DomBlack commented 2 weeks ago

Confirmation

[X] This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
[X] I have searched the issue tracker and my issue isn't already found.
[X] I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Running via the latest version of the pulumi module, however I've read the code and I'm pretty sure it's still in the master branch of this repo

Affected resource(s)

ZeroTrustAccessMtlsHostnameSettings

Terraform configuration files

Example:

    _, err = cloudflare.NewZeroTrustAccessMtlsHostnameSettings(ctx, "mtls-passthrough", &cloudflare.ZeroTrustAccessMtlsHostnameSettingsArgs{
        ZoneId: pulumi.String("myaccount-id"),
        Settings: cloudflare.ZeroTrustAccessMtlsHostnameSettingsSettingArray{
            &cloudflare.ZeroTrustAccessMtlsHostnameSettingsSettingArgs{
                Hostname:                    record.Hostname,
                ChinaNetwork:                pulumi.Bool(false),
                ClientCertificateForwarding: pulumi.Bool(true),
            },
        },
    })


### Link to debug output

n/a

### Panic output

_No response_

### Expected output

When using `ZoneId` as the parameter to update a specific zones mTLS hostname settings, only that zone is impacted, no other zones on the account are effected.

### Actual output

Either an API response of;

{ "result": null, "success": false, "errors": [ { "code": 12036, "message": "access.api.error.hostnames_must_belong_to_your_domain" } ], "messages": [] }


Or settings from other zones are removed

### Steps to reproduce

Have an account with multiple zones, manually through the API setup these settings on all zones.

Then try and use the terraform provider using the `zoneId` (not `accountId`) setting to update just that one zone

### Additional factoids

The reason is the code first reads the existing hostnames to find out what to delete by calling;

https://api.cloudflare.com/client/v4/zones/${zone id here}/access/certificates/settings



However, this endpoint includes all hostnames for the entire account - not just the zone requested.

This means then when the terraform provider goes to write the responses back it tries to include hostnames outside the zone in the URL.

### References

_No response_

github-actions[bot] commented 2 weeks ago

Community Note

Voting for Prioritization

Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.

github-actions[bot] commented 2 weeks ago

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

DomBlack commented 2 weeks ago

Pulumi debugging with TF_LOG=DEBUG set

Previewing update (staging):

@ previewing update.........
    pulumi:pulumi:Stack infra-staging  pulumi-aws: starting to validate credentials. Disable this by AWS_SKIP_CREDENTIALS_VALIDATION or skipCredentialsValidation option
    pulumi:pulumi:Stack infra-staging  pulumi-aws: credentials are valid
    pulumi:pulumi:Stack infra-staging running    sdkv2provider/config.go:39: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0
    pulumi:pulumi:Stack infra-staging running    provider/config.go:38: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0
@ previewing update....
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough  debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough  debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough update [diff: ~settings]; debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough update [diff: ~settings]; debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough update [diff: ~settings]; debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
Diagnostics:
  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings (mtls-passthrough):
    debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
    debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0

  pulumi:pulumi:Stack (infra-staging):
    pulumi-aws: starting to validate credentials. Disable this by AWS_SKIP_CREDENTIALS_VALIDATION or skipCredentialsValidation option
    pulumi-aws: credentials are valid
       sdkv2provider/config.go:39: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0
       provider/config.go:38: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0

Resources:
    ~ 1 to update
    911 unchanged

Updating (staging):

@ updating........
    pulumi:pulumi:Stack infra-staging running    provider/config.go:38: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0
    pulumi:pulumi:Stack infra-staging running    sdkv2provider/config.go:39: provider: cloudflare Client configured for user: : provider=cloudflare@5.42.0
    pulumi:pulumi:Stack infra-staging running debug:   sdkv2provider/data_source_zone.go:80: provider: Reading Zones: provider=cloudflare@5.42.0
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough  debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough
  debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough updating (0s) [diff: ~settings]; debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
@ updating....
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough updating (0s) [diff: ~settings]; debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough
  debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
    pulumi:pulumi:Stack infra-staging running read pulumi:pulumi:StackReference prod
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough updating (1s) [diff: ~settings]; debug:   zero_trust_access_mtls_hostname_settings/resource.go:133: provider: Updating Cloudflare Access Mutal TLS Hostname Settings from struct: {Settings:[{ChinaNetwork:0x1400270be33 ClientCertificateForwarding:0x1400270be35 Hostname:api.foobar.dev} {ChinaNetwork:<nil> ClientCertificateForwarding:<nil> Hostname:api.foobar.app}]}: provider=cloudflare@5.42.0
@ updating....
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough updating (2s) [diff: ~settings]; error: error updating Access Mutual TLS Hostname Settings: error updating Access Mutual TLS Hostname Settings for zones "131312e48bb74a2f021dc255659831cd": error from makeRequest: access.api.error.hostnames_must_belong_to_your_domain (12036)
 ~  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough **updating failed** [diff: ~settings]; error: error updating Access Mutual TLS Hostname Settings: error updating Access Mutual TLS Hostname Settings for zones "131312e48bb74a2f021dc255659831cd": error from makeRequest: access.api.error.hostnames_must_belong_to_your_domain (12036)
    pulumi:pulumi:Stack infra-staging running read pulumi:pulumi:StackReference prod
@ updating....
    pulumi:pulumi:Stack infra-staging running error: update failed
    pulumi:pulumi:Stack infra-staging **failed** 1 error; 6 messages; 50 debugs
    cloudflare:index:ZeroTrustAccessMtlsHostnameSettings mtls-passthrough
  2 debugs
Diagnostics:
  pulumi:pulumi:Stack (infra-staging):
  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings (mtls-passthrough
):
    debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0
    debug:   fwserver/server_planresourcechange.go:217: sdk.framework: Marking Computed attributes with null configuration values as unknown (known after apply) in the plan to prevent potential Terraform errors: provider=cloudflare@5.42.0

  cloudflare:index:ZeroTrustAccessMtlsHostnameSettings (mtls-passthrough):
    debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    debug:   fwserver/server_planresourcechange.go:208: sdk.framework: Detected value change between proposed new state and prior state: provider=cloudflare@5.42.0 tf_attribute_path=settings
    debug:   zero_trust_access_mtls_hostname_settings/resource.go:133: provider: Updating Cloudflare Access Mutal TLS Hostname Settings from struct: {Settings:[{ChinaNetwork:0x1400270be33 ClientCertificateForwarding:0x1400270be35 Hostname:api.foobar.dev} {ChinaNetwork:<nil> ClientCertificateForwarding:<nil> Hostname:api.foobar.app}]}: provider=cloudflare@5.42.0
    error: error updating Access Mutual TLS Hostname Settings: error updating Access Mutual TLS Hostname Settings for zones "131312e48bb74a2f021dc255659831cd": error from makeRequest: access.api.error.hostnames_must_belong_to_your_domain (12036)

Resources:
    107 unchanged

Duration: 12s

cloudflare / terraform-provider-cloudflare

Access mTls Hostname Settings don't work with multiple zones using it independantly and error out #4520

Confirmation

Terraform and Cloudflare provider version

Affected resource(s)

Terraform configuration files

Community Note