cloudflare_custom_ssl fails when running apply multiple times

[dominiquehunziker]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.11.4
on linux_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v5.3.0

Affected resource(s)

• cloudflare_custom_ssl

Terraform configuration files

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.3"
    }
  }
}

provider "cloudflare" {
  api_token = "REDACTED"
}

resource "cloudflare_custom_ssl" "tunnel" {
  zone_id = "REDACTED"

  certificate = <<EOF
REDACTED
EOF
  private_key = <<EOF
REDACTED
EOF

  bundle_method = "ubiquitous"
  geo_restrictions = {
    label = "eu"
  }
  type = "sni_custom"
}

Link to debug output

https://gist.github.com/dominiquehunziker/b4a489fd360b4bc783d8234917f4f08f

Panic output

Error: Provider produced inconsistent result after apply

When applying changes to cloudflare_custom_ssl.tunnel, provider
"provider["registry.terraform.io/cloudflare/cloudflare"]" produced an
unexpected new value: .id: was
cty.StringVal("8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472"), but now
cty.StringVal("180beff6-1cfe-479d-baae-c4f90e205615").

This is a bug in the provider, which should be reported in the provider's
own issue tracker.

Expected output

Multiple terraform apply should not result in changes.

Actual output

cloudflare_custom_ssl.tunnel: Refreshing state... [id=8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472]

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

# cloudflare_custom_ssl.tunnel will be updated in-place
~ resource "cloudflare_custom_ssl" "tunnel" {
      + certificate      = <<-EOT
        REDACTED
        EOT
      ~ expires_on       = "2025-07-20T23:59:59Z" -> (known after apply)
      ~ hosts            = [
          - "REDACTED",
        ] -> (known after apply)
        id               = "8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472"
      ~ issuer           = "SectigoLimited" -> (known after apply)
      + keyless_server   = (known after apply)
      ~ modified_on      = "2025-04-25T10:06:55Z" -> (known after apply)
      + private_key      = (sensitive value)
      ~ signature        = "SHA256WithRSA" -> (known after apply)
      ~ status           = "active" -> (known after apply)
      ~ uploaded_on      = "2025-04-25T10:06:53Z" -> (known after apply)
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
cloudflare_custom_ssl.tunnel: Modifying... [id=8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472]
cloudflare_custom_ssl.tunnel: Still modifying... [id=8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472, 10s elapsed]
cloudflare_custom_ssl.tunnel: Still modifying... [id=8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472, 20s elapsed]
cloudflare_custom_ssl.tunnel: Still modifying... [id=8ef369eb-5a56-47b9-aaf4-9eeeb8a3c472, 30s elapsed]

Steps to reproduce

• run terraform apply multiple times

Additional factoids

No response

References

• potentially related to cloudflare_custom_ssl resource update failing in provider v5.2.0 #5454

[jhutchings1]

Hello, I've opened an internal ticket to track this one within the team. Thanks!