Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

'invalid JSON: unknown field "id"' when updating Cloudflare Managed rulesets #3916

Open
3 tasks done
codybswaney opened this issue Sep 6, 2024 · 5 comments
Open
3 tasks done

'invalid JSON: unknown field "id"' when updating Cloudflare Managed rulesets #3916

codybswaney opened this issue Sep 6, 2024 · 5 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. service/rulesets Categorizes issue or PR as related to the Rulesets service. triage/accepted Indicates an issue or PR is ready to be actively worked on. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced

Comments

@codybswaney
Copy link

codybswaney commented Sep 6, 2024
edited
Loading

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

$ terraform -v
Terraform v1.9.5
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v4.41.0
+ provider registry.terraform.io/hashicorp/aws v5.66.0

Affected resource(s)

  • cloudflare_ruleset

Terraform configuration files

locals {
  zone_id               = "<REDACTED>"
  cf_managed_ruleset_id = "efb7b8c949ac4650a09736fc376e9aee"
  cf_owasp_ruleset_id   = "4814384a9e5d4991b9815dcfc25d2f1f"
  cf_creds_ruleset_id   = "c2e184081120413c86c3ab7e14069605"
}

resource "cloudflare_ruleset" "zone_level_managed_waf" {
  zone_id     = local.zone_id
  name        = "default"
  description = "Zone-Level WAF Managed Rules config"
  kind        = "zone"
  phase       = "http_request_firewall_managed"

  # Cloudflare Managed Ruleset
  rules {
    description = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
    action      = "log"
    expression  = "true"
    enabled     = true

    action_parameters {
      id      = local.cf_managed_ruleset_id
      version = "latest"

      overrides {
        rules {
          action  = "log"
          enabled = true
          id      = "3b0c61407d0b4f7d87e516472116d2fe"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "8840c3fa2c7947f6b10176ceb8f65558"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "7aeb2faf29284398aeb782e54875e938"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "7babab188b3c40ae87b93ec451f4fd5b"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "8ac6964456494da6b098a93c35f86fc9"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "23ee7cebe6e8443e99ecf932ab579455"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "76f9871c8e88445b807c9ebcd440c742"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "cd7bd3dbe8fd4add9926ad50068b2a17"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "34da2a5e0a95425d9b0e44f07c641d63"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "2fe273498e964f0bb20ac022d5a14a5e"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "47631a04883d4d7cab6bd7b83478adcb"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "977ad8daef224ecdbe475c7ab3ab3365"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "bdd776b4f296477f960acc346dfa618e"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "49449f901cab4a01b2591ab836babcca"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "d6f6d394cb01400284cfb7971e7aed1e"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "d9aeff22f1024655937e5b033a61fbc5"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "525329e705aa4fa596e126366d02615e"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "8bb4bf582f704b61980fceff442561a8"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "15b0616fe67a439a8a3852410cadd290"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "00bee3de44184f7f8a6ad10910f04e13"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "7b1cfed7fd4047c6949c4d054751ef80"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "d8c7dbf00ec546e48e3c4340486c3ee2"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "ff8b8608c2c14bf5b3de621b6fc2309c"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "71b7793c77e24287861b82f0ec97cf32"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "40cba5ee3a014208958da0855ddfd8e3"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "5dd38056f4cd43fca7f198e6384f1856"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "d384de3d016d414dbf4d14caaa83212b"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "4a6e23c2acfe4b979b8c4d856d4d8e84"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "55b100786189495c93744db0e1efdffb"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "db1f213645904ab9b16b227b4a6a7b3a"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "6a05218f9dba40ed8eb4e89b12e7bc07"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "aa3411d5505b4895b547d68950a28587"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "ac89e3a915594a139fc370dece6a8e28"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "5de7edfa648c4d6891dc3e7f84534ffa"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "a5f1081bb2a3413e88ac88c0d36f0fb0"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "5ac122b3972c4247a247f3271045f374"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "230867e5cb844fe092f1e1b4e504c459"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "505cbd1ba4b24bdcb227d854b8b46cbc"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "cb5b6de178d3488d8649da8608b7b3a2"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "390b6273c8dc4366b36e52fc6f35c356"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "20e34d3164a340dbb5c5d29203ccff90"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "b777ce009bb346b39be4886055a71165"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "34158d546873469a8f8ccee19139627b"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "d8e629b68b5c4bb69b2f01a3ab285f5e"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "b84a82ec35064ee8aa204897f775a3b0"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "7f41cd9aca1d42f09b4f1477957ee0b0"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "7994335d116849f7a0ab6b771d1d0db7"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "d653f5ed71a348ea97b9bc5c295fd819"
        }
        rules {
          action  = "log"
          enabled = false
          id      = "48e06376fc6347c0bf08b8ccf82d008b"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "d52aa57408a144afa35e0fd96e3897dc"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "8d9f209f35df412ba4bafe5156335ab1"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "8ea0937695984040b528c80a4e6df495"
        }
        rules {
          action  = "block"
          enabled = false
          id      = "b1efd337665d49f5950f892971120c4b"
        }
      }
    }

  }

  # OWASP Core Ruleset
  rules {
    description = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
    action      = "log"
    expression  = "true"
    enabled     = true

    action_parameters {
      id      = local.cf_owasp_ruleset_id
      version = "latest"

      overrides {
        categories {
          category = "paranoia-level-2"
          enabled  = false
        }
        categories {
          category = "paranoia-level-3"
          enabled  = false
        }
        categories {
          category = "paranoia-level-4"
          enabled  = false
        }
        rules {
          action          = "managed_challenge"
          id              = "6179ae15870a4bb7b2d480d4843b323c"
          score_threshold = 40
        }
      }
    }
  }

  # Exposed Credentials Check Ruleset
  rules {
    action     = "log"
    expression = "true"
    enabled    = true

    action_parameters {
      id      = local.cf_creds_ruleset_id
      version = "latest"
    }
  }
}

Link to debug output

https://gist.github.com/codybswaney/af7d334b87eebdb71abbcb881e1ae8c1

Panic output

No response

Expected output

I expected the plan which sets execute to log and enables the three managed rulesets to succeed.

