Ruleset always shows 'updated' even with no changes

[invertedtomato]

Describe what happened

Whenever uping the stack, the ruleset always shows as "update", even when no changes have been made.

Previewing update (stage):
     Type                              Name            Plan       
     pulumi:pulumi:Stack               universe-stage             
 ~   ├─ cloudflare:index:Ruleset       administration  update     <=== Here

When looking at "details" no changes are shown.

    ~ cloudflare:index/ruleset:Ruleset: (update)
        [id=c905279a280d416296faa704bb8eab76]
        [urn=urn:pulumi:stage::universe::cloudflare:index/ruleset:Ruleset::administration]
        [provider=urn:pulumi:stage::universe::pulumi:providers:cloudflare::default_5_40_1::9db241e6-38b9-4db7-af0c-5c66ef8f8b1f]
        kind  : "zone"
        name  : "Administration"
        phase : "http_request_firewall_custom"
        rules : [
            [0]: {
                action          : "skip"
                actionParameters: {
                    phases: [
                        [0]: "http_ratelimit"
                    ]
                }
                description     : "Allow all administration access"
                enabled         : true
                expression      : "ip.src in {**REMOVED**}"
            }
        ]
        zoneId: "578ad30a56eaa290219e099a1aa2a6fb"

This is largely cosmetic but does tax my ups by a few seconds

Sample program

Following is the exact rule I'm creating:

 var adminRuleset = new Cloudflare.Ruleset("administration", new() 
  {
    ZoneId = zoneId,
    Name = "Administration",
    Kind = "zone",
    Phase = "http_request_firewall_custom",
    Rules = new List<Cloudflare.Inputs.RulesetRuleArgs>
    {
      new()
      {
        Description = "Allow all administration access",
        Enabled = true,
        Expression = $"ip.src in {{{string.Join(" ", Configuration.Service.AdministrationIps)}}}",
        Action = "skip",
        ActionParameters = new Cloudflare.Inputs.RulesetRuleActionParametersArgs
        {
          Phases = ["http_ratelimit"],
        }
      }
    }
  });

Log output

No response

Affected Resource(s)

No response

Output of pulumi about

CLI          
Version      3.136.1
Go Version   go1.23.2
Go Compiler  gc

Host     
OS       darwin
Version  14.6.1
Arch     arm64

Pulumi locates its logs in /var/folders/wv/9mvwjbd10lzcj_395n42f53r0000gn/T/ by default

Additional context

No response

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

[invertedtomato]

This may be identical to #630

[guineveresaenger]

Hi @invertedtomato - thank you for reporting this issue. We're sorry you're seeing a permadiff here - that's not the experience we want for you.

To help us pinpoint what's going on here, can you try the following:

On the latest version of this provider, run your program but with
PULUMI_TF_BRIDGE_ACCURATE_BRIDGE_PREVIEW=true pulumi up
and let us know if the issue persists? This is an experimental feature/fix for diffing issues currently under development.

Failing that, it would help us a lot with reproducing and debugging this issue on our end more quickly if you could provide us with a complete, runnable repro of this behavior, sensitive information redacted. Thank you!

[invertedtomato]

Hi @guineveresaenger , I'm afraid I had to move on and have solved my functional requirements without Pulumi. The issue remaining but I'm no longer in a position to pursue it.