ruleset rules are not available as a standalone resource

See: cloudflare_firewall_rule; and that's my point. Don't deprecate working functionality until a suitable alternative is in place.

from terraform-provider-cloudflare.

This is also really a bummer for us. It completely breaks building decoupled modules, since you have to put all your rules into a single cloudflare_ruleset resource.

The new approach is way worse regarding maintainability and makes managing rules way more fragile.
Previously, you could create the firewall rules your module needs inside your module. Now, you have to remember that there's some rule - which is located inside a completely different module - that affects your module, that you need to change when you change something in your module/or change some config via a variable. Like a hostname for example.

Ref #2688, #2907, #2423, #2634

from terraform-provider-cloudflare.

this is intentional and is not a bug. you should not attempt to manage resources in terraform and another source - see https://developers.cloudflare.com/terraform/advanced-topics/best-practices/#manage-terraform-resources-in-terraform. there is no way for terraform to know which are the ones you intend to keep when it comes to ordering or overriding so this is a manual operation.

if you already have some rules defined and the WAF migration is performed, you can use a tool like cf-terraforming to export the entirety of the Ruleset configuration or you can individually resolve the differences.

from terraform-provider-cloudflare.

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

from terraform-provider-cloudflare.

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

from terraform-provider-cloudflare.

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

from terraform-provider-cloudflare.

Added gist

from terraform-provider-cloudflare.

The resource was a rule, not a rule set. You're moving the goal post and then claiming the approach was wrong.

I'd be fine not using the new resource, but then don't deprecate the old. It's working just fine right now even with the new custom rule backend.

from terraform-provider-cloudflare.

ruleset rules are not available as a standalone resource so we are talking about rulesets as a unified view in this context. there may be a time in the future where rules are manageable individually however, that is not in the foreseeable future so that is the only option today.

from terraform-provider-cloudflare.