUG] provider: waiting for RPC address: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0
2021-10-11T14:11:11.822+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: configuring server automatic mTLS: timestamp=2021-10-11T14:11:11.821+0100
2021-10-11T14:11:11.891+0100 [DEBUG] provider.terraform-provider-cloudflare_99.0.0: plugin address: network=unix address=/var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/plugin3303274992 timestamp=2021-10-11T14:11:11.891+0100
2021-10-11T14:11:11.891+0100 [DEBUG] provider: using plugin: version=5
2021-10-11T14:11:11.978+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-11T14:11:11.980+0100 [DEBUG] provider: plugin process exited: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27937
2021-10-11T14:11:11.980+0100 [DEBUG] provider: plugin exited
2021-10-11T14:11:11.980+0100 [INFO]  backend/local: apply calling Plan
2021-10-11T14:11:11.980+0100 [INFO]  terraform: building graph: GraphTypePlan
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall_root (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_managed_waf (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ip_list.example (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf_2 (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.981+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.terraform_standard_headers (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:11.982+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf (expand)" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_managed_waf (expand)" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall_root (expand)" references: [cloudflare_ruleset.account_custom_firewall (expand) var.cloudflare_account_id cloudflare_ruleset.account_custom_firewall (expand)]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone_id" references: []
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_api_token" references: []
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_email" references: []
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ip_list.example (expand)" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf_2 (expand)" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone" references: []
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.terraform_standard_headers (expand)" references: [var.cloudflare_zone_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [var.cloudflare_email var.cloudflare_account_id var.cloudflare_token]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall (expand)" references: [var.cloudflare_account_id]
2021-10-11T14:11:11.984+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_token" references: []
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "cloudflare_ruleset.zone_level_managed_waf (expand)", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "cloudflare_ruleset.account_managed_waf (expand)", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "var.cloudflare_zone_id", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "var.cloudflare_api_token", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "cloudflare_ip_list.example (expand)", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "cloudflare_ruleset.zone_level_managed_waf_2 (expand)", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "var.cloudflare_zone", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Removing "cloudflare_ruleset.terraform_standard_headers (expand)", filtered by targeting.
2021-10-11T14:11:11.985+0100 [DEBUG] Starting graph walk: walkPlan
2021-10-11T14:11:11.986+0100 [DEBUG] created provider logger: level=debug
2021-10-11T14:11:11.986+0100 [INFO]  provider: configuring client automatic mTLS
2021-10-11T14:11:12.013+0100 [DEBUG] provider: starting plugin: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 args=[/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0]
2021-10-11T14:11:12.016+0100 [DEBUG] provider: plugin started: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27940
2021-10-11T14:11:12.016+0100 [DEBUG] provider: waiting for RPC address: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0
2021-10-11T14:11:12.033+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: configuring server automatic mTLS: timestamp=2021-10-11T14:11:12.033+0100
2021-10-11T14:11:12.094+0100 [DEBUG] provider.terraform-provider-cloudflare_99.0.0: plugin address: address=/var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/plugin1860774706 network=unix timestamp=2021-10-11T14:11:12.094+0100
2021-10-11T14:11:12.094+0100 [DEBUG] provider: using plugin: version=5
2021-10-11T14:11:12.176+0100 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" changed the config value, but that value is unused
2021-10-11T14:11:12.178+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:12 [INFO] Cloudflare Client configured for user: <EMAIL>: timestamp=2021-10-11T14:11:12.178+0100
2021-10-11T14:11:12.179+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:12 [INFO] Using specified account id 42ac0aa76a8d6368913cdcc93e1df204 in Cloudflare provider: timestamp=2021-10-11T14:11:12.178+0100
2021-10-11T14:11:12.179+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:12 [INFO] Cloudflare Client configured for user: <EMAIL>: timestamp=2021-10-11T14:11:12.178+0100
2021-10-11T14:11:12.180+0100 [DEBUG] Resource instance state not found for node "cloudflare_ruleset.account_custom_firewall", instance cloudflare_ruleset.account_custom_firewall
2021-10-11T14:11:12.180+0100 [INFO]  ReferenceTransformer: reference not found: "var.cloudflare_account_id"
2021-10-11T14:11:12.180+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall" references: []
2021-10-11T14:11:12.180+0100 [DEBUG] refresh: cloudflare_ruleset.account_custom_firewall: no state, so not refreshing
2021-10-11T14:11:12.187+0100 [DEBUG] Resource instance state not found for node "cloudflare_ruleset.account_custom_firewall_root", instance cloudflare_ruleset.account_custom_firewall_root
2021-10-11T14:11:12.187+0100 [INFO]  ReferenceTransformer: reference not found: "cloudflare_ruleset.account_custom_firewall"
2021-10-11T14:11:12.187+0100 [INFO]  ReferenceTransformer: reference not found: "var.cloudflare_account_id"
2021-10-11T14:11:12.187+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall_root" references: []
2021-10-11T14:11:12.187+0100 [DEBUG] refresh: cloudflare_ruleset.account_custom_firewall_root: no state, so not refreshing
2021-10-11T14:11:12.192+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-11T14:11:12.193+0100 [DEBUG] provider: plugin process exited: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27940
2021-10-11T14:11:12.193+0100 [DEBUG] provider: plugin exited
2021-10-11T14:11:12.209+0100 [DEBUG] command: asking for input: "\nDo you want to perform these actions?"
2021-10-11T14:11:36.281+0100 [INFO]  backend/local: apply calling Apply
2021-10-11T14:11:36.281+0100 [INFO]  terraform: building graph: GraphTypeApply
2021-10-11T14:11:36.282+0100 [DEBUG] Resource state not found for node "cloudflare_ruleset.account_custom_firewall_root", instance cloudflare_ruleset.account_custom_firewall_root
2021-10-11T14:11:36.282+0100 [DEBUG] Resource state not found for node "cloudflare_ruleset.account_custom_firewall", instance cloudflare_ruleset.account_custom_firewall
2021-10-11T14:11:36.282+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.282+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.282+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ip_list.example (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.zone_level_managed_waf_2 (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_managed_waf (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall_root" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.account_custom_firewall_root (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ProviderTransformer: "cloudflare_ruleset.terraform_standard_headers (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "cloudflare_ip_list.example (expand)" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_account_id" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.terraform_standard_headers (expand)" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall (expand)" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_api_token" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_email" references: []
2021-10-11T14:11:36.283+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone" references: []
2021-10-11T14:11:36.284+0100 [INFO]  ReferenceTransformer: reference not found: "cloudflare_ruleset.account_custom_firewall#destroy"
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall_root" references: [cloudflare_ruleset.account_custom_firewall (expand) cloudflare_ruleset.account_custom_firewall cloudflare_ruleset.account_custom_firewall var.cloudflare_account_id cloudflare_ruleset.account_custom_firewall (expand) cloudflare_ruleset.account_custom_firewall cloudflare_ruleset.account_custom_firewall]
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [var.cloudflare_token var.cloudflare_email var.cloudflare_account_id]
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf_2 (expand)" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_managed_waf (expand)" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_token" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "var.cloudflare_zone_id" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall" references: [var.cloudflare_account_id]
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.zone_level_managed_waf (expand)" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] ReferenceTransformer: "cloudflare_ruleset.account_custom_firewall_root (expand)" references: []
2021-10-11T14:11:36.284+0100 [DEBUG] pruneUnusedNodes: cloudflare_ip_list.example (expand) is no longer needed, removing
2021-10-11T14:11:36.284+0100 [DEBUG] pruneUnusedNodes: cloudflare_ruleset.terraform_standard_headers (expand) is no longer needed, removing
2021-10-11T14:11:36.284+0100 [DEBUG] pruneUnusedNodes: cloudflare_ruleset.account_managed_waf (expand) is no longer needed, removing
2021-10-11T14:11:36.284+0100 [DEBUG] pruneUnusedNodes: cloudflare_ruleset.zone_level_managed_waf_2 (expand) is no longer needed, removing
2021-10-11T14:11:36.284+0100 [DEBUG] pruneUnusedNodes: cloudflare_ruleset.zone_level_managed_waf (expand) is no longer needed, removing
2021-10-11T14:11:36.284+0100 [DEBUG] Removing "var.cloudflare_api_token", filtered by targeting.
2021-10-11T14:11:36.284+0100 [DEBUG] Removing "var.cloudflare_zone", filtered by targeting.
2021-10-11T14:11:36.284+0100 [DEBUG] Removing "var.cloudflare_zone_id", filtered by targeting.
2021-10-11T14:11:36.285+0100 [DEBUG] Starting graph walk: walkApply
2021-10-11T14:11:36.286+0100 [DEBUG] created provider logger: level=debug
2021-10-11T14:11:36.286+0100 [INFO]  provider: configuring client automatic mTLS
2021-10-11T14:11:36.327+0100 [DEBUG] provider: starting plugin: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 args=[/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0]
2021-10-11T14:11:36.331+0100 [DEBUG] provider: plugin started: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27992
2021-10-11T14:11:36.332+0100 [DEBUG] provider: waiting for RPC address: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0
2021-10-11T14:11:36.353+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: configuring server automatic mTLS: timestamp=2021-10-11T14:11:36.353+0100
2021-10-11T14:11:36.418+0100 [DEBUG] provider.terraform-provider-cloudflare_99.0.0: plugin address: network=unix address=/var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/plugin1080564616 timestamp=2021-10-11T14:11:36.418+0100
2021-10-11T14:11:36.418+0100 [DEBUG] provider: using plugin: version=5
2021-10-11T14:11:36.492+0100 [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" changed the config value, but that value is unused
2021-10-11T14:11:36.493+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:36 [INFO] Cloudflare Client configured for user: <EMAIL>: timestamp=2021-10-11T14:11:36.493+0100
2021-10-11T14:11:36.493+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:36 [INFO] Using specified account id 42ac0aa76a8d6368913cdcc93e1df204 in Cloudflare provider: timestamp=2021-10-11T14:11:36.493+0100
2021-10-11T14:11:36.493+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:36 [INFO] Cloudflare Client configured for user: <EMAIL>: timestamp=2021-10-11T14:11:36.493+0100
2021-10-11T14:11:36.497+0100 [INFO]  Starting apply for cloudflare_ruleset.account_custom_firewall
2021-10-11T14:11:36.498+0100 [DEBUG] cloudflare_ruleset.account_custom_firewall: applying the planned Create change
2021-10-11T14:11:36.504+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:36 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
POST /client/v4/accounts/42ac0aa76a8d6368913cdcc93e1df204/rulesets HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.0.8 terraform-plugin-sdk/2.8.0 terraform-provider-cloudflare/dev
Content-Length: 451
Content-Type: application/json
X-Auth-Email: <EMAIL>
X-Auth-Key: <KEY>
Accept-Encoding: gzip

{
 "name": "Custom Ruleset for my account",
 "description": "SID and Exposed Credentials",
 "kind": "custom",
 "phase": "http_request_firewall_custom",
 "rules": [
  {
   "action": "block",
   "expression": "(http.host eq \"httpbin.vence.fun\" \u0026\u0026 http.request.uri.query eq \"session-id=true\") \u0026\u0026 (http.cookie contains \"sid=\") \u0026\u0026 (not(any(http.request.headers[\"cookie\"][*] ~ \"sid=[-,a-zA-Z0-9]{1,128}\")))",
   "description": "SID",
   "enabled": true
  }
 ]
}
-----------------------------------------------------: timestamp=2021-10-11T14:11:36.504+0100
2021-10-11T14:11:37.833+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:37 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 69c855d6cd4e53eb-LHR
Content-Type: application/json; charset=UTF-8
Date: Mon, 11 Oct 2021 13:11:37 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhha9xiR88eSZ; SameSite=Lax; path=/; expires=Mon, 11-Oct-21 15:41:38 GMT; HttpOnly
Set-Cookie: __cfruid=79ef2c682de152e367f07a1e7a34d1120a61f2e1-1633957897; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 188
X-Version: 4607-d29fe82850d4

{
  "result": {
    "id": "5f0759ec93694181b4bef92d8c0fbf60",
    "name": "Custom Ruleset for my account",
    "description": "SID and Exposed Credentials",
    "source": "firewall_custom",
    "kind": "custom",
    "version": "1",
    "rules": [
      {
        "id": "64b5f08ea09a43f7a46df84a80c1cd8b",
        "version": "1",
        "action": "block",
        "expression": "(http.host eq \"httpbin.vence.fun\" \u0026\u0026 http.request.uri.query eq \"session-id=true\") \u0026\u0026 (http.cookie contains \"sid=\") \u0026\u0026 (not(any(http.request.headers[\"cookie\"][*] ~ \"sid=[-,a-zA-Z0-9]{1,128}\")))",
        "description": "SID",
        "last_updated": "2021-10-11T13:11:37.788558Z",
        "ref": "64b5f08ea09a43f7a46df84a80c1cd8b",
        "enabled": true
      }
    ],
    "last_updated": "2021-10-11T13:11:37.788558Z",
    "phase": "http_request_firewall_custom"
  },
  "success": true,
  "errors": [],
  "messages": []
}

-----------------------------------------------------: timestamp=2021-10-11T14:11:37.832+0100
2021-10-11T14:11:37.834+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:37 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
PUT /client/v4/accounts/42ac0aa76a8d6368913cdcc93e1df204/rulesets/phases/http_request_firewall_custom/entrypoint HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.0.8 terraform-plugin-sdk/2.8.0 terraform-provider-cloudflare/dev
Content-Length: 357
Content-Type: application/json
X-Auth-Email: <EMAIL>
X-Auth-Key: <KEY>
Accept-Encoding: gzip

{
 "description": "SID and Exposed Credentials",
 "rules": [
  {
   "action": "block",
   "expression": "(http.host eq \"httpbin.vence.fun\" \u0026\u0026 http.request.uri.query eq \"session-id=true\") \u0026\u0026 (http.cookie contains \"sid=\") \u0026\u0026 (not(any(http.request.headers[\"cookie\"][*] ~ \"sid=[-,a-zA-Z0-9]{1,128}\")))",
   "description": "SID",
   "enabled": true
  }
 ]
}
-----------------------------------------------------: timestamp=2021-10-11T14:11:37.834+0100
2021-10-11T14:11:39.048+0100 [INFO]  provider.terraform-provider-cloudflare_99.0.0: 2021/10/11 14:11:39 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Cf-Cache-Status: DYNAMIC
Cf-Ray: 69c855de0f3a53eb-LHR
Content-Type: application/json; charset=UTF-8
Date: Mon, 11 Oct 2021 13:11:39 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhhjrdjDwdFi5; SameSite=Lax; path=/; expires=Mon, 11-Oct-21 15:41:40 GMT; HttpOnly
Set-Cookie: __cfruid=89e46104f0ba5c43c9bfebcff91383cea3e809e5-1633957899; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 50
X-Version: 4607-d29fe82850d4

{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "'block' is not a valid value for Action because it is not possible to use the block action in a ruleset with phase http_request_firewall_custom and kind root"
    }
  ],
  "messages": null
}

-----------------------------------------------------: timestamp=2021-10-11T14:11:39.048+0100
2021-10-11T14:11:39.126+0100 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-11T14:11:39.128+0100 [DEBUG] provider: plugin process exited: path=/Users/venceslas/go/src/github.com/cloudflare/terraform-provider-cloudflare/terraform-provider-cloudflare_99.0.0 pid=27992
2021-10-11T14:11:39.128+0100 [DEBUG] provider: plugin exited
2021-10-11T14:19:37.041+0100 [DEBUG] Adding temp file log sink: /var/folders/nc/rqxx96yx24z2kk4w9twdjcg00000gp/T/terraform-log263357963
2021-10-11T14:19:37.042+0100 [INFO]  Terraform version: 1.0.8
2021-10-11T14:19:37.042+0100 [INFO]  Go runtime version: go1.16.4
2021-10-11T14:19:37.042+0100 [INFO]  CLI args: []string{"/Users/venceslas/bin/terraform", "-v"}
2021-10-11T14:19:37.043+0100 [DEBUG] Attempting to open CLI config file: /Users/venceslas/dev/tf/tf-provider
2021-10-11T14:19:37.043+0100 [INFO]  Loading CLI configuration from /Users/venceslas/dev/tf/tf-provider
2021-10-11T14:19:37.044+0100 [DEBUG] Not reading CLI config directory because config location is overridden by environment variable
2021-10-11T14:19:37.044+0100 [DEBUG] Explicit provider installation configuration is set
2021-10-11T14:19:37.045+0100 [INFO]  CLI command args: []string{"version", "-v"}

Panic output

No response

Expected output

None; the custom firewall rules should be created and the http_request_firewall_custom entrypoint should refer to that ID.

Actual output

The error output is the following:

╷
│ Error: error updating ruleset phase entrypoint Custom Ruleset for my account: HTTP status 400: 'block' is not a valid value for Action because it is not possible to use the block action in a ruleset with phase http_request_firewall_custom and kind root
│ 
│   with cloudflare_ruleset.account_custom_firewall,
│   on rulesets.tf line 1210, in resource "cloudflare_ruleset" "account_custom_firewall":
│ 1210: resource "cloudflare_ruleset" "account_custom_firewall" {

Steps to reproduce

  1. Create a cloudflare_ruleset with kind set to custom
  2. Apply the configuration
  3. The error seen above should be seen

Additional factoids

As per the debug file, we can see that the ruleset is created with a POST first and then edited with the rules on the entrypoint. As per the documentation here, the ruleset should be edited on the path /client/v4/accounts/<account>/rulesets/<rulesets_id>. The entrypoint should be edited with the resource cloudflare_ruleset.account_custom_firewall_root, where we execute the Custom Rules created previously.

References

https://developers.cloudflare.com/ruleset-engine/custom-rulesets/create-custom-ruleset
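
The endpoint choice described in the report, as an added Go example that is not the provider's code: `Ruleset`, `parseCreated` and `updatePath` are hypothetical names, and only the two kinds that appear in the debug log (`custom` and `root`) are handled. The sample body is constructed by trimming the POST response shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Ruleset holds the fields of the create (POST) response used for routing.
type Ruleset struct {
	ID    string `json:"id"`
	Kind  string `json:"kind"`
	Phase string `json:"phase"`
}

// parseCreated unwraps the API envelope {"success": ..., "result": {...}}.
func parseCreated(body []byte) (Ruleset, error) {
	var env struct {
		Success bool    `json:"success"`
		Result  Ruleset `json:"result"`
	}
	if err := json.Unmarshal(body, &env); err != nil {
		return Ruleset{}, err
	}
	if !env.Success {
		return Ruleset{}, fmt.Errorf("API reported failure")
	}
	return env.Result, nil
}

// updatePath (hypothetical) picks the PUT target: "root" is the phase entrypoint, "custom" is addressed by ID.
func updatePath(accountID string, rs Ruleset) (string, error) {
	base := "/client/v4/accounts/" + accountID + "/rulesets"
	switch {
	case accountID == "":
		return "", fmt.Errorf("account ID is required")
	case rs.Kind == "root" && rs.Phase != "":
		return base + "/phases/" + rs.Phase + "/entrypoint", nil
	case rs.Kind == "custom" && rs.ID != "":
		return base + "/" + rs.ID, nil
	}
	return "", fmt.Errorf("cannot route ruleset kind=%q id=%q phase=%q", rs.Kind, rs.ID, rs.Phase)
}

func main() {
	// Constructed sample, trimmed from the POST response in the debug log.
	body := []byte(`{"success":true,"result":{"id":"5f0759ec93694181b4bef92d8c0fbf60","kind":"custom","phase":"http_request_firewall_custom"}}`)
	rs, _ := parseCreated(body)
	path, err := updatePath("42ac0aa76a8d6368913cdcc93e1df204", rs)
	fmt.Println(path, err)
}
```

Routing on the `kind` returned by the create call keeps `block` rules out of the `root` entrypoint, which is the request the API rejected with HTTP 400 in the log.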

@vences vences added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 11, 2021
jacobbednarz added a commit that referenced this issue Oct 12, 2021
…ustom" rulesets

After creating the base Ruleset, we usually attempt to update it in place
however Rulesets with a "custom" kind don't need this so we can remove it.

Closes #1242
@jacobbednarz
Member

thanks for yet another amazing bug report 👏 i've taken a swing at this in #1245 which solves the immediate problem while i look into refactoring to remove the initial POST without clobbering the rulesets created via the UI.

@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. workflow/pr-attached Indicates the issue has PR(s) attached. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 12, 2021