origin_max_http_version setting and first_party_fonts #4170

Open
3 tasks done
ratesangelo opened this issue Oct 2, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log.

Comments

@ratesangelo

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "4.38.0"
    }
  }
}

Affected resource(s)

Context: We used to control zone settings via a "profile" per plan (free, pro, enterprise) via:

resource "cloudflare_zone_settings_override" "pro_default_profile" {
  count = var.profile == "pro_default" ? 1 : 0

  zone_id = var.zone_id
  settings {
    // dns settings
    cname_flattening = var.cname_flattening != null ? var.cname_flattening : "flatten_at_root"

    // ssl/tls settings
    ssl                      = var.ssl != null ? var.ssl : "full"
    always_use_https         = var.always_use_https != null ? var.always_use_https : "on"
    min_tls_version          = var.min_tls_version != null ? var.min_tls_version : "1.2"
    opportunistic_encryption = var.opportunistic_encryption != null ? var.opportunistic_encryption : "on"
    tls_1_3                  = var.tls_1_3 != null ? var.tls_1_3 : "on"
    automatic_https_rewrites = var.automatic_https_rewrites != null ? var.automatic_https_rewrites : "on"
    universal_ssl            = var.universal_ssl != null ? var.universal_ssl : "on"
    tls_client_auth          = var.tls_client_auth != null ? var.tls_client_auth : "off"

    // firewall settings
    security_level = var.security_level != null ? var.security_level : "medium"
    challenge_ttl  = var.challenge_ttl != null ? var.challenge_ttl : "1800"
    browser_check  = var.browser_check != null ? var.browser_check : "on"
    privacy_pass   = var.privacy_pass != null ? var.privacy_pass : "on"

    // speed settings
    image_resizing = var.image_resizing != null ? var.image_resizing : null
    polish         = var.polish != null ? var.polish : "lossless"
    mirage         = var.mirage != null ? var.mirage : "on"
    webp           = var.webp != null ? var.webp : "off"
    minify {
      css  = var.minify_css != null ? var.minify_css : "on"
      js   = var.minify_js != null ? var.minify_js : "on"
      html = var.minify_html != null ? var.minify_html : "on"
    }
    // Content Optimization
    brotli        = var.brotli != null ? var.brotli : "on"
    rocket_loader = var.rocket_loader != null ? var.rocket_loader : "off"

    // mobile redirect is by default off
    //mobile_redirect  {
    //  status = "off"
    //  }

    // Protocol Optimization
    http2               = var.http2 != null ? var.http2 : "on"
    http3               = var.http3 != null ? var.http3 : "on"
    zero_rtt            = var.zero_rtt != null ? var.zero_rtt : "on"
    h2_prioritization   = var.h2_prioritization != null ? var.h2_prioritization : "on"
    opportunistic_onion = var.opportunistic_onion != null ? var.opportunistic_onion : "on"

    // caching settings
    cache_level       = var.cache_level != null ? var.cache_level : "aggressive" // aggressive is standard
    browser_cache_ttl = var.browser_cache_ttl != null ? var.browser_cache_ttl : 14400
    // crawler hints depends on
    #always_online               = var.#always_online != null ? var.#always_online : "on"
    development_mode = var.development_mode != null ? var.development_mode : "off"
    //sort_query_string_for_cache = var.sort_query_string_for_cache != null ? var.sort_query_string_for_cache : "on"

    //response_buffering    = var.response_buffering != null ? var.response_buffering : "off"
    //true_client_ip_header = var.true_client_ip_header != null ? var.true_client_ip_header : "off"

    // custom pages settings
    //origin_error_page_pass_thru = var.origin_error_page_pass_thru != null ? var.origin_error_page_pass_thru : "off"
    // RULES

    // NETWORK
    ipv6           = var.ipv6 != null ? var.ipv6 : "on"
    pseudo_ipv4    = var.pseudo_ipv4 != null ? var.pseudo_ipv4 : "off"
    ip_geolocation = var.ip_geolocation != null ? var.ip_geolocation : "on"
    websockets     = var.websockets != null ? var.websockets : "on"
    max_upload     = var.max_upload != null ? var.max_upload : 100
    //log_to_cloudflare     = var.log_to_cloudflare != null ? var.log_to_cloudflare : "on"

    // scrape shield settings
    email_obfuscation   = var.email_obfuscation != null ? var.email_obfuscation : "on"
    server_side_exclude = var.server_side_exclude != null ? var.server_side_exclude : "on"
    hotlink_protection  = var.hotlink_protection != null ? var.hotlink_protection : "off"

    // HSTS
    dynamic "security_header" {
      for_each = var.hsts.enabled ? [1] : []
      content {
        enabled            = var.hsts.enabled
        preload            = lookup(var.hsts, "preload", true)
        max_age            = lookup(var.hsts, "max_age", 31536000) // 1 year
        include_subdomains = lookup(var.hsts, "include_subdomains", true)
        nosniff            = lookup(var.hsts, "nosniff", true)
      }
    }
  }
}

