Created
April 10, 2025 02:13
Debug output: cloudflare_zero_trust_access_application `session_duration` default causes infrastructure apps with policies to fail
| Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols: | |
| + create | |
| Terraform will perform the following actions: | |
| # cloudflare_zero_trust_access_application.ssh_app will be created | |
| + resource "cloudflare_zero_trust_access_application" "ssh_app" { | |
| + account_id = "<REDACTED>" | |
| + app_launcher_visible = true | |
| + aud = (known after apply) | |
| + auto_redirect_to_identity = false | |
| + cors_headers = (known after apply) | |
| + created_at = (known after apply) | |
| + destinations = (known after apply) | |
| + enable_binding_cookie = false | |
| + footer_links = (known after apply) | |
| + http_only_cookie_attribute = true | |
| + id = (known after apply) | |
| + landing_page_design = (known after apply) | |
| + name = "SSH Access Test" | |
| + path_cookie_attribute = false | |
| + policies = [ | |
| + { | |
| + connection_rules = { | |
| + ssh = { | |
| + usernames = [ | |
| + "root", | |
| ] | |
| } | |
| } | |
| + decision = "allow" | |
| + exclude = (known after apply) | |
| + id = (known after apply) | |
| + include = (known after apply) | |
| + precedence = 1 | |
| + require = (known after apply) | |
| }, | |
| ] | |
| + saas_app = (known after apply) | |
| + scim_config = (known after apply) | |
| + session_duration = "24h" | |
| + skip_app_launcher_login_page = false | |
| + target_criteria = [ | |
| + { | |
| + port = 22 | |
| + protocol = "SSH" | |
| + target_attributes = { | |
| + "hostname" = [ | |
| + "test-server", | |
| ] | |
| } | |
| }, | |
| ] | |
| + type = "infrastructure" | |
| + updated_at = (known after apply) | |
| } | |
| # cloudflare_zero_trust_access_infrastructure_target.test_server will be created | |
| + resource "cloudflare_zero_trust_access_infrastructure_target" "test_server" { | |
| + account_id = "<REDACTED>" | |
| + created_at = (known after apply) | |
| + hostname = "test-server" | |
| + id = (known after apply) | |
| + ip = { | |
| + ipv4 = { | |
| + ip_addr = "10.0.0.1" | |
| } | |
| } | |
| + modified_at = (known after apply) | |
| } | |
| # cloudflare_zero_trust_access_policy.test_policy will be created | |
| + resource "cloudflare_zero_trust_access_policy" "test_policy" { | |
| + account_id = "<REDACTED>" | |
| + app_count = (known after apply) | |
| + approval_groups = (known after apply) | |
| + created_at = (known after apply) | |
| + decision = "allow" | |
| + exclude = (known after apply) | |
| + id = (known after apply) | |
| + include = [ | |
| + { | |
| + email = { | |
| + email = "[email protected]" | |
| } | |
| }, | |
| ] | |
| + name = "Allow engineers" | |
| + require = (known after apply) | |
| + reusable = (known after apply) | |
| + session_duration = "24h" | |
| + updated_at = (known after apply) | |
| } | |
| Plan: 3 to add, 0 to change, 0 to destroy. | |
| Do you want to perform these actions? | |
| Terraform will perform the actions described above. | |
| Only 'yes' will be accepted to approve. | |
| Enter a value: yes | |
| cloudflare_zero_trust_access_infrastructure_target.test_server: Creating... | |
| cloudflare_zero_trust_access_policy.test_policy: Creating... | |
| cloudflare_zero_trust_access_infrastructure_target.test_server: Creation complete after 0s [id=01961d70-e485-73ea-8f52-855d7e708e35] | |
| cloudflare_zero_trust_access_policy.test_policy: Creation complete after 0s [id=e3f46e7f-9fca-43ea-bd58-fc8043dc3fa4] | |
| cloudflare_zero_trust_access_application.ssh_app: Creating... | |
| ╷ | |
| │ Error: failed to make http request | |
| │ | |
| │ with cloudflare_zero_trust_access_application.ssh_app, | |
| │ on main.tf line 29, in resource "cloudflare_zero_trust_access_application" "ssh_app": | |
| │ 29: resource "cloudflare_zero_trust_access_application" "ssh_app" { | |
| │ | |
| │ POST "https://api.cloudflare.com/client/v4/accounts/<REDACTED>/access/apps": 400 Bad Request { | |
| │ "result": null, | |
| │ "success": false, | |
| │ "errors": [ | |
| │ { | |
| │ "code": 12130, | |
| │ "message": "access.api.error.invalid_request: invalid policy at index 0", | |
| │ "error_chain": [ | |
| │ { | |
| │ "message": "infrastructure apps do not support session duration" | |
| │ } | |
| │ ] | |
| │ } | |
| │ ], | |
| │ "messages": [] | |
| │ } |