CF-TERRAFORMING for CLOUPDFLARE_RULESET resource not terraforming the RULES within ruleset

[kaincosta]

Confirmation

• My issue isn't already found on the issue tracker.
• I have replicated my issue using the latest version of the library and it is still present.

cf-terraforming version

cf-terraforming 0.23.3

Expected outcome

When using cf-terraforming to terraform the CLOudFLARE_RULESET it should not only bring the basic setting of the ruleset but also the RULES within it, as it did before.

Actual outcome

The output shows the RULESETS basic config within the ZONE, but their RULES

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Created by the Cloudflare security team, this ruleset provides normalization on the URL path"
  kind        = "managed"
  name        = "Cloudflare Normalization Ruleset"
  phase       = "http_request_sanitize"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  kind    = "managed"
  name    = "Bot Fight Mode for Likely Bots"
  phase   = "http_request_sbfm"
  zone_id = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  kind    = "managed"
  name    = "Bot Fight Mode for Definite Bots"
  phase   = "http_request_sbfm"
  zone_id = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives."
  kind        = "managed"
  name        = "Cloudflare Managed Ruleset"
  phase       = "http_request_firewall_managed"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository"
  kind        = "managed"
  name        = "Cloudflare OWASP Core Ruleset"
  phase       = "http_request_firewall_managed"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Exposed credentials check rules"
  kind        = "managed"
  name        = "Cloudflare Exposed Credentials Check Ruleset"
  phase       = "http_request_firewall_managed"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Automatic mitigation of HTTP-based DDoS attacks. Cloudflare routinely adds signatures to address new attack vectors. Additional configuration allows you to customize the sensitivity of each rule and the performed mitigation action."
  kind        = "managed"
  name        = "DDoS L7 ruleset"
  phase       = "ddos_l7"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Created by the Cloudflare security team, this ruleset is designed to provide protection for free zones"
  kind        = "managed"
  name        = "Cloudflare Managed Free Ruleset"
  phase       = "http_request_firewall_managed"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  kind    = "zone"
  name    = "default"
  phase   = "http_request_firewall_managed"
  zone_id = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  description = "Rules maintained by bots team that can run for all plans"
  kind        = "managed"
  name        = "Cloudflare Bot Management rules for all plans"
  phase       = "http_request_sbfm"
  zone_id     = "<redacted>"
}

resource "cloudflare_ruleset" "terraform_managed_resource_<id_redacted>" {
  kind    = "zone"
  name    = "default"
  phase   = "http_request_firewall_custom"
  zone_id = "<redacted>"
}

Steps to reproduce

#Execute the following
cf-terraforming generate --email myemail@email.com --token <my-CF-token-here> -z <ZONE-ID for which I want the rulesets> --resource-type cloudflare_ruleset > importing-example1.tf

References

I'm checking directly on the cf-terraforming repo >> https://github.com/cloudflare/cf-terraforming
And for the supported resources I'm checking the list on your repo: https://github.com/cloudflare/cf-terraforming#:~:text=provider%20%22cloudflare/cloudflare%22-,Supported%20Resources,-v5

[kaincosta]

Another important comment:
I checked via CLOUDFLARE API and when doing a curl against:

https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets

it bring the same information, only the basic settings of the RULESET
and not the RULES within the rulesets.

the OLD endpoint"https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/firewall/rules" did return that information, but this resource is suppose to be deprecated.

Curl command:

❯ curl -X  GET "https://api.cloudflare.com/client/v4/zones/<redacted-zone-id>/rulesets" \
        -H "Authorization: Bearer <redacted-token>" \
        -H "Content-Type: application/json" | jq .

OUTPUT:

