pulumi / pulumi-cloudflare

Pulumi's Cloudflare package, providing multi-language infrastructure as code for Cloudflare
Apache License 2.0

Import for Access App Fails #405

Open bradyburke opened 1 year ago

bradyburke commented 1 year ago

What happened?

Any import of an access application fails with:

  cloudflare:index:AccessApplication (galaxy-dev.io/api/v1/admin)
    error: Preview failed: importing galaxy-dev.io/api/v1/admin: importer for galaxy-dev.io/api/v1/admin returned a empty resource state. This is always the result of a bug in the resource provider - please report this as a bug in the Pulumi provider repository.

Expected Behavior

The import to succeed.

Steps to reproduce

Create an access app and try to import it into a stack.

Output of pulumi about

❯ pulumi about
CLI          
Version      3.67.0
Go Version   go1.20.4
Go Compiler  gc

Plugins
NAME          VERSION
aws           5.19.0
azure-native  1.84.0
cloudflare    4.16.0
gcp           6.41.0
nodejs        unknown

Host     
OS       darwin
Version  13.3.1
Arch     arm64

This project is written in nodejs: executable='/opt/homebrew/bin/node' version='v20.0.0'

Additional context

No response


t0yv0 commented 1 year ago

Thank you for reporting this issue @bradyburke!

Judging from pulumi about, you are using cloudflare 4.16.0. Does this issue also affect more recent versions, such as v5.0.0?

bradyburke commented 1 year ago

@t0yv0 Trying to figure that out, updating has caused quite a few errors within our stacks:

    pulumi:pulumi:Stack trino-plane-dev-global running error: fatal: failed to Init GRPC to register RPC handlers: failed to create resource provider: ProviderInfo needs a semver-compatible version string, got info.Version=""

    pulumi:providers:cloudflare default_5_1_0  error: could not read plugin [/Users/bradyburke/.pulumi/plugins/resource-cloudflare-v5.1.0/pulumi-resource-cloudflare] stdout: EOF

    pulumi:pulumi:Stack trino-plane-dev-global running error: Unhandled exception: Error: invocation of cloudflare:index/getZones:getZones returned an error: error reading from server: read tcp 127.0.0.1:53134->127.0.0.1:53131: use of closed network connection

    pulumi:pulumi:Stack trino-plane-dev-global running error: Unhandled exception: Error: invocation of cloudflare:index/getZones:getZones returned an error: error reading from server: read tcp 127.0.0.1:53134->127.0.0.1:53131: use of closed network connection

    pulumi:pulumi:Stack trino-plane-dev-global running error: Unhandled exception: Error: invocation of cloudflare:index/getZones:getZones returned an error: error reading from server: read tcp 127.0.0.1:53134->127.0.0.1:53131: use of closed network connection

    pulumi:pulumi:Stack trino-plane-dev-global running error: Unhandled exception: Error: invocation of cloudflare:index/getZones:getZones returned an error: error reading from server: read tcp 127.0.0.1:53134->127.0.0.1:53131: use of closed network connection

    pulumi:pulumi:Stack trino-plane-dev-global running error: Unhandled exception: Error: invocation of cloudflare:index/getZones:getZones returned an error: error reading from server: read tcp 127.0.0.1:53134->127.0.0.1:53131: use of closed network connection

    pulumi:providers:cloudflare default_5_1_0  1 error
    pulumi:pulumi:Stack trino-plane-dev-global  5 errors; 1 warning; 1 message

I'll try to repro in a different stack.

t0yv0 commented 1 year ago

Thank you! Yes, 5.1.0 is currently not usable due to a P1 issue, fixing that shortly to release 5.1.1; 5.0.0 may be interesting to try.

bradyburke commented 1 year ago

@t0yv0 On 5.0.0:

Diagnostics:
  cloudflare:index:AccessApplication (galaxy-dev.io/api/v1/admin):
    error: Preview failed: 1 error occurred:
        * must provide exactly one of "api_key", "api_token" or "api_user_service_key".

t0yv0 commented 1 year ago

It sounds like something is not getting the right credentials to talk to the Cloudflare API, or perhaps there was an unintentional change in 5.x.x around credentials handling. How are you authorizing your program? It appears that one method that works is using scoped API tokens, which can be set as an env var:

export CLOUDFLARE_API_TOKEN=...

t0yv0 commented 1 year ago

Some further notes: I've tried to reproduce this issue but I'm getting a slightly different error. I first used this Pulumi program to provision an actual AccessApplication:

import * as pulumi from "@pulumi/pulumi";
import * as cloudflare from "@pulumi/cloudflare";

const config = new pulumi.Config();
const accountId = config.require("accountId");

const zone = new cloudflare.Zone("my-zone", {
    zone: "ts-test-cloudflare-pulumi.com",
    accountId: accountId,
});

// With CORS configuration
// So AccessApplication is actually a SDKv2 resource. Why is it being denied?
const stagingApp = new cloudflare.AccessApplication("stagingApp", {
    corsHeaders: [{
        allowCredentials: true,
        allowedMethods: [
            "GET",
            "POST",
            "OPTIONS",
        ],
        allowedOrigins: ["https://ts-test-cloudflare-pulumi.com"],
        maxAge: 10,
    }],
    domain: "ts-test-cloudflare-pulumi",
    name: "staging application",
    sessionDuration: "24h",
    saasApp: {spEntityId: "gibberish21423523", consumerServiceUrl: "http://theregibberish21423523"},
    type: "saas",
    zoneId: zone.id
});

export const appid = stagingApp.id;

Then I used import to import another copy of it into the Pulumi stack:

#!/usr/bin/env bash

set -euo pipefail

export CLOUDFLARE_API_TOKEN=...
ACCOUNT_ID=...
pulumi config set accountId "$ACCOUNT_ID"

pulumi up --yes

echo pulumi import cloudflare:index/accessApplication:AccessApplication example2 $(pulumi stack output appid)
PULUMI_DEBUG_GRPC="$PWD/import.json" pulumi import cloudflare:index/accessApplication:AccessApplication example2 $ACCOUNT_ID/$(pulumi stack output appid)

The error I'm getting is

    error: Preview failed: importing **redacted-account-id**/**redacted-app-id**: failed to read Access Application state

I wonder how to reproduce the originally reported error message. Perhaps there is an issue with the token scopes I'm using not permitting this to read the state.
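A pre-flight check for the import step shown in this thread, added here as an example and not part of the thread or the pulumi-cloudflare project: it verifies the two things the errors above point at (exactly one provider credential present in the environment, and an import ID of the `<account_id>/<app_id>` form used in the reproduction) before calling `pulumi import`. It assumes Cloudflare account IDs are 32 hex characters and Access application IDs are UUIDs, and that the provider also reads CLOUDFLARE_API_KEY and CLOUDFLARE_API_USER_SERVICE_KEY alongside CLOUDFLARE_API_TOKEN; the function and variable names are mine.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks before `pulumi import` of an AccessApplication.
# Assumed formats (not taken from the thread): account ID = 32 hex chars,
# Access application ID = UUID.
set -eu

ACCOUNT_ID_RE='^[0-9a-f]{32}$'
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

# check_import_id "<account_id>/<app_id>": returns 0 if well formed, 1 otherwise.
check_import_id() {
  id="$1"
  case "$id" in
    */*) ;;
    *) echo "import ID '$id' lacks the '<account_id>/<app_id>' separator" >&2; return 1 ;;
  esac
  account="${id%%/*}"
  app="${id#*/}"
  if ! printf '%s' "$account" | grep -Eq "$ACCOUNT_ID_RE"; then
    echo "'$account' does not look like a 32-hex Cloudflare account ID" >&2; return 1
  fi
  if ! printf '%s' "$app" | grep -Eq "$UUID_RE"; then
    echo "'$app' does not look like an Access application UUID" >&2; return 1
  fi
}

# check_credentials: returns 0 only if exactly one of the three provider
# credentials is exported, matching the provider's "exactly one of" error.
check_credentials() {
  n=0
  [ -n "${CLOUDFLARE_API_TOKEN:-}" ] && n=$((n + 1))
  [ -n "${CLOUDFLARE_API_KEY:-}" ] && n=$((n + 1))
  [ -n "${CLOUDFLARE_API_USER_SERVICE_KEY:-}" ] && n=$((n + 1))
  [ "$n" -eq 1 ]
}

# run_import <resource name> <account_id>/<app_id>: runs the checks, then the import.
run_import() {
  check_credentials || { echo "export exactly one Cloudflare credential first" >&2; return 1; }
  check_import_id "$2" || return 1
  pulumi import cloudflare:index/accessApplication:AccessApplication "$1" "$2"
}
```

Run as `run_import example2 "$ACCOUNT_ID/$(pulumi stack output appid)"` from the stack directory; the checks fail fast with a message instead of a provider-side preview error.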