cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

[Ruleset] Single rule override in a managed ruleset disables all other rules #1397

Closed nickbabkin closed 2 years ago

nickbabkin commented 2 years ago

Confirmation

Terraform and Cloudflare provider version

terraform -v Terraform v1.1.3 on darwin_amd64

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

resource "cloudflare_ruleset" "terraform_managed_resource_8313e85ab7164e90adfaee5254de6322" {
  description = "Cloudflare Managed WAF ruleset"
  kind        = "zone"
  name        = "Managed WAF"
  phase       = "http_request_firewall_managed"
  zone_id     = "94691220711a494300a5b3021d0a8443"
  rules {
    action      = "execute"
    description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
    enabled     = true
    expression  = "true"
    # id          = "db6a5a81d2a14d92be019b27852c227e"
    # ref         = "db6a5a81d2a14d92be019b27852c227e"
    # version     = "1"
    action_parameters {
      overrides {
        rules {
          action  = "log"
          enabled = true
          id      = "0f2da91cec674eb58006929e824b817c"
        }
        rules {
          action  = "log"
          enabled = true
          id      = "81718f38edde45a58298189e113e4f59"
        }
      }
      id      = "efb7b8c949ac4650a09736fc376e9aee"
      version = "latest"
    }
  }
}

Debug output

PLAN:

2022-01-18T16:08:37.257Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:08:37 [WARN] Value not in schema returned from API zone settings (is it new?) - "advanced_ddos" : "on": timestamp=2022-01-18T16:08:37.257Z
2022-01-18T16:08:37.257Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:08:37 [WARN] Value not in schema returned from API zone settings (is it new?) - "edge_cache_ttl" : 7200: timestamp=2022-01-18T16:08:37.257Z
2022-01-18T16:08:37.257Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:08:37 [DEBUG] Flattened Cloudflare Read Only Zone Settings: []string{"advanced_ddos"}: timestamp=2022-01-18T16:08:37.257Z
2022-01-18T16:08:37.269Z [WARN]  Provider "registry.terraform.io/cloudflare/cloudflare" produced an invalid plan for module.zone_example_net.cloudflare_zone_settings_override.default[0], but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .settings[0].mobile_redirect: block count in plan (1) disagrees with count in config (0)
      - .settings[0].security_header: block count in plan (1) disagrees with count in config (0)
2022-01-18T16:08:37.272Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-01-18T16:08:37.274Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0 pid=391
2022-01-18T16:08:37.274Z [DEBUG] provider: plugin exited
2022-01-18T16:08:37.292Z [INFO]  backend/local: plan operation completed
2022-01-18T16:08:37.293Z [INFO]  backend/local: writing plan output to: .terraform/plan

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322 has changed
  ~ resource "cloudflare_ruleset" "terraform_managed_resource_8313e85ab7164e90adfaee5254de6322" {
        id          = "2237201281764c428f254c4593003f68"
        name        = "Managed WAF"
        # (4 unchanged attributes hidden)

      ~ rules {
            id          = "62cf64b830f74eedbcf0663ec06e8ebc"
            # (4 unchanged attributes hidden)

          ~ action_parameters {
                id        = "efb7b8c949ac4650a09736fc376e9aee"
              + products  = []
              + rules     = {}
              + rulesets  = []
                # (2 unchanged attributes hidden)

                # (1 unchanged block hidden)
            }
        }
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322 will be updated in-place
  ~ resource "cloudflare_ruleset" "terraform_managed_resource_8313e85ab7164e90adfaee5254de6322" {
        id          = "2237201281764c428f254c4593003f68"
        name        = "Managed WAF"
        # (4 unchanged attributes hidden)

      ~ rules {
            id          = "62cf64b830f74eedbcf0663ec06e8ebc"
            # (4 unchanged attributes hidden)

          ~ action_parameters {
                id        = "efb7b8c949ac4650a09736fc376e9aee"
                # (5 unchanged attributes hidden)

              ~ overrides {
                    # (1 unchanged attribute hidden)

                  + rules {
                      + action  = "log"
                      + enabled = true
                      + id      = "ae20608d93b94e97988db1bbc12cf9c8"
                    }
                    # (2 unchanged blocks hidden)
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│ 
│   on modules/zone/versions.tf line 3, in terraform:
│    3:   experiments = [module_variable_optional_attrs]
│ 
│ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback.
│ 
│ If you have feedback on the design of this feature, please open a GitHub issue to discuss it.
│ 
│ (and 40 more similar warnings elsewhere)

APPLY:

2022-01-18T16:11:37.751Z [WARN]  Provider "registry.terraform.io/cloudflare/cloudflare" produced an invalid plan for cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .rules[0].action_parameters[0].ruleset: planned value cty.StringVal("") for a non-computed attribute
      - .rules[0].action_parameters[0].rulesets: planned value cty.SetValEmpty(cty.String) for a non-computed attribute
      - .rules[0].action_parameters[0].increment: planned value cty.NumberIntVal(0) for a non-computed attribute
      - .rules[0].action_parameters[0].products: planned value cty.SetValEmpty(cty.String) for a non-computed attribute
      - .rules[0].action_parameters[0].rules: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].action: planned value cty.StringVal("") for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].enabled: planned value cty.False for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].rules[0].score_threshold: planned value cty.NumberIntVal(0) for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].rules[0].sensitivity_level: planned value cty.StringVal("") for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].rules[1].sensitivity_level: planned value cty.StringVal("") for a non-computed attribute
      - .rules[0].action_parameters[0].overrides[0].rules[1].score_threshold: planned value cty.NumberIntVal(0) for a non-computed attribute
cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322: Modifying... [id=2237201281764c428f254c4593003f68]
2022-01-18T16:11:37.754Z [INFO]  Starting apply for cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322
2022-01-18T16:11:37.755Z [DEBUG] cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322: applying the planned Update change
2022-01-18T16:11:37.761Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:11:37 [DEBUG] unknown key encountered in buildRulesetRulesFromResource for action parameters: products: timestamp=2022-01-18T16:11:37.761Z
2022-01-18T16:11:37.762Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:11:37 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
PUT /client/v4/zones/94691220711a494300a5b3021d0a8443/rulesets/2237201281764c428f254c4593003f68 HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.1.3 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/3.7.0
Content-Length: 545
Authorization: Bearer [REDACTED]
Content-Type: application/json
Accept-Encoding: gzip

{
 "description": "Cloudflare Managed WAF ruleset",
 "rules": [
  {
   "action": "execute",
   "action_parameters": {
    "id": "efb7b8c949ac4650a09736fc376e9aee",
    "overrides": {
     "enabled": false,
     "rules": [
      {
       "id": "0f2da91cec674eb58006929e824b817c",
       "action": "log",
       "enabled": true
      },
      {
       "id": "81718f38edde45a58298189e113e4f59",
       "action": "log",
       "enabled": true
      },
      {
       "id": "ae20608d93b94e97988db1bbc12cf9c8",
       "action": "log",
       "enabled": true
      }
     ]
    },
    "version": "latest"
   },
   "expression": "true",
   "description": "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset",
   "enabled": true
  }
 ]
}
-----------------------------------------------------: timestamp=2022-01-18T16:11:37.762Z
2022-01-18T16:11:39.736Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:11:39 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 6cf919a929285790-IAD
Content-Type: application/json; charset=UTF-8
Date: Tue, 18 Jan 2022 16:11:39 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhqkC64fYN6ZT; SameSite=Lax; path=/; expires=Tue, 18-Jan-22 18:41:40 GMT; HttpOnly
Set-Cookie: __cfruid=10e115dbf56ed28a25293305082941f7a16f1500-1642522299; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 875
X-Version: 4856-0d1141c75d51

{
  "result": {
    "id": "2237201281764c428f254c4593003f68",
    "name": "Managed WAF",
    "description": "Cloudflare Managed WAF ruleset",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "bde910c6136d46a4a69683665a8230a9",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee",
          "version": "latest",
          "overrides": {
            "enabled": false,
            "rules": [
              {
                "id": "0f2da91cec674eb58006929e824b817c",
                "action": "log",
                "enabled": true
              },
              {
                "id": "81718f38edde45a58298189e113e4f59",
                "action": "log",
                "enabled": true
              },
              {
                "id": "ae20608d93b94e97988db1bbc12cf9c8",
                "action": "log",
                "enabled": true
              }
            ]
          }
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset",
        "last_updated": "2022-01-18T16:11:39.155671Z",
        "ref": "bde910c6136d46a4a69683665a8230a9",
        "enabled": true
      }
    ],
    "last_updated": "2022-01-18T16:11:39.155671Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

-----------------------------------------------------: timestamp=2022-01-18T16:11:39.735Z
2022-01-18T16:11:39.736Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:11:39 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
GET /client/v4/zones/94691220711a494300a5b3021d0a8443/rulesets/2237201281764c428f254c4593003f68 HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.1.3 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/3.7.0
Authorization: Bearer [REDACTED]
Content-Type: application/json
Accept-Encoding: gzip

-----------------------------------------------------: timestamp=2022-01-18T16:11:39.736Z
2022-01-18T16:11:40.949Z [INFO]  provider.terraform-provider-cloudflare_v3.7.0: 2022/01/18 16:11:40 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 6cf919b56a9d8232-IAD
Content-Type: application/json; charset=UTF-8
Date: Tue, 18 Jan 2022 16:11:40 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU56Rb8iNWZVUvXhr5bS6HBMK6V; SameSite=Lax; path=/; expires=Tue, 18-Jan-22 18:41:41 GMT; HttpOnly
Set-Cookie: __cfruid=aa86a692c4d28008a4768214b0a4c0483d930cc6-1642522300; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Vary: Accept-Encoding
X-Envoy-Upstream-Service-Time: 146
X-Version: 4856-0d1141c75d51

{
  "result": {
    "id": "2237201281764c428f254c4593003f68",
    "name": "Managed WAF",
    "description": "Cloudflare Managed WAF ruleset",
    "source": "firewall_managed",
    "kind": "zone",
    "version": "3",
    "rules": [
      {
        "id": "bde910c6136d46a4a69683665a8230a9",
        "version": "1",
        "action": "execute",
        "action_parameters": {
          "id": "efb7b8c949ac4650a09736fc376e9aee",
          "version": "latest",
          "overrides": {
            "enabled": false,
            "rules": [
              {
                "id": "0f2da91cec674eb58006929e824b817c",
                "action": "log",
                "enabled": true
              },
              {
                "id": "81718f38edde45a58298189e113e4f59",
                "action": "log",
                "enabled": true
              },
              {
                "id": "ae20608d93b94e97988db1bbc12cf9c8",
                "action": "log",
                "enabled": true
              }
            ]
          }
        },
        "expression": "true",
        "description": "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset",
        "last_updated": "2022-01-18T16:11:39.155671Z",
        "ref": "bde910c6136d46a4a69683665a8230a9",
        "enabled": true
      }
    ],
    "last_updated": "2022-01-18T16:11:39.155671Z",
    "phase": "http_request_firewall_managed"
  },
  "success": true,
  "errors": [],
  "messages": []
}

-----------------------------------------------------: timestamp=2022-01-18T16:11:40.948Z
2022-01-18T16:11:40.950Z [WARN]  Provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value for cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .rules[0].id: was cty.StringVal("62cf64b830f74eedbcf0663ec06e8ebc"), but now cty.StringVal("bde910c6136d46a4a69683665a8230a9")
      - .rules[0].action_parameters[0].overrides[0].rules[2].score_threshold: was null, but now cty.NumberIntVal(0)
      - .rules[0].action_parameters[0].overrides[0].rules[2].sensitivity_level: was null, but now cty.StringVal("")
cloudflare_ruleset.terraform_managed_resource_8313e85ab7164e90adfaee5254de6322: Modifications complete after 3s [id=2237201281764c428f254c4593003f68]
2022-01-18T16:11:40.952Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-01-18T16:11:40.956Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.7.0/linux_amd64/terraform-provider-cloudflare_v3.7.0 pid=213
2022-01-18T16:11:40.956Z [DEBUG] provider: plugin exited
2022-01-18T16:11:40.963Z [DEBUG] Uploading remote state to S3: {
  Body: buffer(0xc002d74fc0),
  Bucket: "xxx",
  ContentLength: 143344,
  ContentType: "application/json",
  Key: "cloudflare-terraform:/test/terraform.tfstate"
}

2022-01-18T16:11:41.729Z [DEBUG] [aws-sdk-go]
╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│ 
│   on modules/zone/versions.tf line 3, in terraform:
│    3:   experiments = [module_variable_optional_attrs]
│ 
│ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback.
│ 
│ If you have feedback on the design of this feature, please open a GitHub issue to discuss it.
│ 
│ (and 40 more similar warnings elsewhere)
╵

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Panic output

No response

Expected output

We expect only the override to be applied

Actual output

All rules that were enabled by default in the ruleset get disabled

Steps to reproduce

  1. Add a new override to an existing cloudflare managed ruleset rule
  2. terraform apply
  3. All rules in the ruleset will get disabled

Additional factoids

No response

References

No response

jacobbednarz commented 2 years ago

IIRC, this is an issue with "enabled": false in the overrides disabling all the others because the value was modified at one time or another. From memory, the solution is that you should now explicitly send it set to true since the value has been modified (aka, it doesn't happen if you haven't changed it previously).

@vences do you recall?

jacobbednarz commented 2 years ago

(if it is, this is a known thing with using booleans as zero, optional and default values in Terraform)

nickbabkin commented 2 years ago

@jacobbednarz this is correct, setting enabled: true under overrides helped. However, it has now enabled all the rules. How can I use the default Cloudflare rule settings (the ones managed by the CF security team) combined with a couple of custom overrides?

Basically, now I have two options: 1) either use the default Cloudflare recommended settings with no overrides at all, or 2) apply custom overrides while enabling all the rules (even the rules that are recommended to be disabled by Cloudflare).

Any way out of this misery? :)

vences commented 2 years ago

@jacobbednarz yes, it has been highlighted here and you even sent an enhancement to the plugin SDK here. As soon as it is explicitly set up, you cannot revert to the default configuration, unfortunately. The only way for now is to delete and recreate the rulesets configuration without the enabled.

wjdavis5 commented 2 years ago

It's worth noting in this thread that the implications for the end user can be somewhat catastrophic. As was mentioned here, the first time we applied our template w/o including enable, the ruleset was created and everything worked. But on subsequent deployments of the same template enabled: false was injected. We didn't catch this and our Production WAF was disabled for months. To further complicate matters, the Portal UI clearly shows everything is enabled. It wasn't until I queried the rulesets via the API that I discovered why we hadn't seen a single rule trip. It's no fun having to explain to your CISO that your shiny new WAF has been off for months. It's even less fun to explain that Cloudflare knew this was an issue.
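The API query that exposed the problem above can be turned into a routine check. The following is an added example, not code from this issue or from the provider: it parses a ruleset document in the shape of the GET /zones/{zone_id}/rulesets/{ruleset_id} response shown in the debug output and flags any execute rule whose overrides carry the ruleset-wide "enabled": false that the portal did not surface. The managed ruleset id and the three rule ids are taken from the issue; the zone-level ruleset id and entry rule id are placeholders, and the document itself is constructed.

```python
import json
import sys

# Managed ruleset and rule ids copied from the issue's API response; the zone-level
# ruleset id and entry rule id are placeholders. sample_response() builds a constructed
# document with the same shape as the response shown in the debug output.
MANAGED_RULESET_ID = "efb7b8c949ac4650a09736fc376e9aee"
OVERRIDDEN_RULE_IDS = [
    "0f2da91cec674eb58006929e824b817c",
    "81718f38edde45a58298189e113e4f59",
    "ae20608d93b94e97988db1bbc12cf9c8",
]


def sample_response(overrides_enabled):
    """Build a constructed ruleset response; overrides_enabled is True, False or None (key absent)."""
    overrides = {"rules": [{"id": r, "action": "log", "enabled": True} for r in OVERRIDDEN_RULE_IDS]}
    if overrides_enabled is not None:
        overrides["enabled"] = overrides_enabled
    return json.dumps({
        "result": {
            "id": "ZONE_RULESET_ID_PLACEHOLDER",
            "kind": "zone",
            "phase": "http_request_firewall_managed",
            "rules": [{
                "id": "ENTRY_RULE_ID_PLACEHOLDER",
                "action": "execute",
                "action_parameters": {"id": MANAGED_RULESET_ID, "version": "latest", "overrides": overrides},
                "expression": "true",
                "enabled": True,
            }],
        },
        "success": True, "errors": [], "messages": [],
    })


def audit_ruleset(response_json):
    """Return one finding per execute rule whose overrides switch the managed ruleset off.

    A ruleset-wide overrides.enabled: false disables every rule in the managed ruleset
    except those listed individually with enabled: true, so the WAF is reduced to that
    short list. Each finding records what is left and whether it only logs.
    """
    doc = json.loads(response_json)
    findings = []
    for rule in doc.get("result", {}).get("rules", []):
        if rule.get("action") != "execute":
            continue
        params = rule.get("action_parameters") or {}
        overrides = params.get("overrides") or {}
        if overrides.get("enabled") is not False:
            continue  # absent or true: the managed ruleset's own defaults still apply
        kept = [r for r in overrides.get("rules", []) if r.get("enabled")]
        findings.append({
            "entry_rule_id": rule.get("id"),
            "managed_ruleset_id": params.get("id"),
            "individually_enabled": [r["id"] for r in kept],
            # If every surviving rule is set to "log", nothing is blocked at all.
            "log_only": bool(kept) and all(r.get("action") == "log" for r in kept),
        })
    return findings


def main():
    # Usage: pipe the ruleset JSON fetched from the API into this script; with no
    # stdin it audits the constructed sample that reproduces the issue.
    raw = sys.stdin.read() if not sys.stdin.isatty() else sample_response(False)
    findings = audit_ruleset(raw)
    for f in findings:
        print(f"WARN managed ruleset {f['managed_ruleset_id']} is disabled ruleset-wide; "
              f"only {len(f['individually_enabled'])} rule(s) remain enabled"
              + (" (all log-only)" if f["log_only"] else ""))
    if not findings:
        print("OK no ruleset-wide disable found")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it periodically against the live ruleset rather than trusting the Terraform plan or the dashboard, since both showed the ruleset as enabled here.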

github-actions[bot] commented 2 years ago

This functionality has been released in v3.17.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!