Terraform Provider seems to see erroneous response to query for a DNS zone CAA reso

For Workers & Pages, what is the name of the domain?

dcmoeller.de

What is the issue or error you’re encountering

Terraform Provider fails with Error: didn't get any DNS records for hostname: [HOSTNAME]

What are the steps to reproduce the issue?

I’m using the Terraform Provider to manage my Cloudflare data sets. One of the operations requests data regarding CAA resource records, and this one fails all the time, regardless of what I configure.

So I switched on Terraform debugging (export TF_LOG=DEBUG) to get more details, and get the following (excerpt, removed timestamp and log level from each line, and formatted JSON response body):

provider.terraform-provider-cloudflare_v4.36.0: 2024/07/03 11:01:23 
provider.terraform-provider-cloudflare_v4.36.0: GET /client/v4/zones/[ZONE_ID]/dns_records?content=0+issue+letsencrypt.org&name=[HOSTNAME]&page=1&per_page=100&type=CAA HTTP/1.1
provider.terraform-provider-cloudflare_v4.36.0: Host: api.cloudflare.com
provider.terraform-provider-cloudflare_v4.36.0: User-Agent: terraform-provider-cloudflare/4.36.0 terraform-plugin-sdk/2.34.0 terraform/1.9.0
provider.terraform-provider-cloudflare_v4.36.0: Content-Type: application/json
provider.terraform-provider-cloudflare_v4.36.0: X-Auth-Email: [redacted]
provider.terraform-provider-cloudflare_v4.36.0: X-Auth-Key: [redacted]
provider.terraform-provider-cloudflare_v4.36.0: Accept-Encoding: gzip
provider.terraform-provider-cloudflare_v4.36.0
provider.terraform-provider-cloudflare_v4.36.0: 2024/07/03 11:01:23 
provider.terraform-provider-cloudflare_v4.36.0: HTTP/2.0 200 OK
provider.terraform-provider-cloudflare_v4.36.0: Cf-Cache-Status: DYNAMIC
provider.terraform-provider-cloudflare_v4.36.0: Cf-Ray: 89d5b0ca2dc03614-FRA
provider.terraform-provider-cloudflare_v4.36.0: Content-Type: application/json
provider.terraform-provider-cloudflare_v4.36.0: Date: Wed, 03 Jul 2024 09:01:23 GMT
provider.terraform-provider-cloudflare_v4.36.0: Server: cloudflare
provider.terraform-provider-cloudflare_v4.36.0: Set-Cookie: [...]; SameSite=Lax; path=/; expires=Wed, 03-Jul-24 11:31:24 GMT; HttpOnly
provider.terraform-provider-cloudflare_v4.36.0: Set-Cookie: [...]; path=/; expires=Wed, 03-Jul-24 09:31:23 GMT; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
provider.terraform-provider-cloudflare_v4.36.0: Set-Cookie: [...]; path=/; domain=.api.cloudflare.com; HttpOnly; Secure; SameSite=None
provider.terraform-provider-cloudflare_v4.36.0: Vary: Accept-Encoding
provider.terraform-provider-cloudflare_v4.36.0
provider.terraform-provider-cloudflare_v4.36.0: {
  "result": {
    "id": "[ID]",
    "zone_id": "[ZONE_ID]",
    "zone_name": "[ZONE_NAME]",
    "name": "[NAME]",
    "type": "CNAME",                                      <=== HERE!
    "content": "xmpp-hosting.conversations.im",
    "proxiable": true,
    "proxied": false,
    "ttl": 3600,
    "locked": false,
    "meta": {
      "auto_added": false,
      "managed_by_apps": false,
      "managed_by_argo_tunnel": false
    },
    "comment": null,
    "tags": [],
    "created_on": "2020-05-12T08:20:18.419698Z",
    "modified_on": "2020-05-12T08:20:18.419698Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}

So the request asks for CAA record(s), but Cloudflare API’s response contains data regarding some CNAME resource record, which makes the Terraform Provider fail with

Error: didn't get any DNS records for hostname: [HOSTNAME]

So to me it seems to be an erroneous response of your API server.

Can you share the actual hostname?

Do you actually have both CAA and CNAME records for the same name?

Edit: Other than that, the best place to report issues would probably be GitHub: Issues · cloudflare/terraform-provider-cloudflare · GitHub

Hostname is yunohost.dcmoeller.de.

According to the list of DNS entries shown on the dashboard, there is no parallel CNAME entry with name yunohost, but another MX record, and in sum three different CAA records.

I’ve not posted it on GitHub, because looking at the debug output, my first impression was that the problem resides primarily on the server backend, not the provider client.

$ dig @8.8.8.8 yunohost.dcmoeller.de CAA

[...]

;; ANSWER SECTION:
yunohost.dcmoeller.de.	3600	IN	CAA	0 issue "letsencrypt.org"
yunohost.dcmoeller.de.	3600	IN	CAA	0 issuewild "letsencrypt.org"
yunohost.dcmoeller.de.	3600	IN	CAA	0 iodef "mailto:[email protected]"

[...]
$ dig @8.8.8.8 yunohost.dcmoeller.de CNAME

[...]

;; AUTHORITY SECTION:
dcmoeller.de.		1800	IN	SOA	marek.ns.cloudflare.com. dns.cloudflare.com. 2345490810 10000 2400 604800 1800

[...]
$ dig @8.8.8.8 yunohost.dcmoeller.de MX

[...]

;; ANSWER SECTION:
yunohost.dcmoeller.de.	3600	IN	MX	10 yunohost.dcmoeller.de.

[...]

Weird.

Best to report that bug via GitHub then I guess.

To further investigate, I started to test it “by hand”:

First querying for all CAA records:

$ curl --silent \
       --header 'Content-Type: application/json' \
       --header 'X-Auth-Email: [EMAIL]' \
       --header 'X-Auth-Key: [KEY]' \
       'https://api.cloudflare.com/client/v4/zones/[ZONE_ID]/dns_records?name=yunohost.dcmoeller.de&page=1&per_page=100&type=CAA' \
  | jq .
{
  "result": [
    {
      [...]
      "type": "CAA",
      "content": "0 iodef \"mailto:[EMAIL]\"",
      [...]
    },
    {
      [...]
      "type": "CAA",
      "content": "0 issuewild \"letsencrypt.org\"",
      [...]
    },
    {
      [...]
      "type": "CAA",
      "content": "0 issue \"letsencrypt.org\"",
      [...]
    }
  ],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 100,
    "count": 3,
    "total_count": 3,
    "total_pages": 1
  }
}

So far so good.

So now let’s query for a single CAA record, that has been reported within this response:

$ curl --silent \
       --header 'Content-Type: application/json' \
       --header 'X-Auth-Email: [EMAIL]' \
       --header 'X-Auth-Key: [KEY]' \
       'https://api.cloudflare.com/client/v4/zones/[ZONE_ID]/dns_records?name=yunohost.dcmoeller.de&page=1&per_page=100&type=CAA&content=0+issue+letsencrypt.org' \
  | jq .
{
  "result": [],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 100,
    "count": 0,
    "total_count": 0,
    "total_pages": 1
  }
}

Not found! Maybe we should query with the double quotes surrounding letsencrypt.org?

$ curl --silent \
       --header 'Content-Type: application/json' \
       --header 'X-Auth-Email: [EMAIL]' \
       --header 'X-Auth-Key: [KEY]' \
       'https://api.cloudflare.com/client/v4/zones/[ZONE_ID]/dns_records?name=yunohost.dcmoeller.de&page=1&per_page=100&type=CAA&content=0+issue+"letsencrypt.org"' \
  | jq .
{
  "result": [],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 100,
    "count": 0,
    "total_count": 0,
    "total_pages": 1
  }
}

Encoding the double quote as %22 yields the same empty response:

$ curl --silent \
       --header 'Content-Type: application/json' \
       --header 'X-Auth-Email: [EMAIL]' \
       --header 'X-Auth-Key: [KEY]' \
       'https://api.cloudflare.com/client/v4/zones/[ZONE_ID]/dns_records?name=yunohost.dcmoeller.de&page=1&per_page=100&type=CAA&content=0+issue+%22letsencrypt.org%22' \
  | jq .
{
  "result": [],
  "success": true,
  "errors": [],
  "messages": [],
  "result_info": {
    "page": 1,
    "per_page": 100,
    "count": 0,
    "total_count": 0,
    "total_pages": 1
  }
}

I think this is the reason why the Terraform Provider also fails when querying especially for this single CAA resource record, like so:

data "cloudflare_record" "for_import" {
  zone_id = "[ZONE_ID]"
  type = "CAA"
  hostname = "yunohost.${cloudflare_zone.dcmoeller_de.zone}"
  content = "0 issue letsencrypt.org"
}

Adding double quotes here around letsencrypt.org does not succeed either.

So how to query the API to get one of the reported CAA records exclusively?

Regards

Christian
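Since the name+type listing works while the content filter does not, one workaround is to keep the server-side filter to name and type and do the content match on the client, comparing CAA records after parsing rather than by string equality, so the quoted and unquoted forms of the value (the distinction the curl experiments above turn on) match the same record. The script below is an added example and is not code from Cloudflare, the Terraform provider, or the thread's author. It assumes only the response shape quoted in the thread (`result`, `success`, `errors`, and per-record `id`, `name`, `type`, `content`); the sample listing, the `example.test` names and the helper names (`parse_caa`, `select_caa`, `select_unique_caa`, `mismatched_types`) are constructed for this example. `mismatched_types` also reports any record whose type differs from the one requested, which is exactly the symptom in the provider's debug log (a CNAME returned for a CAA query) and is worth checking before trusting a filtered listing.

```python
"""Pick one CAA record out of a Cloudflare-style dns_records listing on the client.

Added example (not the provider's or Cloudflare's code). Assumes only the
JSON shape shown in the thread; all sample data below is constructed.
"""
import json
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample listing in the shape of the /dns_records response quoted
# in the thread. Ids, names and values are made up for this example.
SAMPLE_LISTING = json.dumps({
    "result": [
        {"id": "rec-1", "name": "yunohost.example.test", "type": "CAA",
         "content": "0 iodef \"mailto:hostmaster@example.test\"", "ttl": 3600},
        {"id": "rec-2", "name": "yunohost.example.test", "type": "CAA",
         "content": "0 issuewild \"letsencrypt.org\"", "ttl": 3600},
        {"id": "rec-3", "name": "yunohost.example.test", "type": "CAA",
         "content": "0 issue \"letsencrypt.org\"", "ttl": 3600},
        # A record of the wrong type, standing in for the CNAME the provider
        # received when it had asked for a CAA record.
        {"id": "rec-4", "name": "yunohost.example.test", "type": "CNAME",
         "content": "xmpp.example.test", "ttl": 3600},
    ],
    "success": True, "errors": [], "messages": [],
    "result_info": {"page": 1, "per_page": 100, "count": 4,
                    "total_count": 4, "total_pages": 1},
})


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_caa(content: str) -> CAA:
    """Parse CAA presentation format '<flags> <tag> <value>'.

    The value may or may not be wrapped in double quotes; both forms are
    normalized, so '0 issue letsencrypt.org' and '0 issue "letsencrypt.org"'
    parse to equal CAA instances. Tags are case-insensitive per RFC 8659.
    """
    parts = content.strip().split(None, 2)
    if len(parts) != 3:
        raise ValueError(f"not a CAA record: {content!r}")
    flags, tag, value = parts
    flags_int = int(flags)
    if not 0 <= flags_int <= 255:
        raise ValueError(f"CAA flags out of range: {flags_int}")
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return CAA(flags_int, tag.lower(), value)


def _records(listing_json: str) -> List[Dict]:
    data = json.loads(listing_json)
    if not data.get("success"):
        raise RuntimeError(f"API call failed: {data.get('errors')}")
    return data["result"]


def mismatched_types(listing_json: str, requested_type: str) -> List[str]:
    """Ids of records whose type differs from the type the query asked for."""
    return [r["id"] for r in _records(listing_json)
            if r["type"].upper() != requested_type.upper()]


def select_caa(listing_json: str, name: str, wanted: str) -> List[Dict]:
    """CAA records for `name` whose content equals `wanted` after parsing."""
    target = parse_caa(wanted)
    host = name.lower().rstrip(".")
    return [r for r in _records(listing_json)
            if r["type"] == "CAA"
            and r["name"].lower().rstrip(".") == host
            and parse_caa(r["content"]) == target]


def select_unique_caa(listing_json: str, name: str, wanted: str) -> Dict:
    """Like select_caa, but insist on exactly one match, as an import would."""
    matches = select_caa(listing_json, name, wanted)
    if len(matches) != 1:
        raise LookupError(f"expected 1 CAA record, got {len(matches)}")
    return matches[0]


if __name__ == "__main__":
    # Pipe a real listing in (curl with name= and type= only), or use the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print("wrong-type records:", mismatched_types(listing, "CAA"))
    rec = select_unique_caa(listing, "yunohost.example.test",
                            "0 issue letsencrypt.org")
    print("record id:", rec["id"])
```

Run against live data by piping the name+type curl query from above into the script (`curl ... | python3 select_caa.py`); the script only reads the listing, it never calls the API itself, so credentials stay in the curl invocation.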