Unable to create new origin rule and Transform Rule using Terraform , after importing Origin rule and Transform rule #3219

Closed
2 tasks done
AzureTushar opened this issue Mar 27, 2024 · 5 comments
Labels
kind/support Categorizes issue or PR as related to user support. working-as-intended Indicates an issue is working as designed.

@AzureTushar

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform version : v1.7.5
Cloudflare provider version : v4.26.0

Affected resource(s)

We are not able to create new rule sets, origin rule and Transform, using Terraform.
We started with the Cloudflare Dashboard and created a few rule sets such as origin rules, transform rules, A records, WAF rules, etc.
Now we want to automate the creation of new rules, but I am getting an error:

cloudflare_ruleset.http_origin_rule_ui_provider: Creating...

│ Error: failed to create ruleset "http_request_origin"

│ with cloudflare_ruleset.http_origin_rule_ui_provider,
│ on main.tf line 48, in resource "cloudflare_ruleset" "http_origin_rule_ui_provider":
│ 48: resource "cloudflare_ruleset" "http_origin_rule_ui_provider" {

│ A similar configuration with rules already exists and overwriting will have
│ unintended consequences. If you are migrating from the Dashboard, you will
│ need to first import the existing rules using cf-terraforming. You can find
│ details about how to do this at
https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch

After connecting on a call with Cloudflare support, they said that we should be able to create new rules using Terraform and that importing the existing rules is not needed. We did try that and are still facing the above error.

We have also tried importing the existing origin rule and transform rules using CF-terraforming, but it is still giving the same error. We have not imported other rules like WAF, CNAME and A records, as we do not want to control them using Terraform.

Terraform configuration files

# resource "cloudflare_ruleset" "http_origin_rule_ui_provider" {
#   zone_id     = var.zone_id
#   name        = "Change origin"
#   description = ""
#   kind        = "zone"
#   phase       = "http_request_origin"

#   rules {
#     action = "route"
#     action_parameters {
#       host_header = "example.net"
#       origin {
#         host = "example.net"
#         port = 8000
#       }
#     }
#     expression  = "(http.request.uri.path matches \"^/api/\")"
#     description = "Change origin of API requests"
#     enabled     = true
#   }
# }

Link to debug output

2024-03-27T09:27:15.868Z [ERROR] provider.terraform-provider-cloudflare_v4.27.0: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:62 @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=cloudflare_ruleset tf_rpc=ApplyResourceChange tf_req_id=c8cdd27c-3cda-03a9-5131-e7d128d2022c diagnostic_detail="A similar configuration with rules already exists and overwriting will have unintended consequences. If you are migrating from the Dashboard, you will need to first import the existing rules using cf-terraforming. You can find details about how to do this at https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch" diagnostic_summary="failed to create ruleset "http_request_origin"" tf_proto_version=6.4 tf_provider_addr=registry.terraform.io/cloudflare/cloudflare timestamp=2024-03-27T09:27:15.867Z
2024-03-27T09:27:15.894Z [DEBUG] State storage *remote.State declined to persist a state snapshot
2024-03-27T09:27:15.894Z [ERROR] vertex "cloudflare_ruleset.http_origin_rule_ui_provider" error: failed to create ruleset "http_request_origin"
2024-03-27T09:27:15.894Z [DEBUG] states/remote: state read serial is: 1; serial is: 1
2024-03-27T09:27:15.894Z [DEBUG] states/remote: state read lineage is: 6da6d58c-30bf-f4f5-7b58-d10eb554a33d; lineage is: 6da6d58c-30bf-f4f5-7b58-d10eb554a33d
╷
│ Error: failed to create ruleset "http_request_origin"
│
│ with cloudflare_ruleset.http_origin_rule_ui_provider,
│ on main.tf line 48, in resource "cloudflare_ruleset" "http_origin_rule_ui_provider":
│ 48: resource "cloudflare_ruleset" "http_origin_rule_ui_provider" {
│
│ A similar configuration with rules already exists and overwriting will have
│ unintended consequences. If you are migrating from the Dashboard, you will
│ need to first import the existing rules using cf-terraforming. You can find
│ details about how to do this at
│ https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch
╵
2024-03-27T09:27:15.897Z [DEBUG] Azure Backend Request:
HEAD /terraform-state/buc.cloudflare.pat.nonprod.tfstate HTTP/1.1
Host: bucnonprodterraformstate.blob.core.windows.net
User-Agent: HashiCorp Terraform/1.7.5 (+https://www.terraform.io) VSTS_28c605bd-04ed-4b71-afe0-c71a037e115f_build_1636_0
X-Ms-Date: Wed, 27 Mar 2024 09:27:15 GMT
X-Ms-Lease-Id: 4ef00cea-5549-632b-4bda-552d67203b50
X-Ms-Version: 2018-11-09

Panic output

2024-03-27T09:27:15.868Z [ERROR] provider.terraform-provider-cloudflare_v4.27.0: Response contains error diagnostic: @caller=github.com/hashicorp/[email protected]/tfprotov6/internal/diag/diagnostics.go:62 @module=sdk.proto diagnostic_severity=ERROR tf_resource_type=cloudflare_ruleset tf_rpc=ApplyResourceChange tf_req_id=c8cdd27c-3cda-03a9-5131-e7d128d2022c diagnostic_detail="A similar configuration with rules already exists and overwriting will have unintended consequences. If you are migrating from the Dashboard, you will need to first import the existing rules using cf-terraforming. You can find details about how to do this at https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch" diagnostic_summary="failed to create ruleset "http_request_origin"" tf_proto_version=6.4 tf_provider_addr=registry.terraform.io/cloudflare/cloudflare timestamp=2024-03-27T09:27:15.867Z

2024-03-27T09:27:15.894Z [DEBUG] State storage *remote.State declined to persist a state snapshot

2024-03-27T09:27:15.894Z [ERROR] vertex "cloudflare_ruleset.http_origin_rule_ui_provider" error: failed to create ruleset "http_request_origin"

2024-03-27T09:27:15.894Z [DEBUG] states/remote: state read serial is: 1; serial is: 1

2024-03-27T09:27:15.894Z [DEBUG] states/remote: state read lineage is: 6da6d58c-30bf-f4f5-7b58-d10eb554a33d; lineage is: 6da6d58c-30bf-f4f5-7b58-d10eb554a33d

│ Error: failed to create ruleset "http_request_origin"

│ with cloudflare_ruleset.http_origin_rule_ui_provider,

│ on main.tf line 48, in resource "cloudflare_ruleset" "http_origin_rule_ui_provider":

│ 48: resource "cloudflare_ruleset" "http_origin_rule_ui_provider" {

│ A similar configuration with rules already exists and overwriting will have

│ unintended consequences. If you are migrating from the Dashboard, you will

│ need to first import the existing rules using cf-terraforming. You can find

│ details about how to do this at

https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch

2024-03-27T09:27:15.897Z [DEBUG] Azure Backend Request:

HEAD /terraform-state/buc.cloudflare.pat.nonprod.tfstate HTTP/1.1

Host: bucnonprodterraformstate.blob.core.windows.net

User-Agent: HashiCorp Terraform/1.7.5 (+https://www.terraform.io) VSTS_28c605bd-04ed-4b71-afe0-c71a037e115f_build_1636_0

X-Ms-Date: Wed, 27 Mar 2024 09:27:15 GMT

X-Ms-Lease-Id: 4ef00cea-5549-632b-4bda-552d67203b50

X-Ms-Version: 2018-11-09

Expected output

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
Finishing: terraform apply

Actual output

Terraform v1.7.5
on linux_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v4.27.0
  • provider registry.terraform.io/hashicorp/azurerm v3.97.1
    /datadrive/vm02-agent01/_work/_tool/terraform/1.7.5/x64/terraform apply -auto-approve .tfplan
    cloudflare_ruleset.http_origin_rule_ui_provider: Creating...

    │ Error: failed to create ruleset "http_request_origin"

    │ with cloudflare_ruleset.http_origin_rule_ui_provider,
    │ on main.tf line 48, in resource "cloudflare_ruleset" "http_origin_rule_ui_provider":
    │ 48: resource "cloudflare_ruleset" "http_origin_rule_ui_provider" {

    │ A similar configuration with rules already exists and overwriting will have
    │ unintended consequences. If you are migrating from the Dashboard, you will
    │ need to first import the existing rules using cf-terraforming. You can find
    │ details about how to do this at
    https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch

Steps to reproduce

  1. Create an origin rule and a Transform rule using the dashboard.
  2. Try to create another origin rule and Transform rule using Terraform.
  3. Terraform apply will give an error.

Additional factoids

No response

References

No response

@AzureTushar AzureTushar added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 27, 2024

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.
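
The redaction rule in the comment above, as an added Python example (not part of the provider or of this thread): it masks the three credential headers the comment names and, optionally, zone and account identifiers. The sample log lines are constructed, and the helper names `redact` and `leaked_headers` are hypothetical.

```python
import re

# Headers the triage comment says must be redacted before posting a log.
SENSITIVE_HEADERS = ("X-Auth-Key", "X-Auth-Email", "Authorization")

# Matches "Name: value" at line start or inline (logs are often pasted as one
# long line); keeps an auth scheme such as "Bearer" and masks only the secret.
_HEADER_RE = re.compile(
    r"\b(" + "|".join(re.escape(h) for h in SENSITIVE_HEADERS) + r"):[ \t]*"
    r"((?:Bearer|Basic)[ \t]+)?\S+",
    re.IGNORECASE,
)
# Optional extra: 32-hex identifiers in /zones/<id> and /accounts/<id> paths.
_ID_RE = re.compile(r"(/(?:zones|accounts)/)[0-9a-fA-F]{32}\b")

def redact(log_text, redact_ids=False):
    """Return log_text with credential header values masked."""
    out = _HEADER_RE.sub(
        lambda m: f"{m.group(1)}: {m.group(2) or ''}[REDACTED]", log_text
    )
    if redact_ids:
        out = _ID_RE.sub(r"\1[REDACTED_ID]", out)
    return out

def leaked_headers(log_text):
    """Names of sensitive headers that still carry an unmasked value."""
    return sorted({
        m.group(1) for m in _HEADER_RE.finditer(log_text)
        if not m.group(0).endswith("[REDACTED]")
    })

# Constructed sample; values are placeholders, not real credentials.
SAMPLE_LOG = """\
2024-03-27T09:27:15.100Z [DEBUG] Cloudflare API Request:
GET /client/v4/zones/0123456789abcdef0123456789abcdef/rulesets HTTP/1.1
Host: api.cloudflare.com
X-Auth-Email: user@example.com
X-Auth-Key: constructed-key-value
Authorization: Bearer constructed-token-value
"""

if __name__ == "__main__":
    print(redact(SAMPLE_LOG, redact_ids=True))
```

Running `leaked_headers` on the file as a last step before attaching it gives a quick check that nothing was missed.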

@github-actions github-actions bot added triage/needs-information Indicates an issue needs more information in order to work on it. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Mar 27, 2024
@jacobbednarz
Member

this isn't a provider bug but a safety guard to stop people from accidentally blowing away existing configuration created by the dashboard. the error message here is pointing to the issue

│ A similar configuration with rules already exists and overwriting will have
│ unintended consequences. If you are migrating from the Dashboard, you will
│ need to first import the existing rules using cf-terraforming. You can find
│ details about how to do this at
│ https://developers.cloudflare.com/terraform/additional-configurations/ddos-managed-rulesets/#optional-delete-existing-rulesets-to-start-from-scratch

you'll need to either remove the specific phase mentioned here (http_request_origin) or import it first.
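
The check behind the advice above, as an added Python example (not code from the provider or from this thread): given a ruleset listing for the zone, it reports which phases already have a zone-level ruleset and need a `terraform import` before apply, and which can be created. The response body, ids, zone id and the `http_transform_rule` resource address are constructed; the import ID form `zone/<zone_id>/<ruleset_id>` is the one the v4 provider documents for `cloudflare_ruleset`.

```python
import json

# Constructed sample body of GET /client/v4/zones/{zone_id}/rulesets.
# The ids and the zone id are placeholders, not values from the issue.
ZONE_ID = "0123456789abcdef0123456789abcdef"
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "result": [
        {"id": "1" * 32, "kind": "managed", "phase": "http_request_firewall_managed"},
        {"id": "2" * 32, "kind": "zone", "phase": "http_request_origin"},
        {"id": "3" * 32, "kind": "zone", "phase": "http_request_late_transform"},
    ],
})

def existing_entrypoints(response_body):
    """Map phase -> ruleset id for zone-level rulesets that already exist."""
    body = json.loads(response_body)
    if not body.get("success"):
        raise ValueError("ruleset listing failed; existing state is unknown")
    return {r["phase"]: r["id"] for r in body.get("result") or []
            if r.get("kind") == "zone"}

def plan_imports(response_body, zone_id, wanted):
    """wanted maps phase -> Terraform resource address.

    Returns (import_commands, phases_safe_to_create).
    """
    present = existing_entrypoints(response_body)
    imports, creatable = [], []
    for phase, address in wanted.items():
        if phase in present:
            # A dashboard-created ruleset already owns this phase.
            imports.append(
                f"terraform import {address} zone/{zone_id}/{present[phase]}")
        else:
            creatable.append(phase)
    return imports, creatable

if __name__ == "__main__":
    wanted = {
        "http_request_origin": "cloudflare_ruleset.http_origin_rule_ui_provider",
        "http_request_transform": "cloudflare_ruleset.http_transform_rule",
    }
    commands, creatable = plan_imports(SAMPLE_RESPONSE, ZONE_ID, wanted)
    print("\n".join(commands))
    print("safe to create:", creatable)
```

After the import, additional rules for that phase go in as further `rules` blocks of the imported resource rather than as a second `cloudflare_ruleset` for the same phase.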

@jacobbednarz jacobbednarz closed this as not planned Won't fix, can't repro, duplicate, stale Mar 27, 2024
@jacobbednarz jacobbednarz added kind/support Categorizes issue or PR as related to user support. working-as-intended Indicates an issue is working as designed. and removed kind/bug Categorizes issue or PR as related to a bug. triage/needs-information Indicates an issue needs more information in order to work on it. labels Mar 27, 2024
@AzureTushar
Author

AzureTushar commented Mar 29, 2024 via email

@AzureTushar AzureTushar changed the title Unable to create origin rule and Transform Rule using Terraform , few rules are already created using terraform. Unable to create new origin rule and Transform Rule using Terraform , after importing Origin rule and Transform rule Mar 29, 2024