Zone-Level Ruleset Import Uses Incorrect API Endpoint #4924

Open
3 tasks done
maheedharTumpudi opened this issue Jan 22, 2025 · 4 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@maheedharTumpudi

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform Cloudflare Provider: v4.50.0 (also tested with v4.51.0)
Terraform Version: v1.9.8

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

```hcl
resource "cloudflare_ruleset" "static-redirect-rule" {
  zone_id     = var.zone_id
  name        = var.name
  description = var.description
  kind        = var.kind
  phase       = var.phase

  dynamic "rules" {
    for_each = var.redirect-rules
    content {
      #ref = rules.key
      action = "redirect"
      action_parameters {
        from_value {
          status_code = 301
          target_url {
            value      = rules.value.target-url != "" ? rules.value.target-url : null
            expression = rules.value.target-expression != "" ? rules.value.target-expression : null
          }
          preserve_query_string = rules.value.preserve-query-string
        }
      }
      expression  = rules.value.expression
      description = rules.value.name
      enabled     = true
    }
  }
}
```

Link to debug output

https://gist.github.com/maheedharTumpudi/ecb34700753ca08ec6fe597ff73d3973

Panic output

No response

Expected output

Import successful

Actual output


```
│ Error: error reading ruleset ID "b4ea950b77334357a9a3a5ba25448521"
│
│ Authentication error (10000)
```

Steps to reproduce

  • Use the terraform import command to import a zone-level ruleset:

```
terraform import 'module.btuanalytics-com-static-redirect-rule.cloudflare_ruleset.static-redirect-rule' 'zones/a0f79b4c115310cf6189f9462908523a/b4ea950b77334357a9a3a5ba25448521'
```

  • Observe the debug logs showing that the provider makes a request to:

```
GET /client/v4/accounts/a0f79b4c115310cf6189f9462908523a/rulesets/b4ea950b77334357a9a3a5ba25448521
```

  • The request fails with the following error:

```json
{
  "success": false,
  "errors": [
    {
      "code": 10000,
      "message": "Authentication error"
    }
  ]
}
```

  • Manually testing the API via Postman confirms that the correct endpoint is:

```
GET /client/v4/zones/a0f79b4c115310cf6189f9462908523a/rulesets/b4ea950b77334357a9a3a5ba25448521
```

This request works and returns the expected response.

Additional factoids

The provider should correctly identify the scope of the ruleset as zone-level and make the API request to zones/<zone_id>/rulesets instead of accounts/<account_id>/rulesets.

Actual Behavior
The provider incorrectly uses the accounts/<account_id>/rulesets endpoint, causing the import to fail.

Relevant Debug Logs
```
2025-01-22T12:43:54.177+0530 [DEBUG] provider.terraform-provider-cloudflare_v4.51.0.exe: GET /client/v4/accounts/a0f79b4c115310cf6189f9462908523a/rulesets/b4ea950b77334357a9a3a5ba25448521 HTTP/1.1
2025-01-22T12:43:54.177+0530 [DEBUG] provider.terraform-provider-cloudflare_v4.51.0.exe: Host: api.cloudflare.com
```

References

No response
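Added example, not part of the original post and not the provider's code: a check that compares the scope in a ruleset import ID with the ruleset requests recorded in a Terraform debug log, and reports requests sent to a different scope or identifier. The function names, the import ID pattern (including the singular scope spelling) and the third log line are assumptions made for this illustration.

```python
import re

# Request line as the provider writes it to the Terraform debug log.
REQUEST_RE = re.compile(
    r"\b(GET|POST|PUT|PATCH|DELETE) /client/v4/(accounts|zones)/"
    r"([0-9a-f]{32})/rulesets/([0-9a-f]{32})\b"
)
# Assumed import ID shape: <scope>/<identifier>/<ruleset_id>, as in the command
# in the issue; the singular scope spelling is accepted too (assumption).
IMPORT_ID_RE = re.compile(r"^(accounts?|zones?)/([0-9a-f]{32})/([0-9a-f]{32})$")


def parse_import_id(import_id):
    """Return (scope, identifier, ruleset_id) with scope as 'accounts' or 'zones'."""
    m = IMPORT_ID_RE.match(import_id.strip())
    if m is None:
        raise ValueError(f"unrecognised ruleset import ID: {import_id!r}")
    scope = m.group(1) if m.group(1).endswith("s") else m.group(1) + "s"
    return scope, m.group(2), m.group(3)


def find_scope_mismatches(import_id, log_lines):
    """List ruleset requests whose scope or identifier differs from the import ID."""
    scope, ident, ruleset = parse_import_id(import_id)
    findings = []
    for lineno, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if m is None or m.group(4) != ruleset:
            continue  # not a request for the ruleset being imported
        method, req_scope, req_ident, _ = m.groups()
        if (req_scope, req_ident) != (scope, ident):
            findings.append({
                "line": lineno, "method": method,
                "requested": f"{req_scope}/{req_ident}",
                "expected": f"{scope}/{ident}",
            })
    return findings


IMPORT_ID = "zones/a0f79b4c115310cf6189f9462908523a/b4ea950b77334357a9a3a5ba25448521"
SAMPLE_LOG = [  # lines 1-2 are from the issue's debug log; line 3 is constructed
    "2025-01-22T12:43:54.177+0530 [DEBUG] provider.terraform-provider-cloudflare_v4.51.0.exe: GET /client/v4/accounts/a0f79b4c115310cf6189f9462908523a/rulesets/b4ea950b77334357a9a3a5ba25448521 HTTP/1.1",
    "2025-01-22T12:43:54.177+0530 [DEBUG] provider.terraform-provider-cloudflare_v4.51.0.exe: Host: api.cloudflare.com",
    "[DEBUG] constructed: GET /client/v4/zones/a0f79b4c115310cf6189f9462908523a/rulesets/b4ea950b77334357a9a3a5ba25448521 HTTP/1.1",
]

if __name__ == "__main__":
    for f in find_scope_mismatches(IMPORT_ID, SAMPLE_LOG):
        print(f"log line {f['line']}: {f['method']} went to {f['requested']}, "
              f"import ID says {f['expected']}")
```
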

@maheedharTumpudi maheedharTumpudi added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 22, 2025
Contributor

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Jan 22, 2025
Contributor

Thank you for opening this issue and sorry to hear you're hitting issues. Unfortunately, the reproduction case provided contains HCL dynamic expressions. Examples of these are:

Maintainers don't accept these as reproduction cases since using these constructs and expressions can hold their own logic bugs which are outside of the provider and not able to be diagnosed.

For maintainers to triage this issue, we recommend providing a minimal reproduction test case that only contains the impacted resources and can be easily reproduced in an isolated environment. Without providing this, maintainers are limited in what support they can provide.

@github-actions github-actions bot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Jan 22, 2025
@williamoconnorme

Thanks for sharing this issue. I hit this problem today also and couldn't see where in the provider this URL is set to patch this in a local version of the provider. In my scenario I was able to delete the ruleset via the Cloudflare API and then have Terraform re-create the ruleset. This is possibly not a mitigation option for anyone that can't remove their firewall rules temporarily.

@maheedharTumpudi
Author

@williamoconnorme True, not everyone will be able to delete and recreate critical resources. As you said, even I was able to delete and create the rulesets from Terraform, but this is happening only for imports, as the API call is being constructed incorrectly.
