Cloudflare tunnel ingress_rule.origin_request generates not needed properties that break tunnel #2553

Closed
2 tasks done
mmalyska opened this issue Jun 27, 2023 · 5 comments
Labels
triage/duplicate Indicates an issue is a duplicate of other open issue.

Comments

@mmalyska

mmalyska commented Jun 27, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.5.0
on darwin_arm64

  • provider registry.terraform.io/cloudflare/cloudflare v4.8.0

Affected resource(s)

  • cloudflare_tunnel_config

Terraform configuration files

resource "cloudflare_tunnel" "jaskinia" {
  account_id = cloudflare_account.main.id
  name       = "Jaskinia"
  secret     = local.cloudflare_tunnel_secret
  config_src = "cloudflare"
}

resource "cloudflare_tunnel_config" "jaskinia_config" {
  account_id = cloudflare_account.main.id
  tunnel_id  = cloudflare_tunnel.jaskinia.id

  config {
    ingress_rule {
      hostname = "${local.cloudflare_domain}"
      service  = "https://traefik.traefik.svc.cluster.local:443"
      origin_request {
        origin_server_name = cloudflare_record.ingress.hostname
      }
    }
    ingress_rule {
      hostname = "*.${local.cloudflare_domain}"
      service  = "https://traefik.traefik.svc.cluster.local:443"
      origin_request {
        origin_server_name = cloudflare_record.ingress.hostname
      }
    }
    ingress_rule {
      service = "http_status:404"
    }
  }
}

Link to debug output

https://gist.github.com/mmalyska/c46af9673c6d382ddf13d64ed970dc94

Panic output

No response

Expected output

Terraform will perform the following actions:

  # cloudflare_tunnel_config.jaskinia_config_test will be updated in-place
  ~ resource "cloudflare_tunnel_config" "jaskinia_config_test" {
        id         = "13265f8c-9bcf-4195-9a8f-71eeb15b6f65"
        # (2 unchanged attributes hidden)

      ~ config {
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              + origin_request {
                  + origin_server_name       = "ipv4.example.com"
                }
            }
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              + origin_request {
                  + origin_server_name       = "ipv4.example.com"
                }
            }

            # (1 unchanged block hidden)
        }
    }

Actual output

Terraform will perform the following actions:

  # cloudflare_tunnel_config.jaskinia_config_test will be updated in-place
  ~ resource "cloudflare_tunnel_config" "jaskinia_config_test" {
        id         = "13265f8c-9bcf-4195-9a8f-71eeb15b6f65"
        # (2 unchanged attributes hidden)

      ~ config {
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              + origin_request {
                  + connect_timeout          = "30s"
                  + disable_chunked_encoding = false
                  + http2_origin             = false
                  + keep_alive_connections   = 100
                  + keep_alive_timeout       = "1m30s"
                  + no_happy_eyeballs        = false
                  + no_tls_verify            = false
                  + origin_server_name       = "ipv4.example.com"
                  + proxy_address            = "127.0.0.1"
                  + proxy_port               = 0
                  + tcp_keep_alive           = "30s"
                  + tls_timeout              = "10s"
                }
            }
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              + origin_request {
                  + connect_timeout          = "30s"
                  + disable_chunked_encoding = false
                  + http2_origin             = false
                  + keep_alive_connections   = 100
                  + keep_alive_timeout       = "1m30s"
                  + no_happy_eyeballs        = false
                  + no_tls_verify            = false
                  + origin_server_name       = "ipv4.example.com"
                  + proxy_address            = "127.0.0.1"
                  + proxy_port               = 0
                  + tcp_keep_alive           = "30s"
                  + tls_timeout              = "10s"
                }
            }

            # (1 unchanged block hidden)
        }
    }

Steps to reproduce

  1. Create tunnel without ingress_rule.origin_request
  2. After creating tunnel add ingress_rule.origin_request

Additional factoids

It breaks my tunnel and it is not working until I configure only needed options in CF UI.

It should only add origin_server_name and not override any defaults. Also the durations are a bit wonky.
They look this way in CF UI after applying the plan:
[image]
and they are not correct as durations base value is seconds and the values are too big:
[image]

After fixing them in UI and running plan it treats them as ns and not s:

# cloudflare_tunnel_config.jaskinia_config will be updated in-place
  ~ resource "cloudflare_tunnel_config" "jaskinia_config" {
        id         = "{some id}"
        # (2 unchanged attributes hidden)

      ~ config {
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              ~ origin_request {
                  ~ connect_timeout          = "30ns" -> "30s"
                  ~ keep_alive_timeout       = "90ns" -> "1m30s"
                  ~ tcp_keep_alive           = "30ns" -> "30s"
                  ~ tls_timeout              = "10ns" -> "10s"
                    # (9 unchanged attributes hidden)
                }
            }
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              ~ origin_request {
                  ~ connect_timeout          = "30ns" -> "30s"
                  ~ keep_alive_timeout       = "90ns" -> "1m30s"
                  ~ tcp_keep_alive           = "30ns" -> "30s"
                  ~ tls_timeout              = "10ns" -> "10s"
                    # (9 unchanged attributes hidden)
                }
            }

            # (1 unchanged block hidden)
        }
    }

So I think this shouldn't be closed as it won't fix adding additional properties in ingress_rule.origin_request.

References

It also adds proxy_address and other props that are not a duration, but should be empty that are fixed in #2520

@mmalyska mmalyska added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 27, 2023
@github-actions
Contributor

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Jun 27, 2023
@mmalyska mmalyska changed the title Cloudflare tunnel ingress_rule.origin_request generates not needed properties Cloudflare tunnel ingress_rule.origin_request generates not needed properties that break tunnel Jun 27, 2023
@jacobbednarz
Member

The two issues mentioned here are already addressed in #2510 and #2504. You can confirm this by using the master branch and building your own dev version.

@jacobbednarz jacobbednarz closed this as not planned Won't fix, can't repro, duplicate, stale Jun 27, 2023
@jacobbednarz jacobbednarz added triage/duplicate Indicates an issue is a duplicate of other open issue. and removed kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. labels Jun 27, 2023
@mmalyska
Author

mmalyska commented Jun 27, 2023

@jacobbednarz you are wrong. I've built the provider from master and the problem persists.

╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - cloudflare/cloudflare in /workspaces/home-ops/provision/terraform/test/terraform-provider-cloudflare
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with
│ published releases.
╵
var.cloudflare_api_key
  Enter a value: {redacted}
var.cloudflare_email
  Enter a value: {redacted}

cloudflare_account.main: Refreshing state... [id={redacted}]
cloudflare_tunnel.jaskinia: Refreshing state... [id={redacted}]
cloudflare_tunnel_config.jaskinia_config_test: Refreshing state... [id={redacted}]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_tunnel_config.jaskinia_config_test will be updated in-place
  ~ resource "cloudflare_tunnel_config" "jaskinia_config_test" {
        id         = "{redacted}"
        # (2 unchanged attributes hidden)

      ~ config {
          ~ ingress_rule {
                # (2 unchanged attributes hidden)

              + origin_request {
                  + connect_timeout          = "30s"
                  + disable_chunked_encoding = false
                  + http2_origin             = false
                  + keep_alive_connections   = 100
                  + keep_alive_timeout       = "1m30s"
                  + no_happy_eyeballs        = false
                  + no_tls_verify            = false
                  + origin_server_name       = "ipv4.example.com"
                  + proxy_address            = "127.0.0.1"
                  + proxy_port               = 0
                  + tcp_keep_alive           = "30s"
                  + tls_timeout              = "10s"
                }
            }

            # (2 unchanged blocks hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

And second yes, the problem with duration values treated as ns and not s is still there.

Check the new debug log https://gist.github.com/mmalyska/c46af9673c6d382ddf13d64ed970dc94#file-master_branch-txt

@mmalyska
Author

@jacobbednarz after upgrading to 4.9.0 the problem is still the same as with the master branch version.

@Cyb3r-Jak3
Contributor

Cyb3r-Jak3 commented Jun 28, 2023

@mmalyska What you are seeing is expected.
Those are the default values for those attributes, which are defined in the schema and in the developer documentation.
4.9.0 fixed the issue where anything related to times would be handled incorrectly, which I am seeing as fixed.

Small Edit: You may have to manually fix existing tunnels as terraform isn't going to see that the timeouts are different.
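
The nanoseconds-versus-seconds symptom reported in this thread, as an added Go example that is not the provider's code: it assumes the API stores each timeout as whole seconds, and the function names and stored integers are constructed for illustration. It shows how dropping the unit on write produces oversized values and dropping it on read produces the `"30ns" -> "30s"` diffs.

```go
package main

import (
	"fmt"
	"time"
)

// Assumption: the API stores each timeout as an integer number of seconds.
// Go's time.Duration is an integer number of nanoseconds.

// toAPISeconds converts explicitly: 30s -> 30.
func toAPISeconds(d time.Duration) int64 { return int64(d / time.Second) }

// fromAPISeconds converts explicitly: 30 -> 30s.
func fromAPISeconds(n int64) time.Duration { return time.Duration(n) * time.Second }

// toAPIRaw forgets the unit on write: 30s -> 30000000000.
func toAPIRaw(d time.Duration) int64 { return int64(d) }

// fromAPIRaw forgets the unit on read: 30 -> 30ns.
func fromAPIRaw(n int64) time.Duration { return time.Duration(n) }

// planDiff renders the diff a plan would show for one attribute, or "" when
// the stored value decodes to the configured one.
func planDiff(cfg string, stored int64, dec func(int64) time.Duration) (string, error) {
	want, err := time.ParseDuration(cfg)
	if err != nil {
		return "", fmt.Errorf("bad duration %q: %w", cfg, err)
	}
	if got := dec(stored); got != want {
		return fmt.Sprintf("%q -> %q", got.String(), want.String()), nil
	}
	return "", nil
}

func main() {
	// Constructed sample: configured values from the plan, stored values as
	// whole seconds after a manual correction in the UI.
	attrs := []struct {
		name, cfg string
		stored    int64
	}{
		{"connect_timeout", "30s", 30}, {"keep_alive_timeout", "1m30s", 90},
		{"tcp_keep_alive", "30s", 30}, {"tls_timeout", "10s", 10},
	}
	for _, a := range attrs {
		d, _ := time.ParseDuration(a.cfg)
		raw, _ := planDiff(a.cfg, a.stored, fromAPIRaw)
		ok, _ := planDiff(a.cfg, a.stored, fromAPISeconds)
		fmt.Printf("%-18s write raw=%d secs=%d | read raw: %s | read secs: %q\n",
			a.name, toAPIRaw(d), toAPISeconds(d), raw, ok)
	}
}
```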
