cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

cloudflare_firewall_rule: products need to be applied twice #1234

Closed cytopia closed 3 years ago

cytopia commented 3 years ago

Confirmation

Terraform and Cloudflare provider version

Terraform v1.0.7 on linux_amd64

Affected resource(s)

cloudflare_firewall_rule

Terraform configuration files

resource "cloudflare_filter" "filters" {
  for_each = local.rules

  zone_id = lookup(data.cloudflare_zones.domain.zones[0], "id")

  description = each.value.description
  expression  = each.value.expression
  paused      = each.value.paused
}

resource "cloudflare_firewall_rule" "rules" {
  for_each = local.rules

  zone_id   = lookup(data.cloudflare_zones.domain.zones[0], "id")
  filter_id = cloudflare_filter.filters[each.value.expression].id

  priority    = each.value.priority
  description = each.value.description
  paused      = each.value.paused
  action      = each.value.action
  products    = each.value.products
}

Debug output

TF_LOG=DEBUG terraform apply
2021-10-06T11:56:37.637+0200 [DEBUG] Adding temp file log sink: /tmp/terraform-log992080271
2021-10-06T11:56:37.637+0200 [INFO]  Terraform version: 1.0.7
2021-10-06T11:56:37.637+0200 [INFO]  Go runtime version: go1.16.4
2021-10-06T11:56:37.637+0200 [INFO]  CLI args: []string{"/usr/local/bin/terraform", "apply"}
2021-10-06T11:56:37.637+0200 [DEBUG] Attempting to open CLI config file: /home/cytopia/.terraformrc
2021-10-06T11:56:37.637+0200 [DEBUG] File doesn't exist, but doesn't need to. Ignoring.
2021-10-06T11:56:37.637+0200 [DEBUG] ignoring non-existing provider search directory terraform.d/plugins
2021-10-06T11:56:37.637+0200 [DEBUG] ignoring non-existing provider search directory /home/cytopia/.terraform.d/plugins
2021-10-06T11:56:37.637+0200 [DEBUG] ignoring non-existing provider search directory /home/cytopia/.local/share/terraform/plugins
2021-10-06T11:56:37.637+0200 [DEBUG] ignoring non-existing provider search directory /usr/local/share/terraform/plugins
2021-10-06T11:56:37.637+0200 [DEBUG] ignoring non-existing provider search directory /usr/share/terraform/plugins
2021-10-06T11:56:37.638+0200 [INFO]  CLI command args: []string{"apply"}
2021-10-06T11:56:37.641+0200 [INFO]  AWS Auth provider used: "EnvProvider"
2021-10-06T11:56:37.643+0200 [DEBUG] Trying to get account information via sts:GetCallerIdentity
2021-10-06T11:56:37.643+0200 [DEBUG] [aws-sdk-go] DEBUG: Request sts/GetCallerIdentity Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: sts.amazonaws.com
User-Agent: aws-sdk-go/1.40.25 (go1.16.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/1.0.7
Content-Length: 43
Authorization: XXXX
Content-Type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20211006T095637Z
X-Amz-Security-Token: XXXX
Accept-Encoding: gzip

Action=GetCallerIdentity&Version=2011-06-15
-----------------------------------------------------
2021-10-06T11:56:38.152+0200 [DEBUG] [aws-sdk-go] DEBUG: Response sts/GetCallerIdentity Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200
Connection: close
Content-Length: 447
Content-Type: text/xml
Date: Wed, 06 Oct 2021 09:56:37 GMT
Keep-Alive: timeout=5
X-Amzn-Requestid: aaaaaaaaaaaaaaaaaaaaaaaaa

-----------------------------------------------------
2021-10-06T11:56:38.152+0200 [DEBUG] [aws-sdk-go] <GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:sts::11111:assumed-role/AWS-ROLE/aws-account-name</Arn>
    <UserId>11111:aws-account-name</UserId>
    <Account>1111</Account>
  </GetCallerIdentityResult>
  <ResponseMetadata>
    <RequestId>5e0450fb-1dcf-4363-aee5-0ee9d8ec85a3</RequestId>
  </ResponseMetadata>
</GetCallerIdentityResponse>
2021-10-06T11:56:38.818+0200 [DEBUG] checking for provisioner in "."
2021-10-06T11:56:38.818+0200 [DEBUG] checking for provisioner in "/usr/local/bin"
2021-10-06T11:56:38.819+0200 [INFO]  Failed to read plugin lock file .terraform/plugins/linux_amd64/lock.json: open .terraform/plugins/linux_amd64/lock.json: no such file or directory
2021-10-06T11:56:38.820+0200 [INFO]  backend/local: starting Apply operation
2021-10-06T11:56:38.821+0200 [DEBUG] [aws-sdk-go] DEBUG: Request s3/ListObjects Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET /?max-keys=1000&prefix=env%3A%2F HTTP/1.1
Host: aws-account-name-tf-state-backend-core.s3.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.40.25 (go1.16.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/1.0.7
Authorization: XXXX
X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
X-Amz-Date: 20211006T095638Z
X-Amz-Security-Token: XXXX
Accept-Encoding: gzip

-----------------------------------------------------
2021-10-06T11:56:38.977+0200 [DEBUG] [aws-sdk-go] DEBUG: Response s3/ListObjects Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Content-Type: application/xml
Date: Wed, 06 Oct 2021 09:56:40 GMT
Server: AmazonS3
X-Amz-Bucket-Region: eu-central-1
X-Amz-Id-2: CeuZGxwx+yGlQbMUtlq4blLtqH2R+oSbGYwFTXD6nUOOm20NGnDNP+JGk2fFtIOYPdv/bH0fytA=
X-Amz-Request-Id: 6Q29E45RZFBYJNP3

-----------------------------------------------------
2021-10-06T11:56:38.977+0200 [DEBUG] [aws-sdk-go] <?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/"><Name>aws-account-name-tf-state-backend-core</Name><Prefix>env:/</Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated></ListBucketResult>
2021-10-06T11:56:38.978+0200 [DEBUG] [aws-sdk-go] DEBUG: Request dynamodb/PutItem Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: dynamodb.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.40.25 (go1.16.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/1.0.7
Content-Length: 489
Accept-Encoding: identity
Authorization: XXXX
Content-Type: application/x-amz-json-1.0
X-Amz-Date: 20211006T095638Z
X-Amz-Security-Token: XXXX
X-Amz-Target: DynamoDB_20120810.PutItem

{"ConditionExpression":"attribute_not_exists(LockID)","Item":{"Info":{"S":"{\"ID\":\"df5a76de-27d8-50ce-d87f-2586f2f28fd5\",\"Operation\":\"OperationTypeApply\",\"Info\":\"\",\"Who\":\"cytopia@localhost\",\"Version\":\"1.0.7\",\"Created\":\"2021-10-06T09:56:38.977526409Z\",\"Path\":\"aws-account-name-tf-state-backend-core/cloudflare/domain.tld/firewall\"}"},"LockID":{"S":"aws-account-name-tf-state-backend-core/cloudflare/domain.tld/firewall"}},"TableName":"aws-account-name-tf-state-backend-core"}
-----------------------------------------------------
2021-10-06T11:56:39.089+0200 [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/PutItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 2
Content-Type: application/x-amz-json-1.0
Date: Wed, 06 Oct 2021 09:56:39 GMT
Server: Server
X-Amz-Crc32: 2745614147
X-Amzn-Requestid: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

-----------------------------------------------------
2021-10-06T11:56:39.089+0200 [DEBUG] [aws-sdk-go] {}
2021-10-06T11:56:39.090+0200 [DEBUG] [aws-sdk-go] DEBUG: Request s3/GetObject Details:
---[ REQUEST POST-SIGN ]-----------------------------
GET /cloudflare/domain.tld/firewall HTTP/1.1
Host: aws-account-name-tf-state-backend-core.s3.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.40.25 (go1.16.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/1.0.7
Authorization: XXXX
X-Amz-Content-Sha256: aaaaaaaaaaaaaaaaaaa
X-Amz-Date: 20211006T095639Z
X-Amz-Security-Token: XXXX
Accept-Encoding: gzip

-----------------------------------------------------
2021-10-06T11:56:39.216+0200 [DEBUG] [aws-sdk-go] DEBUG: Response s3/GetObject Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 2220
Accept-Ranges: bytes
Content-Type: application/json
Date: Wed, 06 Oct 2021 09:56:40 GMT
Etag: "90f225ab489fdbb1b49a7d0e37513fe2"
Last-Modified: Wed, 06 Oct 2021 09:56:25 GMT
Server: AmazonS3
X-Amz-Id-2: P1/9Sza8zJWqXoM0WZ9n8ZtCaiffwkKwmeRMPGgrCz/gGZNaaDrdsdXHTvhr60J51ztQEB2dqNU=
X-Amz-Request-Id: 6Q26ZXAM8N07VTMA
X-Amz-Server-Side-Encryption: aws:kms
X-Amz-Server-Side-Encryption-Aws-Kms-Key-Id: arn:aws:kms:eu-central-1:1111:key/0000000000
X-Amz-Version-Id: Sv3_A4SIaQnn7.qV4Vynww0uUkrjotxJ

-----------------------------------------------------
2021-10-06T11:56:39.216+0200 [DEBUG] [aws-sdk-go]
2021-10-06T11:56:39.217+0200 [DEBUG] [aws-sdk-go] DEBUG: Request dynamodb/GetItem Details:
---[ REQUEST POST-SIGN ]-----------------------------
POST / HTTP/1.1
Host: dynamodb.eu-central-1.amazonaws.com
User-Agent: aws-sdk-go/1.40.25 (go1.16.4; linux; amd64) APN/1.0 HashiCorp/1.0 Terraform/1.0.7
Content-Length: 209
Accept-Encoding: identity
Authorization: XXXX
Content-Type: application/x-amz-json-1.0
X-Amz-Date: 20211006T095639Z
X-Amz-Security-Token: XXXX
X-Amz-Target: DynamoDB_20120810.GetItem

{"ConsistentRead":true,"Key":{"LockID":{"S":"aws-account-name-tf-state-backend-core/cloudflare/domain.tld/firewall-md5"}},"ProjectionExpression":"LockID, Digest","TableName":"aws-account-name-tf-state-backend-core"}
-----------------------------------------------------
2021-10-06T11:56:39.317+0200 [DEBUG] [aws-sdk-go] DEBUG: Response dynamodb/GetItem Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 200 OK
Connection: close
Content-Length: 148
Content-Type: application/x-amz-json-1.0
Date: Wed, 06 Oct 2021 09:56:39 GMT
Server: Server
X-Amz-Crc32: 774397084
X-Amzn-Requestid: aaaaaaaaaaaaaaaaaaaaaaaaaaaaa

-----------------------------------------------------
2021-10-06T11:56:39.317+0200 [DEBUG] [aws-sdk-go] {"Item":{"Digest":{"S":"7c437e71501721f3c6f634ba3589249f"},"LockID":{"S":"aws-account-name-tf-state-backend-core/cloudflare/domain.tld/firewall-md5"}}}
2021-10-06T11:56:39.321+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:39.321+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:39.374+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 args=[.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3]
2021-10-06T11:56:39.375+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3434874
2021-10-06T11:56:39.375+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3
2021-10-06T11:56:39.388+0200 [INFO]  provider.terraform-provider-sops_v0.6.3: configuring server automatic mTLS: timestamp=2021-10-06T11:56:39.388+0200
2021-10-06T11:56:39.444+0200 [DEBUG] provider.terraform-provider-sops_v0.6.3: plugin address: network=unix address=/tmp/plugin326537688 timestamp=2021-10-06T11:56:39.444+0200
2021-10-06T11:56:39.445+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:39.514+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unimplemented desc = unknown service plugin.GRPCStdio"
2021-10-06T11:56:39.514+0200 [DEBUG] No provider meta schema returned
2021-10-06T11:56:39.516+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3434874
2021-10-06T11:56:39.516+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:39.516+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:39.516+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:39.571+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0]
2021-10-06T11:56:39.571+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3434887
2021-10-06T11:56:39.571+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0
2021-10-06T11:56:39.583+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: configuring server automatic mTLS: timestamp=2021-10-06T11:56:39.583+0200
2021-10-06T11:56:39.597+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:39.597+0200 [DEBUG] provider.terraform-provider-cloudflare_v3.1.0: plugin address: address=/tmp/plugin3508364420 network=unix timestamp=2021-10-06T11:56:39.596+0200
2021-10-06T11:56:39.631+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-06T11:56:39.632+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3434887
2021-10-06T11:56:39.632+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:39.632+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:39.632+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:39.666+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.61.0/linux_amd64/terraform-provider-aws_v3.61.0_x5 args=[.terraform/providers/registry.terraform.io/hashicorp/aws/3.61.0/linux_amd64/terraform-provider-aws_v3.61.0_x5]
2021-10-06T11:56:39.667+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.61.0/linux_amd64/terraform-provider-aws_v3.61.0_x5 pid=3434899
2021-10-06T11:56:39.667+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.61.0/linux_amd64/terraform-provider-aws_v3.61.0_x5
2021-10-06T11:56:39.707+0200 [INFO]  provider.terraform-provider-aws_v3.61.0_x5: configuring server automatic mTLS: timestamp=2021-10-06T11:56:39.706+0200
2021-10-06T11:56:39.764+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:39.764+0200 [DEBUG] provider.terraform-provider-aws_v3.61.0_x5: plugin address: address=/tmp/plugin170734246 network=unix timestamp=2021-10-06T11:56:39.764+0200
2021-10-06T11:56:39.895+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-06T11:56:39.898+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/aws/3.61.0/linux_amd64/terraform-provider-aws_v3.61.0_x5 pid=3434899
2021-10-06T11:56:39.898+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:39.899+0200 [INFO]  terraform: building graph: GraphTypeValidate
2021-10-06T11:56:39.899+0200 [DEBUG] adding implicit provider configuration provider["registry.terraform.io/cloudflare/cloudflare"], implied first by module.cloudflare_firewall.cloudflare_firewall_rule.rules
2021-10-06T11:56:39.899+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.cloudflare_filter.filters" (*terraform.NodeValidatableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:39.899+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.data.cloudflare_zones.domain" (*terraform.NodeValidatableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:39.900+0200 [DEBUG] ProviderTransformer: "data.sops_file.generic" (*terraform.NodeValidatableResource) needs provider["registry.terraform.io/carlpett/sops"]
2021-10-06T11:56:39.900+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.cloudflare_firewall_rule.rules" (*terraform.NodeValidatableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:39.900+0200 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/aws"]
2021-10-06T11:56:39.900+0200 [DEBUG] pruning unused provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_firewall_rule.rules" references: [module.cloudflare_firewall.local.rules (expand) module.cloudflare_firewall.cloudflare_filter.filters module.cloudflare_firewall.data.cloudflare_zones.domain]
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.filters (expand)" references: [module.cloudflare_firewall.cloudflare_filter.filters]
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall (expand)" references: []
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.api_token (expand)" references: [data.sops_file.generic]
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.rules (expand)" references: [var.rules]
2021-10-06T11:56:39.900+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.local.rules (expand)" references: [module.cloudflare_firewall.var.rules (expand) module.cloudflare_firewall.var.rules (expand)]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "output.rules" references: [module.cloudflare_firewall.output.rules (expand)]
2021-10-06T11:56:39.901+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.901+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.901+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_filter.filters" references: [module.cloudflare_firewall.local.rules (expand) module.cloudflare_firewall.data.cloudflare_zones.domain]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.data.cloudflare_zones.domain" references: [module.cloudflare_firewall.var.domain (expand)]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "var.domain" references: []
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "var.rules" references: []
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.rules (expand)" references: [module.cloudflare_firewall.cloudflare_firewall_rule.rules]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.domain (expand)" references: [module.cloudflare_firewall.data.cloudflare_zones.domain]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "output.domain" references: [module.cloudflare_firewall.output.domain (expand)]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/carlpett/sops\"]" references: []
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "data.sops_file.generic" references: []
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.domain (expand)" references: [var.domain]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "output.filters" references: [module.cloudflare_firewall.output.filters (expand)]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [module.cloudflare_firewall.var.api_token (expand)]
2021-10-06T11:56:39.901+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall (close)" references: []
2021-10-06T11:56:39.902+0200 [DEBUG] Starting graph walk: walkValidate
2021-10-06T11:56:39.903+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:39.903+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:39.935+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 args=[.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3]
2021-10-06T11:56:39.936+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3435216
2021-10-06T11:56:39.936+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3
2021-10-06T11:56:39.947+0200 [INFO]  provider.terraform-provider-sops_v0.6.3: configuring server automatic mTLS: timestamp=2021-10-06T11:56:39.947+0200
2021-10-06T11:56:39.984+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:39.984+0200 [DEBUG] provider.terraform-provider-sops_v0.6.3: plugin address: address=/tmp/plugin278358328 network=unix timestamp=2021-10-06T11:56:39.984+0200
2021-10-06T11:56:40.027+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unimplemented desc = unknown service plugin.GRPCStdio"
2021-10-06T11:56:40.028+0200 [DEBUG] No provider meta schema returned
2021-10-06T11:56:40.031+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3435216
2021-10-06T11:56:40.031+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:40.031+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:40.031+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:40.065+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0]
2021-10-06T11:56:40.065+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3435229
2021-10-06T11:56:40.065+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0
2021-10-06T11:56:40.074+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: configuring server automatic mTLS: timestamp=2021-10-06T11:56:40.074+0200
2021-10-06T11:56:40.083+0200 [DEBUG] provider.terraform-provider-cloudflare_v3.1.0: plugin address: address=/tmp/plugin789237701 network=unix timestamp=2021-10-06T11:56:40.083+0200
2021-10-06T11:56:40.083+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:40.125+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-06T11:56:40.126+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3435229
2021-10-06T11:56:40.126+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:40.126+0200 [INFO]  backend/local: apply calling Plan
2021-10-06T11:56:40.126+0200 [INFO]  terraform: building graph: GraphTypePlan
2021-10-06T11:56:40.127+0200 [DEBUG] adding implicit provider configuration provider["registry.terraform.io/cloudflare/cloudflare"], implied first by module.cloudflare_firewall.cloudflare_firewall_rule.rules (expand)
2021-10-06T11:56:40.127+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.cloudflare_filter.filters (expand)" (*terraform.nodeExpandPlannableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:40.127+0200 [DEBUG] ProviderTransformer: "data.sops_file.generic (expand)" (*terraform.nodeExpandPlannableResource) needs provider["registry.terraform.io/carlpett/sops"]
2021-10-06T11:56:40.127+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.cloudflare_firewall_rule.rules (expand)" (*terraform.nodeExpandPlannableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:40.127+0200 [DEBUG] ProviderTransformer: "module.cloudflare_firewall.data.cloudflare_zones.domain (expand)" (*terraform.nodeExpandPlannableResource) needs module.cloudflare_firewall.provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:40.127+0200 [DEBUG] pruning unused provider["registry.terraform.io/hashicorp/aws"]
2021-10-06T11:56:40.127+0200 [DEBUG] pruning unused provider["registry.terraform.io/cloudflare/cloudflare"]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.domain (expand)" references: [module.cloudflare_firewall.data.cloudflare_zones.domain (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "output.domain" references: [module.cloudflare_firewall.output.domain (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [module.cloudflare_firewall.var.api_token (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.local.rules (expand)" references: [module.cloudflare_firewall.var.rules (expand) module.cloudflare_firewall.var.rules (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "var.domain" references: []
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.rules (expand)" references: [var.rules]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.api_token (expand)" references: [data.sops_file.generic (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.var.domain (expand)" references: [var.domain]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "var.rules" references: []
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_firewall_rule.rules (expand)" references: [module.cloudflare_firewall.local.rules (expand) module.cloudflare_firewall.cloudflare_filter.filters (expand) module.cloudflare_firewall.data.cloudflare_zones.domain (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.data.cloudflare_zones.domain (expand)" references: [module.cloudflare_firewall.var.domain (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.rules (expand)" references: [module.cloudflare_firewall.cloudflare_firewall_rule.rules (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.output.filters (expand)" references: [module.cloudflare_firewall.cloudflare_filter.filters (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "output.filters" references: [module.cloudflare_firewall.output.filters (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/carlpett/sops\"]" references: []
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall (expand)" references: []
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "data.sops_file.generic (expand)" references: []
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "output.rules" references: [module.cloudflare_firewall.output.rules (expand)]
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall (close)" references: []
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:40.128+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_filter.filters (expand)" references: [module.cloudflare_firewall.local.rules (expand) module.cloudflare_firewall.data.cloudflare_zones.domain (expand)]
2021-10-06T11:56:40.129+0200 [DEBUG] Starting graph walk: walkPlan
2021-10-06T11:56:40.130+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:40.130+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:40.162+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 args=[.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3]
2021-10-06T11:56:40.162+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3435242
2021-10-06T11:56:40.163+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3
2021-10-06T11:56:40.174+0200 [INFO]  provider.terraform-provider-sops_v0.6.3: configuring server automatic mTLS: timestamp=2021-10-06T11:56:40.174+0200
2021-10-06T11:56:40.210+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:40.210+0200 [DEBUG] provider.terraform-provider-sops_v0.6.3: plugin address: address=/tmp/plugin194594120 network=unix timestamp=2021-10-06T11:56:40.210+0200
2021-10-06T11:56:40.253+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unimplemented desc = unknown service plugin.GRPCStdio"
2021-10-06T11:56:40.254+0200 [DEBUG] No provider meta schema returned
2021-10-06T11:56:40.255+0200 [DEBUG] ReferenceTransformer: "data.sops_file.generic" references: []
2021-10-06T11:56:40.390+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/carlpett/sops/0.6.3/linux_amd64/terraform-provider-sops_v0.6.3 pid=3435242
2021-10-06T11:56:40.390+0200 [DEBUG] provider: plugin exited
2021-10-06T11:56:40.390+0200 [DEBUG] created provider logger: level=debug
2021-10-06T11:56:40.390+0200 [INFO]  provider: configuring client automatic mTLS
2021-10-06T11:56:40.441+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0]
2021-10-06T11:56:40.442+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3435255
2021-10-06T11:56:40.442+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0
2021-10-06T11:56:40.451+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: configuring server automatic mTLS: timestamp=2021-10-06T11:56:40.451+0200
2021-10-06T11:56:40.460+0200 [DEBUG] provider.terraform-provider-cloudflare_v3.1.0: plugin address: address=/tmp/plugin1276204310 network=unix timestamp=2021-10-06T11:56:40.460+0200
2021-10-06T11:56:40.460+0200 [DEBUG] provider: using plugin: version=5
2021-10-06T11:56:40.497+0200 [WARN]  ValidateProviderConfig from "module.cloudflare_firewall.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" changed the config value, but that value is unused
2021-10-06T11:56:40.497+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: 2021/10/06 11:56:40 [INFO] Cloudflare Client configured for user:: timestamp=2021-10-06T11:56:40.497+0200
2021-10-06T11:56:40.498+0200 [INFO]  ReferenceTransformer: reference not found: "var.domain"
2021-10-06T11:56:40.498+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.data.cloudflare_zones.domain" references: []
2021-10-06T11:56:40.499+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: 2021/10/06 11:56:40 [DEBUG] Reading Zones: timestamp=2021-10-06T11:56:40.499+0200
2021-10-06T11:56:40.499+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: 2021/10/06 11:56:40 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/zones?name=domain.tld&per_page=50 HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.0.7 terraform-plugin-sdk/2.7.1 terraform-provider-cloudflare/3.1.0
Authorization: Bearer Fps19LCWhsDYso-h9zF_SRlqU_GZ5XmWs2qChUnO
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2021-10-06T11:56:40.499+0200
2021-10-06T11:56:41.330+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: 2021/10/06 11:56:41 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cf-Cache-Status: DYNAMIC
Cf-Ray: 699e0569b98d4522-TXL
Content-Type: application/json
Date: Wed, 06 Oct 2021 09:56:41 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sun, 25 Jan 1981 05:00:00 GMT
Pragma: no-cache
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhZY8ZXy2V9FB; SameSite=Lax; path=/; expires=Wed, 06-Oct-21 12:26:42 GMT; HttpOnly
Set-Cookie: __cfruid=fdcc0cdfae6d73db2e4d76d0b5a2ee3f8bf4c3ea-1633514201; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

{
 "result": [
  {
   "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
   "name": "domain.tld",
   "status": "active",
   "paused": false,
   "type": "full",
   "development_mode": 0,
   "name_servers": [
    "algin.ns.cloudflare.com",
    "sandy.ns.cloudflare.com"
   ],
   "original_name_servers": [
    "dns.dns4.de",
    "dns.dns2.de",
    "dns.dns1.de",
    "dns.dns3.de"
   ],
   "original_registrar": null,
   "original_dnshost": null,
   "modified_on": "2021-08-30T08:10:30.715395Z",
   "created_on": "2021-07-29T09:17:43.308335Z",
   "activated_on": "2021-07-29T12:05:16.415964Z",
   "vanity_name_servers": [],
   "vanity_name_servers_ips": null,
   "meta": {
    "step": 2,
    "wildcard_proxiable": true,
    "custom_certificate_quota": 1,
    "page_rule_quota": 100,
    "phishing_detected": false,
    "multiple_railguns_allowed": false
   },
   "owner": {
    "id": "aaaaaaaaaaaaaaaaaaaaa",
    "type": "user",
    "email": "mail@domain.tld"
   },
   "account": {
    "id": "aaaaaaaaaaaaaaaaaaaa",
    "name": "Company"
   },
   "permissions": [
    "#access:edit",
    "#access:read",
    "#analytics:read",
    "#app:edit",
    "#auditlogs:read",
    "#billing:read",
    "#cache_purge:edit",
    "#dns_records:edit",
    "#dns_records:read",
    "#lb:edit",
    "#lb:read",
    "#legal:read",
    "#logs:edit",
    "#logs:read",
    "#member:read",
    "#organization:edit",
    "#organization:read",
    "#ssl:edit",
    "#ssl:read",
    "#stream:edit",
    "#stream:read",
    "#subscription:edit",
    "#subscription:read",
    "#teams:edit",
    "#teams:read",
    "#teams:report",
    "#waf:edit",
    "#waf:read",
    "#webhooks:edit",
    "#webhooks:read",
    "#worker:edit",
    "#worker:read",
    "#zone:edit",
    "#zone:read",
    "#zone_settings:edit",
    "#zone_settings:read"
   ],
   "plan": {
    "id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "name": "Enterprise Website",
    "price": 0,
    "currency": "USD",
    "frequency": "",
    "is_subscribed": true,
    "can_subscribe": true,
    "legacy_id": "enterprise",
    "legacy_discount": false,
    "externally_managed": true
   }
  }
 ],
 "result_info": {
  "page": 1,
  "per_page": 50,
  "total_pages": 1,
  "count": 1,
  "total_count": 1
 },
 "success": true,
 "errors": [],
 "messages": []
}
-----------------------------------------------------: timestamp=2021-10-06T11:56:41.329+0200
2021-10-06T11:56:41.332+0200 [WARN]  Provider "module.cloudflare_firewall.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value for module.cloudflare_firewall.data.cloudflare_zones.domain.
      - .filter[0].match: was null, but now cty.StringVal("")
      - .filter[0].paused: was null, but now cty.False
      - .filter[0].status: was null, but now cty.StringVal("")
      - .filter[0].lookup_type: was null, but now cty.StringVal("exact")
2021-10-06T11:56:41.333+0200 [DEBUG] Resource instance state not found for node "module.cloudflare_firewall.cloudflare_filter.filters[\"(http.request.uri.path contains \\\"/api/\\\")\\n\"]", instance module.cloudflare_firewall.cloudflare_filter.filters["(http.request.uri.path contains \"/api/\")\n"]
2021-10-06T11:56:41.333+0200 [INFO]  ReferenceTransformer: reference not found: "local.rules"
2021-10-06T11:56:41.333+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.334+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.334+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.334+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_filter.filters[\"(http.request.uri.path contains \\\"/api/\\\")\\n\"]" references: []
2021-10-06T11:56:41.334+0200 [DEBUG] refresh: module.cloudflare_firewall.cloudflare_filter.filters["(http.request.uri.path contains \"/api/\")\n"]: no state, so not refreshing
2021-10-06T11:56:41.341+0200 [DEBUG] Resource instance state not found for node "module.cloudflare_firewall.cloudflare_firewall_rule.rules[\"(http.request.uri.path contains \\\"/api/\\\")\\n\"]", instance module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"]
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "local.rules"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "cloudflare_filter.filters"
2021-10-06T11:56:41.341+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.341+0200 [DEBUG] ReferenceTransformer: "module.cloudflare_firewall.cloudflare_firewall_rule.rules[\"(http.request.uri.path contains \\\"/api/\\\")\\n\"]" references: []
2021-10-06T11:56:41.342+0200 [DEBUG] refresh: module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"]: no state, so not refreshing
2021-10-06T11:56:41.344+0200 [INFO]  provider.terraform-provider-cloudflare_v3.1.0: 2021/10/06 11:56:41 [WARN] Truncating attribute path of 0 diagnostics for TypeSet: timestamp=2021-10-06T11:56:41.344+0200
2021-10-06T11:56:41.349+0200 [WARN]  Provider "registry.terraform.io/cloudflare/cloudflare" produced an invalid plan for module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .products: planned value cty.NullVal(cty.Set(cty.String)) does not match config value cty.SetValEmpty(cty.String)
2021-10-06T11:56:41.350+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-10-06T11:56:41.359+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.1.0/linux_amd64/terraform-provider-cloudflare_v3.1.0 pid=3435255
2021-10-06T11:56:41.359+0200 [DEBUG] provider: plugin exited

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.cloudflare_firewall.cloudflare_filter.filters["(http.request.uri.path contains \"/api/\")\n"] will be created
  + resource "cloudflare_filter" "filters" {
      + description = "API: /api/*"
      + expression  = <<-EOT
            (http.request.uri.path contains "/api/")
        EOT
      + id          = (known after apply)
      + paused      = false
      + zone_id     = "<ZONE-ID-REMOVED>"
    }

  # module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"] will be created
  + resource "cloudflare_firewall_rule" "rules" {
      + action      = "allow"
      + description = "API: /api/*"
      + filter_id   = (known after apply)
      + id          = (known after apply)
      + paused      = false
      + priority    = 10
      + zone_id     = "<ZONE-ID-REMOVED>"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ filters = {
      + (http.request.uri.path contains "/api/")
 = {
          + description = "API: /api/*"
          + expression  = <<-EOT
                (http.request.uri.path contains "/api/")
            EOT
          + id          = (known after apply)
          + paused      = false
          + ref         = null
          + zone_id     = "<ZONE-ID-REMOVED>"
        }
    }
  ~ rules   = {
      + (http.request.uri.path contains "/api/")
 = {
          + action      = "allow"
          + description = "API: /api/*"
          + filter_id   = (known after apply)
          + id          = (known after apply)
          + paused      = false
          + priority    = 10
          + products    = null
          + zone_id     = "<ZONE-ID-REMOVED>"
        }
    }
2021-10-06T11:56:41.367+0200 [DEBUG] command: asking for input: "\nDo you want to perform these actions?"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value:

Panic output

No response

Expected output

It is expected that products is set to an empty list ([]) instead of null during the initial first run.

Actual output

During the first run, products is set to null.

Steps to reproduce

terraform.tfvars:

rules = [
  {
    priority    = 10
    description = "API: /api/*"
    paused      = false
    action      = "allow"
    expression  = <<-EOT
    (http.request.uri.path contains "/api/")
    EOT
    products    = []
  },
]

The issue lies within products = each.value.products. Even though it is set to an empty list ([]), the first terraform apply will set it to null. See below for the rollout:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.cloudflare_firewall.cloudflare_filter.filters["(http.request.uri.path contains \"/api/\")\n"] will be created
  + resource "cloudflare_filter" "filters" {
      + description = "API: /api/*"
      + expression  = <<-EOT
            (http.request.uri.path contains "/api/")
        EOT
      + id          = (known after apply)
      + paused      = false
      + zone_id     = "<ZONE-ID-REMOVED>"
    }

  # module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"] will be created
  + resource "cloudflare_firewall_rule" "rules" {
      + action      = "allow"
      + description = "API: /api/*"
      + filter_id   = (known after apply)
      + id          = (known after apply)
      + paused      = false
      + priority    = 10
      + zone_id     = "<ZONE-ID-REMOVED>"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  ~ filters = {
      + (http.request.uri.path contains "/api/")
 = {
          + description = "API: /api/*"
          + expression  = <<-EOT
                (http.request.uri.path contains "/api/")
            EOT
          + id          = (known after apply)
          + paused      = false
          + ref         = null
          + zone_id     = "<ZONE-ID-REMOVED>"
        }
    }
  ~ rules   = {
      + (http.request.uri.path contains "/api/")
 = {
          + action      = "allow"
          + description = "API: /api/*"
          + filter_id   = (known after apply)
          + id          = (known after apply)
          + paused      = false
          + priority    = 10
          + products    = null
          + zone_id     = "<ZONE-ID-REMOVED>"
        }
    }

If I now do another plan, it tells me that changes were detected outside terraform and that it now wants to set products to an empty list instead (which is what I've told it initially to do).

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"] has been changed
  ~ resource "cloudflare_firewall_rule" "rules" {
        id          = "<ZONE-ID-REMOVED>"
      + products    = []
        # (6 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Changes to Outputs:
  ~ rules = {
      ~ (http.request.uri.path contains "/api/")
 = {
          ~ products    = null -> []
            # (7 unchanged elements hidden)
        }
    }

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Additional factoids

No response

References

Might be related to this one: https://github.com/cloudflare/terraform-provider-cloudflare/issues/1224
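
To pull the plan/config mismatches reported in this issue out of a noisy TF_LOG=DEBUG run, the following added example (not part of the original issue or the provider's code) parses the two provider warning formats visible in the debug output above and flags null-versus-empty differences. The function and class names are hypothetical; the sample lines are copied from the log in this issue.

```python
import re
from dataclasses import dataclass

# Sample input: warning lines copied from the debug log in this issue.
SAMPLE_LOG = r'''2021-10-06T11:56:41.332+0200 [WARN]  Provider "module.cloudflare_firewall.provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value for module.cloudflare_firewall.data.cloudflare_zones.domain.
      - .filter[0].match: was null, but now cty.StringVal("")
      - .filter[0].paused: was null, but now cty.False
2021-10-06T11:56:41.334+0200 [INFO]  ReferenceTransformer: reference not found: "each.value"
2021-10-06T11:56:41.349+0200 [WARN]  Provider "registry.terraform.io/cloudflare/cloudflare" produced an invalid plan for module.cloudflare_firewall.cloudflare_firewall_rule.rules["(http.request.uri.path contains \"/api/\")\n"], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .products: planned value cty.NullVal(cty.Set(cty.String)) does not match config value cty.SetValEmpty(cty.String)
2021-10-06T11:56:41.359+0200 [DEBUG] provider: plugin exited
'''

# Header of a provider consistency warning; detail lines follow it, indented.
HEADER = re.compile(
    r'\[WARN\]\s+Provider "(?P<provider>.*?)" produced an '
    r'(?P<kind>invalid plan|unexpected new value) for '
    r'(?P<address>.+?)(?:, but we are tolerating it.*|\.)$'
)
PLAN_DETAIL = re.compile(
    r'^\s+- (?P<attr>\.\S+): planned value (?P<left>.+) '
    r'does not match config value (?P<right>.+)$'
)
VALUE_DETAIL = re.compile(
    r'^\s+- (?P<attr>\.\S+): was (?P<left>.+), but now (?P<right>.+)$'
)
TIMESTAMPED = re.compile(r'^\d{4}-\d{2}-\d{2}T')  # start of a new log record

NULL = re.compile(r'^(null|cty\.NullVal\(.*\))$')
EMPTY = re.compile(r'^cty\.((Set|List|Map)ValEmpty\(.*\)|StringVal\(""\))$')


@dataclass
class Mismatch:
    kind: str            # "invalid plan" or "unexpected new value"
    address: str         # resource or data source address from the warning
    attr: str            # attribute path, e.g. ".products"
    left: str            # planned value (plan) or previous value (apply/read)
    right: str           # config value (plan) or new value (apply/read)
    null_vs_empty: bool  # True when one side is null and the other is empty


def is_null_vs_empty(a: str, b: str) -> bool:
    """True when the two cty values differ only as null versus empty."""
    return bool((NULL.match(a) and EMPTY.match(b)) or
                (EMPTY.match(a) and NULL.match(b)))


def find_mismatches(log_text: str) -> list:
    """Collect attribute mismatches listed under provider warnings."""
    results, current = [], None
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if TIMESTAMPED.match(line):
            # A new record: remember it only if it is a consistency warning.
            m = HEADER.search(line)
            current = (m['kind'], m['address']) if m else None
            continue
        if current is None:
            continue  # continuation of an unrelated record (e.g. HTTP dump)
        d = PLAN_DETAIL.match(line) or VALUE_DETAIL.match(line)
        if d:
            results.append(Mismatch(current[0], current[1], d['attr'],
                                    d['left'], d['right'],
                                    is_null_vs_empty(d['left'], d['right'])))
    return results


if __name__ == '__main__':
    for item in find_mismatches(SAMPLE_LOG):
        flag = 'null-vs-empty' if item.null_vs_empty else 'other'
        print(f'{item.kind}: {item.address} {item.attr} [{flag}]')
```
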

jacobbednarz commented 3 years ago

Are you able to replicate this without using for_each? The following doesn't show the problem and the state looks correct.

resource "cloudflare_filter" "wordpress" {
  zone_id     = var.cloudflare_zone_id
  description = "Wordpress break-in attempts that are outside of the office"
  expression  = "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.src ne 192.0.2.1"
}

resource "cloudflare_firewall_rule" "wordpress" {
  zone_id     = var.cloudflare_zone_id
  description = "Block wordpress break-in attempts"
  filter_id   = cloudflare_filter.wordpress.id
  action      = "block"
}

$ terraform apply -auto-approve

cloudflare_filter.wordpress: Creating...
cloudflare_filter.wordpress: Creation complete after 1s [id=d44f063cb8b743c7a442d25f2a40a4ea]
cloudflare_firewall_rule.wordpress: Creating...
cloudflare_firewall_rule.wordpress: Creation complete after 1s [id=cf5ef17dfee34f268132e6cdc1db49ba]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

$ terraform apply -auto-approve

cloudflare_filter.wordpress: Refreshing state... [id=d44f063cb8b743c7a442d25f2a40a4ea]
cloudflare_firewall_rule.wordpress: Refreshing state... [id=cf5ef17dfee34f268132e6cdc1db49ba]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

$ cat terraform.tfstate | jq '.resources[].instances[]'
{
  "schema_version": 0,
  "attributes": {
    "description": "Wordpress break-in attempts that are outside of the office",
    "expression": "(http.request.uri.path ~ \".*wp-login.php\" or http.request.uri.path ~ \".*xmlrpc.php\") and ip.src ne 192.0.2.1",
    "id": "d44f063cb8b743c7a442d25f2a40a4ea",
    "paused": false,
    "ref": "",
    "zone_id": "0da42c8d2132a9ddaf714f9e7c920711"
  },
  "sensitive_attributes": [],
  "private": "bnVsbA=="
}
{
  "schema_version": 0,
  "attributes": {
    "action": "block",
    "description": "Block wordpress break-in attempts",
    "filter_id": "d44f063cb8b743c7a442d25f2a40a4ea",
    "id": "cf5ef17dfee34f268132e6cdc1db49ba",
    "paused": false,
    "priority": 0,
    "products": [],
    "zone_id": "0da42c8d2132a9ddaf714f9e7c920711"
  },
  "sensitive_attributes": [],
  "private": "bnVsbA==",
  "dependencies": [
    "cloudflare_filter.wordpress"
  ]
}

cytopia commented 3 years ago

You are not setting the products param in your example btw.

What I've tried is to explicitly set it to [] (hardcoded):

resource "cloudflare_firewall_rule" "rules" {
  for_each = local.rules

  zone_id   = lookup(data.cloudflare_zones.domain.zones[0], "id")
  filter_id = cloudflare_filter.filters[each.value.expression].id

  priority    = each.value.priority
  description = each.value.description
  paused      = each.value.paused
  action      = each.value.action
  products    = []
}

The addition that terraform plan reports is:

  + resource "cloudflare_firewall_rule" "rules" {
      + action      = "challenge"
      + description = "TEST"
      + filter_id   = (known after apply)
      + id          = (known after apply)
      + paused      = false
      + priority    = 41
      + zone_id     = "REMOVED"
    }

As you can see from above, it does not even include products within the resource to be created.

However, when looking at the Changes to Outputs section, which is defined like so:

output "rules" {
  description = "Created Cloudflare rules for the current zone."
  value       = cloudflare_firewall_rule.rules
}

Then I see that the fetched products is again returned as null:

Plan: 2 to add, 2 to change, 0 to destroy.

Changes to Outputs:

  ~ rules   = {
      + (ip.geoip.asnum eq 00000) = {
          + action      = "challenge"
          + description = "TEST"
          + filter_id   = (known after apply)
          + id          = (known after apply)
          + paused      = false
          + priority    = 41
          + products    = null
          + zone_id     = "<REMOVED>"
        }
        # (38 unchanged elements hidden)
    }

cytopia commented 3 years ago

So anyways, in both examples (the initial issue post and the newly added one), they do apply correctly and everything is set fine at Cloudflare level. However, the Terraform state does not seem to be correct and reports wrong values for the output. This is then also the reason that I need to apply twice in order for it to get the correct output values.

jacobbednarz commented 3 years ago

Thanks, you're right, that example was missing the products attribute (I copied in the wrong example).

Appreciate the updated comments, which shed more light here, as the issue isn't actually with the resource; it's when using outputs that the problem rears its head.

The apply only takes a single run and the state is correct (an empty list) as intended, so that seems fine. We don't do anything special for outputs within the provider, and the handling of those values is all performed by Terraform core, so I think you may need to open a bug with the core team to find out what is going on here. The only thing that hints at this behaviour is the following output on 1.x:

Outputs:

rules = {
  "action" = "block"
  "description" = "Block wordpress break-in attempts"
  "filter_id" = "8c1b942df69643c1b706946135723975"
  "id" = "2cf7bdc06f1045a4b1c372ef8544cfd9"
  "paused" = false
  "priority" = 0
  "products" = toset(null) /* of string */
  "zone_id" = "0da42c8d2132a9ddaf714f9e7c920711"
}

Running this in the console shows the outcome you are seeing.

$ terraform console
> toset(null)
null

jacobbednarz commented 3 years ago

Closing as this looks like a Terraform core issue, not something we control or can fix in the provider.