cloudflare_zone_settings_override TF state in wrong state if apply fails in the very first time

[Nmishin]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform 1.0.4
cloudflare 3.15.0 (and some previous versions)

Affected resource(s)

cloudflare_zone_settings_override

Terraform configuration files

zone_settings = {
  "default" = {
    always_online            = "on"
    always_use_https         = "on"
    automatic_https_rewrites = "off"
    brotli                   = "on"
    browser_cache_ttl        = 0
    browser_check            = "on"
    binary_ast               = "off"
    cache_level              = "aggressive"
    challenge_ttl            = 1800
    cname_flattening         = "flatten_at_root"
    development_mode         = "off"
    early_hints              = "off"
    email_obfuscation        = "on"
    hotlink_protection       = "off"
    http2                    = "on"
    http3                    = "on"
    h2_prioritization        = "on"
    ip_geolocation           = "on"
    ipv6                     = "on"
    max_upload               = 100
    min_tls_version          = "1.2"
  }
}

Debug output

module.zone_settings["dd"].cloudflare_zone_settings_override.main: Destroying... [id=<zone_id>]
2022-06-29T21:50:06.863Z [INFO] Starting apply for module.zone_settings["dd"].cloudflare_zone_settings_override.main
2022-06-29T21:50:06.863Z [DEBUG] module.zone_settings["dd"].cloudflare_zone_settings_override.main: applying the planned Delete change
2022-06-29T21:50:06.865Z [INFO] provider.terraform-provider-cloudflare_v3.15.0: 2022/06/29 21:50:06 [DEBUG] Reverting Cloudflare Zone Settings to initial settings with update configuration: []cloudflare.ZoneSetting{cloudflare.ZoneSetting{ID:"rocket_loader", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"cname_flattening", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"0rtt", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"ip_geolocation", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"browser_cache_ttl", Editable:false, ModifiedOn:"", Value:0, TimeRemaining:0}, cloudflare.ZoneSetting{ID:"tls_client_auth", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"true_client_ip_header", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"orange_to_orange", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"brotli", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"hotlink_protection", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"pseudo_ipv4", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"log_to_cloudflare", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"always_online", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"tls_1_3", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"http2", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"tls_1_2_only", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"origin_error_page_pass_thru", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"privacy_pass", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"server_side_exclude", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"websockets", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"ipv6", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"prefetch_preload", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"ssl", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"cache_level", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"sort_query_string_for_cache", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"mirage", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"opportunistic_encryption", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"opportunistic_onion", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"development_mode", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"always_use_https", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"polish", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"waf", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"filter_logs_to_cloudflare", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"visitor_ip", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"early_hints", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"browser_check", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"security_level", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"min_tls_version", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"automatic_https_rewrites", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"challenge_ttl", Editable:false, ModifiedOn:"", Value:0, TimeRemaining:0}, cloudflare.ZoneSetting{ID:"response_buffering", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"http3", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"max_upload", Editable:false, ModifiedOn:"", Value:0, TimeRemaining:0}, cloudflare.ZoneSetting{ID:"proxy_read_timeout", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}, cloudflare.ZoneSetting{ID:"email_obfuscation", Editable:false, ModifiedOn:"", Value:"", TimeRemaining:0}}: timestamp=2022-06-29T21:50:06.865Z
2022-06-29T21:50:06.865Z [INFO] provider.terraform-provider-cloudflare_v3.15.0: 2022/06/29 21:50:06 [DEBUG] Cloudflare API Request Details:
---[ REQUEST ]---------------------------------------
PATCH /client/v4/zones/<zone_id>/settings/early_hints HTTP/1.1
Host: api.cloudflare.com
User-Agent: terraform/1.0.4 terraform-plugin-sdk/2.10.1 terraform-provider-cloudflare/3.15.0
Content-Length: 67
Authorization: Bearer [MASKED]
Content-Type: application/json
Accept-Encoding: gzip
{
"id": "early_hints",
"editable": false,
"value": "",
"time_remaining": 0
}
-----------------------------------------------------: timestamp=2022-06-29T21:50:06.865Z
2022-06-29T21:50:09.544Z [INFO] provider.terraform-provider-cloudflare_v3.15.0: 2022/06/29 21:50:09 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 400 Bad Request
Connection: close
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Cf-Cache-Status: DYNAMIC
Cf-Ray: 7231e03d4cbec1c0-IAD
Content-Type: application/json
Date: Wed, 29 Jun 2022 21:50:09 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Expires: Sun, 25 Jan 1981 05:00:00 GMT
Pragma: no-cache
Server: cloudflare
Set-Cookie: __cflb=0H28vgHxwvgAQtjUGU4vq74ZFe3sNVUZU27uZhJqqTK; SameSite=Lax; path=/; expires=Thu, 30-Jun-22 00:20:10 GMT; HttpOnly
Set-Cookie: __cfruid=6e75a96bcdae3066f126153d63a144a6b1cdccad-1656539409; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
Strict-Transport-Security: max-age=31536000
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
{
"success": false,
"errors": [
{
"code": 1007,
"message": "Invalid value for zone setting early_hints"
}
],
"messages": [],
"result": null
}
-----------------------------------------------------: timestamp=2022-06-29T21:50:09.544Z
╷
│ Error: Invalid value for zone setting early_hints (1007)
│
│
╵
2022-06-29T21:50:09.720Z [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-06-29T21:50:09.721Z [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/cloudflare/cloudflare/3.15.0/linux_amd64/terraform-provider-cloudflare_v3.15.0 pid=195
2022-06-29T21:50:09.721Z [DEBUG] provider: plugin exited

