Error reading setting "nel" for zone in v4.33.0

[lra]

Confirmation

• [X] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• [X] I have searched the issue tracker and my issue isn't already found.
• [X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.8.3
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v4.33.0

Affected resource(s)

cloudflare_zone_settings_override

Terraform configuration files

resource "cloudflare_zone_settings_override" "settings" {
  for_each = var.cloudflare_zones
  zone_id  = data.cloudflare_zone.zone[each.key].id
  settings {
    always_use_https            = "on"
    brotli                      = "on"
    browser_cache_ttl           = 0
    browser_check               = "off"
    cache_level                 = "aggressive"
    ciphers                     = local.ciphers_strong
    http2                       = "on"
    http3                       = "on"
    h2_prioritization           = "on"
    image_resizing              = "open"
    max_upload                  = 2000
    min_tls_version             = "1.2"
    origin_error_page_pass_thru = "off"
    origin_max_http_version     = "2"
    polish                      = "lossless"
    privacy_pass                = "on"
    security_level              = "essentially_off"
    ssl                         = "full"
    universal_ssl = "on"

    minify {
      css  = "on"
      html = "on"
      js   = "off"
    }

    security_header {
      enabled            = true
      include_subdomains = true
      max_age            = 31536000
    }
  }
}

Link to debug output

https://gist.github.com/lra/02b32fb89f8ac9e77129e6656e535a3f

Panic output

No response

Expected output

$ terraform plan
No changes. Your infrastructure matches the configuration.

Actual output

$ terraform plan
╷
│ Error: Error reading setting "nel" for zone "REDACTED": auth.forbidden (1010)
│ 
│   with module.REDACTED.cloudflare_zone_settings_override.settings["REDACTED"],
│   on ../../modules/REDACTED/cloudflare.tf line 29, in resource "cloudflare_zone_settings_override" "settings":
│   29: resource "cloudflare_zone_settings_override" "settings" {

Steps to reproduce

1. Set the provider version to v4.33.0
2. Run terraform plan

Additional factoids

• No error with cloudflare 4.32.0
• We have no "Network Error Logging" option on our cloudflare portal, unlike what's stated in the doc, so maybe that's an issue with our zones.

References

No response

[github-actions[bot]]

Terraform debug log detected :white_check_mark:

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[nitrocode]

Yep, hitting the same error. Thanks for creating this issue.

Our workaround for now

terraform {
  required_providers {
    cloudflare = {
      source = "cloudflare/cloudflare"
      # due to https://github.com/cloudflare/terraform-provider-cloudflare/issues/3312
      version = "~> 4, < 4.33.0"
    }
  }
}

[nitrocode]

I worked with a cloudflare tam to enable NEL across all our zones with a support ticket. No additional scope on the token was needed.

[jacobbednarz]

thanks for raising. the underlying problem here is with the service response and throwing a 403 which upsets the resource fetching the value (even when you don't have it entitled). the service team is looking to address it and once addressed, will allow it to be queried without any additional changes in your code or the provider.

[lra]

thanks for raising. the underlying problem here is with the service response and throwing a 403 which upsets the resource fetching the value (even when you don't have it entitled). the service team is looking to address it and once addressed, will allow it to be queried without any additional changes in your code or the provider.

Thanks.

If this issue is closed, how can we know when it will be fixed so we can resume upgrading the provider version?

[therealdwright]

Still experiencing this issue - I think the issue was prematurely closed.

[thadnutt]

Still experiencing this issue as well.

[jacobbednarz]

a fix for this has been released to production by the service team. v4.33.0 should now work for both unentitled and entitled users of NEL.

if you're still having issues, please open a new issue to be triaged.