{
  "result": [
    {
      "description": "Created by the Cloudflare security team, this ruleset provides normalization on the URL path",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-08-01T17:37:11.538019Z",
      "name": "Cloudflare Normalization Ruleset",
      "phase": "http_request_sanitize",
      "version": "6"
    },
    {
      "description": "",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-12-18T17:13:02.123258Z",
      "name": "Bot Fight Mode for Likely Bots",
      "phase": "http_request_sbfm",
      "source": "firewall_managed",
      "version": "8"
    },
    {
      "description": "",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-12-18T17:13:03.199618Z",
      "name": "Bot Fight Mode for Definite Bots",
      "phase": "http_request_sbfm",
      "source": "firewall_managed",
      "version": "8"
    },
    {
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide fast and effective protection for all your applications. It is frequently updated to cover new vulnerabilities and reduce false positives.",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2025-02-18T17:35:15.131581Z",
      "name": "Cloudflare Managed Ruleset",
      "phase": "http_request_firewall_managed",
      "source": "firewall_managed",
      "version": "232"
    },
    {
      "description": "Cloudflare's implementation of the Open Web Application Security Project (OWASP) ModSecurity Core Rule Set. We routinely monitor for updates from OWASP based on the latest version available from the official code repository",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-08-19T17:26:58.593021Z",
      "name": "Cloudflare OWASP Core Ruleset",
      "phase": "http_request_firewall_managed",
      "source": "firewall_managed",
      "version": "87"
    },
    {
      "description": "Exposed credentials check rules",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-08-01T17:37:12.291474Z",
      "name": "Cloudflare Exposed Credentials Check Ruleset",
      "phase": "http_request_firewall_managed",
      "source": "firewall_managed",
      "version": "89"
    },
    {
      "description": "Automatic mitigation of HTTP-based DDoS attacks. Cloudflare routinely adds signatures to address new attack vectors. Additional configuration allows you to customize the sensitivity of each rule and the performed mitigation action.",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2025-02-19T21:08:00.815518Z",
      "name": "DDoS L7 ruleset",
      "phase": "ddos_l7",
      "version": "2718"
    },
    {
      "description": "Created by the Cloudflare security team, this ruleset is designed to provide protection for free zones",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2024-08-01T17:37:10.825759Z",
      "name": "Cloudflare Managed Free Ruleset",
      "phase": "http_request_firewall_managed",
      "source": "firewall_managed",
      "version": "57"
    },
    {
      "description": "",
      "id": "<redacted-zone-id>",
      "kind": "zone",
      "last_updated": "2023-09-06T21:04:30.352935Z",
      "name": "default",
      "phase": "http_request_firewall_managed",
      "source": "firewall_managed",
      "version": "2"
    },
    {
      "description": "Rules maintained by bots team that can run for all plans",
      "id": "<redacted-zone-id>",
      "kind": "managed",
      "last_updated": "2025-02-12T23:39:38.344875Z",
      "name": "Cloudflare Bot Management rules for all plans",
      "phase": "http_request_sbfm",
      "source": "firewall_managed",
      "version": "10"
    },
    {
      "description": "",
      "id": "<redacted-zone-id>",
      "kind": "zone",
      "last_updated": "2025-02-20T11:04:18.084537Z",
      "name": "default",
      "phase": "http_request_firewall_custom",
      "source": "firewall_custom",
      "version": "50"
    }
  ],
  "success": true,
  "errors": [],
  "messages": []
}

[kaincosta]

Another question, would this have any impact on how terraform is able to track the rules within a ruleset?

[kaincosta]

I just tried with a new endpoint from the API: curl -X GET https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/<ruleset-id>, which returned the expected output, I'm wondering inthe CF-TERRAFORMING, what resource would bring the same output as this?

[cheewai-bash]

Using cf-terraform v0.23.3 with the latest cloudflare/cloudflare provisioner v.5.1.0, I encounter exactly the same issue. cf-terraforming generate --resource-type cloudflare_ruleset output is missing rules attribute.

[cheewai-bash]

Using cf-terraform v0.23.3 with the latest cloudflare/cloudflare provisioner v.5.1.0, I encounter exactly the same issue. cf-terraforming generate --resource-type cloudflare_ruleset output is missing rules attribute.

--account and --zone arguments are mutually-exclusive.

When run with --zone argument

DEBU[0000] initializing cloudflare-go with API Token     account_Id= zone_id=XXX-REDACTED-XXX
DEBU[0001] initializing Terraform in .                  
DEBU[0003] detected provider                             version=5.1.0
DEBU[0003] reading Terraform schema for Cloudflare provider 
DEBU[0004] reading and building resource                 resource=cloudflare_ruleset
DEBU[0005] generating resource output                    count=20 resource=cloudflare_ruleset
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key account_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
resource "cloudflare_ruleset" "terraform_managed_resource_70339d97bdb34195bbf054b1ebe81f76" {
  description = "Created by the Cloudflare security team, this ruleset provides normalization on the URL path"
  kind        = "managed"
  name        = "Cloudflare Normalization Ruleset"
  phase       = "http_request_sanitize"
  zone_id     = "XXX-REDACTED-XXX"
}

