Resource "cloudflare_ruleset"

Greetings! My question is about adding new rules with the Cloudflare provider's `cloudflare_ruleset` resource. The problem is that every time the configuration is applied after a rule has been added, Terraform plans to rewrite all of the existing rules instead of leaving them in place.

main.tf module


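locals {
  # Flatten var.ruleset (action => { description => { expression, products? } })
  # into one flat list of candidate rules for the block / managed_challenge actions.
  tmp_ruleset = flatten([for key, value in var.ruleset : [
    for index, value2 in value : {
      block_action      = key
      block_description = index
      block_expression  = value2.expression
      #priority = value2.priority
    }]
  ])

  # Same flattening for skip rules. `products` is only set on skip rules, so
  # default it to null instead of failing on entries that do not define it.
  tmp_ruleset2 = flatten([for key, value in var.ruleset : [
    for index, value2 in value : {
      skip_action      = key
      skip_description = index
      skip_expression  = value2.expression
      skip_products    = lookup(value2, "products", null)
      #priority = value3.priority
    }]
  ])

  # Both maps are keyed by description, so descriptions must be unique.
  # NOTE(review): a `dynamic` block iterates a map in lexical key order, and
  # cloudflare_ruleset.rules is an ordered list. Adding a key that sorts before
  # existing ones (e.g. "eleven" lands between "eight" and "five") shifts every
  # later rule's position, and the provider then rewrites each shifted rule
  # (new id/ref/version) even though its content did not change. If rules are
  # meant to keep their identity across applies, order them explicitly — e.g.
  # the commented-out priority, or zero-padded numeric key prefixes — so new
  # rules append rather than insert.
  # Only "block" and "managed_challenge" pass this filter; any other action in
  # var.ruleset (e.g. "challenge", "js_challenge", "log") is silently dropped.
  local_ruleset  = { for rule in local.tmp_ruleset : rule.block_description => rule if (rule.block_action == "block") || (rule.block_action == "managed_challenge") }
  local_ruleset2 = { for rule in local.tmp_ruleset2 : rule.skip_description => rule if (rule.skip_action == "skip") }
}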

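resource "cloudflare_ruleset" "cf_ruleset" {
  zone_id     = var.zone_id
  name        = "base ruleset"
  description = join("_", tolist([var.zone_name, "base"]))
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  # NOTE(review): `rules` is an ordered list and Cloudflare evaluates custom
  # rules top to bottom. The block/managed_challenge rules are emitted first
  # here, so a request matching one of them is handled before any skip rule
  # below is ever reached. If the skip rules are meant to exempt traffic (for
  # example the allow-listed ip.src) from these custom rules, they must come
  # first and skip the current ruleset (action_parameters.ruleset = "current");
  # `products` alone only bypasses the listed legacy products — confirm which
  # behaviour is intended.
  #
  # Each dynamic block iterates its map in lexical key order. Adding a key that
  # sorts before existing ones shifts every later rule's list position, and the
  # provider rewrites those rules (new id/ref/version). That is the "overwrite"
  # seen in the plan: a positional shift, not a change to the rules' content.
  dynamic "rules" {
    for_each = local.local_ruleset
    content {
      action      = rules.value.block_action
      description = rules.value.block_description
      expression  = rules.value.block_expression
      enabled     = true
    }
  }

  dynamic "rules" {
    for_each = local.local_ruleset2
    content {
      action = rules.value.skip_action
      action_parameters {
        products = rules.value.skip_products
      }
      # Keep logging on for skip rules so bypassed requests still show up in
      # Security Events; otherwise exempted traffic becomes invisible.
      logging {
        enabled = true
      }
      description = rules.value.skip_description
      expression  = rules.value.skip_expression
      enabled     = true
    }
  }
}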

main.tf zone


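cf_ruleset = {
  # action => { description => rule }. Descriptions are used as map keys by the
  # module, so they must be unique within an action, and they also determine
  # rule order (lexical: "Enabled_test" sorts before the lowercase keys).
  skip = {
    one = {
      expression = "ip.src in {2.2.2.2}"
      # Legacy products bypassed for matching requests (per Cloudflare docs:
      # Zone Lockdown, User Agent Blocking, Browser Integrity Check, Hotlink
      # Protection, Security Level). Custom rules in this ruleset are not
      # bypassed by a products-only skip.
      products = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    two = {
      expression = "(http.host eq \"test.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    three = {
      expression = "(http.host eq \"ddos.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    four = {
      expression = "(http.host eq \"provider.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
  }
  managed_challenge = {
    five = {
      # Challenges every request whose source country is not CN.
      expression = "ip.geoip.country ne \"CN\""
    }
    six = {
      expression = "ip.src in {12.12.12.12}"
    }
    Enabled_test = {
      # Same expression as "six"; two rules with the same match only differ
      # in description here.
      expression = "ip.src in {12.12.12.12}"
    }
  }
  block = {
    seven = {
      expression = "(http.host eq \"2cash.ph\")"
    }
    eight = {
      expression = "(ip.src in {8.8.8.8})"
    }
    nine = {
      expression = "ip.src in {100.1.1.1}"
    }
    ten = {
      expression = "(http.host eq \"google.com\")"
    }
    eleven = {
      expression = "(ip.src in {1.1.1.1})"
    }
  }
}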

And the resulting plan:


~ resource "cloudflare_ruleset" "cf_ruleset" {
id = "3111316b8b344d38b7bf32dea35ff540"
name = "base ruleset"

(4 unchanged attributes hidden)

  ~ rules {
      ~ id           = "f5cb829e6d6a409f970a11856985e521" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "f5cb829e6d6a409f970a11856985e521" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (4 unchanged attributes hidden)
    }
  ~ rules {
      ~ id           = "5c48c86b4e5248409dc17c5637e8c528" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "5c48c86b4e5248409dc17c5637e8c528" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (4 unchanged attributes hidden)
    }
  ~ rules {
      ~ action       = "managed_challenge" -> "block"
      ~ description  = "five" -> "eleven"
      ~ expression   = "ip.geoip.country ne \"CN\"" -> "(ip.src in {1.1.1.1})"
      ~ id           = "e128b5a7cdc84ea0a7d12104ddca471f" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "e128b5a7cdc84ea0a7d12104ddca471f" -> (known after apply)
      ~ version      = "1" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
  ~ rules {
      ~ action       = "block" -> "managed_challenge"
      ~ description  = "nine" -> "five"
      ~ expression   = "ip.src in {100.1.1.1}" -> "ip.geoip.country ne \"CN\""
      ~ id           = "1c2c43cb08cd4420b4401eeff3d93a52" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "1c2c43cb08cd4420b4401eeff3d93a52" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
  ~ rules {
      ~ description  = "seven" -> "nine"
      ~ expression   = "(http.host eq \"2cash.ph\")" -> "ip.src in {100.1.1.1}"
      ~ id           = "b51e2848320c4b2f89d776b249ada184" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "b51e2848320c4b2f89d776b249ada184" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (2 unchanged attributes hidden)
    }
  ~ rules {
      ~ action       = "managed_challenge" -> "block"
      ~ description  = "six" -> "seven"
      ~ expression   = "ip.src in {12.12.12.12}" -> "(http.host eq \"2cash.ph\")"
      ~ id           = "22a4066563934a579456df8ab92ed7e3" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "22a4066563934a579456df8ab92ed7e3" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
  ~ rules {
      ~ action       = "block" -> "managed_challenge"
      ~ description  = "ten" -> "six"
      ~ expression   = "(http.host eq \"google.com\")" -> "ip.src in {12.12.12.12}"
      ~ id           = "35a1019d748b488aa40fa6429000b7ad" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "35a1019d748b488aa40fa6429000b7ad" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (1 unchanged attribute hidden)
    }
  ~ rules {
      ~ action       = "skip" -> "block"
      ~ description  = "four" -> "ten"
      ~ expression   = "(http.host eq \"provider.com\")" -> "(http.host eq \"google.com\")"
      ~ id           = "b5c27a330048448b908b449a235d20cd" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "b5c27a330048448b908b449a235d20cd" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (1 unchanged attribute hidden)

      - action_parameters {
          - products = [
              - "bic",
              - "hot",
              - "securityLevel",
              - "uaBlock",
              - "zoneLockdown",
            ] -> null
        }

      - logging {
          - enabled = true -> null
        }
    }
  ~ rules {
      ~ description  = "one" -> "four"
      ~ expression   = "ip.src in {2.2.2.2}" -> "(http.host eq \"provider.com\")"
      ~ id           = "59b4d905da9c4953b77ed4d84857b810" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "59b4d905da9c4953b77ed4d84857b810" -> (known after apply)
      ~ version      = "2" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ action_parameters {
          + version  = (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }
  ~ rules {
      ~ description  = "three" -> "one"
      ~ expression   = "(http.host eq \"ddos.com\")" -> "ip.src in {2.2.2.2}"
      ~ id           = "95ca6b67da33490cbb84ee22e61b9d2b" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "95ca6b67da33490cbb84ee22e61b9d2b" -> (known after apply)
      ~ version      = "1" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ action_parameters {
          + version  = (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }
  ~ rules {
      ~ description  = "two" -> "three"
      ~ expression   = "(http.host eq \"zaymer.com\")" -> "(http.host eq \"ddos.com\")"
      ~ id           = "85e698e431574a738c1117748e7e3b15" -> (known after apply)
      ~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
      ~ ref          = "85e698e431574a738c1117748e7e3b15" -> (known after apply)
      ~ version      = "1" -> (known after apply)
        # (2 unchanged attributes hidden)

      ~ action_parameters {
          + version  = (known after apply)
            # (1 unchanged attribute hidden)
        }

        # (1 unchanged block hidden)
    }
  + rules {
      + action       = "skip"
      + description  = "two"
      + enabled      = true
      + expression   = "(http.host eq \"zaymer.com\")"
      + id           = (known after apply)
      + last_updated = (known after apply)
      + ref          = (known after apply)
      + version      = (known after apply)

      + action_parameters {
          + products = [
              + "bic",
              + "hot",
              + "securityLevel",
              + "uaBlock",
              + "zoneLockdown",
            ]
          + version  = (known after apply)
        }

      + logging {
          + enabled = true
        }
    }
}

Adding a single rule (`eleven`) causes every rule after it in the list to be rewritten: the plan above shows each later position's action/description/expression changing to the neighbouring rule's values, with a new id/ref/version, and the former last rule (`two`) being re-added at the end — even though none of the existing rules changed in the configuration.
I don't know what else to try.
Terraform version: 1.7.5
Cloudflare provider version: 4.30.0
