
Perpetual drift from Access mTLS cert associated hostname reordering #3436

Closed
3 tasks done
bporter816 opened this issue Jul 3, 2024 · 3 comments · Fixed by #3498
Labels
kind/bug Categorizes issue or PR as related to a bug. service/access Categorizes issue or PR as related to the Access service. triage/accepted Indicates an issue or PR is ready to be actively worked on. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced
Comments


bporter816 commented Jul 3, 2024

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.9.1
on darwin_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v4.36.0

Affected resource(s)

  • cloudflare_access_mutual_tls_certificate

Terraform configuration files

# Configure the Cloudflare provider using the required_providers stanza
# required with Terraform 0.13 and beyond. You may optionally use version
# directive to prevent breaking changes occurring unannounced.
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

variable "account_id" {
  type    = string
  default = "<account id>"
}

variable "certificate" {
  type    = string
  default = <<EOF
<self signed cert generated with openssl>
  EOF
}

resource "cloudflare_access_mutual_tls_certificate" "test" {
  name        = "test"
  account_id  = var.account_id
  certificate = var.certificate
  associated_hostnames = [
    "<hostname 1>",
    "<hostname 2>",
  ]
}

Link to debug output

https://gist.github.com/bporter816/a339f01e2c2ea6107279e589bb5d21b5

Panic output

No response

Expected output

When the ordering of associated hostnames returned from the Cloudflare API differs from the ordering in Terraform, we expect one of two outcomes:

  1. Applying Terraform (or doing a PUT against the API) with the same list of hostnames in a different order should actually reorder them on the server side so that future runs don't produce any drift.
  2. Terraform should not care about the order of the returned hostnames and report no drift if the order differs from what the API returns.

Actual output

If the ordering differs, we get a permanent drift, like so:

Terraform will perform the following actions:

  # cloudflare_access_mutual_tls_certificate.test will be updated in-place
  ~ resource "cloudflare_access_mutual_tls_certificate" "test" {
      ~ associated_hostnames = [
          - "<hostname 1>",
            "<hostname 2>",
          + "<hostname 1>",
        ]
        id                   = "<id>"
        name                 = "test"
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Applying this change, both through Terraform and directly through the Cloudflare API, does not actually reflect the new ordering on the server side, and the drift continues to show up in subsequent runs. We could work around this if the ordering were deterministic and something we could account for in our Terraform config (if it is, please advise and we can take that approach), but we notice that even for the same list of hostnames, they are returned in a different order on different certs.

Steps to reproduce

  1. Create an Access mTLS cert with multiple associated hostnames
  2. Change the ordering of the hostnames in the Terraform configuration to a different order than the one the Cloudflare API returns them in
  3. This results in drift, which will show up in subsequent plan/apply runs and will not go away upon a successful apply

Additional factoids

No response

References

No response

@bporter816 bporter816 added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 3, 2024
Contributor

github-actions bot commented Jul 3, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Jul 3, 2024
@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. service/access Categorizes issue or PR as related to the Access service. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 3, 2024
@bporter816
Author

Hi @jacobbednarz, any thoughts on this? I'm not sure of the feasibility of an actual API change for solution (1) I listed above, but I'd love to get some insight or confirmation of how the API behaves, e.g. what determines the ordering of the associated hostnames. I'm also happy to contribute a PR for solution (2) of making the Terraform provider ignore the ordering (treat it more like a set than a list), if that idea makes sense.
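The "treat it like a set" idea from the comment above, and the order-only drift shown in the plan output in the original report, can be illustrated with a small Go program. This is an added example written for this page, not code from the cloudflare Terraform provider or from PR #3498; it uses only the standard library and stands in for the comparison a provider would do when deciding whether `associated_hostnames` has really changed. The hostnames are constructed placeholders, and lower-casing before comparison is an assumption (DNS names are case-insensitive, but whether the API preserves case is not stated on the page). The security-relevant distinction it makes is between an order-only difference, which is safe to suppress, and a membership change, which means a hostname was actually added to or removed from the mTLS policy and must never be hidden by the normalization:

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// DriftKind classifies the difference between the hostnames in Terraform
// configuration/state and the hostnames the API returned.
type DriftKind int

const (
	NoDrift           DriftKind = iota // identical lists, same order
	OrderOnly                          // same members, different order: suppress
	MembershipChanged                  // a hostname was added or removed: real drift
)

func (k DriftKind) String() string {
	switch k {
	case NoDrift:
		return "no drift"
	case OrderOnly:
		return "order-only difference (safe to suppress)"
	default:
		return "membership changed (real drift, must be reported)"
	}
}

// NormalizeHostnames returns a canonical form of a hostname list: trimmed,
// lower-cased (assumption: hostnames compare case-insensitively), de-duplicated
// and sorted. Two lists with the same members normalize to the same slice no
// matter which order the API happened to return them in.
func NormalizeHostnames(in []string) []string {
	seen := make(map[string]struct{}, len(in))
	out := make([]string, 0, len(in))
	for _, h := range in {
		h = strings.ToLower(strings.TrimSpace(h))
		if h == "" {
			continue
		}
		if _, dup := seen[h]; dup {
			continue
		}
		seen[h] = struct{}{}
		out = append(out, h)
	}
	sort.Strings(out)
	return out
}

// SameHostnameSet reports whether two lists denote the same set of hostnames.
func SameHostnameSet(a, b []string) bool {
	na, nb := NormalizeHostnames(a), NormalizeHostnames(b)
	if len(na) != len(nb) {
		return false
	}
	for i := range na {
		if na[i] != nb[i] {
			return false
		}
	}
	return true
}

// equalOrdered is the naive positional comparison that produces the perpetual
// "- hostname 1 / + hostname 1" diff described in the issue.
func equalOrdered(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// ClassifyDrift tells an order-only difference apart from a real one.
func ClassifyDrift(configured, fromAPI []string) DriftKind {
	if equalOrdered(configured, fromAPI) {
		return NoDrift
	}
	if SameHostnameSet(configured, fromAPI) {
		return OrderOnly
	}
	return MembershipChanged
}

func main() {
	// Constructed sample values standing in for "<hostname 1>" / "<hostname 2>".
	configured := []string{"hostname-1.example.com", "hostname-2.example.com"}
	fromAPI := []string{"hostname-2.example.com", "hostname-1.example.com"}
	fmt.Println("API reordered the list:", ClassifyDrift(configured, fromAPI))
	fmt.Println("API dropped a hostname:", ClassifyDrift(configured, fromAPI[:1]))
}
```

In a provider this classification would sit behind the schema rather than in a standalone function: declaring the attribute with set semantics (or comparing the normalized forms before writing the API response to state) removes the order-only diff, while a genuine add or remove still surfaces in the plan, which is the behaviour you want for an attribute that widens or narrows which hostnames an mTLS certificate is trusted for.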

Contributor

github-actions bot commented Sep 4, 2024

This functionality has been released in v4.41.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 4, 2024