cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

Unable to Enable Managed Rulesets / WAF Settings #1394

Closed mcatany closed 2 years ago

mcatany commented 2 years ago

Confirmation

Terraform and Cloudflare provider version

Terraform version: 1.0.4
Provider version: cloudflare/cloudflare v3.7.0

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

# Zone-level WAF Managed Ruleset
resource "cloudflare_ruleset" "zone_level_managed_waf" {
  for_each = { for waf_rule in var.waf_rules : waf_rule["zone_id"] => waf_rule }
  zone_id     = each.value["zone_id"]
  name        = "Managed WAF"
  description = "Cloudflare Managed WAF ruleset"
  kind        = "zone"
  phase       = "http_request_firewall_managed"

  rules {
    action = "execute"
    action_parameters {
      id = "efb7b8c949ac4650a09736fc376e9aee"
    }

    expression = "true"
    enabled = true
    description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
  }
}

Debug output

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: 2022-01-18T07:44:56.470Z [DEBUG] command: asking for input: "\nDo you want to perform these actions?"
yes

2022-01-18T07:46:08.720Z [INFO]  backend/local: apply calling Apply
2022-01-18T07:46:08.721Z [INFO]  terraform: building graph: GraphTypeApply
2022-01-18T07:46:08.722Z [DEBUG] Resource state not found for node "module.cloudflare.cloudflare_ruleset.zone_level_managed_waf[\"log everything in hvbrt\"]", instance module.cloudflare.cloudflare_ruleset.zone_level_managed_waf["log everything in hvbrt"]
2022-01-18T07:46:08.723Z [DEBUG] adding implicit provider configuration provider["terraform.io/builtin/terraform"], implied first by data.terraform_remote_state.cloudflare_org (expand)
2022-01-18T07:46:08.724Z [DEBUG] ProviderTransformer: "module.cloudflare.cloudflare_ruleset.zone_level_managed_waf (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-01-18T07:46:08.724Z [DEBUG] ProviderTransformer: "module.cloudflare.cloudflare_firewall_rule.firewall_rule (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-01-18T07:46:08.724Z [DEBUG] ProviderTransformer: "data.terraform_remote_state.cloudflare_org (expand)" (*terraform.nodeExpandApplyableResource) needs provider["terraform.io/builtin/terraform"]
2022-01-18T07:46:08.724Z [DEBUG] ProviderTransformer: "module.cloudflare.cloudflare_ruleset.zone_level_managed_waf[\"log everything in hvbrt\"]" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-01-18T07:46:08.724Z [DEBUG] ProviderTransformer: "module.cloudflare.cloudflare_filter.filter (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/cloudflare/cloudflare"]
2022-01-18T07:46:08.726Z [ERROR] AttachSchemaTransformer: No provider config schema available for provider["terraform.io/builtin/terraform"]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "module.cloudflare.var.firewall_rules (expand)" references: [local.firewall_rules (expand)]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "local.firewall_rules_hivebrite (expand)" references: [local.firewall_rules_map (expand) data.terraform_remote_state.cloudflare_org (expand)]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "local.waf_rules (expand)" references: [local.firewall_rules_hvbrt (expand)]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "local.waf_rules_map (expand)" references: []
2022-01-18T07:46:08.726Z [INFO]  ReferenceTransformer: reference not found: "each.value"
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "module.cloudflare.cloudflare_ruleset.zone_level_managed_waf[\"log everything in hvbrt\"]" references: [module.cloudflare.var.waf_rules (expand)]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "module.cloudflare.cloudflare_filter.filter (expand)" references: [module.cloudflare.var.firewall_rules (expand)]
2022-01-18T07:46:08.726Z [DEBUG] ReferenceTransformer: "module.cloudflare.var.account_id (expand)" references: [local.account_id (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.firewall_rules_hvbrt (expand)" references: [local.firewall_rules_map (expand) data.terraform_remote_state.cloudflare_org (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" references: [local.account_id (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "provider[\"terraform.io/builtin/terraform\"]" references: []
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "module.cloudflare (expand)" references: []
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "module.cloudflare.cloudflare_ruleset.zone_level_managed_waf (expand)" references: [module.cloudflare.var.waf_rules (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "module.cloudflare.cloudflare_firewall_rule.firewall_rule (expand)" references: [module.cloudflare.var.firewall_rules (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.waf_rules_hvbrt (expand)" references: [local.waf_rules_map (expand) data.terraform_remote_state.cloudflare_org (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.waf_rules_hivebrite (expand)" references: [local.waf_rules_map (expand) data.terraform_remote_state.cloudflare_org (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "data.terraform_remote_state.cloudflare_org (expand)" references: []
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "module.cloudflare.var.waf_rules (expand)" references: [local.waf_rules (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.firewall_rules (expand)" references: [local.firewall_rules_hvbrt (expand) local.firewall_rules_hivebrite (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.firewall_rules_map (expand)" references: []
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "local.account_id (expand)" references: [data.terraform_remote_state.cloudflare_org (expand)]
2022-01-18T07:46:08.727Z [DEBUG] ReferenceTransformer: "module.cloudflare (close)" references: []
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: local.waf_rules_hivebrite (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: module.cloudflare.cloudflare_firewall_rule.firewall_rule (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: local.waf_rules_hvbrt (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: local.waf_rules_map (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: module.cloudflare.var.account_id (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: module.cloudflare.cloudflare_filter.filter (expand) is no longer needed, removing
2022-01-18T07:46:08.727Z [DEBUG] pruneUnusedNodes: module.cloudflare.var.firewall_rules (expand) is no longer needed, removing
2022-01-18T07:46:08.728Z [DEBUG] pruneUnusedNodes: local.firewall_rules (expand) is no longer needed, removing
2022-01-18T07:46:08.728Z [DEBUG] pruneUnusedNodes: local.firewall_rules_hivebrite (expand) is no longer needed, removing
2022-01-18T07:46:08.728Z [DEBUG] Starting graph walk: walkApply
2022-01-18T07:46:08.729Z [DEBUG] created provider logger: level=debug
2022-01-18T07:46:08.730Z [INFO]  provider: configuring client automatic mTLS
2022-01-18T07:46:08.767Z [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0 args=[.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0]
2022-01-18T07:46:08.767Z [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0 pid=141
2022-01-18T07:46:08.767Z [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0
2022-01-18T07:46:08.771Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: configuring server automatic mTLS: timestamp=2022-01-18T07:46:08.771Z
2022-01-18T07:46:08.780Z [DEBUG] provider.terraform-provider-cloudflare_v3.7.0: plugin address: address=/tmp/plugin1517009116 network=unix timestamp=2022-01-18T07:46:08.780Z
2022-01-18T07:46:08.780Z [DEBUG] provider: using plugin: version=5
2022-01-18T07:46:08.821Z [WARN]  ValidateProviderConfig from "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" changed the config value, but that value is unused
2022-01-18T07:46:08.822Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:08 [INFO] Cloudflare Client configured for user:: timestamp=2022-01-18T07:46:08.822Z
2022-01-18T07:46:08.822Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:08 [INFO] Using specified account id f0c9334a714988fdfcf85a0c4d1b2406 in Cloudflare provider: timestamp=2022-01-18T07:46:08.822Z
2022-01-18T07:46:08.822Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:08 [INFO] Cloudflare Client configured for user:: timestamp=2022-01-18T07:46:08.822Z
module.cloudflare.cloudflare_ruleset.zone_level_managed_waf["log everything in hvbrt"]: Creating...
2022-01-18T07:46:08.825Z [INFO]  Starting apply for module.cloudflare.cloudflare_ruleset.zone_level_managed_waf["log everything in hvbrt"]
2022-01-18T07:46:08.826Z [DEBUG] module.cloudflare.cloudflare_ruleset.zone_level_managed_waf["log everything in hvbrt"]: applying the planned Create change
2022-01-18T07:46:08.827Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:08 [DEBUG] unknown key encountered in buildRulesetRulesFromResource for action parameters: products: timestamp=2022-01-18T07:46:08.827Z
2022-01-18T07:46:08.827Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:08 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
POST /client/v4/zones/e23ded7d7fb96271f13f24c728ebda7e/rulesets HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.0.4 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/3.7.0
Content-Length: 345
Authorization: Bearer 6fZsNW7R23Ef-g7ne3Rql8Z9wnWAQa4fT-3BvBCd
Content-Type: application/json
Accept-Encoding: gzip

{
 "name": "Managed WAF",
 "description": "Cloudflare Managed WAF ruleset",
 "kind": "zone",
 "phase": "http_request_firewall_managed",
 "rules": [
  {
   "action": "execute",
   "action_parameters": {
    "id": "efb7b8c949ac4650a09736fc376e9aee"
   },
   "expression": "true",
   "description": "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset",
   "enabled": true
  }
 ]
}
-----------------------------------------------------: timestamp=2022-01-18T07:46:08.827Z
2022-01-18T07:46:10.182Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 07:46:10 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Cf-Cache-Status: DYNAMIC
Cf-Ray: 6cf63536ed03cdb3-CDG
Content-Type: application/json; charset=UTF-8
Date: Tue, 18 Jan 2022 07:46:10 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhs6XDJtrrPZP; SameSite=Lax; path=/; expires=Tue, 18-Jan-22 10:16:11 GMT; HttpOnly
Set-Cookie: __cfruid=d6b2a80da861ff825847b9163c5eb9f3cc9e40dc-1642491970; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 39
X-Version: 4852-25bca9288535

{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "exceeded maximum number of zone rulesets for phase 'http_request_firewall_managed'"
    }
  ],
  "messages": null
}

-----------------------------------------------------: timestamp=2022-01-18T07:46:10.182Z
╷
│ Error: failed to create ruleset "Managed WAF" as a similar configuration already exists. If you are migrating from the Dashboard, you will need to first manually remove it using the API (https://api.cloudflare.com/#zone-rulesets-delete-zone-ruleset) before you can configure it in Terraform. Otherwise, you have hit the entitlements quota and should contact your account team.
│ 
│   with module.cloudflare.cloudflare_ruleset.zone_level_managed_waf["log everything in hvbrt"],
│   on .terraform/modules/cloudflare/firewall_rules.tf line 23, in resource "cloudflare_ruleset" "zone_level_managed_waf":
│   23: resource "cloudflare_ruleset" "zone_level_managed_waf" {
│ 
╵
2022-01-18T07:46:10.669Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-01-18T07:46:10.673Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0 pid=141
2022-01-18T07:46:10.673Z [DEBUG] provider: plugin exited
[terragrunt] 2022/01/18 07:46:10 Hit multiple errors:
exit status 1
Makefile:42: recipe for target 'apply' failed
make: *** [apply] Error 1

Panic output

No response

Expected output

With an API call I'm able to enable the Cloudflare Managed Ruleset:

curl -X PUT -H "X-Auth-Email: user@user.com" -H "X-Auth-Key: xxxxxxxxxxxxxxxxxxxxx" \
  "https://api.cloudflare.com/client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint" \
  -d '{ "rules": [ { "action": "execute", "action_parameters": { "id": "efb7b8c949ac4650a09736fc376e9aee" }, "expression": "true", "description": "Execute Cloudflare Managed Ruleset on my phase entry point" } ] }'

{
  "result": {
    "id": "00d360633f134f7f8615d4ec42e8a917",
    "name": "default",
    "description": "",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "8",
    "rules": [
      {
        "id": "588e3f6ac1ef4534a6283e4fcd9db834",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee",
          "version": "latest"
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my phase entry point",
        "last_updated": "2022-01-17T16:32:49.871554Z",
        "ref": "588e3f6ac1ef4534a6283e4fcd9db834",
        "enabled": true
      }
    ],
    "last_updated": "2022-01-17T16:32:49.871554Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

But with the Terraform Cloudflare Provider I'm unable to, since, as stated before, it says: "Error: failed to create ruleset "Managed WAF" as a similar configuration already exists."

Actual output


Steps to reproduce

1) Create the cloudflare_ruleset per the code provided above
2) Run a terraform plan/apply

Additional factoids

This example is documented in:

https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset

References

No response

jacobbednarz commented 2 years ago

please include the untruncated TF_LOG=DEBUG output.

have you read the note in the documentation and followed the error message for checking the phase doesn’t already exist?

mcatany commented 2 years ago

Hi @jacobbednarz and thanks for the quick response. I've updated the previous message with the TF_LOG=DEBUG output. I've seen that the endpoint I was using in the curl I was doing is different: client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint, versus the one used by Terraform: client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets

The thing that I don't get is why with client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets/phases/http_request_firewall_managed/entrypoint it doesn't complain about "exceeded maximum number of zone rulesets", while with the client/v4/zones/xxxxxxxxxxxxxxxxx/rulesets endpoint used by the provider it does. Is there any way to point to "/entrypoint" with the provider?

Thanks,

Miquel

mcatany commented 2 years ago

I guess the behaviour explained in my last comment is related to this: https://developers.cloudflare.com/ruleset-engine/about "To deploy a ruleset to a phase, add a rule that executes the ruleset to the phase entry point."

nickbabkin commented 2 years ago

@mcatany We were facing the same issue lately. The solution is that you have to delete the existing ruleset from the zone to be able to add a new one.

# Get the ruleset ID (captured into a variable so the DELETE below can use it)
ruleset_id=$(curl -X GET "https://api.cloudflare.com/client/v4/zones/$zone/rulesets" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json" | jq -r '.result[] | select(.description == "Cloudflare Managed WAF ruleset") | .id')

# Delete the ruleset
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/$zone/rulesets/$ruleset_id" -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" -H "Content-Type: application/json"

Then reapply terraform, and it will work.

mcatany commented 2 years ago

Hi @nickbabkin, thanks for the help. I've tried that the days before:

curl -X GET "https://api.cloudflare.com/client/v4/zones/${zone_id}/rulesets" -H "X-Auth-Email: ${user}" -H "X-Auth-Key: ${auth_key}" -H "Content-Type: application/json"  | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3254    0  3254    0     0   2299      0 --:--:--  0:00:01 --:--:--  2299
{
  "result": [
    {
      "id": "70339d97bdb34195bbf054b1ebe81f76",
      "name": "Cloudflare Normalization Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset provides normalization on the URL path",
      "kind": "managed",
      "version": "1",
      "last_updated": "2020-12-18T09:28:09.655749Z",
      "phase": "http_request_sanitize"
    },
    {
      "id": "a6905ff86d3844cebc1a88dd80c659e7",
      "name": "Bot Fight Mode for Likely Bots",
      "description": "",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "4",
      "last_updated": "2021-07-01T16:59:14.386598Z",
      "phase": "http_request_sbfm"
    },
    {
      "id": "48ba18287c544bd7bdbe842a294f1ae2",
      "name": "Bot Fight Mode for Definite Bots",
      "description": "",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "4",
      "last_updated": "2021-07-01T16:59:17.970712Z",
      "phase": "http_request_sbfm"
    },
    {
      "id": "4814384a9e5d4991b9815dcfc25d2f1f",
      "name": "Cloudflare OWASP Core Ruleset",
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "33",
      "last_updated": "2021-10-25T18:33:29.023088Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "c2e184081120413c86c3ab7e14069605",
      "name": "Cloudflare Exposed Credentials Check Ruleset",
      "description": "Exposed credentials check rules",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "36",
      "last_updated": "2021-10-25T18:33:32.902825Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "efb7b8c949ac4650a09736fc376e9aee",
      "name": "Cloudflare Managed Ruleset",
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives.",
      "source": "firewall_managed",
      "kind": "managed",
      "version": "43",
      "last_updated": "2021-12-17T14:49:14.317544Z",
      "phase": "http_request_firewall_managed"
    },
    {
      "id": "4d21379b4f9f4bb088e0729962c8b3cf",
      "name": "DDoS L7 ruleset",
      "description": "Automatic mitigation of HTTP-based DDoS attacks. Cloudflare routinely adds signatures to address new attack vectors. Additional configuration allows you to customize the sensitivity of each rule and the performed mitigation action.",
      "kind": "managed",
      "version": "486",
      "last_updated": "2022-01-14T10:14:36.212151Z",
      "phase": "ddos_l7"
    },
    {
      "id": "00d360633f134f7f8615d4ec42e8a917",
      "name": "default",
      "description": "",
      "source": "firewall_managed",
      "kind": "zone",
      "version": "28",
      "last_updated": "2022-01-18T13:15:51.941667Z",
      "phase": "http_request_firewall_managed"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

But when I try to DELETE it:

curl -X DELETE "https://api.cloudflare.com/client/v4/zones/${zone_id}/rulesets/efb7b8c949ac4650a09736fc376e9aee" -H "X-Auth-Email: ${user}" -H "X-Auth-Key: ${auth_key}" -H "Content-Type: application/json" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   167    0   167    0     0    122      0 --:--:--  0:00:01 --:--:--   122
{
  "result": null,
  "success": false,
  "errors": [
    {
      "message": "could not find ruleset efb7b8c949ac4650a09736fc376e9aee"
    }
  ],
  "messages": null
}
mcatany commented 2 years ago

The GET on that same ruleset endpoint works, BTW (client/v4/zones/${zone_id}/rulesets/efb7b8c949ac4650a09736fc376e9aee).

jacobbednarz commented 2 years ago

@mcatany both of those endpoints are already used in the provider; one creates the phase and the other attaches the desired rules to the Ruleset. Both are required as the PUT cannot create the phase on its own.

Closing this off as it isn't a bug with the provider but a side effect of having Rulesets created in the UI and then trying to manage them via Terraform as well. The linked documentation (and error message from Terraform) outlines how to clean this up to allow managing resources in Terraform. Once the Ruleset is deleted, Terraform management will work. If you have modified Rules in the Ruleset, you will also need to clean them up before migrating the Ruleset.

nickbabkin commented 2 years ago

@mcatany the ruleset you have to delete based on your output is this: 00d360633f134f7f8615d4ec42e8a917

Look for the kind:zone in the output
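The two comments above from nickbabkin (get the ruleset ID, then DELETE it; look for kind "zone") and the failed DELETE earlier in the thread are the whole procedure. The script below is an added example and not code from the thread, the provider, or Cloudflare. It works on the JSON body of GET /client/v4/zones/{zone_id}/rulesets, keeps only the rulesets in the http_request_firewall_managed phase, and separates Cloudflare-owned managed rulesets (kind "managed", such as efb7b8c949ac4650a09736fc376e9aee, which a zone cannot delete, hence the "could not find ruleset" response) from the zone's own phase entry point (kind "zone", the "default" ruleset 00d360633f134f7f8615d4ec42e8a917). Because deleting the entry point removes the zone's currently deployed managed WAF rules until Terraform recreates them, the plan it produces pairs every DELETE with a GET to record the ruleset first. The sample response is constructed from the listing quoted in the thread; the environment variable names CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID and all function names are my own choices; the script only ever sends the GET and prints the DELETE for the operator to run deliberately.

```python
"""Find the zone-level WAF entry point ruleset that blocks `terraform apply`.

Reads the body of GET /client/v4/zones/{zone_id}/rulesets, separates managed
rulesets (kind "managed", Cloudflare-owned, not deletable from the zone) from
the zone's own phase entry point (kind "zone"), and builds the requests an
operator needs before Terraform can create the phase. Nothing is sent unless
CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID are set (assumed names), and even
then only the listing GET is sent; the DELETE is printed, never executed.
"""
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_firewall_managed"

# Constructed sample in the shape of the GET /rulesets output quoted in the
# thread (abbreviated; not a captured API response).
SAMPLE_LIST_RESPONSE = json.dumps({
    "result": [
        {"id": "efb7b8c949ac4650a09736fc376e9aee", "name": "Cloudflare Managed Ruleset",
         "source": "firewall_managed", "kind": "managed", "version": "43", "phase": PHASE},
        {"id": "4814384a9e5d4991b9815dcfc25d2f1f", "name": "Cloudflare OWASP Core Ruleset",
         "source": "firewall_managed", "kind": "managed", "version": "33", "phase": PHASE},
        {"id": "4d21379b4f9f4bb088e0729962c8b3cf", "name": "DDoS L7 ruleset",
         "kind": "managed", "version": "486", "phase": "ddos_l7"},
        {"id": "00d360633f134f7f8615d4ec42e8a917", "name": "default", "description": "",
         "source": "firewall_managed", "kind": "zone", "version": "28", "phase": PHASE},
    ],
    "success": True, "errors": [], "messages": [],
})


def rulesets_in_phase(list_response_text, phase=PHASE):
    """Return (entry_points, managed) for one phase from a list-rulesets body."""
    body = json.loads(list_response_text)
    if not body.get("success", False):
        raise ValueError("list rulesets failed: %s" % body.get("errors"))
    in_phase = [r for r in body.get("result", []) if r.get("phase") == phase]
    entry_points = [r for r in in_phase if r.get("kind") == "zone"]
    managed = [r for r in in_phase if r.get("kind") == "managed"]
    return entry_points, managed


def ruleset_url(zone_id, ruleset_id):
    return "%s/zones/%s/rulesets/%s" % (API_BASE, zone_id, ruleset_id)


def can_delete(list_response_text, ruleset_id, phase=PHASE):
    """Only the zone's own entry point can be deleted from the zone. A managed
    ruleset id is Cloudflare's, referenced by the entry point's "execute" rule,
    so a DELETE on it fails with "could not find ruleset" as in the thread."""
    entry_points, _ = rulesets_in_phase(list_response_text, phase)
    return any(r.get("id") == ruleset_id for r in entry_points)


def cleanup_plan(zone_id, list_response_text, phase=PHASE):
    """Requests to run before Terraform can create the phase entry point.

    Deleting the entry point drops the zone's currently deployed managed WAF
    rules until Terraform recreates them, so each step backs the ruleset up
    with a GET before the DELETE. An empty list means nothing blocks apply.
    """
    entry_points, _ = rulesets_in_phase(list_response_text, phase)
    return [{"id": r["id"], "name": r.get("name", ""),
             "backup": ("GET", ruleset_url(zone_id, r["id"])),
             "delete": ("DELETE", ruleset_url(zone_id, r["id"]))}
            for r in entry_points]


def api_request(method, url, token):
    """Build (not send) an authenticated request; the token stays in the environment."""
    return urllib.request.Request(url, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
    })


def main():
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    zone_id = os.environ.get("CLOUDFLARE_ZONE_ID")
    if token and zone_id:
        req = api_request("GET", "%s/zones/%s/rulesets" % (API_BASE, zone_id), token)
        with urllib.request.urlopen(req) as resp:
            listing = resp.read().decode("utf-8")
    else:
        zone_id, listing = "ZONE_ID_PLACEHOLDER", SAMPLE_LIST_RESPONSE
    plan = cleanup_plan(zone_id, listing)
    if not plan:
        print("no zone-level entry point in phase %s; terraform apply can create it" % PHASE)
    for step in plan:
        print("ruleset %s (%r): first %s %s, then %s %s" % (
            step["id"], step["name"], *step["backup"], *step["delete"]))


if __name__ == "__main__":
    main()
```

Run it without the environment variables to see the plan for the constructed sample: it names only the "default" zone ruleset, and `can_delete` returns False for the managed ruleset ID, which is exactly the DELETE that failed earlier in the thread. With a scoped API token in CLOUDFLARE_API_TOKEN it lists the real zone instead; the DELETE is still left to the operator so that the backup GET happens first.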

mcatany commented 2 years ago

Thanks @nickbabkin, now it works. And sorry for the loss of time @jacobbednarz

jacobbednarz commented 2 years ago

np, hopefully the improvements in #1393 will help with this scenario in the future.