Permissions for importing redirect ruleset #3932

Closed
3 tasks done
wyardley opened this issue Sep 9, 2024 · 6 comments
Labels
kind/support Categorizes issue or PR as related to user support.

Comments

@wyardley

wyardley commented Sep 9, 2024

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

OpenTofu v1.8.1
on darwin_arm64
+ provider registry.opentofu.org/cloudflare/cloudflare v4.40.0

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

The actual rule in the example above is just based on the docs for now, though I'd eventually adjust it to the actual contents of the existing zone after importing it.


resource "cloudflare_ruleset" "github" {
  zone_id     = cloudflare_zone.zone["xxxx"].id
  name        = "GitHub"
  description = "Redirect ruleset"
  kind        = "zone"
  phase       = "http_request_dynamic_redirect"

  rules {
    action = "redirect"
    action_parameters {
      from_value {
        status_code = 301
        target_url {
          value = "some_host.com"
        }
        preserve_query_string = true
      }
    }
    expression  = "(http.request.uri.path matches \"^/api/\")"
    description = "Apply redirect from value"
    enabled     = true
  }
}

Link to debug output

https://gist.github.com/wyardley/3a3632946973138e54087bbf808f8cad

Panic output

No response

Expected output

I expected to be able to import the ruleset

Actual output

I am getting an error

% tf import  cloudflare_ruleset.github zone/xxxx/yyyy  
[...]
╷
│ Error: error reading ruleset ID "yyyy"
│ 
│ Authentication error (10000)

Steps to reproduce

  1. tf import cloudflare_ruleset.github zone/xxxx/yyyy

Additional factoids

I've set the Zone > Single Redirect > Edit permissions (as well as the regular DNS permissions for the zone) as per https://developers.cloudflare.com/rules/url-forwarding/single-redirects/create-api/#required-api-token-permissions

Is there an additional permission or set of permissions I should need to import this, or am I using the wrong import syntax?

I'm getting the ID for the ruleset from the URL of the edit ruleset page, and then using the zone's

References

No response

@wyardley wyardley added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 9, 2024
Contributor

github-actions bot commented Sep 9, 2024

Terraform debug log detected ✅

@github-actions github-actions bot added triage/needs-information Indicates an issue needs more information in order to work on it. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Sep 9, 2024
@wyardley
Author

wyardley commented Sep 9, 2024

Hi - I've included more extended logging in the gist attached.

@github-actions github-actions bot added triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. and removed triage/needs-information Indicates an issue needs more information in order to work on it. labels Sep 9, 2024
@jacobbednarz
Member

unfortunately, the terraform provider is just another HTTP client to the APIs and we don't do anything specific with permissions and there is very little we can do here. the URL it is calling looks correct so only permission issues remain.

what i recommend is to:

  • add a token with all the permissions that may be related and slowly remove them until you find the minimum required ones.
  • have a dig into the developer docs to see if they mention the minimums.
  • use API keys + email to unblock yourself.

if that fails, you're best off raising a support ticket to have the service team look into what is required.

note: there is some work in the near future that will make tracking down these required permissions much easier, it's just not here yet.
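Added example, not part of the thread or the provider's code: a sketch of the "start broad, remove permissions one at a time" procedure suggested above, written so the result is a least-privilege token scope. The probe is a constructed stand-in for "issue a token with exactly these permissions and retry the import"; the placeholder permission names and the hidden requirement are invented for the demo and say nothing about what Cloudflare actually requires.

```python
from typing import Callable, FrozenSet, Iterable, List

# A probe answers: does the failing call succeed with exactly this permission set?
Probe = Callable[[FrozenSet[str]], bool]


def minimize_permissions(candidates: Iterable[str], probe: Probe) -> List[str]:
    """Greedy one-at-a-time removal.

    Drop one permission, re-probe, and keep the drop only if the call still
    succeeds. Assuming more permissions never break the call, the result is a
    set from which no single permission can be removed.
    """
    kept = list(dict.fromkeys(candidates))  # de-duplicate, preserve order
    if not probe(frozenset(kept)):
        # Failure mode from the thread: if the broadest token still gets
        # "Authentication error (10000)", the cause is outside this list
        # (stale docs, service issue) and removal cannot find it.
        raise ValueError("broadest permission set still fails")
    for perm in list(kept):
        trial = [p for p in kept if p != perm]
        if probe(frozenset(trial)):
            kept = trial  # perm was not needed
    return kept


# Constructed inputs. Only the first name comes from the issue text; the
# placeholders and HIDDEN_REQUIREMENT are invented and are NOT Cloudflare's
# real requirement for importing a ruleset.
CANDIDATES = [
    "Zone > Single Redirect > Edit",
    "placeholder-A",
    "placeholder-B",
    "placeholder-C",
]
HIDDEN_REQUIREMENT = frozenset({"Zone > Single Redirect > Edit", "placeholder-B"})


def simulated_probe(granted: FrozenSet[str]) -> bool:
    # In real use: create a token scoped to `granted`, run the import, and
    # return True only if it succeeds. Here it is simulated offline.
    return HIDDEN_REQUIREMENT <= granted


if __name__ == "__main__":
    print(minimize_permissions(CANDIDATES, simulated_probe))
```

Revoke each trial token after its probe so the broad tokens used during the search do not stay valid.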

@jacobbednarz jacobbednarz closed this as not planned Won't fix, can't repro, duplicate, stale Sep 10, 2024
@jacobbednarz jacobbednarz added kind/support Categorizes issue or PR as related to user support. and removed kind/bug Categorizes issue or PR as related to a bug. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. labels Sep 10, 2024
@wyardley
Author

Thanks. FWIW, the developer docs (linked above) mention that as the minimum permissions, assuming this is the right type of resource

@jacobbednarz
Member

that looks to be the correct docs for what you're after here. it could very well be out of date permissions or a service issue. the support folks can definitely get you sorted though!