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_ruleset.zone_level_managed_waf will be updated in-place
  ~ resource "cloudflare_ruleset" "zone_level_managed_waf" {
      + description = "Zone-Level WAF Managed Rules config"
        id          = "99ad0cfc75634c07a98f2cb2ce6445cb"
        name        = "default"
        # (3 unchanged attributes hidden)

      ~ rules {
          ~ action       = "execute" -> "log"
          + description  = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
          ~ enabled      = false -> true
          ~ id           = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
          ~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
          ~ ref          = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
          ~ version      = "1" -> (known after apply)
            # (1 unchanged attribute hidden)

            # (1 unchanged block hidden)
        }
      ~ rules {
          ~ action       = "execute" -> "log"
          + description  = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
          ~ enabled      = false -> true
          ~ id           = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
          ~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
          ~ ref          = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
          ~ version      = "1" -> (known after apply)
            # (1 unchanged attribute hidden)

            # (1 unchanged block hidden)
        }
      ~ rules {
          ~ action       = "execute" -> "log"
          ~ enabled      = false -> true
          ~ id           = "47d79f6692554f239a62339238cf9115" -> (known after apply)
          ~ last_updated = "2024-09-03 18:24:01.348032 +0000 UTC" -> (known after apply)
          ~ ref          = "47d79f6692554f239a62339238cf9115" -> (known after apply)
          ~ version      = "2" -> (known after apply)
            # (2 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }
    }

Actual output

Apply fails with invalid JSON: unknown field "id"

Terraform will perform the following actions:

  # cloudflare_ruleset.zone_level_managed_waf will be updated in-place
  ~ resource "cloudflare_ruleset" "zone_level_managed_waf" {
      + description = "Zone-Level WAF Managed Rules config"
        id          = "99ad0cfc75634c07a98f2cb2ce6445cb"
        name        = "default"
        # (3 unchanged attributes hidden)

      ~ rules {
          ~ action       = "execute" -> "log"
          + description  = "Execute Cloudflare Managed Ruleset on my zone-level phase entry point ruleset"
          ~ enabled      = false -> true
          ~ id           = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
          ~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
          ~ ref          = "e4d66e73c0924737b51bb3c8a2c6c2d8" -> (known after apply)
          ~ version      = "1" -> (known after apply)
            # (1 unchanged attribute hidden)

            # (1 unchanged block hidden)
        }
      ~ rules {
          ~ action       = "execute" -> "log"
          + description  = "Execute Cloudflare OWASP Core Ruleset on my zone-level phase entry point ruleset"
          ~ enabled      = false -> true
          ~ id           = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
          ~ last_updated = "2024-09-03 17:46:40.190764 +0000 UTC" -> (known after apply)
          ~ ref          = "61e46161ae684225bf54765f36ad27d0" -> (known after apply)
          ~ version      = "1" -> (known after apply)
            # (1 unchanged attribute hidden)

            # (1 unchanged block hidden)
        }
      ~ rules {
          ~ action       = "execute" -> "log"
          ~ enabled      = false -> true
          ~ id           = "47d79f6692554f239a62339238cf9115" -> (known after apply)
          ~ last_updated = "2024-09-03 18:24:01.348032 +0000 UTC" -> (known after apply)
          ~ ref          = "47d79f6692554f239a62339238cf9115" -> (known after apply)
          ~ version      = "2" -> (known after apply)
            # (2 unchanged attributes hidden)

            # (1 unchanged block hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
cloudflare_ruleset.zone_level_managed_waf: Modifying... [id=99ad0cfc75634c07a98f2cb2ce6445cb]
╷
│ Error: error updating ruleset with ID "99ad0cfc75634c07a98f2cb2ce6445cb"
│ 
│   with cloudflare_ruleset.zone_level_managed_waf,
│   on waf_managed_rules.tf line 34, in resource "cloudflare_ruleset" "zone_level_managed_waf":
│   34: resource "cloudflare_ruleset" "zone_level_managed_waf" {
│ 
│ invalid JSON: unknown field "id"

Steps to reproduce

  1. Import default entrypoint managed ruleset for phase http_request_firewall_managed
  2. Try to enable them at log action level
  3. Apply

Additional factoids

No response

References

Following the guide at https://developers.cloudflare.com/terraform/additional-configurations/waf-managed-rulesets/
@codybswaney codybswaney added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 6, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 6, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 6, 2024
edited
Loading

Terraform debug log detected ✅

@github-actions github-actions bot added triage/needs-information Indicates an issue needs more information in order to work on it. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 6, 2024
@jacobbednarz
Copy link
Member

please include the TF_LOG=DEBUG output, not the terraform operation output to help triaging this one.

@codybswaney
Copy link
Author

Apologies @jacobbednarz , I have updated the link to the correct gist

@github-actions github-actions bot added triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. and removed triage/needs-information Indicates an issue needs more information in order to work on it. labels Sep 9, 2024
@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. service/rulesets Categorizes issue or PR as related to the Rulesets service. labels Sep 10, 2024
@guitar9999
Copy link

Do you still see the issue?
There was a incident which was resolved yesterday.
https://www.cloudflarestatus.com/incidents/26vtmwm3mgh6

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. service/rulesets Categorizes issue or PR as related to the Rulesets service. triage/accepted Indicates an issue or PR is ready to be actively worked on. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jacobbednarz @codybswaney @guitar9999