
Resource cloudflare_access_rule in upgrade loop #5871

@dmx-on

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

OpenTofu: v1.10.3
terragrunt: 0.83.2
cloudflare/cloudflare: v5.8.2

Affected resource(s)

  • cloudflare_access_rule

Terraform configuration files

resource "cloudflare_access_rule" "rule" {
  for_each = var.access_rules

  account_id = var.account_id
  zone_id    = var.zone_id

  mode = each.value.mode

  configuration = {
    target = each.value.target
    value  = each.value.value
  }
  notes = try(each.value.notes, null)
}

variable "account_id" {
  type = string
}

variable "zone_id" {
  type = string
}

variable "access_rules" {
  description = "Map of access rule keys to config objects"
  type = map(object({
    mode   = string
    target = string
    value  = string
    notes  = optional(string)
  }))
}

Link to debug output

Panic output

No response

Expected output

After applying changes for the cloudflare_access_rule resource, I expect the Terraform plan command to detect no changes, but it does: it wants to change the read-only "allowed_modes" and "scope" fields over and over again. In other words, Terraform apply does not consolidate the state.

Actual output

# cloudflare_access_rule.rule["rule1"] will be updated in-place
~ resource "cloudflare_access_rule" "rule" {
    ~ allowed_modes = [
        - "whitelist",
        - "block",
        - "challenge",
        - "js_challenge",
        - "managed_challenge",
      ] -> (known after apply)
    ~ created_on    = "2025-08-06T10:51:39Z" -> (known after apply)
      id            = "***"
    ~ modified_on   = "2025-08-06T11:36:30Z" -> (known after apply)
    ~ scope         = {
        + email = (known after apply)
        ~ id    = "****" -> (known after apply)
        ~ type  = "organization" -> (known after apply)
      } -> (known after apply)
      # (3 unchanged attributes hidden)

After Terraform apply the same config drift is detected in a loop.

Steps to reproduce

  1. Apply changes for the cloudflare_access_rule resource.
  2. Try to apply again.
  3. The same changes for the read-only "allowed_modes" and "scope" fields are visible in Terraform plan.

Additional factoids

No response

References

No response
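
A check for the symptom reported above, added here as an example (not part of the original issue or of the provider's code): it walks plan JSON in the shape produced by `tofu show -json <planfile>` and lists updates whose only pending changes are attributes marked "(known after apply)". The sample plan, ids, and rule values are constructed placeholders.

```python
# Added example: flags plan entries that are "update" in name only.
# Input shape follows `tofu show -json <planfile>` / `terraform show -json`.

def known_diff(before, after, unknown):
    """True if a value that is known at plan time differs from state."""
    if unknown is True:
        return False  # whole value is "(known after apply)"
    if isinstance(unknown, dict) and isinstance(after, dict):
        before = before if isinstance(before, dict) else {}
        return any(known_diff(before.get(k), after.get(k), unknown.get(k))
                   for k in set(before) | set(after))
    return before != after  # fully known value: plain comparison

def computed_only_updates(plan):
    """Map address -> unknown attributes for updates with no configured change."""
    hits = {}
    for rc in plan.get("resource_changes", []):
        ch = rc["change"]
        unknown = ch.get("after_unknown") or {}
        if ch["actions"] != ["update"] or not unknown:
            continue
        if not known_diff(ch.get("before"), ch.get("after"), unknown):
            hits[rc["address"]] = sorted(k for k, v in unknown.items() if v)
    return hits

# Constructed sample modelled on the plan in this issue; ids, target and value
# are placeholders. "rule2" also changes `mode`, so it is a real update.
_state = {"id": "ID-PLACEHOLDER", "mode": "block", "notes": None,
          "configuration": {"target": "ip", "value": "192.0.2.10"},
          "allowed_modes": ["whitelist", "block", "challenge"],
          "created_on": "2025-08-06T10:51:39Z",
          "modified_on": "2025-08-06T11:36:30Z",
          "scope": {"id": "SCOPE-PLACEHOLDER", "type": "organization"}}
_computed = {"allowed_modes": True, "created_on": True,
             "modified_on": True, "scope": True}
_planned = {k: v for k, v in _state.items() if k not in _computed}

def _rc(name, after):
    return {"address": f'cloudflare_access_rule.rule["{name}"]',
            "change": {"actions": ["update"], "before": _state,
                       "after": after, "after_unknown": _computed}}

SAMPLE_PLAN = {"resource_changes": [
    _rc("rule1", _planned),
    _rc("rule2", {**_planned, "mode": "challenge"})]}

if __name__ == "__main__":
    for addr, attrs in computed_only_updates(SAMPLE_PLAN).items():
        print(f"{addr}: only computed attributes pending -> {attrs}")
```

Run against successive plans in CI, a non-empty result that repeats after every apply matches the loop described in this issue, while entries such as the constructed "rule2" remain ordinary changes that still need review.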

Metadata

Assignees

No one assigned

Labels

kind/bug, needs-triage
