Terraform import/plan crashes after 2.18.0 upgrade

[ouranos]

Terraform version

Terraform v0.14.5
+ provider registry.terraform.io/cloudflare/cloudflare v2.18.0

Affected resource(s)

• cloudflare_access_group

Terraform configuration files

resource "cloudflare_access_group" "test_warp" {
  account_id = var.cloudflare_account_id
  name       = "Test WARP"

  include {
    email_domain = ["example.com"]
  }
}

Debug output

Panic output

https://gist.github.com/ouranos/4a778cb21dc80a35cca973b051b547e1

Expected behavior

The group is expected to be imported

Actual behavior

Terraform crashed

Steps to reproduce

1. Create an Access group with terraform apply
2. From the Cloudflare UI, edit the group to add "Require: Google Groups = [email protected]"
3. Run terraform plan
4. Terraform crash

Important factoids

The Cloudflare API reports this additional condition:

   "require":[
      {
         "gsuite":{
            "id":"redacted",
            "email":"[email protected]",
            "identity_provider_id":"<redacted_uid>"
         }
      }
   ]

Also note that if trying to require Gateway connections by adding "Require: Warp = Warp", terraform plan won't detect this configuration change. The API report it properly:

   "require":[
      {
         "warp":{
            "integration_uid":"<redacted_uid>",
            "integration_name":"Warp"
         }
      }
   ]

References

Community note

• Please vote on this issue by adding a 👍 reaction
  to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull
  request, please leave a comment

[jacobbednarz]

Just to confirm here, you're applying changes, updating via the UI and then attempting to apply again and you're getting a crash?

[ouranos]

Just to confirm here, you're applying changes, updating via the UI and then attempting to apply again and you're getting a crash?

Yes, sorry just edited to add a bit more details as I pressed submit too early.

I was trying to figure out how to set up some conditions that were not in the documentation. So I applied the initial change then manually edited it via the UI and was expecting terraform plan to show me the diff but instead:

• With a GSuite group requirement, it crashes (with 2.17.0 it wasn't showing a difference)
• With a WARP requirement, it doesn't show any difference

Here's the kind of group I'm trying to setup via Terraform:

[jacobbednarz]

The API (and here Terraform) doesn't yet support WARP attributes so that isn't going to be managed at the current time. We don't generally add support until the teams add public API support for it and commit to an interface they will continue to support. I can chase up this internally for a timeline.

Editing combined Access policies in the UI actually gives them a new ID which Terraform won't be able to manage. It doesn't look like that is the issue here but just FYI in case that pops up.

As for Gsuite, I'll have to spin up a full integration test for that as we don't current have a good way to test it automatically. In the meantime, you should manage your policies either via the UI or Terraform; not both.

[ouranos]

The API (and here Terraform) doesn't yet support WARP attributes so that isn't going to be managed at the current time. We don't generally add support until the teams add public API support for it and commit to an interface they will continue to support. I can chase up this internally for a timeline.

Thanks for pointing that out. I saw the API was showing it but if it's not publicly supported it makes sense.

Editing combined Access policies in the UI actually gives them a new ID which Terraform won't be able to manage. It doesn't look like that is the issue here but just FYI in case that pops up.

Ok, good to know.

As for Gsuite, I'll have to spin up a full integration test for that as we don't current have a good way to test it automatically. In the meantime, you should manage your policies either via the UI or Terraform; not both.

Ok, I'll stick with the UI for now.

Trying to create a new group, the following still causes a crash when trying to apply (the group is created correctly though):

resource "cloudflare_access_group" "test_warp" {
  account_id = var.cloudflare_account_id
  name       = "Test WARP"

  include {
    email_domain = ["example.com"]
  }

  require {
    gsuite {
      email                = ["[email protected]"]
      identity_provider_id = cloudflare_access_identity_provider.gsuite_oauth.id 
    }
  }
}

[jacobbednarz]

I managed to reproduce this one and made the fix in #940. Turns out I copy/pasta the attribute name wrong which results in trying to access a non-existent map key.

Thanks for raising this one @ouranos, we appreciate it!

[warwick-mitchell1]

Hi, is there an ETA on when 2.19.0 will be released? We're currently suffering from this bug but can't revert to an older version as using new resource cloudflare_argo_tunnel

[jacobbednarz]

no ETA at the moment; likely in the next week or so though once the 0.14 cloudflare-go breaking changes are incorporated.

if you need the changes immediately, you can build the provider locally following https://github.com/cloudflare/terraform-provider-cloudflare#building-the-provider