When run with --account argument

DEBU[0001] initializing Terraform in .                  
DEBU[0002] detected provider                             version=5.1.0
DEBU[0002] reading Terraform schema for Cloudflare provider 
DEBU[0004] reading and building resource                 resource=cloudflare_ruleset
DEBU[0005] generating resource output                    count=3 resource=cloudflare_ruleset
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key zone_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key zone_id, value <nil>, value type <nil> 
DEBU[0005] attribute "rules" has not been generated     
DEBU[0005] got unknown attribute configuration: key zone_id, value <nil>, value type <nil> 
resource "cloudflare_ruleset" "terraform_managed_resource_4d21379b4f9f4bb088e0729962c8b3cf" {
  account_id  = "XXX-REDACTED-XXX"
  description = "Automatic mitigation of HTTP-based DDoS attacks. Cloudflare routinely adds signatures to address new attack vectors. Additional configuration allows you to customize the sensitivity of each rule and the performed mitigation action."
  kind        = "managed"
  name        = "DDoS L7 ruleset"
  phase       = "ddos_l7"
}

[stboissdev]

+1

[nhanvqit]

+1 same issue

[vhgbao01]

same problem +1

[aimuz]

I encountered the same problem, and it seems to have lasted for a month

[aimuz]

I'm glad I've made progress on this issue. I solved this problem in the following ways.

The main reason for this problem is that the list method does not list the details, while the get method does. Therefore, this problem can be solved by importing the status.

cf-terraforming generate --email myemail@email.com --token <my-CF-token-here> -z <ZONE-ID for which I want the rulesets> --resource-type cloudflare_ruleset > importing-example1.tf

cf-terraforming import --email myemail@email.com --token <my-CF-token-here> -z <ZONE-ID for which I want the rulesets> --resource-type cloudflare_ruleset > 1.sh

bash 1.sh

terraform show > importing-example1.tf

[gui-baeta]

@aimuz That worked and helped me get on the right track! Thank you!

So, if am understanding correctly, what you did:

1. generate ruleset resources -> Gets us each ruleset basic metadata, but not all the rules in it. Before doing this,
2. generate the Terraform imports for all rulesets -> Makes Terraform create state of those rulesets. This state is created based on whats in the Infrastructure, Cloudflare side.
3. After having the necessary Terraform metadata, having the state in sync with the Infrastructure, we can finally generate the HCL that respects the state.

Am I thinking right?

Some Testing I did

Following your steps:

1. the cf-terraforming generate,
2. followed by cf-terraforming import ... > tf-import-commands.sh,
3. followed by bash tf-import-commands.sh,
4. and finally terraform show > generated.tf.

• If I then try to Terraform Plan, it errors saying that I can't define the id attributes as they are read-only. To appease my mind a bit, I would like to know if you hit this same error @aimuz?

  NOTE: I fixed this error by deleting all definitions of id's.
  Another NOTE I want to make for anyone like me who has beginner/-ish knowledge of Terraform: (Please correct me if I am wrong. This is what I am gathering from my tests)

  • The state will have the ids since that is what represents the real deployed infrastructure, which in our case is the Cloudflare side. The resource definitions themselves should not have the ids since this is something that Cloudflare generates, not our Terraform instances.

Based on your method, I then continued on what I was doing, which is trying to create a full representation of the Cloudflare configurations but in HCL/Terrafrom.

If I create the (modern) import blocks with cf-terraforming import --modern-import-block ..., and then try doing terraform plan, Terraform invites me to use -generate-config-out=generated.tf like so:

terraform plan -generate-config-out=generated.tf

That gives me a 100% valid HCL configuration - terraform plan-ning does not error.

Idk what this issue is/where it comes from...

However, something weird happens. Comparing the values the Cloudflare REST API gets me and what this process gave me:

• I have ruleset rules that have the attribute categories and others that do not. For the ones that don't have this attribute categories, on terraform plan, Terraform wants to do in-place changes of these resources, telling me that it will add this non-existent categories attribute with (known after apply).

  

  ... when my Terraform HCL does not have this attribute set, not even set as = null.