
cloudflare_api_token resource always shows changes (drift) #5548

@boillodmanuel

Description


Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.9.8
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v5.3.0

Affected resource(s)

  • cloudflare_api_token

Terraform configuration files

terraform {
  required_version = ">= 1.0"
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~>5.3"
    }
  }
  backend "local" {}
}

provider "cloudflare" {
  email   = local.CLOUDFLARE_EMAIL
  api_key = local.CLOUDFLARE_API_KEY
}


data "cloudflare_api_token_permission_groups_list" "all" {
}

locals {
  api_token_zone_permissions_groups_map = {
    for perm in data.cloudflare_api_token_permission_groups_list.all.result :
    perm.name => perm.id
    if contains(perm.scopes, "com.cloudflare.api.account.zone")
  }
}

resource "cloudflare_api_token" "test_api_token" {
  name   = "test-cf-v5-api-token"
  status = "active"

  policies = [{
    effect = "allow"
    permission_groups = [
      { "id" = local.api_token_zone_permissions_groups_map["DNS Write"] },
      { "id" = local.api_token_zone_permissions_groups_map["Zone Read"] },
    ]
    resources = {
      "com.cloudflare.api.account.${local.ACCOUNT_ID}" = "*"
    }
  }]
}

Link to debug output

no

Panic output

No response

Expected output

No changes detected

Actual output

Terraform will perform the following actions:

  # cloudflare_api_token.test_api_token will be updated in-place
  ~ resource "cloudflare_api_token" "test_api_token" {
      + condition    = (known after apply)
        id           = "de493ea5bbd25d3b48f6f66abe35fdde"
      ~ issued_on    = "2025-05-05T09:22:28Z" -> (known after apply)
      + last_used_on = (known after apply)
      ~ modified_on  = "2025-05-05T09:37:52Z" -> (known after apply)
        name         = "test-cf-v5-api-token"
      ~ policies     = [
          ~ {
              ~ id                = "2d6f78b5a2f041a9967083e295e01c87" -> (known after apply)
              ~ permission_groups = [
                  ~ {
                      ~ id   = "c8fed203ed3043cba015a93ad1616f1f" -> "4755a26eedb94da69e1066d98aa820be"
                      ~ name = "Zone Read" -> (known after apply)
                    },
                  ~ {
                      ~ id   = "4755a26eedb94da69e1066d98aa820be" -> "c8fed203ed3043cba015a93ad1616f1f"
                      ~ name = "DNS Write" -> (known after apply)
                    },
                ]
                # (2 unchanged attributes hidden)
            },
        ]
      ~ value        = (sensitive value)
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Steps to reproduce

terraform apply with above code

Additional factoids

No response

References

No response
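The plan above changes only the order of the two `permission_groups` entries (the same two ids swap positions) while every other diff is a server-computed attribute shown as (known after apply). A quick way to tell that kind of cosmetic drift from a real permission change, before applying a plan that touches a credential, is to compare the policies order-insensitively from the machine-readable plan. The script below is an added example, not part of the issue or the provider's code. It assumes the JSON layout produced by `terraform show -json <planfile>` (`resource_changes[].change` with `before`, `after` and `after_unknown`) and that a policy's `permission_groups` is a list of `{"id": ..., "name": ...}` objects as in the plan output above; the embedded sample plan is constructed here to mirror the issue's plan plus a second, constructed token whose group set genuinely shrinks, with the account id replaced by a placeholder.

```python
"""Classify `terraform show -json` updates to cloudflare_api_token resources as
ordering-only (no real drift) or a real permission change.

Added example for the issue above; not provider code. Assumes the standard
`terraform show -json` plan layout (resource_changes[].change.before/after/
after_unknown). Sample plan is constructed to mirror the issue's plan output."""
import json
from collections import Counter

# Scalar attributes whose change would be a real modification of the token.
TRACKED_ATTRS = ("name", "status", "expires_on", "not_before")


def _policy_key(policy):
    """Order-insensitive fingerprint of one policy: effect, the *set* of
    permission-group ids, and the resources map. The group `name` is ignored
    because the provider reports it as (known after apply); the policy `id`
    is server-assigned and ignored for the same reason."""
    groups = frozenset(pg["id"] for pg in policy.get("permission_groups") or [])
    resources = tuple(sorted((policy.get("resources") or {}).items()))
    return (policy.get("effect"), groups, resources)


def classify_token_changes(plan):
    """Return one verdict per updated cloudflare_api_token in the plan:
    "ordering_only" when policies match as multisets and no tracked scalar
    attribute changed, else "real_change" with the reasons."""
    results = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "cloudflare_api_token":
            continue
        change = rc.get("change", {})
        if "update" not in change.get("actions", []):
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        reasons = []
        if (Counter(_policy_key(p) for p in before.get("policies") or [])
                != Counter(_policy_key(p) for p in after.get("policies") or [])):
            reasons.append("policies differ beyond ordering")
        for attr in TRACKED_ATTRS:
            if unknown.get(attr) is True:
                continue  # computed at apply time, not a diff against config
            if before.get(attr) != after.get(attr):
                reasons.append(f"{attr}: {before.get(attr)!r} -> {after.get(attr)!r}")
        results.append({"address": rc.get("address"),
                        "verdict": "real_change" if reasons else "ordering_only",
                        "reasons": reasons})
    return results


def load_plan(path):
    """Read a plan produced by `terraform show -json tfplan > plan.json`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


_ZONE_READ = {"id": "c8fed203ed3043cba015a93ad1616f1f", "name": "Zone Read"}
_DNS_WRITE = {"id": "4755a26eedb94da69e1066d98aa820be", "name": "DNS Write"}
_RESOURCES = {"com.cloudflare.api.account.ACCOUNT_ID_PLACEHOLDER": "*"}  # placeholder

# Constructed sample plan: entry 1 mirrors the issue (same ids, swapped order);
# entry 2 is a constructed token whose DNS Write group is removed after refresh.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "cloudflare_api_token.test_api_token", "type": "cloudflare_api_token",
         "change": {"actions": ["update"],
                    "before": {"name": "test-cf-v5-api-token", "status": "active",
                               "policies": [{"effect": "allow",
                                             "permission_groups": [_ZONE_READ, _DNS_WRITE],
                                             "resources": _RESOURCES}]},
                    "after": {"name": "test-cf-v5-api-token", "status": "active",
                              "policies": [{"effect": "allow",
                                            "permission_groups": [{"id": _DNS_WRITE["id"]},
                                                                  {"id": _ZONE_READ["id"]}],
                                            "resources": _RESOURCES}]},
                    "after_unknown": {"issued_on": True, "modified_on": True, "value": True}}},
        {"address": "cloudflare_api_token.constructed_example", "type": "cloudflare_api_token",
         "change": {"actions": ["update"],
                    "before": {"name": "constructed-token", "status": "active",
                               "policies": [{"effect": "allow",
                                             "permission_groups": [_ZONE_READ, _DNS_WRITE],
                                             "resources": _RESOURCES}]},
                    "after": {"name": "constructed-token", "status": "active",
                              "policies": [{"effect": "allow",
                                            "permission_groups": [{"id": _ZONE_READ["id"]}],
                                            "resources": _RESOURCES}]},
                    "after_unknown": {"issued_on": True, "modified_on": True, "value": True}}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(classify_token_changes(SAMPLE_PLAN), indent=2))
```

Run it against a real plan with `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and then `classify_token_changes(load_plan("plan.json"))`. An "ordering_only" verdict means applying the plan will not change what the token can do, which is the situation reported above; a "real_change" verdict on a token resource deserves a look before apply, since the resource's `value` is a live credential.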

Metadata

Assignees

No one assigned

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • version/5: Categorizes issue or PR as related to version 5 of the provider.
