cloudflare_zero_trust_access_policy does not support OIDC claims #5662

@userbradley

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "5.5.0"
    }
  }
}

Affected resource(s)

  • cloudflare_zero_trust_access_policy
  • cloudflare_zero_trust_access_group

Terraform configuration files

resource "cloudflare_zero_trust_access_policy" "mealie-1" {
  account_id = "c59e9360984172f96136a60b22bc3052"
  decision   = "allow"
  name       = "mealie 2"
  include = [
    {
      oidc = {
        identity_provider_id : "495e2702-de5f-49d4-9252-a6a7461583e9"
        claim_name : "groups"
        claim_value : "mealie"
      }
      login_method = {
        id = "495e2702-de5f-49d4-9252-a6a7461583e9"
      }
    }
  ]
}

Link to debug output

https://gist.github.com/userbradley/5eb34b37ee52250456be629282a01d79

Panic output

No response

Expected output

Should create a rule that accepts OIDC claims and a specific auth provider. Note: the below was manually made in the UI.

Image

Actual output

It did not create the include for OIDC; instead it said there were 0 changes to make.

Image

Steps to reproduce

  1. Create an OIDC provider in Zero Trust
  2. Create policy and name it
  3. Create an include of OIDC Claim and set the claim_name to groups and the claim_value to anything you want
  4. Try to use the data "cloudflare_zero_trust_access_policy" tf block to view the OIDC claims

Additional factoids

Making an API request to the Policies API returns this functionality, but it seems the tf provider does not have this functionality.

{
  "result": {
    "created_at": "2025-06-13T13:19:23Z",
    "decision": "allow",
    "exclude": [],
    "id": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "include": [
      {
        "oidc": {
          "identity_provider_id": "495e2702-de5f-49d4-9252-a6a7461583e9",
          "claim_name": "groups",
          "claim_value": "mealie"
        }
      },
      {
        "login_method": {
          "id": "495e2702-de5f-49d4-9252-a6a7461583e9"
        }
      }
    ],
    "name": "Mealie",
    "require": [],
    "session_duration": "24h",
    "uid": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "updated_at": "2025-06-13T13:31:36Z",
    "reusable": true,
    "app_count": 0
  },
  "success": true,
  "errors": [],
  "messages": []
}

References

No response
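Because the provider reported no changes while the policy it managed was missing the OIDC include, a practical safeguard is to compare the include rules Terraform was meant to create against what the Access Policies API actually returns for the policy. The following Python is an added example, not code from the issue author or from the provider project. It embeds the API response quoted in the issue as constructed sample input so it runs offline, expresses the intended rules in the API's shape (one selector per include entry, which is an assumption about how the config maps to the API), and reports any rule that is missing or unexpected. Fetching the live policy (a GET against the Access Policies endpoint with an API token) is left to the caller.

```python
import copy
import json

# Constructed sample input: the Access Policies API response quoted in the
# issue above (the issue's own identifiers), embedded so this runs offline.
API_RESPONSE = json.loads("""
{
  "result": {
    "created_at": "2025-06-13T13:19:23Z",
    "decision": "allow",
    "exclude": [],
    "id": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "include": [
      {"oidc": {"identity_provider_id": "495e2702-de5f-49d4-9252-a6a7461583e9",
                "claim_name": "groups", "claim_value": "mealie"}},
      {"login_method": {"id": "495e2702-de5f-49d4-9252-a6a7461583e9"}}
    ],
    "name": "Mealie",
    "require": [],
    "session_duration": "24h",
    "uid": "cf26e00f-0063-4ec9-803f-88e45e311206",
    "updated_at": "2025-06-13T13:31:36Z",
    "reusable": true,
    "app_count": 0
  },
  "success": true,
  "errors": [],
  "messages": []
}
""")

IDP_ID = "495e2702-de5f-49d4-9252-a6a7461583e9"  # identity provider from the issue


def desired_include_rules():
    """Include rules the issue's Terraform config intends, written in the
    API's shape: one selector object per include entry (assumption)."""
    return [
        {"oidc": {"identity_provider_id": IDP_ID,
                  "claim_name": "groups",
                  "claim_value": "mealie"}},
        {"login_method": {"id": IDP_ID}},
    ]


def _canonical(rule):
    # Key-sorted, whitespace-free JSON so dict ordering never causes false drift.
    return json.dumps(rule, sort_keys=True, separators=(",", ":"))


def diff_rules(desired, actual):
    """Set difference of selector rules in both directions."""
    want = {_canonical(r) for r in desired}
    have = {_canonical(r) for r in actual}
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}


def check_policy(api_response, desired):
    """Compare a policy fetched from the API against the intended include rules."""
    if not api_response.get("success") or "result" not in api_response:
        raise ValueError(f"API call failed: {api_response.get('errors')}")
    policy = api_response["result"]
    return {
        "policy_id": policy["id"],
        "decision": policy["decision"],
        "include": diff_rules(desired, policy.get("include", [])),
        "exclude_count": len(policy.get("exclude", [])),
        "require_count": len(policy.get("require", [])),
    }


def oidc_claim_rules(policy):
    """List (identity_provider_id, claim_name, claim_value) for every OIDC
    claim selector in the policy's include list."""
    return [(r["oidc"]["identity_provider_id"],
             r["oidc"]["claim_name"],
             r["oidc"]["claim_value"])
            for r in policy.get("include", []) if "oidc" in r]


def without_oidc_rules(api_response):
    """Constructed variant of the response with the OIDC include dropped,
    mirroring the state the issue describes, to show how the check reports it."""
    degraded = copy.deepcopy(api_response)
    degraded["result"]["include"] = [
        r for r in degraded["result"]["include"] if "oidc" not in r
    ]
    return degraded


if __name__ == "__main__":
    wanted = desired_include_rules()
    print(json.dumps(check_policy(API_RESPONSE, wanted), indent=2))
    print(json.dumps(check_policy(without_oidc_rules(API_RESPONSE), wanted), indent=2))
```

Run against the quoted response, `check_policy` reports no missing or unexpected rules; run against the degraded variant it lists the OIDC selector under `missing`, which is the condition a plan reporting "0 changes" would otherwise hide. Wiring this into CI after `terraform apply` turns the silent mismatch into a failing check.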

Metadata

Assignees

No one assigned

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • version/5: Categorizes issue or PR as related to version 5 of the provider.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests