Unable to create cloudflare_tunnel_config with warp_routing enabled #2920

Closed
2 tasks done
dmitriydvoryanchuk-chime opened this issue Nov 8, 2023 · 6 comments · Fixed by #3327
Labels
kind/bug Categorizes issue or PR as related to a bug. service/tunnel Categorizes issue or PR as related to the Tunnel service. triage/accepted Indicates an issue or PR is ready to be actively worked on. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced


dmitriydvoryanchuk-chime commented Nov 8, 2023

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform: 1.5.2
Provider: 4.18.0

Affected resource(s)

cloudflare_tunnel
cloudflare_tunnel_config

Terraform configuration files

resource "cloudflare_tunnel_config" "aws_vpc_it_prod" {
  account_id = "id"
  tunnel_id  = cloudflare_tunnel.aws_vpc_it_prod.id
  config {
    warp_routing {
      enabled = true
    }
  }
}

Link to debug output

https://gist.github.com/dmitriydvoryanchuk-chime/e6e12336ea0cba8a13122e1d5b5a45a0

Panic output

No response

Expected output

cloudflare_tunnel_config should be created

Actual output


│ Error: Insufficient ingress_rule blocks

│ on cfd_tunnels.tf line 41, in resource "cloudflare_tunnel_config" "aws_vpc_it":
│ 41: config {

│ At least 1 "ingress_rule" blocks are required.

Steps to reproduce

  1. Create cloudflare_tunnel
  2. Attempt to create corresponding cloudflare_tunnel_config with configuration specified above.
  3. Create fails due to ingress_rule block being required.
  4. Specifying a required ingress_rule block with the minimum service parameter set as blank will crash the provider.
  5. Specifying ingress_rule with a dummy service parameter (such as https://localhost:80) causes warp_routing config to flip to false
  6. Not specifying cloudflare_tunnel_config at all does not set warp_routing to true.

Additional factoids

We are trying to create a cloudflared tunnel with warp routing enabled. With the way the provider is currently implemented, it is not possible to do so. If the tunnel is created using the UI/dashboard, the API GET output for the tunnel configuration is:
"config": { "warp-routing": { "enabled": true } }, "source": "cloudflare" which is what is desired.

Running an import on a tunnel created using the UI does not import an ingress_rule block and will fail to create the resource.
Although this is working exactly as implemented, our required configuration is not supported.

References

#2916
https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/tunnel_config#nested-schema-for-config

@dmitriydvoryanchuk-chime dmitriydvoryanchuk-chime added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 8, 2023
Contributor

github-actions bot commented Nov 8, 2023

Terraform debug log detected ✅

@github-actions github-actions bot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Nov 8, 2023

@github-actions github-actions bot removed the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Nov 8, 2023
@jacobbednarz
Member

can you include the TF_LOG=DEBUG output on that gist? once that is there, this is ready for triage.

@dmitriydvoryanchuk-chime
Author

> can you include the TF_LOG=DEBUG output on that gist? once that is there, this is ready for triage.

@jacobbednarz Updated with debug output, thanks!

@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. service/tunnel Categorizes issue or PR as related to the Tunnel service. and removed triage/needs-information Indicates an issue needs more information in order to work on it. labels Nov 8, 2023
@github-actions github-actions bot added triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. workflow/synced labels Nov 9, 2023
@tpickett66

I ran into this today and originally thought it was a bug. After working through a solution I realized the default configuration generated by the UI does include a default ingress rule pointing at http_status:503. I was able to replicate this using the resource:

resource "cloudflare_tunnel_config" "conf" {
  account_id = var.cloudflare_account_id
  tunnel_id  = cloudflare_tunnel.tunnel.id

  config {
    ingress_rule {
      service = "http_status:503"
    }
    warp_routing {
      enabled = true
    }
  }
}

@dmitriydvoryanchuk-chime
Author

> I ran into this today and originally thought it was a bug. After working through a solution I realized the default configuration generated by the UI does include a default ingress rule pointing at http_status:503. I was able to replicate this using the resource:
>
> resource "cloudflare_tunnel_config" "conf" {
>   account_id = var.cloudflare_account_id
>   tunnel_id  = cloudflare_tunnel.tunnel.id
>
>   config {
>     ingress_rule {
>       service = "http_status:503"
>     }
>     warp_routing {
>       enabled = true
>     }
>   }
> }

@tpickett66 Brilliant, thank you for tracking this down. Looks like this is working for us now, so all CF should have to do is update their provider doc.
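
An added example, not part of the thread or the provider's code: a post-apply check that audits a tunnel configuration, in the shape of the API GET output quoted in the report, for the drift described in step 5 (warp routing flipped off, a dummy origin left in the ingress rules). The sample responses are constructed; the `ingress`, `hostname` and `path` keys are assumed from the cloudflared configuration format, and `audit_tunnel_config` is a hypothetical name.

```python
import json

# Constructed samples, shaped like the GET output quoted in the issue
# ("config" / "warp-routing" / "enabled"). The "ingress" list and its
# "hostname" / "path" / "service" keys are assumptions, not taken from the page.
UI_CREATED = json.loads("""
{"config": {"ingress": [{"service": "http_status:503"}],
            "warp-routing": {"enabled": true}},
 "source": "cloudflare"}
""")

# Step 5 of the report: a dummy service rule, with warp routing flipped off.
DUMMY_RULE = json.loads("""
{"config": {"ingress": [{"service": "https://localhost:80"}],
            "warp-routing": {"enabled": false}},
 "source": "cloudflare"}
""")


def audit_tunnel_config(result):
    """Return findings for a tunnel that is meant to carry WARP routing only."""
    findings = []
    config = result.get("config") or {}

    # A missing "warp-routing" key is treated as disabled, not as unknown.
    if (config.get("warp-routing") or {}).get("enabled") is not True:
        findings.append("warp-routing is not enabled")

    ingress = config.get("ingress") or []
    # The last rule, when present, must match everything (no hostname or path).
    if ingress and (ingress[-1].get("hostname") or ingress[-1].get("path")):
        findings.append("last ingress rule is not a catch-all")

    # Any rule that forwards to an origin publishes a service through the tunnel.
    for i, rule in enumerate(ingress):
        service = rule.get("service", "")
        if not service.startswith("http_status:"):
            findings.append(f"ingress[{i}] forwards to {service!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("ui-created", UI_CREATED), ("dummy-rule", DUMMY_RULE)):
        print(name, audit_tunnel_config(sample) or "ok")
```
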
