search

cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0
749 stars 573 forks source link

`cloudflare_access_application` should be replaced when `auth_type` is changed. #3314

Closed F21 closed 3 months ago

F21 commented 3 months ago

Confirmation

Terraform and Cloudflare provider version

Terraform v1.8.3 on linux_amd64

Affected resource(s)

Terraform configuration files

resource "cloudflare_access_application" "test" {
  account_id           = "REDACTED"
  name                 = "REDACTED"
  type                 = "saas"
  saas_app {
    auth_type        = "oidc"
    redirect_uris    = ["REDACTED"]
    scopes           = ["openid", "groups", "email", "profile"]
    app_launcher_url = "REDACTED"
  }
}

Link to debug output

N/a

Panic output

No response

Expected output

The access application should be deleted and recreated.

Actual output

The request fails:

Error: error updating Access Application for accounts "XXX": error from makeRequest: received internal server error response (HTTP 500), please try again later
│
│   with cloudflare_access_application.test,
│   on test.tf line 9, in resource "cloudflare_access_application" "test":
│    9: resource "cloudflare_access_application" "test" {
│

Steps to reproduce

  1. Create SAML version of an access application: 
    resource "cloudflare_access_application" "test" {
account_id           = "REDACTED"
name                 = "test"
type                 = "saas"
saas_app {
consumer_service_url = "test"
sp_entity_id         = "test"
name_id_format       = "email"
}
}
  2. Terraform apply
  3. Update the resource to oidc: 
    resource "cloudflare_access_application" "test" {
account_id           = "REDACTED"
name                 = "REDACTED"
type                 = "saas"
saas_app {
auth_type        = "oidc"
redirect_uris    = ["REDACTED"]
scopes           = ["openid", "groups", "email", "profile"]
app_launcher_url = "REDACTED"
}
}
  4. Terraform apply.
  5. Terraform apply fails.

Additional factoids

When creating an application in the UI, it specifically states that the auth_type cannot be changed and the application will need to be recreated:

Choose an authentication method: Security Assertion Markup Language (SAML) or OpenID Connect (OIDC). Once the application is created, you will not be able to change this setting.

References

No response

github-actions[bot] commented 3 months ago

Community Note

Voting for Prioritization

Volunteering to Work on This Issue

github-actions[bot] commented 3 months ago

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

github-actions[bot] commented 2 months ago

This functionality has been released in v4.35.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!