cloudflare_tunnel_route flapping due to tunnel id changes #1623

Closed
2 tasks done
michael-mcclintock opened this issue May 12, 2022 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. triage/needs-information Indicates an issue needs more information in order to work on it. workflow/pending-op-response Indicates an issue or PR requires a response from the original poster.


michael-mcclintock commented May 12, 2022

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.1.9

  • provider registry.terraform.io/cloudflare/cloudflare v3.14.0

Affected resource(s)

cloudflare_tunnel_route

Terraform configuration files

# The Named Tunnel that the routes below attach to
resource "cloudflare_argo_tunnel" "tunnel" {
  account_id = data.cloudflare_zone.zone.account_id
  name       = "${local.name_prefix}-cloudflare-tunnel"
  secret     = random_id.tunnel_secret.b64_std
}

# Each route is the CIDR block we will route through the Cloudflare tunnel
resource "cloudflare_tunnel_route" "route" {
  for_each   = var.tunnel_routes
  account_id = data.cloudflare_zone.zone.account_id
  tunnel_id  = cloudflare_argo_tunnel.tunnel.id
  network    = each.key
  comment    = "New tunnel route for ${each.key}"
}

Debug output

Let me know if you want the debug from the original apply or the subsequent plans that flap

Panic output

No response

Expected output

After doing an apply the tunnel and the routes are created:

module.cloudflare_tunnel.cloudflare_argo_tunnel.tunnel: Creation complete after 1s [id=cffe6b5a-fb67-47ab-9eca-fd44d7f9fc4e]
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.0.0/18"]: Creating...
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.64.0/18"]: Creating...
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.128.0/18"]: Creating...
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.0.0/18"]: Creation complete after 1s [id=10.20.0.0/18]
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.128.0/18"]: Creation complete after 1s [id=10.20.128.0/18]
module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.64.0/18"]: Creation complete after 2s [id=10.20.64.0/18]

Doing another plan should generate no changes

Actual output

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.0.0/18"] has changed
  ~ resource "cloudflare_tunnel_route" "route" {
        id         = "10.20.0.0/18"
      ~ network    = "10.20.20.251/32" -> "10.20.34.132/32"
      ~ tunnel_id  = "8283d830-9303-4a69-a0a8-f2dd01b06f34" -> "74bbf7aa-db68-4763-8b23-ef06ae6b3180"
        # (2 unchanged attributes hidden)
    }

  # module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.128.0/18"] has changed
  ~ resource "cloudflare_tunnel_route" "route" {
        id         = "10.20.128.0/18"
      ~ network    = "10.20.34.132/32" -> "10.20.20.251/32"
      ~ tunnel_id  = "74bbf7aa-db68-4763-8b23-ef06ae6b3180" -> "8283d830-9303-4a69-a0a8-f2dd01b06f34"
        # (2 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.0.0/18"] must be replaced
-/+ resource "cloudflare_tunnel_route" "route" {
      ~ id         = "10.20.0.0/18" -> (known after apply)
      ~ network    = "10.20.34.132/32" -> "10.20.0.0/18"
      ~ tunnel_id  = "74bbf7aa-db68-4763-8b23-ef06ae6b3180" -> "cffe6b5a-fb67-47ab-9eca-fd44d7f9fc4e" # forces replacement
        # (2 unchanged attributes hidden)
    }

  # module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.128.0/18"] must be replaced
-/+ resource "cloudflare_tunnel_route" "route" {
      ~ id         = "10.20.128.0/18" -> (known after apply)
      ~ network    = "10.20.20.251/32" -> "10.20.128.0/18"
      ~ tunnel_id  = "8283d830-9303-4a69-a0a8-f2dd01b06f34" -> "cffe6b5a-fb67-47ab-9eca-fd44d7f9fc4e" # forces replacement
        # (2 unchanged attributes hidden)
    }

  # module.cloudflare_tunnel.cloudflare_tunnel_route.route["10.20.64.0/18"] must be replaced
-/+ resource "cloudflare_tunnel_route" "route" {
      ~ id         = "10.20.64.0/18" -> (known after apply)
      ~ network    = "10.20.20.251/32" -> "10.20.64.0/18"
      ~ tunnel_id  = "8283d830-9303-4a69-a0a8-f2dd01b06f34" -> "cffe6b5a-fb67-47ab-9eca-fd44d7f9fc4e" # forces replacement
        # (2 unchanged attributes hidden)
    }

Steps to reproduce

Every time I do plan it shows the flapping

Additional factoids

No response

References

No response

@michael-mcclintock michael-mcclintock added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 12, 2022
@github-actions
Contributor

Thank you for reporting this issue! For maintainers to dig into issues, it is required that all issues include the entirety of the TF_LOG=DEBUG output. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do, and its absence may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided, making this a complete bug report.

@github-actions github-actions bot added triage/needs-information Indicates an issue needs more information in order to work on it. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 12, 2022
@tjstansell
Contributor

This is the same as #1611 actually (I believe) and all related to the upstream cloudflare-go library not properly sending the query parameters to target a specific tunnel route, so it would return with the wrong one. The upstream library has been fixed and released. And #1615 bumps the library here. We're simply waiting for them to release a new version of this provider.
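A check for the symptom shown in the report and explained in the comment above, as an added example that is not part of the original thread or the provider's code: it scans a parsed `terraform show -json` plan for `cloudflare_tunnel_route` entries whose read-back `network` differs from the resource `id`, or that are replaced because of a `tunnel_id` change. The function name, reason strings and sample plan are assumptions made for illustration.

```python
ROUTE_TYPE = "cloudflare_tunnel_route"
def route_findings(plan):
    """Flag tunnel routes in a parsed `terraform show -json` plan (a dict)."""
    findings = []
    for section in ("resource_drift", "resource_changes"):
        for rc in plan.get(section, []):
            if rc.get("type") != ROUTE_TYPE:
                continue
            change = rc["change"]
            before = change.get("before") or {}
            after = change.get("after") or {}
            # Object read back from the API: drift `after`, or refreshed `before`.
            seen = after if section == "resource_drift" else before
            reasons = []
            # Assumption from the report: the resource id is the route CIDR,
            # so a different `network` means the read returned another route.
            if seen.get("id") and seen.get("network") != seen["id"]:
                reasons.append("network_mismatch")
            replaced = sorted(change.get("actions", [])) == ["create", "delete"]
            if replaced and before.get("tunnel_id") != after.get("tunnel_id"):
                reasons.append("tunnel_id_replacement")
            if reasons:
                findings.append((section, rc["address"], reasons))
    return findings

def _rc(cidr, before, after, actions):
    """Build one trimmed plan entry from (network, tunnel_id) pairs."""
    def obj(pair):
        return {"id": cidr, "network": pair[0], "tunnel_id": pair[1]}
    addr = f'module.cloudflare_tunnel.cloudflare_tunnel_route.route["{cidr}"]'
    return {"address": addr, "type": ROUTE_TYPE,
            "change": {"actions": actions, "before": obj(before), "after": obj(after)}}

# Constructed sample: first two entries reuse values from the report's plan
# output; the last route (10.20.192.0/18) is made up to show a healthy case.
T_A = "8283d830-9303-4a69-a0a8-f2dd01b06f34"
T_B = "74bbf7aa-db68-4763-8b23-ef06ae6b3180"
T_CFG = "cffe6b5a-fb67-47ab-9eca-fd44d7f9fc4e"
SAMPLE_PLAN = {
    "resource_drift": [_rc("10.20.0.0/18", ("10.20.20.251/32", T_A), ("10.20.34.132/32", T_B), ["update"])],
    "resource_changes": [
        _rc("10.20.0.0/18", ("10.20.34.132/32", T_B), ("10.20.0.0/18", T_CFG), ["delete", "create"]),
        _rc("10.20.192.0/18", ("10.20.192.0/18", T_CFG), ("10.20.192.0/18", T_CFG), ["no-op"]),
    ],
}

if __name__ == "__main__":
    for finding in route_findings(SAMPLE_PLAN):
        print(*finding)
```

Run as a CI gate before `terraform apply`, a non-empty result means the plan would tear down and recreate private-network routes based on state that does not describe the route it claims to.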

@jacobbednarz
Member

If you remove this from the module and do the three resources individually, do you get the same issue?

@jacobbednarz
Member

Providing the full TF_LOG=DEBUG output will help narrow this down as well.

@jacobbednarz jacobbednarz added the workflow/pending-op-response Indicates an issue or PR requires a response from the original poster. label May 13, 2022
@michael-mcclintock
Author

Thanks for the quick response. I'll wait for the bump to the cloudflare-go library and, if that doesn't fix it, will send in the debug logs.

@michael-mcclintock
Author

We updated the provider to 3.15.0 and it resolved the issue. Thank you!
