Greetings! My question is about adding new rules with the Cloudflare provider's `cloudflare_ruleset` resource. The problem is that every time the configuration is applied, all the existing rules are overwritten.
main.tf module
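locals {
  # Flatten var.ruleset (action => { rule_name => { expression, products? } })
  # into one flat object per rule; this list feeds the block / managed_challenge
  # rules of the ruleset resource.
  tmp_ruleset = flatten([for key, value in var.ruleset : [
    for index, value2 in value : {
      block_action      = key
      block_description = index
      block_expression  = value2.expression
      # priority is currently not passed through to the resource.
    }]
  ])

  # Same flattening, but also carrying the `products` list that skip rules need.
  # The explicit [] default avoids the deprecated two-argument lookup() and an
  # error for entries (block / managed_challenge) that declare no products.
  tmp_ruleset2 = flatten([for key, value in var.ruleset : [
    for index, value2 in value : {
      skip_action      = key
      skip_description = index
      skip_expression  = value2.expression
      skip_products    = lookup(value2, "products", [])
    }]
  ])

  # Rules keyed by their description (the rule name in var.ruleset).
  # NOTE: the name is the map key, so it must be unique across the block and
  # managed_challenge entries, otherwise this for-expression fails with a
  # duplicate-key error. The resource iterates these maps in lexical key order
  # when it builds its ordered `rules` list, so adding a name that sorts before
  # existing ones shifts every later rule by one position.
  local_ruleset  = { for rule in local.tmp_ruleset : rule.block_description => rule if (rule.block_action == "block") || (rule.block_action == "managed_challenge") }
  local_ruleset2 = { for rule in local.tmp_ruleset2 : rule.skip_description => rule if (rule.skip_action == "skip") }
}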
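resource "cloudflare_ruleset" "cf_ruleset" {
  zone_id     = var.zone_id
  name        = "base ruleset"
  description = join("_", [var.zone_name, "base"])
  kind        = "zone"
  phase       = "http_request_firewall_custom"

  # `rules` is an ordered list: Cloudflare evaluates it top to bottom, and the
  # plan output shows the provider matching rules by position, so any change in
  # the generated order is reported as an in-place rewrite of every rule after
  # the insertion point. block / managed_challenge rules are emitted first so a
  # terminating block decision is taken before any skip rule could exempt the
  # same request from the products listed in its action_parameters.
  dynamic "rules" {
    for_each = local.local_ruleset
    content {
      action      = rules.value.block_action
      description = rules.value.block_description
      expression  = rules.value.block_expression
      enabled     = true
    }
  }

  # skip rules: each one bypasses the listed products for every matching
  # request, i.e. it is a security exemption — keep expressions as narrow as
  # possible. Logging is enabled so the bypass stays visible in firewall events.
  dynamic "rules" {
    for_each = local.local_ruleset2
    content {
      action = rules.value.skip_action
      action_parameters {
        products = rules.value.skip_products
      }
      logging {
        enabled = true
      }
      description = rules.value.skip_description
      expression  = rules.value.skip_expression
      enabled     = true
    }
  }
}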
main.tf zone
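# Rule definitions passed to the module as var.ruleset:
#   action => { rule_name => { expression, products (skip only) } }
# Rule names become the map keys (and the rule descriptions) in the module, so
# they must be unique across block and managed_challenge; they are emitted in
# lexical order, which is why a new name that sorts early ("eleven", or the
# capitalised "Enabled_test") shifts the position of every rule after it.
cf_ruleset = {
  # Each skip entry exempts matching requests from ALL listed products, so the
  # host / IP match should be as narrow as the use case allows.
  skip = {
    one = {
      expression = "ip.src in {2.2.2.2}"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    two = {
      expression = "(http.host eq \"test.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    three = {
      expression = "(http.host eq \"ddos.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
    four = {
      expression = "(http.host eq \"provider.com\")"
      products   = ["zoneLockdown", "uaBlock", "bic", "hot", "securityLevel"]
    }
  }
  managed_challenge = {
    five = {
      expression = "ip.geoip.country ne \"CN\""
    }
    six = {
      expression = "ip.src in {12.12.12.12}"
    }
    # Upper-case names sort before lower-case ones in the generated rule order.
    Enabled_test = {
      expression = "ip.src in {12.12.12.12}"
    }
  }
  block = {
    seven = {
      expression = "(http.host eq \"2cash.ph\")"
    }
    eight = {
      expression = "(ip.src in {8.8.8.8})"
    }
    nine = {
      expression = "ip.src in {100.1.1.1}"
    }
    ten = {
      expression = "(http.host eq \"google.com\")"
    }
    eleven = {
      expression = "(ip.src in {1.1.1.1})"
    }
  }
}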
And here is the resulting plan:
~ resource “cloudflare_ruleset” “cf_ruleset” {
id = “3111316b8b344d38b7bf32dea35ff540”
name = “base ruleset”
# (4 unchanged attributes hidden)
~ rules {
~ id = "f5cb829e6d6a409f970a11856985e521" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "f5cb829e6d6a409f970a11856985e521" -> (known after apply)
~ version = "2" -> (known after apply)
# (4 unchanged attributes hidden)
}
~ rules {
~ id = "5c48c86b4e5248409dc17c5637e8c528" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "5c48c86b4e5248409dc17c5637e8c528" -> (known after apply)
~ version = "2" -> (known after apply)
# (4 unchanged attributes hidden)
}
~ rules {
~ action = "managed_challenge" -> "block"
~ description = "five" -> "eleven"
~ expression = "ip.geoip.country ne \"CN\"" -> "(ip.src in {1.1.1.1})"
~ id = "e128b5a7cdc84ea0a7d12104ddca471f" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "e128b5a7cdc84ea0a7d12104ddca471f" -> (known after apply)
~ version = "1" -> (known after apply)
# (1 unchanged attribute hidden)
}
~ rules {
~ action = "block" -> "managed_challenge"
~ description = "nine" -> "five"
~ expression = "ip.src in {100.1.1.1}" -> "ip.geoip.country ne \"CN\""
~ id = "1c2c43cb08cd4420b4401eeff3d93a52" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "1c2c43cb08cd4420b4401eeff3d93a52" -> (known after apply)
~ version = "2" -> (known after apply)
# (1 unchanged attribute hidden)
}
~ rules {
~ description = "seven" -> "nine"
~ expression = "(http.host eq \"2cash.ph\")" -> "ip.src in {100.1.1.1}"
~ id = "b51e2848320c4b2f89d776b249ada184" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "b51e2848320c4b2f89d776b249ada184" -> (known after apply)
~ version = "2" -> (known after apply)
# (2 unchanged attributes hidden)
}
~ rules {
~ action = "managed_challenge" -> "block"
~ description = "six" -> "seven"
~ expression = "ip.src in {12.12.12.12}" -> "(http.host eq \"2cash.ph\")"
~ id = "22a4066563934a579456df8ab92ed7e3" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "22a4066563934a579456df8ab92ed7e3" -> (known after apply)
~ version = "2" -> (known after apply)
# (1 unchanged attribute hidden)
}
~ rules {
~ action = "block" -> "managed_challenge"
~ description = "ten" -> "six"
~ expression = "(http.host eq \"google.com\")" -> "ip.src in {12.12.12.12}"
~ id = "35a1019d748b488aa40fa6429000b7ad" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "35a1019d748b488aa40fa6429000b7ad" -> (known after apply)
~ version = "2" -> (known after apply)
# (1 unchanged attribute hidden)
}
~ rules {
~ action = "skip" -> "block"
~ description = "four" -> "ten"
~ expression = "(http.host eq \"provider.com\")" -> "(http.host eq \"google.com\")"
~ id = "b5c27a330048448b908b449a235d20cd" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "b5c27a330048448b908b449a235d20cd" -> (known after apply)
~ version = "2" -> (known after apply)
# (1 unchanged attribute hidden)
- action_parameters {
- products = [
- "bic",
- "hot",
- "securityLevel",
- "uaBlock",
- "zoneLockdown",
] -> null
}
- logging {
- enabled = true -> null
}
}
~ rules {
~ description = "one" -> "four"
~ expression = "ip.src in {2.2.2.2}" -> "(http.host eq \"provider.com\")"
~ id = "59b4d905da9c4953b77ed4d84857b810" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "59b4d905da9c4953b77ed4d84857b810" -> (known after apply)
~ version = "2" -> (known after apply)
# (2 unchanged attributes hidden)
~ action_parameters {
+ version = (known after apply)
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
~ rules {
~ description = "three" -> "one"
~ expression = "(http.host eq \"ddos.com\")" -> "ip.src in {2.2.2.2}"
~ id = "95ca6b67da33490cbb84ee22e61b9d2b" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "95ca6b67da33490cbb84ee22e61b9d2b" -> (known after apply)
~ version = "1" -> (known after apply)
# (2 unchanged attributes hidden)
~ action_parameters {
+ version = (known after apply)
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
~ rules {
~ description = "two" -> "three"
~ expression = "(http.host eq \"zaymer.com\")" -> "(http.host eq \"ddos.com\")"
~ id = "85e698e431574a738c1117748e7e3b15" -> (known after apply)
~ last_updated = "2024-04-22 14:18:55.66116 +0000 UTC" -> (known after apply)
~ ref = "85e698e431574a738c1117748e7e3b15" -> (known after apply)
~ version = "1" -> (known after apply)
# (2 unchanged attributes hidden)
~ action_parameters {
+ version = (known after apply)
# (1 unchanged attribute hidden)
}
# (1 unchanged block hidden)
}
+ rules {
+ action = "skip"
+ description = "two"
+ enabled = true
+ expression = "(http.host eq \"zaymer.com\")"
+ id = (known after apply)
+ last_updated = (known after apply)
+ ref = (known after apply)
+ version = (known after apply)
+ action_parameters {
+ products = [
+ "bic",
+ "hot",
+ "securityLevel",
+ "uaBlock",
+ "zoneLockdown",
]
+ version = (known after apply)
}
+ logging {
+ enabled = true
}
}
}
As soon as I add a rule, the existing rules start getting overwritten…
I don’t know what to do anymore.
Terraform -v 1.7.5
Provider Cloudflare 4.30.0