We are making an effort to move the cloudflare_zone_settings_override block to each zone.tf:

resource "cloudflare_zone_settings_override" "zone_setting_override__dev" {
  zone_id = cloudflare_zone_dev.id
  settings {
    always_online             = "on"
    always_use_https          = "on"
    automatic_https_rewrites  = "on"
    brotli                    = "on"
    browser_cache_ttl         = 0
    browser_check             = "on"
    cache_level               = "aggressive"
    challenge_ttl             = 1800
    cname_flattening          = "flatten_at_root"
    development_mode          = "off"
    early_hints               = "off"
    email_obfuscation         = "on"
    filter_logs_to_cloudflare = "off"
    hotlink_protection        = "off"
    http2                     = "on"
    http3                     = "on"
    ip_geolocation            = "on"
    ipv6                      = "on"
    log_to_cloudflare         = "on"
    max_upload                = 100
    min_tls_version           = "1.2"
    minify {
      css  = "on"
      html = "on"
      js   = "on"
    }
    mirage                      = "on"
    opportunistic_encryption    = "on"
    opportunistic_onion         = "on"
    orange_to_orange            = "off"
    origin_error_page_pass_thru = "off"
    polish                      = "lossless"
    prefetch_preload            = "off"
    privacy_pass                = "on"
    proxy_read_timeout          = "100"
    pseudo_ipv4                 = "add_header"
    response_buffering          = "off"
    rocket_loader               = "on"
    security_header {
      enabled            = true
      include_subdomains = true
      max_age            = 15768000
      nosniff            = true
      preload            = true
    }
    security_level              = "medium"
    server_side_exclude         = "on"
    sort_query_string_for_cache = "off"
    ssl                         = "full"
    tls_1_3                     = "on"
    tls_client_auth             = "off"
    true_client_ip_header       = "off"
    visitor_ip                  = "on"
    waf                         = "off"
    webp                        = "on"
    websockets                  = "on"
    zero_rtt                    = "off"
  }
}

After applying these on 3 zones and disabling the module on each of the 3 zones, we got the following errors:

  • Error: The value provided for origin_max_http_version setting is not valid. The value must either be 1 or 2 (1146)

  • Error: could not unmarshal first_party_fonts feature because "" is not a valid value, accepted values are off/on

Terraform configuration files

resource "cloudflare_zone_settings_override" "zone_setting_override_<zonee_dev" {
  zone_id = cloudflare_zone.insurancehotline_dev.id
  settings {
    always_online             = "on"
    always_use_https          = "on"
    automatic_https_rewrites  = "on"
    brotli                    = "on"
    browser_cache_ttl         = 0
    browser_check             = "on"
    cache_level               = "aggressive"
    challenge_ttl             = 1800
    cname_flattening          = "flatten_at_root"
    development_mode          = "off"
    early_hints               = "off"
    email_obfuscation         = "on"
    filter_logs_to_cloudflare = "off"
    hotlink_protection        = "off"
    http2                     = "on"
    http3                     = "on"
    ip_geolocation            = "on"
    ipv6                      = "on"
    log_to_cloudflare         = "on"
    max_upload                = 100
    min_tls_version           = "1.2"
    minify {
      css  = "on"
      html = "on"
      js   = "on"
    }
    mirage                      = "on"
    opportunistic_encryption    = "on"
    opportunistic_onion         = "on"
    orange_to_orange            = "off"
    origin_error_page_pass_thru = "off"
    polish                      = "lossless"
    prefetch_preload            = "off"
    privacy_pass                = "on"
    proxy_read_timeout          = "100"
    pseudo_ipv4                 = "add_header"
    response_buffering          = "off"
    rocket_loader               = "on"
    security_header {
      enabled            = true
      include_subdomains = true
      max_age            = 15768000
      nosniff            = true
      preload            = true
    }
    security_level              = "medium"
    server_side_exclude         = "on"
    sort_query_string_for_cache = "off"
    ssl                         = "full"
    tls_1_3                     = "on"
    tls_client_auth             = "off"
    true_client_ip_header       = "off"
    visitor_ip                  = "on"
    waf                         = "off"
    webp                        = "on"
    websockets                  = "on"
    zero_rtt                    = "off"
  }
}

Link to debug output

https://gist.github.com/ratesangelo/fd9e01dee8edaff9b0fe56c5d5895a1f

Panic output


│ Error: The value provided for origin_max_http_version setting is not valid. The value must either be 1 or 2 (1146)

│ Warning: Deprecated Resource
│ (and 9 more similar warnings elsewhere)

│ Error: could not unmarshal first_party_fonts feature because "" is not a valid value, accepted values are off/on

│ Error: could not unmarshal first_party_fonts feature because "" is not a valid value, accepted values are off/on

Expected output

I expect to override the zone configuration for each zone.

However, I can’t find the expected value for origin_max_http_version in the Terraform provider documentation: Cloudflare Terraform Provider. While I understand it accepts a string, I’m unsure what specific value I should assign.

Additionally, where can I find origin_max_http_version in the Cloudflare UI?

Regarding first_party_fonts, where is that documented? Is it related to the zone_settings_override?

Actual output

The setting did not change or get overridden.

Steps to reproduce

add that config to the zone.tf
terraform plan
terraform apply plan

Additional factoids

No response

References

No response

@ratesangelo ratesangelo added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Oct 2, 2024

github-actions bot commented Oct 2, 2024

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

@github-actions github-actions bot added triage/debug-log-attached Indicates an issue or PR has a complete Terraform debug log. labels Oct 2, 2024

github-actions bot commented Oct 2, 2024

Thank you for opening this issue and sorry to hear you're hitting issues. Unfortunately, the reproduction case provided contains HCL dynamic expressions. Examples of these are:

Maintainers don't accept these as reproduction cases since using these constructs and expressions can hold their own logic bugs which are outside of the provider and not able to be diagnosed.

For maintainers to triage this issue, we recommend providing a minimal reproduction test case that only contains the impacted resources and can be easily reproduced in an isolated environment. Without providing this, maintainers are limited in what support they can provide.

@github-actions github-actions bot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Oct 2, 2024
@ratesangelo ratesangelo changed the title from "rigin_max_http_version setting and first_party_fonts" to "origin_max_http_version setting and first_party_fonts" Oct 4, 2024
@github-actions github-actions bot removed the triage/needs-information Indicates an issue needs more information in order to work on it. label Oct 4, 2024