cloudflare.AccessApplication not using the self_hosted_domains input #858

Open
OckhamOdyssey opened this issue Jul 15, 2024 · 1 comment
Labels
area/import An issue related to `pulumi import` or the import resource option. kind/bug Some behavior is incorrect or out of spec

Comments

@OckhamOdyssey

Describe what happened

I was importing Cloudflare ZTNA resources into our Pulumi repository with Python when I realized that only one application domain was being imported with several of these.

For example, using pulumi import cloudflare:index/accessApplication:AccessApplication other_admin_panels [ACCOUNT_ID]/[APPLICATION_ID] it returns this code:

import pulumi
import pulumi_cloudflare as cloudflare

other_admin_panels = cloudflare.AccessApplication("other_admin_panels",
    account_id="[ACCOUNT_ID]",
    allowed_idps=["[IdP_ID]"],
    domain="[SUBDOMAIN]/admin",
    http_only_cookie_attribute=True,
    name="Admin Panel",
    service_auth401_redirect=True,
    opts = pulumi.ResourceOptions(protect=True))

This application has five subdomains; this is an example:
image

Running pulumi up indicates that there are no changes to be made. In the web panel there are 5 domains, in the repository there is only one, so supposedly both states are the same:

pulumi up
Previewing update (cloudflare-ztna):
     Type                 Name                             Plan     
     pulumi:pulumi:Stack  cloudflare-ztna-cloudflare-ztna           

Resources:
    37 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:cloudflare-ztna::cloudflare-ztna::pulumi:pulumi:Stack::cloudflare-ztna-cloudflare-ztna]

Do you want to perform this update? yes
Updating (cloudflare-ztna):
     Type                 Name                             Status     
     pulumi:pulumi:Stack  cloudflare-ztna-cloudflare-ztna             

Resources:
    37 unchanged

Duration: 1s

If I make a change, in service_auth401_redirect for example, the status of the resource is updated and all domains are removed from the application except the one specified in the "domain" input. What this means is that Pulumi's Cloudflare package does take the domain status from the application but does not give you the full code on the import.

pulumi up
Previewing update (cloudflare-ztna):
     Type                                   Name                             Plan       Info
     pulumi:pulumi:Stack                    cloudflare-ztna-cloudflare-ztna             
 ~   └─ cloudflare:index:AccessApplication  other_admin_panels               update     [diff: ~serviceAuth401Redirect]

Resources:
    ~ 1 to update
    36 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:cloudflare-ztna::cloudflare-ztna::pulumi:pulumi:Stack::cloudflare-ztna-cloudflare-ztna]
    ~ cloudflare:index/accessApplication:AccessApplication: (update) 🔒
        [id=e4d41497-481d-49b6-bbde-a14e31b85f2d]
        [urn=urn:pulumi:cloudflare-ztna::cloudflare-ztna::cloudflare:index/accessApplication:AccessApplication::other_admin_panels]
        [provider=urn:pulumi:cloudflare-ztna::cloudflare-ztna::pulumi:providers:cloudflare::default_5_33_1::a3e9024d-1125-4421-9af1-44e8d0032a0a]
      ~ serviceAuth401Redirect: true => false

Do you want to perform this update? yes
Updating (cloudflare-ztna):
     Type                                   Name                             Status           Info
     pulumi:pulumi:Stack                    cloudflare-ztna-cloudflare-ztna                   
 ~   └─ cloudflare:index:AccessApplication  other_admin_panels               updated (2s)     [diff: ~serviceAuth401Redirect]

Resources:
    ~ 1 updated
    36 unchanged

Duration: 4s

image

Sample program

I hope I have detailed the problem well enough. If you can explain to me how I can make a self-contained Pulumi program from a Cloudflare ZTNA, I will be happy to do so.

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI          
Version      3.124.0
Go Version   go1.22.5
Go Compiler  gc

Plugins
KIND      NAME        VERSION
resource  cloudflare  5.33.1
language  python      unknown

Host     
OS       ubuntu
Version  23.10
Arch     x86_64

This project is written in python: executable='/home/user/dev/[REDACTED]/cloudflare/ztna/venv/bin/python' version='3.11.6'

Current Stack: organization/cloudflare-ztna/cloudflare-ztna

[REDACTED]

Found no pending operations associated with cloudflare-ztna

Backend        
Name           user
URL            gs://[REDACTED]-infra-iac
User           user
Organizations  
Token type     personal

Dependencies:
NAME               VERSION
pip                24.1.2
pulumi_cloudflare  5.33.1
setuptools         68.1.2

Pulumi locates its logs in /tmp by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@OckhamOdyssey OckhamOdyssey added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jul 15, 2024
@iwahbe
Member

iwahbe commented Jul 17, 2024

Hi @OckhamOdyssey, thanks for opening an issue. It looks like the import should have included fields for self_hosted_domains, but it doesn't. We'll take a look and try to figure out what's going wrong.


When looking into the issue, this program replicates the problem:

import pulumi
import pulumi_cloudflare as cloudflare

account_id = pulumi.Config().require("cloudflare-account-id")

domain="pulumi-cloudflare-demo.com"
access = cloudflare.AccessApplication("access",
    zone_id="<ZONE_ID>",
    domain=domain,
    http_only_cookie_attribute=True,
    name="Admin Panel",
    self_hosted_domains=[domain, f"mytest2.{domain}"],
    service_auth401_redirect=True,
)

imported = cloudflare.AccessApplication.get("imported", access.id.apply(lambda id: f"{account_id}/{id}"))

def assert_non_empty(input):
    assert len(input) > 0
    return input


pulumi.export("self_hosted_domains", imported.self_hosted_domains.apply(assert_non_empty))

@iwahbe iwahbe added area/import An issue related to `pulumi import` or the import resource option. and removed needs-triage Needs attention from the triage team labels Jul 17, 2024
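
A pre-update check for the drift described in this issue, as an added example that is not part of the issue or the provider's code: it compares the domains on the live Access application with those recorded in the Pulumi state and lists the ones an update would remove from the application. The sample JSON is constructed, and the field names `self_hosted_domains` (Cloudflare API object) and `selfHostedDomains` (resource inputs in `pulumi stack export`) are assumptions.

```python
import json

APP_TYPE = "cloudflare:index/accessApplication:AccessApplication"

# Constructed sample: trimmed Cloudflare API object for one Access application.
LIVE_APP = json.loads("""{
  "id": "00000000-0000-0000-0000-000000000000",
  "domain": "admin.example.com/admin",
  "self_hosted_domains": ["admin.example.com/admin", "ops.example.com/admin",
                          "billing.example.com/admin"]
}""")

# Constructed sample: trimmed `pulumi stack export` output after the import.
STACK_EXPORT = json.loads("""{
  "version": 3,
  "deployment": {"resources": [
    {"type": "cloudflare:index/accessApplication:AccessApplication",
     "id": "00000000-0000-0000-0000-000000000000",
     "inputs": {"domain": "admin.example.com/admin", "name": "Admin Panel"}}
  ]}
}""")


def declared_domains(stack_export, app_id):
    """Domains the Pulumi state declares for the Access application app_id."""
    for res in stack_export["deployment"]["resources"]:
        if res.get("type") == APP_TYPE and res.get("id") == app_id:
            inputs = res.get("inputs", {})
            # Assumed state key: camelCase form of self_hosted_domains.
            domains = set(inputs.get("selfHostedDomains") or [])
            if inputs.get("domain"):
                domains.add(inputs["domain"])
            return domains
    raise KeyError(f"Access application {app_id} not found in stack export")


def domains_at_risk(live_app, stack_export):
    """Live domains missing from state: the next update would drop them."""
    live = set(live_app.get("self_hosted_domains") or [])
    if live_app.get("domain"):
        live.add(live_app["domain"])
    return sorted(live - declared_domains(stack_export, live_app["id"]))


if __name__ == "__main__":
    for d in domains_at_risk(LIVE_APP, STACK_EXPORT):
        print("would be removed from the application:", d)
```

A non-empty result after `pulumi import` means the generated program should not be applied until the missing domains are added to it by hand.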