cloudflare_tunnel resource cannot be imported without recreating the tunnel because imported tunnels don't have the tunnel secret in state

[xortive]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform 1.5.5
provider 4.39.0

Affected resource(s)

cloudflare_tunnel

Terraform configuration files

resource "cloudflare_tunnel" "example" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "my-tunnel"
  secret     = base64decode(jsondecode(base64decode(<base64 encoded tunnel token, as returned by the /token endpoint of the api>))["s"])
}

import {
  to = cloudflare_tunnel.my_tunnel
  id = "f037e56e89293a057740de681ac9abbe/e83a2443-e0c6-4d81-8eb0-d90f56be0375"
}

Link to debug output

N/A

Panic output

N/A

Expected output

An imported tunnel is not recreated when the same secret is provided

Actual output

The tunnel was recreated

Steps to reproduce

Import any tunnel and provide the existing secret

Additional factoids

I believe two changes are required to fix this correctly.

• pull the secret value out of the token and store that as well as the token in the state in resourceCloudflareTunnelRead
• secret should not have ForceNew: true as the API supports PATCH now

Also, #3355 is correct that secret should not be a required field, but is incorrect on the reasoning why -- I will add a comment to that issue about this.

References

#3355 documents the tunnel token format

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[github-actions]

Thank you for reporting this issue! For maintainers to dig into issues it is required that all issues include the entirety of TF_LOG=DEBUG output to be provided. The only parts that should be redacted are your user credentials in the X-Auth-Key, X-Auth-Email and Authorization HTTP headers. Details such as zone or account identifiers are not considered sensitive but can be redacted if you are very cautious. This log file provides additional context from Terraform, the provider and the Cloudflare API that helps in debugging issues. Without it, maintainers are very limited in what they can do and may hamper diagnosis efforts.

This issue has been marked with triage/needs-information and is unlikely to receive maintainer attention until the log file is provided making this a complete bug report.

[github-actions]

Marking this issue as stale due to 30 days of inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 7 days it will automatically be closed. Maintainers can also remove the lifecycle/stale label.
If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

[richjyoung]

This makes it impossible to migrate from cloudflare_tunnel resource types to cloudflare_zero_trust_tunnel_cloudflared without destroying an existing tunnel. terraform state mv cannot handle changing the resource type so our only option was remove the old resource type from the state and then import the new one, except the secret forces replacement.