[cloudflare_ruleset, http_ratelimit] Error: Provider produced inconsistent result after apply

[eherde]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform v1.9.8
on darwin_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v4.44.0
+ provider registry.terraform.io/hashicorp/google v6.7.0
+ provider registry.terraform.io/hashicorp/google-beta v6.7.0

Affected resource(s)

cloudflare_ruleset

Terraform configuration files

# WAF - Rate Limiting Rules
resource "cloudflare_ruleset" "waf_rate_limit" {
  zone_id = "REDACTED"
  name    = "default"
  kind    = "zone"
  phase   = "http_ratelimit"

  rules {
    action      = "block"
    action_parameters {
      response {
        content      = "{\"error\":{\"message\":\"Rate Limit Exceeded\",\"type\":\"rate_limit_error\",\"code\":\"rate_limit_exceeded\"}}"
        content_type = "application/json"
        status_code  = 429
      }
    }
    description = "RL - IP abuse"
    enabled     = false
    expression = "(http.request.uri.path eq \"/some/path\" and ip.src in {1.2.3.4 4.3.2.1})"
    ratelimit {
      characteristics     = ["ip.src", "cf.colo.id"]
      period              = 60
      requests_per_period = 1
    }
  }
}

Link to debug output

https://gist.github.com/eherde/5a4c12ae1269372ec4342050e0e08b51

Panic output

No response

Expected output

I expected the apply to succeed.

Actual output

It failed with this error:

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to cloudflare_ruleset.waf_rate_limit, provider "provider[\"registry.terraform.io/cloudflare/cloudflare\"]" produced an unexpected new value: .rules[0].ratelimit[0].mitigation_timeout: was null, but now cty.NumberIntVal(0).
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Steps to reproduce

1. Create the provided terraform
2. Run terraform apply

Additional factoids

No response

References

No response

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[ilyar-simplex]

Very annoying bug, the only workaround I found - ignoring changes:

lifecycle {
    ignore_changes = [
      rules[0].ratelimit[0].mitigation_timeout,
      rules[1].ratelimit[0].mitigation_timeout,
    ]
  }

[jhutchings1]

Thank you for your bug report! We are not doing active development on the v4 Terraform providers at this time. If you can reproduce this on v5, please reopen your issue and we can have a look there. Thank you!