Hostname AOP Certificates are not Supported with the v5 Providers #5895

@awellock

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform -v
Terraform v1.12.2
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v5.8.2
+ provider registry.terraform.io/hashicorp/tls v4.1.0

Affected resource(s)

cloudflare_authenticated_origin_pulls
cloudflare_authenticated_origin_pulls_certificate

Terraform configuration files

# Inputs referenced by the resources below.
variable "zone_id"  {}
variable "hostname" {}

# The report assumes an SSL cert already exists; these two hashicorp/tls
# resources supply the self-signed client cert and key it references.
resource "tls_private_key" "cert_key" {
  algorithm = "RSA"
  rsa_bits  = 2048
}

resource "tls_self_signed_cert" "cert" {
  private_key_pem       = tls_private_key.cert_key.private_key_pem
  validity_period_hours = 8760
  allowed_uses          = ["client_auth"]
  subject {
    common_name = var.hostname
  }
}

# In v5 this resource has no "type" attribute, so the cert is always
# uploaded through the per-zone endpoint.
resource "cloudflare_authenticated_origin_pulls_certificate" "self_signed" {
  zone_id     = var.zone_id
  certificate = tls_self_signed_cert.cert.cert_pem
  private_key = tls_private_key.cert_key.private_key_pem
}

# Per-hostname AOP config; cert_id must be a hostname-scoped certificate.
resource "cloudflare_authenticated_origin_pulls" "test_alexwellock_com" {
  zone_id = var.zone_id
  config = [{
    cert_id  = cloudflare_authenticated_origin_pulls_certificate.self_signed.id
    enabled  = true
    hostname = var.hostname
  }]
}

Link to debug output

https://gist.github.com/awellock/fffd0f1f7b734cabfd2b6597aae63f68

Panic output

No panic

Expected output

I expect a way to create a client certificate for Hostname-scoped AOP. However, it looks like the 5.x version of the provider removed the type variable from the certificate object.

Actual output

No way to create a hostname client cert so AOP can not be enabled on the hostname with the cert that gets created.

Steps to reproduce

I provided all the Terraform code needed to reproduce the error, with the assumption that an SSL cert is already created.
Use the only method of adding a client AOP certificate to Cloudflare.
Try to use the cert for hostname-based AOP.

Additional factoids

Version 4 of the provider has the notion of type "per-zone" or "per-hostname", which allowed the provider to call the correct endpoint to upload the client cert. This functionality appears to be missing in 5.
A POST to /zones/{zone_id}/origin_tls_client_auth/hostnames/certificates
vs.
/zones/{zone_id}/origin_tls_client_auth

References

No response
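The workaround the report points at, as an added example that is not part of the original issue or of the provider: upload the client certificate through the per-hostname endpoint quoted above instead of the per-zone one, then bind the returned certificate id to the hostname. The two certificate endpoint paths are the ones named in the issue; the hostname-binding endpoint (PUT /zones/{zone_id}/origin_tls_client_auth/hostnames), the JSON field names (certificate, private_key, config, hostname, cert_id, enabled), the Bearer-token header and the response envelope (success/errors/result) are assumptions taken from the Cloudflare v4 API documentation, and the environment variable names are arbitrary.

```python
"""Upload a per-hostname Authenticated Origin Pulls (AOP) client cert via the
Cloudflare API and enable AOP for that hostname.

Added example, not code from the issue or the provider. The certificate
endpoint paths are quoted in the issue; field names, the hostname-binding
endpoint and the auth header are assumptions from the Cloudflare API docs.
"""
import json
import os
import sys
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"


def zone_cert_url(zone_id: str) -> str:
    """Per-zone AOP certificate endpoint: the only one the v5 resource reaches."""
    return f"{API_BASE}/zones/{zone_id}/origin_tls_client_auth"


def hostname_cert_url(zone_id: str) -> str:
    """Per-hostname AOP certificate endpoint, which the v5 resource cannot call."""
    return f"{API_BASE}/zones/{zone_id}/origin_tls_client_auth/hostnames/certificates"


def hostname_config_url(zone_id: str) -> str:
    """Binds a hostname to a hostname-scoped cert_id and toggles AOP (assumed path)."""
    return f"{API_BASE}/zones/{zone_id}/origin_tls_client_auth/hostnames"


def cert_upload_body(cert_pem: str, key_pem: str) -> dict:
    """Request body for both certificate endpoints (assumed field names)."""
    return {"certificate": cert_pem, "private_key": key_pem}


def hostname_enable_body(hostname: str, cert_id: str, enabled: bool = True) -> dict:
    """Request body mirroring the provider's config = [{hostname, cert_id, enabled}]."""
    return {"config": [{"hostname": hostname, "cert_id": cert_id, "enabled": enabled}]}


def parse_result(raw: bytes) -> dict:
    """Return the `result` object of a Cloudflare API envelope, or raise with the
    API's own error codes/messages when `success` is false (e.g. a cert that is
    rejected because it was uploaded to the wrong scope)."""
    env = json.loads(raw)
    if not env.get("success"):
        msgs = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in env.get("errors", []))
        raise RuntimeError(f"Cloudflare API call failed: {msgs or 'no error detail'}")
    return env["result"]


def call(method: str, url: str, token: str, body: dict) -> dict:
    """Send one JSON request with an API token and unwrap the envelope."""
    req = urllib.request.Request(
        url,
        method=method,
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_result(resp.read())


def main() -> None:
    # Usage: python aop_hostname_cert.py client.pem client-key.pem
    # with CF_ZONE_ID, AOP_HOSTNAME and CF_API_TOKEN set in the environment.
    zone_id, hostname, token = (os.environ[k] for k in ("CF_ZONE_ID", "AOP_HOSTNAME", "CF_API_TOKEN"))
    with open(sys.argv[1]) as f:
        cert_pem = f.read()
    with open(sys.argv[2]) as f:
        key_pem = f.read()
    # Step 1: upload to the hostname-scoped endpoint, not the zone-scoped one.
    cert = call("POST", hostname_cert_url(zone_id), token, cert_upload_body(cert_pem, key_pem))
    cert_id = cert["id"]
    # Step 2: point the hostname at that cert and enable AOP for it.
    call("PUT", hostname_config_url(zone_id), token, hostname_enable_body(hostname, cert_id))
    print(f"uploaded hostname cert {cert_id} and enabled AOP for {hostname}")


if __name__ == "__main__":
    main()
```

Until the provider exposes the per-hostname upload again, a script like this can be run out of band, or from a `terraform_data` resource with a `local-exec` provisioner, and the resulting id fed into `cloudflare_authenticated_origin_pulls` as `cert_id`; the private key is only ever sent to Cloudflare, so keep it out of the Terraform state if you go that route.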

Metadata

Labels

kind/bug: Categorizes issue or PR as related to a bug.
version/5: Categorizes issue or PR as related to version 5 of the provider.