Terraform Cloudflare provider stopped creating access apps

We are using Cloudflare ZTNA to secure our dynamic development environments built on AWS. We create many tunnels to individual apps, all using the replicated access policies. Today, August 15th 2023, our Terraform provider repeatedly failed creating access policies for the tunnels (a task it has been doing for months). Cloudflare Terraform provider version is 4.12 (latest).

resource "cloudflare_access_policy" "no_auth_review_policies" {
  for_each = toset(["www", "admin", "api"])

  application_id = cloudflare_access_application.review_apps[each.key].id
  zone_id        = data.terraform_remote_state.common.outputs.cloudflare_zone_kaiyo_staging_id
  name           = "Bypass policy for ${each.key}-review-${var.review_environment_name}"
  precedence     = 1
  decision       = "bypass"
  # Bypass (no authentication) for requests matching the referenced Access group
  include {
    group = ["valid-cloudflare-access-group-guid"]
  }
}

This has been working fine! Now we get:

│ Error: error creating Access Policy for ID "": error from makeRequest: access.api.error.invalid_request: invalid 'include' configuration (12130)

For those curious, the ID it's referring to is created here:

resource "cloudflare_access_application" "review_apps" {
  for_each = toset(["www", "admin", "api"])

  zone_id          = data.terraform_remote_state.common.outputs.cloudflare_zone_some_domain_id
  name             = "${each.key}-review-${var.review_environment_name}"
  domain           = "${each.key}-review-${var.review_environment_name}.some-domain.com"
  session_duration = "1h"
}

So we have resolved our own problem here. We used to be able to have an access_policy that included a group which consisted of two IP addresses to drive our bypass rule. On Tuesday 8/15 at 3pm this behavior stopped working at Cloudflare.

After much debugging, adding the allowlisted IP addresses directly to the include statement in the access policy resolved the issue for us:

resource "cloudflare_access_policy" "no_auth_review_policies" {
  for_each = toset(["www", "admin", "api"])

  application_id = cloudflare_access_application.review_apps[each.key].id
  zone_id        = data.terraform_remote_state.common.outputs.cloudflare_zone_staging_id
  name           = "Bypass policy for ${each.key}-review-${var.review_environment_name}"
  precedence     = 1
  decision       = "bypass"
  # Allowlisted source IPs placed directly in the policy instead of via an Access group
  include {
    ip = [
      data.terraform_remote_state.common.outputs.gitlab-runner-ip,
      data.terraform_remote_state.common.outputs.office-ip,
      data.terraform_remote_state.common.outputs.vpn-public-ip
    ]
  }
}
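A bypass decision skips authentication entirely, so once the allowlist moves from an Access group into the policy's own `ip` include, that list is the whole security boundary for the review apps. The script below is an added example (not code from the post or from the Cloudflare provider) of a pre-apply check a practitioner might run in CI: it reads `terraform show -json <plan>` output, collects the `ip` entries of every `cloudflare_access_policy` whose decision is `bypass`, and rejects entries that do not parse, are broader than a chosen prefix limit, or overlap each other. The prefix limits, the sample plan document and the addresses in it (documentation ranges) are assumptions constructed for the example; the walk over `planned_values` assumes the provider 4.x layout where `include` is a list of blocks each carrying an optional `ip` list.

```python
"""Pre-apply check for Cloudflare Access *bypass* policies (added example).

Reads `terraform show -json plan.out` from stdin, or falls back to the
constructed SAMPLE_PLAN below when run without input.
"""
import ipaddress
import json
import sys

# Widest prefix accepted in a bypass allowlist (assumption chosen for this example).
MAX_PREFIX = {4: 24, 6: 64}


def check_bypass_allowlist(entries, max_prefix=MAX_PREFIX):
    """Return (ok, problems) for a list of Access 'ip' include entries.

    Bare addresses count as single hosts (/32 or /128). Problems are collected
    rather than raised so one CI run reports everything at once.
    """
    problems = []
    seen = []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not a valid IP address or CIDR")
            continue
        if net.prefixlen < max_prefix[net.version]:
            problems.append(
                f"{entry}: /{net.prefixlen} is broader than the /{max_prefix[net.version]} limit"
            )
        for other in seen:
            if net.version == other.version and (net.subnet_of(other) or other.subnet_of(net)):
                problems.append(f"{entry}: overlaps {other} already in the list")
        seen.append(net)
    return (not problems, problems)


def bypass_ips_from_plan(plan):
    """Map resource address -> ip entries for every bypass cloudflare_access_policy
    in a `terraform show -json` document (assumed provider 4.x schema)."""
    found = {}

    def walk(module):
        for res in module.get("resources", []):
            vals = res.get("values") or {}
            if res.get("type") != "cloudflare_access_policy" or vals.get("decision") != "bypass":
                continue
            ips = []
            for block in vals.get("include") or []:
                ips.extend(block.get("ip") or [])
            found[res["address"]] = ips
        for child in module.get("child_modules", []):
            walk(child)

    walk(plan.get("planned_values", {}).get("root_module", {}))
    return found


# Constructed sample plan: documentation-range addresses, not real hosts.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": 'cloudflare_access_policy.no_auth_review_policies["www"]',
                    "type": "cloudflare_access_policy",
                    "values": {
                        "decision": "bypass",
                        "include": [{"ip": ["192.0.2.10", "198.51.100.0/24", "203.0.113.7/32"]}],
                    },
                },
                {
                    "address": 'cloudflare_access_policy.no_auth_review_policies["api"]',
                    "type": "cloudflare_access_policy",
                    "values": {
                        "decision": "bypass",
                        # Deliberately bad: whole internet, a typo, and two overlapping entries.
                        "include": [{"ip": ["0.0.0.0/0", "not-an-ip", "198.51.100.0/24", "198.51.100.9"]}],
                    },
                },
            ]
        }
    }
}


def main(plan_source=None):
    """Check every bypass policy in the plan; return 1 if any is rejected."""
    plan = json.load(plan_source) if plan_source else SAMPLE_PLAN
    exit_code = 0
    for address, ips in bypass_ips_from_plan(plan).items():
        ok, problems = check_bypass_allowlist(ips)
        print(f"{address}: {'ok' if ok else 'REJECTED'} ({len(ips)} entries)")
        for problem in problems:
            print(f"  - {problem}")
        if not ok:
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    # Usage: terraform show -json plan.out | python check_bypass.py
    sys.exit(main(sys.stdin if not sys.stdin.isatty() else None))
```

The check only covers `ip` includes; a policy that still references a `group` GUID is passed through untouched, since the group's membership is not visible in the plan. Wire it in after `terraform plan -out plan.out` and before `terraform apply` so a mistyped or overly broad address never reaches an unauthenticated bypass rule.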