cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

Error: invalid zone setting "image_resizing" (value: ) found - cannot be set as it is read only #1297

Closed hpapadopoulos closed 2 years ago

hpapadopoulos commented 2 years ago

Terraform and Cloudflare provider version

terraform -v
Terraform v0.15.1
on darwin_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v3.4.0

Affected resource(s)

cloudflare_zone_settings_override

Terraform configuration files

resource "cloudflare_zone_settings_override" "some_zone" {
  zone_id = var.zone_id
  settings {
    always_online            = var.always_online
    always_use_https         = var.always_use_https
    automatic_https_rewrites = var.automatic_https_rewrites
    brotli                   = var.brotli
    binary_ast               = var.binary_ast
    browser_cache_ttl        = var.browser_cache_ttl
    browser_check            = var.browser_check
    cache_level              = var.cache_level
    challenge_ttl            = var.challenge_ttl
    cname_flattening         = var.cname_flattening
    development_mode         = var.development_mode
    email_obfuscation        = var.email_obfuscation
    early_hints              = var.early_hints
    h2_prioritization        = var.h2_prioritization
    hotlink_protection       = var.hotlink_protection
    http2                    = var.http2
    http3                    = var.http3
    image_resizing           = var.image_resizing
    ip_geolocation           = var.ip_geolocation
    ipv6                     = var.ipv6
    max_upload               = var.max_upload
    min_tls_version          = var.min_tls_version
    #minify                      = var.minify
    mirage = var.mirage
    #mobile_redirect             = var.mobile_redirect
    opportunistic_encryption    = var.opportunistic_encryption
    opportunistic_onion         = var.opportunistic_onion
    origin_error_page_pass_thru = var.origin_error_page_pass_thru
    polish                      = var.polish
    prefetch_preload            = var.prefetch_preload
    privacy_pass                = var.privacy_pass
    pseudo_ipv4                 = var.pseudo_ipv4
    response_buffering          = var.response_buffering
    rocket_loader               = var.rocket_loader
    security_level              = var.security_level
    server_side_exclude         = var.server_side_exclude
    sort_query_string_for_cache = var.sort_query_string_for_cache
    ssl                         = var.ssl
    universal_ssl               = var.universal_ssl
    tls_1_3                     = var.tls_1_3
    tls_client_auth             = var.tls_client_auth
    true_client_ip_header       = var.true_client_ip_header
    waf                         = var.waf
    webp                        = var.webp
    websockets                  = var.websockets
    zero_rtt                    = var.zero_rtt
    dynamic "security_header" {
      for_each = var.security_headers
      content {
        enabled            = security_header.value.security_header_enabled
        include_subdomains = security_header.value.security_header_include_subdomains
        max_age            = security_header.value.security_header_max_age
        nosniff            = security_header.value.security_header_nosniff
        preload            = security_header.value.security_header_preload
      }
    }
  }
}

Debug output

│ Error: invalid zone setting "image_resizing" (value: ) found - cannot be set as it is read only

Panic output

No response

Expected output

No changes on the setting image_resizing

Actual output


Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # cloudflare_zone_settings_override.this is tainted, so must be replaced
-/+ resource "cloudflare_zone_settings_override" "this" {
      ~ id                       = "$some_id" -> (known after apply)
      + initial_settings         = (known after apply)
      + initial_settings_read_at = (known after apply)
      ~ readonly_settings        = [
          - "advanced_ddos",
          - "binary_ast",
          - "image_resizing",
        ] -> (known after apply)
      ~ zone_status              = "active" -> (known after apply)
      ~ zone_type                = "full" -> (known after apply)
        # (1 unchanged attribute hidden)

      ~ settings {
          ~ automatic_https_rewrites    = "off" -> "on"
          ~ binary_ast                  = "off" -> "on"
          ~ brotli                      = "off" -> "on"
          ~ cache_level                 = "aggressive" -> "simplified"
          ~ challenge_ttl               = 1800 -> 2700
          ~ ciphers                     = [] -> (known after apply)
          ~ filter_logs_to_cloudflare   = "off" -> (known after apply)
          ~ http3                       = "off" -> "on"
          ~ image_resizing              = "off" -> "on"
          ~ ipv6                        = "on" -> "off"
          ~ log_to_cloudflare           = "on" -> (known after apply)
          ~ max_upload                  = 100 -> 500
          ~ mirage                      = "off" -> "on"
          ~ opportunistic_encryption    = "off" -> "on"
          ~ orange_to_orange            = "off" -> (known after apply)
          ~ privacy_pass                = "on" -> "off"
          ~ proxy_read_timeout          = "100" -> (known after apply)
          ~ server_side_exclude         = "on" -> "off"
          ~ ssl                         = "flexible" -> "full"
          ~ tls_1_2_only                = "off" -> (known after apply)
          ~ visitor_ip                  = "on" -> (known after apply)
            # (30 unchanged attributes hidden)

          ~ minify {
              ~ css  = "off" -> (known after apply)
              ~ html = "on" -> (known after apply)
              ~ js   = "off" -> (known after apply)
            }

          ~ mobile_redirect {
              + mobile_subdomain = (known after apply)
              ~ status           = "off" -> (known after apply)
              ~ strip_uri        = false -> (known after apply)
            }

          ~ security_header {
              ~ enabled            = false -> (known after apply)
              ~ include_subdomains = false -> (known after apply)
              ~ max_age            = 0 -> (known after apply)
              ~ nosniff            = false -> (known after apply)
              ~ preload            = false -> (known after apply)
            }
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.

│ Warning: Resource targeting is in effect
│ 
│ You are creating a plan with the -target option, which means that the result of this plan may not represent all of the changes requested by the current configuration.
│ 
│ The -target option is not for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error message.
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudflare_zone_settings_override.babylonhealth_uk: Destroying... [id=$some_id]
╷
│ Warning: Applied changes may be incomplete
│ 
│ The plan was created with the -target option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully updated. Run the following command to verify that no other
│ changes are pending:
│     terraform plan
│ 
│ Note that the -target option is not suitable for routine use, and is provided only for exceptional situations such as recovering from errors or mistakes, or when Terraform specifically suggests to use it as part of an error
│ message.
╵
╷
│ Error: invalid zone setting "image_resizing" (value: ) found - cannot be set as it is read only
│ 
│ 

Steps to reproduce

Try to apply the config with the default values.

References

Same issue as: https://github.com/cloudflare/terraform-provider-cloudflare/issues/961. That wasn't resolved, just closed, so not sure what the outcome was.

This also looks similar https://github.com/cloudflare/terraform-provider-cloudflare/issues/533

hpapadopoulos commented 2 years ago

Similarly, even after state rm, another setting is giving the same error:

│ Error: invalid zone setting "binary_ast" (value: on) found - cannot be set as it is read only
│ 
│   with cloudflare_zone_settings_override.this,
│   on zone_settings.tf line 1, in resource "cloudflare_zone_settings_override" "this":
│    1: resource "cloudflare_zone_settings_override" "this" {

and then again from another state rm and try to set it from scratch

│ Error: invalid zone setting "binary_ast" (value: off) found - cannot be set as it is read only
│ 
│   with cloudflare_zone_settings_override.this,
│   on zone_settings.tf line 1, in resource "cloudflare_zone_settings_override" "this":
│    1: resource "cloudflare_zone_settings_override" "this" {

So no matter if you try with on/off, it won't allow it. When I remove it from the config entirely, I get this:

╷
│ Error: invalid zone setting "binary_ast" (value: ) found - cannot be set as it is read only
│ 
│ 
╵

jacobbednarz commented 2 years ago

please see the documentation for this on the provider registry - https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/zone_settings_override#plan-dependent-settings

you shouldn't be defining all these settings unless you are explicitly wanting to override them. this resource isn't intended to be used as a "manage all settings in state" resource, only overrides from the defaults.

hpapadopoulos commented 2 years ago

Hey @jacobbednarz , thanks for the reply, but as I mentioned here, it doesn't matter if it is defined or not or what value we have, it still throws the error.

cascadingstyletrees commented 2 years ago

Gabe from CSUP here, had a customer with the same issue, without having that setting in the script, on provider v3.4.

jacobbednarz commented 2 years ago

the reason it will be constantly erroring now is that the values are already in the state file and attempting to update the resource with them. you should remove the resource from state and reapply only the settings you are overriding and it should be fine.

hpapadopoulos commented 2 years ago

Hey @jacobbednarz , as I mentioned above, I always go with blank state: This (Similarly, even after state rm, another setting is giving the same error:)

fr3fou commented 2 years ago

I'm dealing with the exact same issue and my settings block is completely empty -

resource "cloudflare_zone_settings_override" "settings" {
  zone_id = var.zone_id
  settings {
  }
}

and I still get an error along the lines of Error: invalid zone setting "mirage" (value: ) found - cannot be set as it is read only

This resource is basically unusable for me

patryk commented 2 years ago

Hey guys. I'll be dealing with this issue since @jacobbednarz is away for a while.

So far, I've been unable to reproduce your issue. The read only settings are not supposed to be put into config file. But even after I remove them, the settings are applied fine. If it does actually land in a state file, removing it with terraform state rm should fix it. Either way, if you look into .tfstate file, it should be in the readonly_settings section, indicating as uneditable.

For more context I need the debug log. https://www.terraform.io/docs/internals/debugging.html describes how to generate one. Be sure to redact your API keys/tokens, but the rest of the output should be unedited. If you are uncomfortable posting them here on GitHub, please attach them to your respective support tickets (I believe you opened one).

fr3fou commented 2 years ago

> Hey guys. I'll be dealing with this issue since @jacobbednarz is away for a while.
>
> So far, I've been unable to reproduce your issue. The read only settings are not supposed to be put into config file. But even after I remove them, the settings are applied fine. If it does actually land in a state file, removing it with terraform state rm should fix it. Either way, if you look into .tfstate file, it should be in the readonly_settings section, indicating as uneditable.
>
> For more context I need the debug log. https://www.terraform.io/docs/internals/debugging.html describes how to generate one. Be sure to redact your API keys/tokens, but the rest of the output should be unedited. If you are uncomfortable posting them here on GitHub, please attach them to your respective support tickets (I believe you opened one).

I managed to fix it by using terraform state rm. Huge thanks for the reply anyway!

thomasnugent commented 2 years ago

Hey @patryk, as mentioned in this thread and some others (e.g. https://github.com/cloudflare/terraform-provider-cloudflare/issues/377), this cloudflare_zone_settings_override isn't intended to be how we define settings. Is there a preferred way or is it still being developed (which in that case I'd love to sign up for a notification of this somehow haha).

Examples of settings: cache settings, speed optimisation, email obfuscation, cache TTL.

Happy to make another "Issue" unless I've missed an existing one already.

hpapadopoulos commented 2 years ago

Hi @patryk ,

I appreciate the workaround, but this is definitely not a solution, as if it requires someone to manually intervene, it beats the purpose of automation and in no way can it be used in a CI/CD pipeline.

Regarding "The read only settings are not supposed to be put into config file.": I will once again point towards my previous replies that even if I don't include the config, it still doesn't allow to apply and gives out the error.

In any case, I'll follow up with the support team on the ticket as this doesn't seem to be treated as an issue. (have submitted the debug logs on the ticket)

patryk commented 2 years ago

@fr3fou Great to hear it fixed your issue.

@thomasnugent As @jacobbednarz already mentioned, this resource is meant (by its semantic) to define settings that differ from their defaults. This is an unfortunate design decision of the person who initially implemented the plugin. While I am not aware of immediate plans to deal with it, this is a kind of problem we might attack in a future breaking change (likely mid-term). For now, you should put in a resource only the settings that do differ from their defaults (even if they are already in the defined state because e.g. you manually edited them in UI), except settings unavailable to you in your subscription plan.

@hpapadopoulos Please be assured we're not ignoring your issue, but in order to have a chance fixing it, we need to be able to reproduce it.

hpapadopoulos commented 2 years ago

Thanks @patryk, but I am not saying that you're ignoring the issue, just that it isn't treated as one and is treated more as if it is a feature

> this resource is meant (by its semantic) to define settings that differ from their defaults.

Although it throws the error even when the values are not defined.

But as mentioned above, I'll follow on the support ticket as I can share more details around it (including the full debug logs ~8.5k lines)

patryk commented 2 years ago

Hi @hpapadopoulos, I believe I've found the root cause of your issue. Hint: you did nothing wrong with image_resizing. This is also not Terraform's fault.

The API is initially reporting that Image Resizing is "read only", even though you are able to toggle it on in the UI. Once enabled, the API will begin reporting the setting as "editable = true". The Terraform plugin respects this field, which is why it reports back the error "the setting is read only" to the customer.

To unblock yourself, toggle the setting once manually in the UI (which apparently ignores the "editable" field). My apologies for the issue, but the API is owned by a different team from my own. The Support Team will make them aware of the issue.

Thanks for your patience and sorry it took so long.
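
Added example (not part of the thread and not the provider's own code): a pre-flight check for the "editable" field described in the comment above, run before terraform apply so a pipeline stops with a clear list instead of the read-only error. It covers only settings named in the configuration; the response body and the desired values are constructed samples shaped like the result of the zone settings list endpoint (GET /zones/<zone_id>/settings), and the function names are hypothetical.

```python
import json

# Constructed sample of a zone settings list response; values are
# illustrative and not taken from the thread.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"id": "ssl", "value": "flexible", "editable": True},
        {"id": "min_tls_version", "value": "1.0", "editable": True},
        {"id": "image_resizing", "value": "off", "editable": False},
        {"id": "binary_ast", "value": "off", "editable": False},
        {"id": "mirage", "value": "off", "editable": False},
    ],
})

# Constructed sample of the overrides a cloudflare_zone_settings_override
# resource would try to set (setting name -> desired value).
DESIRED = {"ssl": "full", "min_tls_version": "1.2", "image_resizing": "on"}


def index_settings(response_body):
    """Parse the API response into {setting_id: (value, editable)}."""
    doc = json.loads(response_body)
    if not doc.get("success"):
        raise ValueError("API response reports failure")
    # A missing "editable" key is treated as read-only (fail closed).
    return {s["id"]: (s.get("value"), bool(s.get("editable", False)))
            for s in doc.get("result", [])}


def preflight(desired, response_body):
    """Classify each desired override before terraform apply.

    Returns (blocked, unknown, changes):
      blocked - settings the API marks editable=false (apply would fail)
      unknown - settings the API did not return for this zone
      changes - editable settings whose value would actually change
    """
    current = index_settings(response_body)
    blocked, unknown, changes = [], [], {}
    for name, want in sorted(desired.items()):
        if name not in current:
            unknown.append(name)
            continue
        value, editable = current[name]
        if not editable:
            blocked.append(name)
        elif value != want:
            changes[name] = (value, want)
    return blocked, unknown, changes


if __name__ == "__main__":
    blocked, unknown, changes = preflight(DESIRED, SAMPLE_RESPONSE)
    for name in blocked:
        print(f"read-only per API, drop from config or toggle in UI: {name}")
    for name, (old, new) in changes.items():
        print(f"will change {name}: {old!r} -> {new!r}")
    raise SystemExit(1 if blocked or unknown else 0)
```

Failing closed on a missing "editable" key keeps security-relevant overrides such as ssl or min_tls_version from being reported as applicable when the API response is incomplete.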

getkey commented 2 years ago

I am also encountering this issue with true_client_ip_header.

joarobles commented 2 years ago

Removing the resource from the state with terraform state rm <resource> solves this as a workaround

salomvary commented 1 year ago

I had the same issue with v3.20.0 and terraform state rm <resource> indeed worked. I am still puzzled as to why this was happening. Re-read the entire conversation here as well as the documentation for cloudflare_zone_settings_override and still don't get it. If this is not an issue in this provider, then where? Could someone who understands this summarize so that someone with mid-level experience (that is not expert) with Terraform and Cloudflare can understand. Much appreciated!

pthieu commented 10 months ago

facing this right now, i only want to manage the SSL config and have this

resource "cloudflare_zone_settings_override" "zone_settings" {
  zone_id = data.cloudflare_zone.site.id
  settings {
    ssl = "full"
  }
}

but getting errors like

Error: invalid zone setting "origin_error_page_pass_thru" (value: ) found - cannot be set as it is read only

sachasmart commented 10 months ago

> facing this right now, i only want to manage the SSL config and have this
>
> resource "cloudflare_zone_settings_override" "zone_settings" {
>   zone_id = data.cloudflare_zone.site.id
>   settings {
>     ssl = "full"
>   }
> }
>
> but getting errors like
>
> Error: invalid zone setting "origin_error_page_pass_thru" (value: ) found - cannot be set as it is read only

Not sure if this has been resolved yet but this worked for me just now. Should be noted that I used cf-terraforming for the cloudflare_zone_settings_override, which imported the entire settings. This didn't work and I came to this thread - all I really want to manage is my ssl mode within the context of Terraform. I removed all the excess settings and reapplied and it went through...

resource "cloudflare_zone_settings_override" "terraform_managed_resource_uuid" {
  zone_id = var.zone_id
  settings {
    ssl = "strict"
  }
}

sre95 commented 6 months ago

I encountered the same issue using Terraform v1.6.4 and v4.20.0 of Cloudflare provider. I think I added some features not available in Cloudflare free tier such as min_tls_version setting.

resource "cloudflare_zone_settings_override" "your_ressource_name" {
  zone_id = cloudflare_zone.example.id

  settings {
    tls_1_3                  = "on"
    min_tls_version          = "1.2"
    automatic_https_rewrites = "on"
    ssl                      = "strict"
  }
}

I resolved the issue by removing the option and resource from Terraform cloud state via the command below:

terraform state rm cloudflare_zone_settings_override.<your_ressource_name>

resource "cloudflare_zone_settings_override" "your_ressource_name" {
  zone_id = cloudflare_zone.example.id

  settings {
    tls_1_3                  = "on"
    automatic_https_rewrites = "on"
    ssl                      = "strict"
  }
}

Fedcomp commented 4 months ago

Surprised it's still a thing. My terraform state is in gitlab managed state in their own CI/CD pipeline. Executing any terraform commands locally beats the purpose of gitops and it's just very complicated in my case.

Yes, I use this resource for a single setting, yet it fails on a setting I never set when terraform is trying to recreate the settings.

Fedcomp commented 4 months ago

So I had to add

before_script:
  - gitlab-terraform plan
  - gitlab-terraform state rm cloudflare_zone_settings_override.%terraform_zone_state_name%

To my gitlab-ci.yml just to remove this state entry. Maybe this workaround will help someone. Replace %terraform_zone_state_name% with actual name.