
Can't modify cipher on cloudflare_custom_hostname complaining with Certificate Authority selection is only available on an Enterprise plan #3898

Open
3 tasks done
mikim83 opened this issue Sep 4, 2024 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log.

Comments

@mikim83

mikim83 commented Sep 4, 2024

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v4.40.0
+ provider registry.terraform.io/hashicorp/aws v5.59.0

Affected resource(s)

cloudflare_custom_hostname

Terraform configuration files

# Resource label changed from "domain.example.com": Terraform resource labels
# may only contain letters, digits, underscores and dashes, so a dotted label
# does not parse. The hostname attribute keeps the real name.
resource "cloudflare_custom_hostname" "domain_example_com" {
  hostname = "domain.example.com"
  zone_id  = "MY_ZONE_ID"
  ssl {
    bundle_method = "ubiquitous"
    method        = "txt"
    settings {
      min_tls_version = "1.2"
      # Restrict TLS 1.2 to ECDHE key exchange with AEAD ciphers only.
      # Adding this list is the change that triggers the error below.
      ciphers = [
        "ECDHE-ECDSA-AES128-GCM-SHA256",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-CHACHA20-POLY1305",
        "ECDHE-RSA-CHACHA20-POLY1305",
      ]
    }
    type     = "dv"
    wildcard = false
  }
}

Link to debug output

https://gist.github.com/mikim83/d818322cb4f379166187ebd8e5666c01

Panic output

No response

Expected output

Success

Actual output

Error: failed to update custom hostname certificate: Certificate Authority selection is only available on an Enterprise plan. If you're interested in the Enterprise plan, please fill out this form and someone from our sales team will contact you: https://www.cloudflare.com/plans/enterprise/contact/ (1459)

Steps to reproduce

  1. Have a business plan on cloudflare

  2. Have the Advanced Certificate Manager addon

  3. Create and validate a custom_hostname like this (hostname corrected to the dotted form used in the configuration above; an underscore is not valid in a DNS hostname):
    resource "cloudflare_custom_hostname" "domain_example_com" {
      hostname = "domain.example.com"
      zone_id  = "MY_ZONE_ID"
      ssl {
        bundle_method = "ubiquitous"
        method        = "txt"
        settings {
          min_tls_version = "1.2"
        }
        type     = "dv"
        wildcard = false
      }
    }

  4. Modify the resource to define which SSL ciphers you want to allow:
    resource "cloudflare_custom_hostname" "domain_example_com" {
      hostname = "domain.example.com"
      zone_id  = "MY_ZONE_ID"
      ssl {
        bundle_method = "ubiquitous"
        method        = "txt"
        settings {
          min_tls_version = "1.2"
          # Only this block changed between step 3 and step 4.
          ciphers = [
            "ECDHE-ECDSA-AES128-GCM-SHA256",
            "ECDHE-RSA-AES128-GCM-SHA256",
            "ECDHE-ECDSA-AES256-GCM-SHA384",
            "ECDHE-RSA-AES256-GCM-SHA384",
            "ECDHE-ECDSA-CHACHA20-POLY1305",
            "ECDHE-RSA-CHACHA20-POLY1305",
          ]
        }
        type     = "dv"
        wildcard = false
      }
    }

  5. Apply changes and then you get this error:
    Error: failed to update custom hostname certificate: Certificate Authority selection is only available on an Enterprise plan. If you're interested in the Enterprise plan, please fill out this form and someone from our sales team will contact you: https://www.cloudflare.com/plans/enterprise/contact/ (1459)

Additional factoids

The official documentation from Cloudflare (link) explicitly says that:

With Advanced Certificate Manager or within Cloudflare for SaaS, you can restrict connections between Cloudflare and clients — such as your visitor’s browser — to specific cipher suites.
You may want to do this to follow specific recommendations, to disable weak cipher suites, or to comply with industry standards.

So, modifying the ciphers setting on the cloudflare_custom_hostname resource should be allowed with the ACM addon.

In fact, if I perform a curl directly against the Cloudflare API using the same API_TOKEN that Terraform uses, I can change the settings:

curl --request PATCH \
  "https://api.cloudflare.com/client/v4/zones/MY_ZONE_ID/custom_hostnames/HOSTNAME_ID" \
  --header "Authorization: Bearer API_TOKEN" \
  --header "Content-Type: application/json" \
  --data '{
    "ssl": {
      "type": "dv",
      "method": "http",
      "hosts": ["example.domain.com"],
      "settings": {
        "min_tls_version": "1.2",
        "ciphers": [
          "ECDHE-ECDSA-AES128-GCM-SHA256",
          "ECDHE-RSA-AES128-GCM-SHA256",
          "ECDHE-ECDSA-AES256-GCM-SHA384",
          "ECDHE-RSA-AES256-GCM-SHA384",
          "ECDHE-ECDSA-CHACHA20-POLY1305",
          "ECDHE-RSA-CHACHA20-POLY1305"
        ]
      },
      "bundle_method": "ubiquitous",
      "wildcard": false
    }
  }'

Once the curl is finished, if I perform a terraform plan I can see the changes done on the cloudflare api side.

I think the problem originates because the provider always sends the certificate_authority property, which may only be modified on the Enterprise plan.

References

No response

@mikim83 mikim83 added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 4, 2024
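The difference between the curl call that works and the provider call that fails comes down to which fields end up in the PATCH body. The script below is an added example written for this thread; it is not the Terraform provider's code and not an official Cloudflare client. It builds the custom-hostname PATCH body so that `certificate_authority` is sent only when the caller actually sets it, rejects any cipher that is not one of the ECDHE + AEAD suites from the post, and runs the body through a constructed stand-in for the API (`fake_custom_hostname_api`) that models the hypothesis stated above: on a non-Enterprise plan any `certificate_authority` field fails with code 1459. That stand-in, the plan names, and the placeholder CA value `"lets_encrypt"` are assumptions for illustration, not verified provider or API behaviour.

```python
"""Build a minimal Cloudflare custom-hostname PATCH body and check it the
way the post's curl call does, without the extra certificate_authority field.

Added example for this issue thread: not the provider's code and not an
official Cloudflare client. fake_custom_hostname_api() is a constructed
stand-in that models the post's hypothesis about error 1459.
"""
import json

# The six TLS 1.2 suites from the post: ECDHE key exchange, AEAD ciphers only.
STRONG_TLS12_CIPHERS = frozenset({
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-CHACHA20-POLY1305",
})


def check_ciphers(ciphers):
    """Return the suites that are not on the ECDHE+AEAD allowlist.

    An empty list means every requested suite is acceptable; anything else
    (RSA key exchange, CBC modes, 3DES, ...) is reported so the caller can
    refuse to send it."""
    return [c for c in ciphers if c not in STRONG_TLS12_CIPHERS]


def build_ssl_patch(method, ssl_type, min_tls_version, ciphers,
                    bundle_method="ubiquitous", wildcard=False,
                    certificate_authority=None):
    """Build the JSON body for PATCH /zones/{zone}/custom_hostnames/{id}.

    certificate_authority is included only when the caller sets it, which is
    the behaviour the post argues the provider should have. Weak ciphers
    raise before any request is built."""
    weak = check_ciphers(ciphers)
    if weak:
        raise ValueError(f"refusing non-ECDHE/AEAD suites: {weak}")
    ssl = {
        "type": ssl_type,
        "method": method,
        "bundle_method": bundle_method,
        "wildcard": wildcard,
        "settings": {
            "min_tls_version": min_tls_version,
            "ciphers": sorted(ciphers),
        },
    }
    if certificate_authority is not None:
        ssl["certificate_authority"] = certificate_authority
    return {"ssl": ssl}


def fake_custom_hostname_api(body, plan):
    """Constructed stand-in for the Cloudflare API (assumption, not the real
    service): on a non-Enterprise plan a certificate_authority field fails
    with code 1459, mirroring the error quoted in the post; otherwise the
    update is accepted and the applied settings are echoed back."""
    if plan != "enterprise" and "certificate_authority" in body["ssl"]:
        return {
            "success": False,
            "errors": [{
                "code": 1459,
                "message": "Certificate Authority selection is only "
                           "available on an Enterprise plan",
            }],
        }
    return {"success": True, "result": body["ssl"]["settings"]}


if __name__ == "__main__":
    ciphers = sorted(STRONG_TLS12_CIPHERS)
    # What the curl call sends: no certificate_authority, so a Business plan
    # with ACM is accepted by the stand-in.
    ok_body = build_ssl_patch("txt", "dv", "1.2", ciphers)
    print(json.dumps(ok_body, indent=2))
    print(fake_custom_hostname_api(ok_body, "business"))
    # What the post suspects the provider sends: the same settings plus a
    # certificate_authority value ("lets_encrypt" is a placeholder here).
    ca_body = build_ssl_patch("txt", "dv", "1.2", ciphers,
                              certificate_authority="lets_encrypt")
    print(fake_custom_hostname_api(ca_body, "business"))
```

The point of separating `build_ssl_patch` from the stand-in API is that the body can be inspected (or diffed against what the provider logs in a TF_LOG=DEBUG run) before anything is sent; if the only difference between a working and a failing request is an extra `certificate_authority` key, that is the field to stop sending by default.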

github-actions bot commented Sep 4, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added the triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. label Sep 4, 2024