Panic output

No response

Expected output

Apply complete!

Actual output

│ Error: Invalid value for zone setting early_hints (1007)

Steps to reproduce

1. Create a new configuration for cloudflare_zone_settings_override
2. make some mistake in syntax, tokens or something
3. try to apply changed configuration

Additional factoids

As I understand the main issue that cloudflare_zone_settings_override don't have a "initial_settings" at all, and try to make wrong request to the Cloudflare API, with blank values (as you can see from debug output).

In the state it looks like this:

      "module": "module.zone_settings[\"dd\"]",
      "mode": "managed",
      "type": "cloudflare_zone_settings_override",
      "name": "main",
      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
      "instances": [
        {
          "status": "tainted",
          "schema_version": 0,
          "attributes": {
            "id": "<zone_id>",
            "initial_settings": null,
            "initial_settings_read_at": null,
            "readonly_settings": [
              "advanced_ddos"
            ],
            "settings": [
              {
                "always_online": "on",
                "always_use_https": "off",
                "automatic_https_rewrites": "off",
                "binary_ast": "",
                "brotli": "off",
                "browser_cache_ttl": 14400,

state truncated

References

No response

[renaudhager]

Hi @Nmishin,

I have the issue than you with the version 3.18.0.
For me it happens when Terraform try to recreate the resource cloudflare_zone/settings_override, by destroying first and then recreates it.
It fails during the destruction, because of bad API call.

I did the following workaround:

1. remove the cloudflare_zone/settings_override resource definition from the code.
2. remove the cloudflare_zone/settings_override resource from the state file.
3. put back the resource definition.

See below:

[TomGudman]

What @renaudhager said still works and worked for me but I simply did:

terragrunt rm state cloudflare_zone_settings_override.this    # edit 'this' for your resource name
terragrunt apply

PS: Replace terragrunt by terraform in the above commands if you don't use terragrunt.

[jacobbednarz]

this is a side effect of the way resource works internally and it not being clear this resource shouldn't be used for all resources that aren't overridden from their default values or have plan dependant values. instead of spending too much time on addressing this known problem, #1646 will hopefully introduce a new resource that manages all settings correctly (not just overridden ones) so we'll concentrate effort there instead.

[gtebbutt]

@jacobbednarz Just came across this issue after having the same issue in 4.5.0 - is there a recommended alternative now? I wasn't able to see one in the docs, but I may well have missed it.