
get_account_roles(...) return two roles with same ID #1237

@ollaw

Description


Describe what happened

We're assigning permissions to users on Cloudflare leveraging the get_account_roles() function, with which we retrieve the IDs of the available Roles that are then passed to the AccountMember resource.

The issue started last Friday, since we weren't able to use the Role Workers Admin anymore and switched to Workers Platform Admin. Today we discovered that users on Cloudflare have the Role Waiting Room Admin rather than Workers Platform Admin, and that get_account_roles() returns the Roles Workers Platform Admin and Waiting Room Admin with the same ID.

After assigning the right role (Workers Platform Admin) manually and refreshing the stacks, the ID of the Role Workers Platform Admin is one that is not returned by get_account_roles().

Sample program

from pulumi_cloudflare import get_account_roles

account_roles = get_account_roles(account_id="123456")
print({role.name: role.id for role in account_roles.roles})

Log output

{
    "Cloudchamber Admin Read Only": "************812f",
    "Cloudchamber Admin": "************f3cc",
    "Secrets Store Reporter": "************a987",
    "Secrets Store Deployer": "************f0b9",
    "Secrets Store Admin": "************b389",
    "Cloudflare Zero Trust Secure DNS Locations Write": "************7715",
    "Brand Protection": "************5eeb",
    "Cloudforce One Read": "************e277",
    "Cloudforce One Admin": "************8c16",
    "Email Security Reporting": "************5e31",
    "Email Security Readonly": "************a2d7",
    "Email Security Analyst": "************fcaf",
    "Email Configuration Admin": "************c139",
    "Email Integration Admin": "************fdf1",
    "Vectorize Readonly": "************2e43",
    "Vectorize Admin": "************cf12",
    "Bot Management (Account-Wide)": "************40e5",
    "Hyperdrive Readonly": "************ce03",
    "Hyperdrive Admin": "************4b50",
    "Turnstile Read": "************b906",
    "Turnstile": "************93fd",
    "API Gateway Read": "************f4db",
    "API Gateway": "************c790",
    "Cloudflare R2 Read": "************ce9e",
    "Cloudflare R2 Admin": "************096e",
    "Page Shield Read": "************9e27",
    "Page Shield": "************bb20",
    "Cloudflare DEX": "************df71",
    "Zone Versioning Read (Account-Wide)": "************37d4",
    "Zone Versioning (Account-Wide)": "************dce6",
    "Minimal Account Access": "************3c39",
    "Zaraz Edit": "************faf3",
    "Waiting Room Admin": "************8c53",  # Same as Workers Platform Admin
    "Waiting Room Read": "************7234",
    "Magic Network Monitoring Admin": "************7fb4",
    "Magic Network Monitoring": "************0391",
    "Magic Network Monitoring Read-Only": "************988a",
    "Network Services (Magic)": "************412e",
    "Network Services (Magic, Read-Only)": "************fb25",
    "HTTP Applications": "************161b",
    "HTTP Applications Read": "************f5e1",
    "Trust And Safety": "************7519",
    "Zaraz Admin": "************d747",
    "Zaraz Read": "************0650",
    "Cloudflare Images": "************e42d",
    "Cloudflare Gateway": "************e215",
    "Cloudflare Zero Trust Reporting": "************865c",
    "Cloudflare Zero Trust Read Only": "************6990",
    "Cloudflare Zero Trust": "************1bfa",
    "Cloudflare Zero Trust PII": "************8e24",
    "Super Administrator - All Privileges": "************953d",
    "SSL/TLS, Caching, Performance, Page Rules, and Customization": "************c4df",
    "Log Share Reader": "************32e7",
    "Log Share": "************e6dc",
    "Load Balancer": "************1c5a",
    "Firewall": "************ab02",
    "DNS": "************6050",
    "Workers Platform Admin": "************8c53",  # Same as Waiting Room Admin
    "Cloudflare Stream": "************dcca",
    "Cloudflare Access": "************17af",
    "Cache Purge": "************ba0a",
    "Billing": "************58ee",
    "Audit Logs Viewer": "************78f3",
    "Analytics": "************9365",
    "Administrator Read Only": "************99c7",
    "Administrator": "************7430"
}

Affected Resource(s)

get_account_roles()

Output of pulumi about

Backend
Name L-PA-PW0CVKL1
URL s3://my-bucket-state
User gabrieleolla
Organizations
Token type personal

Dependencies:
NAME VERSION
black 23.10.0
flake8 6.1.0
isort 5.12.0
pulumi-cloudflare 5.49.1
setuptools 75.8.0
types-boto3-s3control 1.38.14

Pulumi locates its logs in /tmp by default

Additional context

I also tried bumping the provider to the latest available version, and the function returns

{
        "description": "Can create, read, update and delete all resources in the Workers Platform.",
        "id": None,
        "name": "Workers Platform Admin",
        "permissions": {
            "analytics": {
                "read": True,
                "write": None
            },

which is the only Role with a None id, so I cannot assign it to any member.
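The failure modes described in this issue (two roles sharing one ID, and a role returned with a None ID) can be caught before the ID reaches AccountMember. The following check is an added example, not code from the issue or from the pulumi-cloudflare provider; the Role dataclass is an assumed stand-in for the objects in get_account_roles(...).roles, and the sample roles and IDs are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Role:
    """Stand-in for the objects in get_account_roles(...).roles (assumed shape)."""
    name: str
    id: Optional[str]


class RoleResolutionError(RuntimeError):
    """The role list cannot be mapped to unique IDs safely."""


def resolve_role_ids(roles, wanted_names):
    """Map wanted role names to IDs, failing closed on missing or shared IDs.

    A shared ID is rejected because AccountMember would grant whichever
    role the API resolves that ID to, which is how the wrong role landed here.
    """
    by_id = defaultdict(set)
    by_name = {}
    for role in roles:
        by_name[role.name] = role.id
        if role.id is not None:
            by_id[role.id].add(role.name)

    resolved = {}
    for name in wanted_names:
        if name not in by_name:
            raise RoleResolutionError(f"role {name!r} not returned by get_account_roles")
        role_id = by_name[name]
        if role_id is None:
            raise RoleResolutionError(f"role {name!r} has no ID; cannot assign it")
        sharers = by_id[role_id] - {name}
        if sharers:
            raise RoleResolutionError(
                f"role {name!r} shares ID {role_id!r} with {sorted(sharers)}")
        resolved[name] = role_id
    return resolved


# Constructed sample mirroring the issue's output; IDs are placeholders.
SAMPLE_ROLES = [
    Role("Waiting Room Admin", "************8c53"),
    Role("Workers Platform Admin", "************8c53"),  # same ID as above
    Role("Waiting Room Read", "************7234"),
    Role("Constructed Role Without ID", None),  # simulates the id=None case
]
```

Running `resolve_role_ids(get_account_roles(account_id=...).roles, [...])` in the stack before building AccountMember turns a silent wrong-role assignment into a failed `pulumi up`.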


Labels

awaiting-upstream: The issue cannot be resolved without action in another repository (may be owned by Pulumi).
kind/bug: Some behavior is incorrect or out of spec.