[X] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
[X] I have searched the issue tracker and my issue isn't already found.
[X] I have replicated my issue using the latest version of the provider and it is still present.
Expected output
When the ordering of associated hostnames returned from the Cloudflare API differs from the ordering in Terraform, we expect one of two outcomes:
Applying Terraform (or doing a PUT against the API) with the same list of hostnames in a different order should actually reorder them on the server side so that future runs don't produce any drift.
Terraform should not care about the order of the returned hostnames and report no drift if the order differs from what the API returns.
Actual output
If the ordering differs, we get a permanent drift, like so:
Terraform will perform the following actions:

  # cloudflare_access_mutual_tls_certificate.test will be updated in-place
  ~ resource "cloudflare_access_mutual_tls_certificate" "test" {
      ~ associated_hostnames = [
          - "<hostname 1>",
            "<hostname 2>",
          + "<hostname 1>",
        ]
        id                   = "<id>"
        name                 = "test"
        # (3 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Neither applying this change through Terraform nor applying it directly through the Cloudflare API actually reflects the new ordering on the server side, and the drift continues to show up in subsequent runs. We could work around this if the ordering were deterministic and something we could account for in our Terraform config (if it is, please advise and we can take that approach), but we notice that even for the same list of hostnames, they are returned in a different order on different certs.
Steps to reproduce
Create an Access mTLS cert with multiple associated hostnames
Change the ordering of the hostnames in the Terraform configuration to a different order than the Cloudflare API returns them in
This results in drift which will show up in subsequent plan/apply and will not go away upon successful apply
Confirmation
Terraform and Cloudflare provider version
Terraform v1.9.1 on darwin_amd64
Affected resource(s)
Terraform configuration files
Link to debug output
https://gist.github.com/bporter816/a339f01e2c2ea6107279e589bb5d21b5
Panic output
No response
Additional factoids
No response
References
No response
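
The second expected outcome above (no drift when only the order differs) amounts to comparing the hostname lists as unordered collections. The following Go sketch is an added example, not code from the Cloudflare provider; the function name `hostnameDrift` and the hostnames in `main` are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// hostnameDrift (hypothetical helper) compares the configured hostname list
// with the list returned by the API, ignoring order. It returns the hostnames
// that would have to be added, those that would have to be removed, and
// whether the two lists differ in ordering only.
func hostnameDrift(configured, remote []string) (add, remove []string, reorderOnly bool) {
	// Count occurrences so duplicate entries are not silently collapsed.
	counts := make(map[string]int)
	for _, h := range configured {
		counts[h]++
	}
	for _, h := range remote {
		counts[h]--
	}
	for h, n := range counts {
		for ; n > 0; n-- {
			add = append(add, h) // in config, missing on the server
		}
		for ; n < 0; n++ {
			remove = append(remove, h) // on the server, not in config
		}
	}
	sort.Strings(add)
	sort.Strings(remove)

	sameMembers := len(add) == 0 && len(remove) == 0
	// Equal membership implies equal length, so indexing remote is safe here.
	sameOrder := sameMembers
	for i := 0; sameOrder && i < len(configured); i++ {
		sameOrder = configured[i] == remote[i]
	}
	return add, remove, sameMembers && !sameOrder
}

func main() {
	// Constructed sample data: same hostnames, different order.
	configured := []string{"a.example.com", "b.example.com"}
	remote := []string{"b.example.com", "a.example.com"}
	add, remove, reorderOnly := hostnameDrift(configured, remote)
	fmt.Println(add, remove, reorderOnly)
}
```

With a comparison like this, a plan would report a change to `associated_hostnames` only when a hostname is actually added or removed, so a real change to which hostnames the certificate covers is not buried under a permanent reorder diff.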