cloudflare_ruleset: Panic on import when serve_stale action parameter is empty/nil

[guineveresaenger]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform -v
Terraform v1.10.2
on darwin_arm64

• provider registry.terraform.io/cloudflare/cloudflare v4.48.0

Affected resource(s)

• cloudflare_ruleset

Terraform configuration files

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

resource "cloudflare_zone" "example" {
  account_id = <account-id>
  zone       = "example.com"
}

resource "cloudflare_ruleset" "example" {
  # (resource arguments)
}

Link to debug output

https://gist.github.com/guineveresaenger/af2fff842cfc94024aa707651293bdae

Panic output

cloudflare_ruleset.example: Import prepared!
  Prepared cloudflare_ruleset for import
cloudflare_ruleset.example: Refreshing state... [id=<redacted>]
╷
│ Error: Request cancelled
│ 
│ The plugin6.(*GRPCProvider).ReadResource request was cancelled.
╵


Stack trace from the terraform-provider-cloudflare_v4.48.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1037ef850]

goroutine 53 [running]:
github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/rulesets.toRulesetResourceModel({0x104947ac8, 0x1400064c7b0}, {0xb0?, {0x1400003cd60?, 0x1400003cd40?}}, {0x20?, {0x0?, 0x0?}}, {{0x14000f00032, 0x20}, ...})
	github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/rulesets/resource.go:627 +0x3020
github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/rulesets.(*RulesetResource).Read(0x14000b0c178, {0x104947ac8, 0x1400064c7b0}, {{{{0x10494fdb0, 0x14000e0a180}, {0x10439f200, 0x14000e05080}}, {0x104954a10, 0x14000c0e6e0}}, 0x14000b0c188, ...}, ...)
	github.com/cloudflare/terraform-provider-cloudflare/internal/framework/service/rulesets/resource.go:206 +0x3d0
github.com/hashicorp/terraform-plugin-framework/internal/fwserver.(*Server).ReadResource(0x140000ef688, {0x104947ac8, 0x1400064c7b0}, 0x1400064c810, 0x14000f29578)
	github.com/hashicorp/terraform-plugin-framework@v1.13.0/internal/fwserver/server_readresource.go:117 +0x69c
github.com/hashicorp/terraform-plugin-framework/internal/proto6server.(*Server).ReadResource(0x140000ef688, {0x104947ac8?, 0x1400064c6c0?}, 0x14000b54f40)
	github.com/hashicorp/terraform-plugin-framework@v1.13.0/internal/proto6server/server_readresource.go:55 +0x2e0
github.com/hashicorp/terraform-plugin-mux/tf6muxserver.(*muxServer).ReadResource(0x14000b2c300, {0x104947ac8?, 0x1400064c3f0?}, 0x14000b54f40)
	github.com/hashicorp/terraform-plugin-mux@v0.17.0/tf6muxserver/mux_server_ReadResource.go:35 +0x184
github.com/hashicorp/terraform-plugin-go/tfprotov6/tf6server.(*server).ReadResource(0x14000b16460, {0x104947ac8?, 0x14000633950?}, 0x14000b0e770)
	github.com/hashicorp/terraform-plugin-go@v0.25.0/tfprotov6/tf6server/server.go:784 +0x21c
github.com/hashicorp/terraform-plugin-go/tfprotov6/internal/tfplugin6._Provider_ReadResource_Handler({0x1048c8a60, 0x14000b16460}, {0x104947ac8, 0x14000633950}, 0x14000b2c800, 0x0)
	github.com/hashicorp/terraform-plugin-go@v0.25.0/tfprotov6/internal/tfplugin6/tfplugin6_grpc.pb.go:575 +0x1c0
google.golang.org/grpc.(*Server).processUnaryRPC(0x14000b66200, {0x104947ac8, 0x140006338c0}, {0x104951280, 0x140009a21a0}, 0x14000ac4ea0, 0x140006336b0, 0x105777fe8, 0x0)
	google.golang.org/grpc@v1.67.1/server.go:1394 +0xb64
google.golang.org/grpc.(*Server).handleStream(0x14000b66200, {0x104951280, 0x140009a21a0}, 0x14000ac4ea0)
	google.golang.org/grpc@v1.67.1/server.go:1805 +0xb20
google.golang.org/grpc.(*Server).serveStreams.func2.1()
	google.golang.org/grpc@v1.67.1/server.go:1029 +0x84
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 42
	google.golang.org/grpc@v1.67.1/server.go:1040 +0x13c

Error: The terraform-provider-cloudflare_v4.48.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Expected output

A successful import of the resource, or an error that serve_stale field cannot be nil

Actual output

Panic trying to dereference a nil pointer.

Steps to reproduce

This occurs when, on a cache ruleset, the serve_stale parameter is set to {}. Not sure how the Rule got into this state originally, but you can force the issue like this:

1. Create a cache ruleset in the UI, with "Serve stale content while revalidating" enabled.
2. GET the Ruleset via cURL:

curl -s -X GET "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/<ruleset-id>" -H "X-Auth-Email: <email>" -H "X-auth-Key: <apiKey>" -H "Content-Type: application/json"

{
  "result": {
    "description": "",
    "id": <ruleset-id>,
    "kind": "zone",
    "last_updated": "2024-12-20T00:03:28.5157Z",
    "name": "default",
    "phase": "http_request_cache_settings",
    "rules": [
      {
        "action": "set_cache_settings",
        "action_parameters": {
          "cache": true,
          "serve_stale": {
            "disable_stale_while_updating": true
          }
        },
        "description": "Test Cache Rule with serve stale enabled",
        "enabled": true,
        "expression": "true",
        "id": "<rule-id>",
        "last_updated": "2024-12-20T00:03:28.5157Z",
        "ref": "<some-ref>",
        "version": "1"
      }
    ],
    "version": "1"
  },
  "success": true,
  "errors": [],
  "messages": []
}

3. PATCH the rule, now we have the rule ID, to be in the state that causes this bug.
   The following updates the Ruleset to have a new Description of "hello" (for quick verification) and setting "serve_stale" to an empty object on the cache rule.

curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/<ruleset-id>/rules/<rule-id>" -H "X-Auth-Email: <email>" -H "X-auth-Key: <authKey>" -H "Content-Type: application/json" -d '{"description": "hello", "action": "set_cache_settings", "action_parameters":{"cache": true, "serve_stale": {}}, "expression": "true"}' 
{
  "result": {
    "description": "",
    "id": "c82753edaa9f45da8ddb60426e5f6a84",
    "kind": "zone",
    "last_updated": "2024-12-20T00:40:41.487287Z",
    "name": "default",
    "phase": "http_request_cache_settings",
    "rules": [
      {
        "action": "set_cache_settings",
        "action_parameters": {
          "cache": true,
          "serve_stale": {}
        },
        "description": "hello",
        "enabled": true,
        "expression": "true",
        "id": "<rule-id>",
        "last_updated": "2024-12-20T00:40:41.487287Z",
        "ref": "<some-ref>",
        "version": "2"
      }
    ],
    "version": "2"
  },
  "success": true,
  "errors": [],
  "messages": []
}

4. Run terraform import cloudflare_ruleset.example zone/zone-id/-ruleset-id in a stack with the above configuration.

Additional factoids

This was first reported as a bug inherited by the pulumi-cloudflare provider. It's unclear how the Rule got into this state, but it's clearly possible via the API, and it should not panic.

References

https://developers.cloudflare.com/api/resources/rulesets/subresources/rules/methods/edit/ was helpful here for knowing what kind of permissions are needed to repro this.

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[github-actions]

Terraform debug log detected ✅