cloudflare_zero_trust_access_identity_provider detects changes on every plan #5532

dominiquehunziker opened this issue Apr 25, 2025 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. version/5 Categorizes issue or PR as related to version 5 of the provider.

dominiquehunziker commented Apr 25, 2025

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.11.4
on windows_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v5.3.0

Affected resource(s)

  • cloudflare_zero_trust_access_identity_provider

Terraform configuration files

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.3"
    }
  }
}

provider "cloudflare" {
  api_token = "REDACTED"
}

resource "cloudflare_zero_trust_access_identity_provider" "entra" {
  account_id = "REDACTED"
  name       = "Entra ID"
  type       = "azureAD"
  config = {
    client_id      = "REDACTED"
    client_secret  = "REDACTED"
    directory_id   = "REDACTED"
    pkce_enabled   = true
    support_groups = false
  }
}

Link to debug output

https://gist.github.com/dominiquehunziker/b55959e3c843cfb25345f2c163567204

Panic output

No response

Expected output

Terraform should not detect changes / modify the resource.

Actual output

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_zero_trust_access_identity_provider.entra will be updated in-place
  ~ resource "cloudflare_zero_trust_access_identity_provider" "entra" {
      ~ config      = {
          + client_secret              = (sensitive value)
          - conditional_access_enabled = false -> null
          ~ redirect_url               = "https://REDACTED.cloudflareaccess.com/cdn-cgi/access/callback" -> (known after apply)
            # (4 unchanged attributes hidden)
        }
        id          = "REDACTED"
        name        = "Entra ID"
      ~ scim_config = {
          ~ enabled                  = false -> (known after apply)
          ~ identity_update_behavior = "no_action" -> (known after apply)
          ~ scim_base_url            = "https://REDACTED.cloudflareaccess.com/scim/REDACTED" -> (known after apply)
          + secret                   = (sensitive value)
          ~ user_deprovision         = false -> (known after apply)
        } -> (known after apply)
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to reproduce

Using the same Terraform

  • run terraform apply
  • run terraform plan

Additional factoids

Adding the default values explicitly for some of the parameters to the Terraform resource reduces the detected drift.

resource "cloudflare_zero_trust_access_identity_provider" "entra" {
  account_id = "REDACTED"
  name       = "Entra ID"
  type       = "azureAD"
  config = {
    client_id      = "REDACTED"
    client_secret  = "REDACTED"
    directory_id   = "REDACTED"
    pkce_enabled   = true
    support_groups = false
    conditional_access_enabled = false
  }
  scim_config = {
    enabled = false
    identity_update_behavior = "no_action"
    seat_deprovision = false
    user_deprovision = false
  }
}

results in

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_zero_trust_access_identity_provider.entra will be updated in-place
  ~ resource "cloudflare_zero_trust_access_identity_provider" "entra" {
      ~ config      = {
          + client_secret              = (sensitive value)
          ~ redirect_url               = "https://REDACTED.cloudflareaccess.com/cdn-cgi/access/callback" -> (known after apply)
            # (5 unchanged attributes hidden)
        }
        id          = "REDACTED"
        name        = "Entra ID"
      ~ scim_config = {
          ~ scim_base_url            = "https://REDACTED.cloudflareaccess.com/scim/REDACTED" -> (known after apply)
          + secret                   = (sensitive value)
            # (4 unchanged attributes hidden)
        }
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

References

No response
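
Added example, not code from the issue author or the Cloudflare provider: a small Python triage script for the situation above. It reads `terraform show -json` plan output and separates plan noise (attributes reported as "(known after apply)", write-only secrets the API never returns so they are re-sent every time, server defaults nulled because the config omits them) from a change between two known values. On an identity-provider resource the latter is what deserves a reviewer's eye: once a plan is permanently dirty, people approve it unread, and a real flip of something like `support_groups` or `directory_id` can ride through with the noise. The resource address, the embedded plan JSON (constructed to mirror the plan in the issue), the second "flipped" plan and the function names `classify`, `triage` and `real_changes` are all assumptions made for this example.

```python
"""Triage a Terraform JSON plan for an Access identity provider: separate plan
noise (computed attributes, write-only secrets, nulled server defaults) from
real changes to the IdP that a reviewer must look at."""
import json
from typing import Any, Optional

ADDRESS = "cloudflare_zero_trust_access_identity_provider.entra"  # assumed address

# Constructed sample shaped like `terraform show -json plan.out`, mirroring the
# plan in the issue: redirect_url and scim_config become unknown, secrets are
# sensitive and always re-sent, conditional_access_enabled goes false -> null.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [{
        "address": ADDRESS,
        "change": {
            "actions": ["update"],
            "before": {
                "config": {"client_id": "REDACTED", "client_secret": None,
                           "conditional_access_enabled": False, "directory_id": "REDACTED",
                           "pkce_enabled": True, "support_groups": False,
                           "redirect_url": "https://REDACTED.cloudflareaccess.com/cdn-cgi/access/callback"},
                "id": "REDACTED", "name": "Entra ID", "type": "azureAD",
                "scim_config": {"enabled": False, "identity_update_behavior": "no_action",
                                "scim_base_url": "https://REDACTED.cloudflareaccess.com/scim/REDACTED",
                                "secret": None, "user_deprovision": False},
            },
            "after": {
                "config": {"client_id": "REDACTED", "client_secret": "REDACTED",
                           "conditional_access_enabled": None, "directory_id": "REDACTED",
                           "pkce_enabled": True, "support_groups": False},
                "id": "REDACTED", "name": "Entra ID", "type": "azureAD",
            },
            "after_unknown": {"config": {"redirect_url": True}, "scim_config": True},
            "before_sensitive": {"config": {"client_secret": True}, "scim_config": {"secret": True}},
            "after_sensitive": {"config": {"client_secret": True}},
        },
    }],
})

# Same constructed plan with one real change added: support_groups flipped to
# true, which would start feeding group claims into Access policies.
_flipped = json.loads(SAMPLE_PLAN)
_flipped["resource_changes"][0]["change"]["after"]["config"]["support_groups"] = True
FLIPPED_PLAN = json.dumps(_flipped)


def _flatten(obj: Any, prefix: str = "") -> dict[str, Any]:
    """Map dotted attribute paths to leaf values; a non-empty dict recurses."""
    if isinstance(obj, dict) and obj:
        flat: dict[str, Any] = {}
        for key, val in obj.items():
            flat.update(_flatten(val, f"{prefix}{key}."))
        return flat
    return {prefix.rstrip("."): obj}


def _marked_root(marks: dict[str, Any], path: str) -> Optional[str]:
    """Shortest prefix of `path` that a marker map (after_unknown, *_sensitive) sets to true."""
    parts = path.split(".")
    for i in range(1, len(parts) + 1):
        prefix = ".".join(parts[:i])
        if marks.get(prefix) is True:
            return prefix
    return None


def classify(change: dict[str, Any]) -> dict[str, str]:
    """Label every differing attribute path of one resource_changes[].change entry."""
    before = _flatten(change.get("before") or {})
    after = _flatten(change.get("after") or {})
    unknown = _flatten(change.get("after_unknown") or {})
    sensitive = {**_flatten(change.get("before_sensitive") or {}),
                 **_flatten(change.get("after_sensitive") or {})}
    labels: dict[str, str] = {}
    for path in sorted(before.keys() | after.keys() | unknown.keys()):
        old, new = before.get(path), after.get(path)
        root = _marked_root(unknown, path)
        if root is not None:
            labels[root] = "computed"          # "(known after apply)": provider-side noise
        elif old == new:
            continue                           # unchanged
        elif _marked_root(sensitive, path) and old is None and new is not None:
            labels[path] = "secret-resent"     # API never returns it, so it always looks new
        elif new is None and old is not None:
            labels[path] = "unset-in-config"   # a server default would be nulled: worth a look
        else:
            labels[path] = "changed"           # two known values differ: a real change
    return labels


def triage(plan_json: str) -> dict[str, dict[str, str]]:
    """Classify every non-no-op resource in a `terraform show -json` plan."""
    plan = json.loads(plan_json)
    return {rc["address"]: classify(rc["change"])
            for rc in plan.get("resource_changes", [])
            if rc["change"]["actions"] != ["no-op"]}


def real_changes(plan_json: str) -> list[tuple[str, str]]:
    """(address, path) pairs whose value actually moves between two known values."""
    return sorted((addr, path) for addr, labels in triage(plan_json).items()
                  for path, label in labels.items() if label == "changed")


if __name__ == "__main__":
    # For a real plan: terraform plan -out=plan.out && terraform show -json plan.out > plan.json,
    # then call triage(open("plan.json").read()). Here the constructed samples are used.
    for addr, labels in triage(SAMPLE_PLAN).items():
        print(addr)
        for path, label in labels.items():
            print(f"  {label:16} {path}")
    print("real changes:", real_changes(FLIPPED_PLAN))
```

The classifier only trusts `after_unknown` and the sensitivity maps that Terraform itself emits, so it cannot hide a change the plan does show; `unset-in-config` entries such as `conditional_access_enabled = false -> null` are still listed, because whether the API keeps its default when sent null is a question for the provider, not the script. A CI gate can fail only when `real_changes` is non-empty instead of on any non-empty plan.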

dominiquehunziker added the kind/bug and needs-triage labels Apr 25, 2025
marcnyholm commented

Seeing the exact same issue here on an Okta type resource.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # cloudflare_zero_trust_access_identity_provider.okta will be updated in-place
  ~ resource "cloudflare_zero_trust_access_identity_provider" "okta" {
      ~ config      = {
          + client_secret  = (sensitive value)
          + prompt         = "none"
          ~ redirect_url   = "https://REDACTED.cloudflareaccess.com/cdn-cgi/access/callback" -> (known after apply)
          + support_groups = true
            # (2 unchanged attributes hidden)
        }
        id          = "REDACTED"
        name        = "Okta"
      ~ scim_config = {
          ~ scim_base_url            = "https://REDACTED.cloudflareaccess.com/scim/REDACTED" -> (known after apply)
          ~ secret                   = (sensitive value)
            # (4 unchanged attributes hidden)
        }
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

On Mac ARM with same versions:

Terraform v1.11.4
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v5.3.0

jhutchings1 added the version/5 label Apr 25, 2025
jhutchings1 (Collaborator) commented

@dominiquehunziker can you provide debug logs here? I'm going to open an issue for an internal team to have a look, but I trust that'll be the first thing they need to root cause the issue.

jhutchings1 removed the needs-triage label Apr 28, 2025
dominiquehunziker (Author) commented
