Core Platform Updates & Release Notes
97 updates curated from 1 source by the Releasebot Team. Last updated: May 22, 2026
- May 21, 2026
- Date parsed from source: May 21, 2026
- First seen by Releasebot: May 22, 2026
Cloudflare Fundamentals, Cloudflare One, Cloudflare Tunnel for SASE, Cloudflare Tunnel, Cloudflare Mesh - Granular permissions for Cloudflare Tunnel and Cloudflare Mesh
Core Platform adds granular permissions for Cloudflare Tunnel and Cloudflare Mesh, letting administrators scope access to individual instances and nodes for safer, account-level private network control.
You can now scope Cloudflare permissions to individual Cloudflare Tunnel instances and Cloudflare Mesh nodes. Administrators can delegate access to specific Tunnels or Mesh nodes without granting account-wide control over private networking.
What is new
When you add a member or create a permission policy, the resource picker now lists Cloudflare Tunnel instances and Cloudflare Mesh nodes as scopable resource types. You can:
- Grant a read-only role on a single Cloudflare Tunnel instance to a support operator for log streaming and diagnostics — without exposing other Tunnels or destructive actions.
- Grant a write role on a specific Cloudflare Mesh node to an application team — without giving them access to the rest of your private network.
- Scope a single policy to one or many Tunnels and Mesh nodes at once.
How it works
Granular permissions are a parallel layer to existing account-level roles — they do not replace them.
Existing account-level roles continue to work. A member with Cloudflare Access or Cloudflare Zero Trust retains write access to every Tunnel and Mesh node in the account. This ensures backward compatibility for existing automation and tokens.
Granular permissions are additive. For any API request on a specific Tunnel or Mesh node, access is granted if the principal has either the account-level role or a granular permission for that resource.
Resource enumeration is authorization-aware. Listing endpoints (GET /accounts/{id}/cfd_tunnel, GET /accounts/{id}/warp_connector) return only the resources the principal has at least read access to.
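The additive rule and the authorization-aware listing described above can be modelled in a few lines. This is an added example, not Cloudflare code: the `Principal` shape, resource ids and principal names are constructed for illustration, and only the two account-level role names come from the note. It also reports principals whose granular grants restrict nothing because an account-level role already covers every Tunnel and Mesh node.

```python
from dataclasses import dataclass, field

# Account-level roles the release note names as keeping write access everywhere.
ACCOUNT_WIDE_WRITE_ROLES = frozenset({"Cloudflare Access", "Cloudflare Zero Trust"})
LEVELS = {"read": 1, "write": 2}


@dataclass
class Principal:
    name: str
    account_roles: set = field(default_factory=set)
    # Granular grants: resource id -> "read" or "write" (hypothetical shape).
    granular: dict = field(default_factory=dict)


def effective_level(principal, resource_id):
    """Access from either layer: account-level role OR granular grant."""
    if principal.account_roles & ACCOUNT_WIDE_WRITE_ROLES:
        return "write"
    return principal.granular.get(resource_id)


def is_allowed(principal, resource_id, action):
    """True if the principal may perform `action` ("read" or "write")."""
    level = effective_level(principal, resource_id)
    return level is not None and LEVELS[level] >= LEVELS[action]


def list_visible(principal, resources):
    """Authorization-aware enumeration: only resources with at least read access."""
    return [r for r in resources if is_allowed(principal, r, "read")]


def shadowed_grants(principals):
    """Granular grants that restrict nothing because an account-level role
    already gives the principal write access to every Tunnel and Mesh node."""
    report = {}
    for p in principals:
        roles = sorted(p.account_roles & ACCOUNT_WIDE_WRITE_ROLES)
        if roles and p.granular:
            report[p.name] = {"roles": roles, "grants": sorted(p.granular)}
    return report


# Constructed sample data: resource ids and principal names are made up.
RESOURCES = ["tunnel-prod", "tunnel-staging", "mesh-node-a"]
SUPPORT = Principal("support-operator", granular={"tunnel-prod": "read"})
APP_TEAM = Principal("app-team", granular={"mesh-node-a": "write"})
LEGACY = Principal("legacy-automation", {"Cloudflare Zero Trust"},
                   {"tunnel-staging": "read"})

if __name__ == "__main__":
    for p in (SUPPORT, APP_TEAM, LEGACY):
        print(p.name, list_visible(p, RESOURCES))
    print(shadowed_grants([SUPPORT, APP_TEAM, LEGACY]))
```

Running the same check over an export of real members and policies shows where a scoped policy gives a false sense of least privilege until the account-level role is removed.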
Get started
Configure granular permissions for Cloudflare Tunnel.
Configure granular permissions for Cloudflare Tunnel and Cloudflare Mesh in Cloudflare One.
Review the resource-scoped roles on the Cloudflare role reference.
- May 13, 2026
- Date parsed from source: May 13, 2026
- First seen by Releasebot: May 15, 2026
Logs - New Logpush datasets and updated fields across multiple Logpush datasets in Cloudflare Logs
Core Platform adds new Logpush datasets for Email Security Post-Delivery Events and Magic Network Monitoring Flow Logs, while expanding Firewall events and HTTP requests with new AI security fields and subrequests.
Cloudflare has updated Logpush datasets:
New datasets
Email Security Post-Delivery Events: A new dataset with fields including AlertID, CompletedAt, Destination, FinalDisposition, Folder, From, FromName, MessageID, MessageTimestamp, MicrosoftTenantID, Operation, PostfixID, Reasons, Recipient, RequestedAt, RequestedBy, RequestedDisposition, Status, Subject, Success, and To.
Magic Network Monitoring Flow Logs: A new dataset with fields including AWSVPCFlowJSON, Bits, DestinationAS, DestinationAddress, DestinationPort, DeviceID, EgressBits, EgressPackets, Ethertype, FlowProtocol, FlowTimestamp, NumFlows, PacketID, Packets, Protocol, RuleIDs, SampleRate, SampleRateType, SamplerAddress, SourceAS, SourceAddress, SourcePort, TcpFlags, and Timestamp.
Updated fields in existing datasets
Firewall events (added): AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, and AISecurityUnsafeTopicCategories.
HTTP requests (added): AISecurityInjectionScore, AISecurityPIICategories, AISecurityTokenCount, AISecurityUnsafeTopicCategories, and Subrequests.
For the complete field definitions for each dataset, refer to Logpush datasets.
- May 4, 2026
- Date parsed from source: May 4, 2026
- First seen by Releasebot: May 5, 2026
Cloudflare Fundamentals - Keyboard shortcuts for the Cloudflare dashboard
Core Platform adds Cloudflare dashboard keyboard shortcuts for faster navigation, context switching, and common actions without leaving the keyboard. Users can jump around the dashboard, switch accounts or zones, toggle views, copy URLs, and disable shortcuts in profile settings.
You can now navigate, switch context, and take common actions in the Cloudflare dashboard without leaving your keyboard. Press ? anywhere to see the full list. Keyboard shortcuts can be disabled by visiting your profile settings.
Navigate
| Shortcut | Action |
| --- | --- |
| g h | Go to Home |
| g a | Go to account overview |
| g z | Go to zone overview |
| g p | Go to your profile |
| g w | Go to Workers & Pages |
| g o | Go to Zero Trust |
| g b | Go to billing |
| g 1 – g 5 | Go to a recent or pinned item (by position in sidebar) |
| t → | Move to the next tab |
| t ← | Move to the previous tab |
| p → | Move to the next page of a table |
| p ← | Move to the previous page of a table |
Take action
| Shortcut | Action |
| --- | --- |
| / | Open quick search |
| ? | Show keyboard shortcuts |
| s a | Switch account |
| s z | Switch zone |
| s . | Star or unstar the current zone |
| p . | Pin or unpin the current page |
| t s | Toggle the sidebar open or closed |
| t m | Expand or collapse all sidebar menus |
| t a | Toggle Ask AI sidebar |
| d . | Toggle dark mode |
| c u | Copy the current URL |
| c d | Copy a deep link URL |
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: May 6, 2026
SDK, Go SDK - Go SDK v7.0.0 Released
Core Platform ships a major v7.0.0 release with breaking API updates across AI Search, Email Security, and Workers, plus new organization audit logs, browser target closing, queue metrics, and synchronous AI search indexing support.
Full Changelog: v6.10.0...v7.0.0
This is a major version release that includes breaking changes to three packages: ai_search, email_security, and workers. These changes reflect upstream API specification updates that improve type correctness and consistency.
Please read through the list of changes below before moving to this version. It will help you understand any downstream or upstream issues the upgrade may cause in your environments.
Breaking Changes
See the v7.0.0 Migration Guide for before/after code examples and actions needed for each change.
AI Search - SearchForAgents Metadata Removed
The SearchForAgents nested type has been removed from all instance metadata structs. This field is no longer part of the API specification.
Removed Types:
- InstanceNewResponseMetadataSearchForAgents
- InstanceUpdateResponseMetadataSearchForAgents
- InstanceListResponseMetadataSearchForAgents
- InstanceDeleteResponseMetadataSearchForAgents
- InstanceReadResponseMetadataSearchForAgents
- InstanceNewParamsMetadataSearchForAgents
- InstanceUpdateParamsMetadataSearchForAgents
- NamespaceInstanceNewResponseMetadataSearchForAgents
- NamespaceInstanceUpdateResponseMetadataSearchForAgents
- NamespaceInstanceListResponseMetadataSearchForAgents
- NamespaceInstanceDeleteResponseMetadataSearchForAgents
- NamespaceInstanceReadResponseMetadataSearchForAgents
- NamespaceInstanceNewParamsMetadataSearchForAgents
- NamespaceInstanceUpdateParamsMetadataSearchForAgents
Email Security - Path Parameter Type Changes
Multiple Email Security settings sub-resources have changed their path parameter types from int64 to string:
- AllowPolicies (policyID int64 -> policyID string)
- BlockSenders (patternID int64 -> patternID string)
- Domains (domainID int64 -> domainID string)
- ImpersonationRegistry (displayNameID int64 -> impersonationRegistryID string)
- TrustedDomains (trustedDomainID int64 -> trustedDomainID string)
Email Security - Investigate Parameter Rename
The Investigate.Get, Investigate.Move.New, and Investigate.Reclassify.New methods now use investigateID instead of postfixID as the path parameter name.
Email Security - Domains BulkDelete Method Removed
The SettingDomainService.BulkDelete method and its associated types have been removed:
- SettingDomainBulkDeleteResponse
- SettingDomainBulkDeleteParams
Email Security - TrustedDomains Return Type Change
SettingTrustedDomainService.New now returns *SettingTrustedDomainNewResponse instead of *SettingTrustedDomainNewResponseUnion.
Email Security - Investigate.Move Return Type Change
InvestigateMoveService.New now returns *pagination.SinglePage[InvestigateMoveNewResponse] instead of *[]InvestigateMoveNewResponse.
Workers - Observability Telemetry Filter Restructuring
The observability telemetry filter parameter types have been restructured to support nested filter groups. New discriminated union types replace the previous flat filter arrays:
- ObservabilityTelemetryKeysParams.Filters now accepts FiltersObjectFilterUnion (was []interface{})
- ObservabilityTelemetryQueryParams.Parameters.Filters now accepts FiltersObjectFilterUnion
- ObservabilityTelemetryValuesParams.Filters now accepts FiltersObjectFilterUnion
New types include FiltersObjectFiltersObject (for group filters with FilterCombination) and FiltersWorkersObservabilityFilterLeaf (for leaf filters with typed Operation, Type, and Value fields).
Features
Organizations - Audit Logs (client.Organizations.Logs.Audit)
NEW SERVICE: Query organization audit logs with cursor-based pagination.
- List() - Retrieve audit logs
Browser Rendering (client.BrowserRendering)
- client.BrowserRendering.Devtools.Browser.Targets.Close() - Close a specific browser target (tab, page) by ID
Queues (client.Queues)
- client.Queues.GetMetrics() - Retrieve queue metrics for a specific queue
AI Search (client.AISearch)
Added WaitForCompletion parameter to NamespaceInstanceItemNewOrUpdateParams and NamespaceInstanceItemSyncParams for synchronous indexing confirmation
Bug Fixes
- Magic Transit: ConnectorService.List parameter name corrected from query to params (non-functional, affects generated documentation only)
Deprecations
None in this release.
Get started
- Download Go SDK v7.0.0
- Go SDK documentation
- Migration Guide
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: May 6, 2026
SDK - Cloudflare Python SDK v5.0.0 Released
Core Platform releases a major Cloudflare Python SDK update with Python 3.9+ support, optional aiohttp async backend, 11 new API services, new endpoints across existing services, and broad type and method updates for a cleaner developer experience.
Full Changelog: v4.3.1...v5.0.0
This is a major release of the Cloudflare Python SDK. It drops support for Python 3.8, adds 11 new API services, introduces optional aiohttp backend support for improved async concurrency, and includes hundreds of type and method updates across the entire API surface.
Please review the breaking changes below before upgrading. A migration guide is available at v5.0.0 Migration Guide.
Breaking Changes
Python 3.8 is no longer supported. The minimum required version is now Python 3.9.
typing-extensions minimum version bumped from >=4.10 to >=4.14.
The following resources have breaking changes. See the v5.0.0 Migration Guide for detailed migration instructions.
- abusereports
- acm.totaltls
- apigateway.configurations
- cloudforceone.threatevents
- d1.database
- intel.indicatorfeeds
- logpush.edge
- origintlsclientauth.hostnames
- queues.consumers
- radar.bgp
- rulesets.rules
- schemavalidation.schemas
- snippets
- zerotrust.dlp
- zerotrust.networks
Features
aiohttp Backend Support
The async client now supports an optional aiohttp HTTP backend for improved concurrency performance. Install with pip install cloudflare[aiohttp] and use DefaultAioHttpClient() as the http_client parameter.
Python 3.13 and 3.14 Support
Python 3.13 and 3.14 are now tested and supported.
New Services
The following top-level resources are new in this release:
| Resource | Client Path | Description |
| --- | --- | --- |
| AI Search | aisearch | AI-powered search capabilities |
| Connectivity | connectivity | Connectivity testing and diagnostics |
| Email Sending | email_sending | Email send and send_raw endpoints |
| Fraud | fraud | Fraud detection and prevention |
| Google Tag Gateway | google_tag_gateway | Google Tag Gateway management |
| Organizations | organizations | Organization audit logs and management |
| R2 Data Catalog | r2_data_catalog | R2 Data Catalog operations |
| Realtime Kit | realtime_kit | Realtime communication (Calls/TURN) |
| Resource Tagging | resource_tagging | Resource tagging and labeling |
| Token Validation | token_validation | Token validation configuration and rules |
| Vulnerability Scanner | vulnerability_scanner | Vulnerability scanning, credential sets, and target environments |

New Endpoints on Existing Services
- api_gateway: Labels endpoints
- billing: Billable usage PayGo endpoint
- brand_protection: v2 endpoints
- browser_rendering: DevTools methods
- cache: Origin cloud regions resource
- custom_origin_trust_store: Custom origin trust store
- dns: dns_records/usage endpoints
- email_security: Phishguard reports endpoint
- iam: User groups and user group members resources
- radar: Botnet Threat Feed and Post-Quantum endpoints
- workers: Observability Destinations resources
- zero_trust: Access Users, DEX rules, Device IP Profile, Device Subnet, WARP Connector connections and failover, WARP Subnet, Gateway PAC files
- zones: Zone environments endpoints
Bug Fixes
- Fixed polymorphic_serialization parameter in model_dump overrides
- Added BaseModel base to response SchemaFieldStruct/SchemaFieldList stubs in Pipelines
- Added missing model_rebuild/update_forward_refs for SharedEntryCustomEntry classes in DLP
- Made RunQueryParametersNeedleValue a BaseModel with arbitrary_types_allowed in Workers
- Removed duplicate notification_url field in webhook response types for Stream
- Resolved pre-existing codegen type errors
- Fixed type: ignore[call-arg] placement for mypy compatibility in Radar
Deprecations
Resources with @deprecated annotations on some methods include: accounts, addressing, ai-gateway, aisearch, api-gateway, billing, cloudforce-one, dns, email-routing, email-security, filters, firewall, images, intel, kv, logpush, origin-tls-client-auth, pages, pipelines, radar, rate-limits, registrar, rulesets, ssl, user, workers, workers-for-platforms, zero-trust, zones
Get started
- Download Python SDK v5.0.0
- Python SDK documentation
- Migration Guide
- Apr 30, 2026
- Date parsed from source: Apr 30, 2026
- First seen by Releasebot: May 6, 2026
SDK - Cloudflare TypeScript SDK v6.0.0 Released
Core Platform ships a major Cloudflare TypeScript SDK release with 11 new top-level API resources, expanded methods across 50+ existing resources, and infrastructure improvements. The update also includes breaking API changes, removed endpoints, and broader type and path restructuring.
Full Changelog: v6.0.0-beta.2...v6.0.0
This is a major version release of the Cloudflare TypeScript SDK. It includes 11 entirely new top-level API resources, new sub-resources and methods across 50+ existing resources, SDK infrastructure improvements, and breaking changes to the generated API surface from the v5.x line.
Please read through the list of changes below before moving to this version. It will help you understand any downstream or upstream issues the upgrade may cause in your environments.
Breaking Changes
SDK Infrastructure
Retry-After handling changed: The SDK now respects any server-specified Retry-After value for rate-limited requests. Previously, values over 60 seconds were ignored and a default backoff was used instead.
Empty response handling: Responses with content-length: 0 now return undefined instead of attempting to parse the body.
Environment variable reading: Empty string env vars (for example, CLOUDFLARE_API_TOKEN="") are now treated as unset.
Path query parameter merging: URL search params embedded in endpoint paths are now extracted and merged into the query object.
Removed Endpoints (17)
17 HTTP endpoints were removed from the SDK, affecting abuse-reports, cloudforce-one, dlp/profiles/predefined, email-security/investigate, email-security/settings, and intel/ip-list.
Method Signature Changes
client.ai.toMarkdown.transform(file, { ...params }) -> client.ai.toMarkdown.transform({ ...params }) -- file moved from positional arg into params body
client.radar.ai.toMarkdown.create(body, { ...params }) -> client.radar.ai.toMarkdown.create({ ...params }) -- body moved from positional arg into params
client.abuseReports.create(reportType, { ...params }) -> client.abuseReports.create(reportParam, { ...params }) -- positional arg renamed
client.iam.userGroups.members.create(userGroupId, [ ...body ]) -> client.iam.userGroups.members.create(userGroupId, [ ...members ]) -- body array param renamed
Renamed Client Paths
client.originTLSClientAuth.hostnames.certificates -> client.originTLSClientAuth.zoneCertificates
client.radar.netflows -> client.radar.netFlows (casing change)
Return Type Changes (179)
133 methods now return null instead of a typed response object. This primarily affects delete operations across accounts, cache, d1, filters, firewall, hyperdrive, iam, kv, logpush, logs, r2, stream, workers, zero-trust, zones, and others.
17 methods changed pagination type (for example, KeysCursorPaginationAfter -> KeysCursorLimitPagination).
29 methods changed to a different named type (for example, CloudflaredCreateResponse -> CloudflareTunnel).
Removed Types (43)
24 shared types removed from root namespace (ASN, AuditLog, Member, Permission, Role, Subscription, Token, etc.). 19 response types consolidated or renamed.
Resource Restructuring
19 resources were restructured from single files to directories. Public API client paths are unchanged, but deep imports may break.
New Top-Level Resources
11 entirely new resources added to the client:
| Resource | Client Path | Methods | Description |
| --- | --- | --- | --- |
| AI Search | client.aiSearch | 46 | Instances, namespaces, tokens, and items |
| Connectivity | client.connectivity | 5 | Directory service APIs |
| Email Sending | client.emailSending | 7 | Send and send_raw endpoints |
| Fraud | client.fraud | 2 | Fraud detection API |
| Google Tag Gateway | client.googleTagGateway | 2 | Google Tag Gateway management |
| Organizations | client.organizations | 8 | Organization profiles and audit logs |
| R2 Data Catalog | client.r2DataCatalog | 11 | R2 Data Catalog routes |
| Realtime Kit | client.realtimeKit | 54 | Realtime Kit APIs |
| Resource Tagging | client.resourceTagging | 9 | Resource tagging routes |
| Token Validation | client.tokenValidation | 13 | Token validation rules |
| Vulnerability Scanner | client.vulnerabilityScanner | 21 | Vulnerability scanning |
New Sub-Resources on Existing Resources
browser-rendering: crawl, devtools - Crawl endpoints and DevTools methods
cache: origin-cloud-regions - Origin cloud regions resource
dns: usage - DNS records usage endpoints
d1: time-travel - Time travel get_bookmark and restore
email-security: phishguard - Phishguard reports endpoint
pipelines: sinks, streams - Pipelines restructure
radar: agent-readiness, geolocations, post-quantum - New analytics endpoints
workers: observability - Observability destinations
zones: environments - Zone environments endpoints
api-gateway: labels - Labels endpoints
brand-protection: v2 - V2 endpoints
alerting: silences - Alert silencing API
billing: usage - Billable usage PayGo endpoint
iam: sso - SSO Connectors resource
queues: getMetrics method - Queues metrics endpoint
registrar: registration-status, update-status - Registrar API convergence
zero-trust: DLP settings, DEX rules, Access Users, WARP Connector, WARP Subnets, Gateway PAC files, Gateway tenants
Bug Fixes
Resolved type errors from codegen overwriting manual fixes
Fixed post() usage for to-markdown endpoints to resolve async type error
Added least-privilege permissions to all workflow jobs
Reverted erroneous removal of rulesets resource methods and types
Resolved prettier formatting errors in codegen output
Deprecations
The following resources now include @deprecated annotations on some methods:
accounts, addressing, ai-gateway, aisearch, api-gateway, billing, cloudforce-one, custom-nameservers, dns, email-routing, email-security, filters, firewall, images, intel, keyless-certificates, kv, logpush, origin-tls-client-auth, page-shield, pages, pipelines, radar, rate-limits, registrar, rulesets, ssl, user, workers, workers-for-platforms, zero-trust, zones
Get started
Download TypeScript SDK v6.0.0
TypeScript SDK documentation
Full Changelog
- Apr 29, 2026
- Date parsed from source: Apr 29, 2026
- First seen by Releasebot: May 6, 2026
Cloudflare Fundamentals - Instant Bank Payments via Link
Core Platform adds Instant Bank Payments via Link, letting US self-serve customers pay for Cloudflare services from a bank account at checkout. Saved bank accounts now appear alongside cards and can be reused for future purchases without re-entering details.
You can now pay for Cloudflare services directly from your bank account using Instant Bank Payments via Link.
What changed
Link now supports bank account payments in addition to cards. If you have a bank account saved in Link, it appears as a payment option at checkout. If not, you can connect one during the checkout flow.
How to use it
During checkout, select your bank account from your saved Link payment methods.
Confirm the payment.
After your first Link authentication, your bank account is available for future purchases without re-entering details.
Who is eligible
Instant Bank Payments via Link is available to US-based self-serve accounts across all Cloudflare products. Your existing cards remain available at checkout.
Bank-based Link payments appear in your billing history with the payment method shown as link and last four digits as 0000. For details, refer to the Instant Bank Payments via Link documentation.
- Apr 28, 2026
- Date parsed from source: Apr 28, 2026
- First seen by Releasebot: May 1, 2026
Support - Direct access to Support from the dashboard
Core Platform adds direct access to Support from the dashboard, sending users straight to the Cloudflare Support Portal from the global navigation header and removing the old dropdown menu for faster help.
Direct access to Support from the dashboard
The Support button in the dashboard global navigation header now takes you directly to the Cloudflare Support Portal, eliminating the previous dropdown menu.
This change ensures that when you need help, you spend less time navigating the UI and more time getting the answers you need.
What changed?
Previous behavior: Selecting ? Support opened a dropdown menu with various links (Help Center, Cloudflare Community, etc.).
New behavior: Selecting Support immediately redirects your current tab to the Support Portal.
To learn more about the resources available to you, refer to the Cloudflare Support documentation.
- Apr 27, 2026
- Date parsed from source: Apr 27, 2026
- First seen by Releasebot: Apr 28, 2026
Cloudflare Fundamentals, Resource Tagging - Resource Tagging enters public beta
Core Platform adds Resource Tagging in public beta, giving Cloudflare users custom key-value metadata, account-wide search and filtering, CRUD APIs, token-based auth, role support, and dashboard management across many resource types.
Resource Tagging is now in public beta and rolling out to all Cloudflare accounts over the coming days. You can attach custom key-value metadata to your Cloudflare resources and query across your entire account to find what you need.
What's included
- Broad resource type support — Tag zones, custom hostnames, Cloudflare Tunnels, Workers scripts, D1 databases, R2 buckets, KV namespaces, Durable Objects, Queues, Stream videos, Images, Access applications, Gateway rules, AI Gateways, and more. Refer to the full list of supported resource types.
- Powerful filtering — Query tagged resources using AND/OR logic, negation, and key-only matching. Combine up to 20 filters per query to build precise resource views.
- Account and zone-level endpoints — Full CRUD operations across both scopes.
- Token-based authentication — Tagging supports Account Owned Tokens that persist independently of individual users, so your automation keeps running through credential rotations and team changes.
- Flexible role support — Super Administrators, Workers Admins, and Tag Admins can all manage tags.
API-first by design
The API is the primary interface for Resource Tagging and the recommended path for all workflows — scripting tag assignments, building CI/CD pipelines, or integrating with your infrastructure-as-code toolchain.
Dashboard UI
You can also view and manage tagged resources directly in the Cloudflare dashboard. Navigate to Manage Account > Resource Tagging to see all tagged resources across your account, filter by resource name or tag, and add or edit tags inline.
What's coming next
In future releases, expect support for additional resource types across the Cloudflare platform, tag-based access control policies for scoping user permissions to tagged resources, billing and usage attribution by tag for breaking down costs by team, project, or environment, and Terraform provider support for managing tags declaratively.
Current limitations
- PUT replaces all tags on a resource (no partial update). Use the GET, merge, PUT workflow to modify individual tags safely.
- DELETE removes all tags from a resource. To remove a single tag, PUT the remaining tags back.
- Querying tags for a resource that has never been tagged returns 500 instead of 404. This is a known beta limitation.
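The GET, merge, PUT workflow from the limitations above, as an added example that is not Cloudflare code. The Resource Tagging endpoints are not shown on this page, so `FakeTagAPI` is a hypothetical in-memory stand-in that mimics the three listed behaviours; resource ids and tag values are constructed.

```python
class ApiError(Exception):
    def __init__(self, status):
        super().__init__(f"HTTP {status}")
        self.status = status


class FakeTagAPI:
    """Hypothetical in-memory stand-in mimicking the beta limitations above."""

    def __init__(self, initial=None):
        self._tags = {k: dict(v) for k, v in (initial or {}).items()}

    def get(self, resource_id):
        if resource_id not in self._tags:
            raise ApiError(500)               # never-tagged resource: 500, not 404
        return dict(self._tags[resource_id])

    def put(self, resource_id, tags):
        self._tags[resource_id] = dict(tags)  # full replacement, no partial update

    def delete(self, resource_id):
        self._tags[resource_id] = {}          # removes every tag on the resource


def _current_tags(api, resource_id, known_untagged):
    try:
        return api.get(resource_id)
    except ApiError as exc:
        # A 500 is ambiguous: a never-tagged resource or a real server fault.
        # Treat it as "no tags" only when the caller vouches for that; otherwise
        # the PUT that follows could replace tags we failed to read.
        if exc.status == 500 and known_untagged:
            return {}
        raise


def set_tags(api, resource_id, changes, known_untagged=False):
    """GET, merge, PUT: add or update some tags and keep the rest."""
    merged = _current_tags(api, resource_id, known_untagged)
    merged.update(changes)
    api.put(resource_id, merged)
    return merged


def remove_tag(api, resource_id, key):
    """Remove one tag by PUTting the remaining tags back (never DELETE)."""
    remaining = api.get(resource_id)
    remaining.pop(key, None)
    api.put(resource_id, remaining)
    return remaining


def demo():
    # Constructed sample state: one tagged zone, one never-tagged bucket.
    api = FakeTagAPI({"zone-1": {"env": "prod", "team": "edge"}})
    added = set_tags(api, "zone-1", {"owner": "secops"})
    removed = remove_tag(api, "zone-1", "team")
    try:
        set_tags(api, "bucket-9", {"env": "dev"})
        refused = False
    except ApiError:
        refused = True                        # ambiguous 500: nothing was written
    first = set_tags(api, "bucket-9", {"env": "dev"}, known_untagged=True)
    return added, removed, refused, first


if __name__ == "__main__":
    print(demo())
```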
To get started, refer to the Resource Tagging documentation.
- Apr 27, 2026
- Date parsed from source: Apr 27, 2026
- First seen by Releasebot: Apr 27, 2026
Cloudflare Fundamentals - Structured error responses for Cloudflare 5xx errors
Core Platform adds structured JSON and Markdown 5xx error responses for Cloudflare-generated errors, with RFC 9457 formatting, Retry-After headers on retryable codes, and clearer fault attribution across all zones and plans.
Cloudflare-generated 5xx error responses now return structured JSON and Markdown when agents request them, matching the format already available for 1xxx errors. Responses follow RFC 9457 (Problem Details for HTTP APIs) and include a Retry-After HTTP header on retryable codes.
Changes
5xx coverage. Ten Cloudflare-generated error codes (500, 502, 504, 520-526) now serve structured responses. These are errors Cloudflare itself generates when it cannot reach or understand the origin server. Origin-generated 5xx responses that Cloudflare passes through are not affected.
Fault attribution. The error_category field tells agents where the fault lies:
- origin (502, 504, 520-524) — the origin server is responsible. Transient; retry with the backoff in retry_after.
- cloudflare (500) — Cloudflare's fault, not the website or the request. Short retry.
- ssl (525, 526) — the origin's TLS configuration is broken. Do not retry.
Retry-After header. Retryable codes (500, 502, 504, 520-524) include a Retry-After HTTP header matching the retry_after body field. Non-retryable codes (525, 526) do not include the header.
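A client-side retry decision built on the error_category and retry_after fields and the Retry-After header described above. This is an added example, not Cloudflare code: the sample bodies are constructed (only the two field names come from the note, the other members are standard RFC 9457 ones), and the `max_delay` cap and the treatment of retry_after as whole seconds are assumptions of the example.

```python
import json
from collections import namedtuple

Decision = namedtuple("Decision", "retry delay reason")

JSON_TYPES = {"application/json", "application/problem+json"}
RETRYABLE = {"origin", "cloudflare"}   # categories the note marks as retryable
NON_RETRYABLE = {"ssl"}                # broken origin TLS: retrying cannot help


def _seconds(value):
    """Parse a delay in whole seconds; anything else (HTTP-dates too) is None."""
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return None
    return n if n >= 0 else None


def retry_decision(status, headers, body, max_delay=120):
    """Decide whether to retry a 5xx response.

    max_delay is a client-side cap (an assumption of this example) so that a
    very large server-supplied delay cannot stall the caller indefinitely.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    # HTML or any non-JSON body: not a negotiated structured response, for
    # example an origin-generated 5xx passed through. Caller policy applies.
    if not 500 <= status <= 599 or ctype not in JSON_TYPES:
        return Decision(False, None, "unstructured")
    try:
        problem = json.loads(body)
    except (TypeError, ValueError):
        return Decision(False, None, "unstructured")
    if not isinstance(problem, dict):
        return Decision(False, None, "unstructured")

    category = problem.get("error_category")
    if category in NON_RETRYABLE:
        return Decision(False, None, category)
    if category not in RETRYABLE:
        return Decision(False, None, "unknown-category")

    # Header and body field should match; if they differ, wait the longer one.
    candidates = [s for s in (_seconds(hdrs.get("retry-after")),
                              _seconds(problem.get("retry_after")))
                  if s is not None]
    if not candidates:
        return Decision(False, None, "retryable-but-no-delay")
    return Decision(True, min(max(candidates), max_delay), category)


# Constructed sample bodies; the real body layout may carry more members.
BODY_522 = json.dumps({"type": "about:blank", "title": "Connection timed out",
                       "status": 522, "error_category": "origin",
                       "retry_after": 30})
BODY_526 = json.dumps({"type": "about:blank", "title": "Invalid SSL certificate",
                       "status": 526, "error_category": "ssl"})
BODY_500 = json.dumps({"type": "about:blank", "title": "Internal server error",
                       "status": 500, "error_category": "cloudflare",
                       "retry_after": 600})

if __name__ == "__main__":
    print(retry_decision(522, {"Content-Type": "application/problem+json",
                               "Retry-After": "30"}, BODY_522))
    print(retry_decision(526, {"Content-Type": "application/json"}, BODY_526))
    print(retry_decision(502, {"Content-Type": "text/html"}, "<html></html>"))
```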
Negotiation behavior
| Request header sent | Response format |
| --- | --- |
| Accept: application/json | JSON (application/json content type) |
| Accept: application/problem+json | JSON (application/problem+json content type) |
| Accept: application/json, text/markdown;q=0.9 | JSON |
| Accept: text/markdown | Markdown |
| Accept: text/markdown, application/json | Markdown (equal q, first-listed wins) |
| Accept: */* | HTML (default) |
Availability
Available now for all zones on all plans.
Get started
Get JSON response for error 522:
curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/522" | jq .
Check presence of the Retry-After HTTP header associated with the JSON response for error 521:
curl -s --compressed -D - -o /dev/null -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/521" | grep -i retry-after
References:
RFC 9457 — Problem Details for HTTP APIs
Cloudflare 5xx error documentation
- Apr 24, 2026
- Date parsed from source: Apr 24, 2026
- First seen by Releasebot: May 2, 2026
Terraform - Terraform v5.19.0 now available
Core Platform releases Terraform Provider v5.19.0 with 14 new resources across AI Gateway, Pipelines, R2 Data Catalog, User Groups, Vulnerability Scanner, Workers Observability, and Zero Trust, plus smoother v4 to v5 migration with automatic state upgraders and tf-migrate support.
Terraform Provider v5.19.0 introduces 14 new resources spanning AI Gateway, Pipelines, R2 Data Catalog, User Groups, Vulnerability Scanner, Workers Observability, and Zero Trust capabilities. This release significantly improves the v4 to v5 migration experience with automatic state upgraders for 26 resources, working seamlessly with the new tf-migrate CLI tool to automate resource renames, attribute updates, and moved block generation. Together, these enhancements reduce manual migration effort and minimize risk when upgrading from v4 to v5.
Note: cmd/migrate is deprecated in favor of tf-migrate and will be removed in a future release (#7062)
New Resources
cloudflare_ai_gateway: Manage AI Gateway instances
cloudflare_certificate_authorities_hostname_associations: Manage mTLS certificate hostname associations
cloudflare_custom_page_asset: Manage custom page assets
cloudflare_pipeline: Manage Cloudflare Pipelines
cloudflare_r2_data_catalog: Manage R2 Data Catalog
cloudflare_user_group: Manage user groups
cloudflare_user_group_members: Manage user group memberships
cloudflare_vulnerability_scanner_credential: Manage vulnerability scanner credentials
cloudflare_vulnerability_scanner_credential_set: Manage vulnerability scanner credential sets
cloudflare_vulnerability_scanner_target_environment: Manage vulnerability scanner target environments
cloudflare_workers_observability_destination: Manage Workers Observability destinations
cloudflare_zero_trust_device_ip_profile: Manage Zero Trust device IP profiles
cloudflare_zero_trust_device_subnet: Manage Zero Trust device subnets
cloudflare_zero_trust_dlp_settings: Manage Zero Trust DLP settings
Features
V4 to V5 Migration State Upgraders
State upgraders added for seamless migration from v4 to v5 for the following resources:
account
account_member
account_token
authenticated_origin_pulls
authenticated_origin_pulls_hostname_certificate
byo_ip_prefix
custom_hostname
custom_ssl
leaked_credential_check
leaked_credential_check_rule
logpush_ownership_challenge
mtls_certificate
observatory_scheduled_test
pages_domain
regional_tiered_cache
turnstile_widget
workers_custom_domain
zero_trust_device_custom_profile
zero_trust_device_default_profile
zero_trust_device_posture_integration
zero_trust_gateway_certificate
zero_trust_gateway_settings
zero_trust_organization
zero_trust_tunnel_cloudflared_virtual_network
zone_setting
Other Features
ruleset: Add content_converter and redirects_for_ai_training support to configuration rules
zero_trust_gateway_logging: Make importable
Bug Fixes
Migration & State Management
account_member: Add UseStateForUnknown to status field to prevent drift
authenticated_origin_pulls_settings: Fix no prior schema and no-op upgrade
certificate_pack: Initialize empty lists instead of null in state upgrader to prevent drift
migrations: Handle ambiguous schema_version state for v4/v5 coexistence
zero_trust_access_policy: Fix nil pointer panic in state upgrader; set PriorSchema nil for v4 state upgrade
Resource-Specific Fixes
ai_search_instance: Restore original defaults for cache and cache_threshold; conflict resolution
apijson: Return empty object from MarshalForPatch when no fields are serializable
dlp_predefined_profile: Eliminate perpetual entries and enabled_entries drift
dns_record: Avoid unnecessary drift for ipv4_only and ipv6_only attributes; remove private_routing default value
drift: Preserve prior state values for optional fields not returned by API
healthcheck: Use buildHealthcheckPlanChecks helper for correct plan checks per migration source; update assertions
leaked_credential_check_rule: Handle empty ID from v4 provider state migration
list_item: Remove context
logpush_job: Update model for migration
ruleset: Fix migration; add redirects_for_ai_training to SourceV4ActionParametersModel; fix duplicate model attribute
worker: Add UseStateForUnknown() plan modifiers and update tests for observability.traces
workers_custom_domain: Handle HTTP 200 no content header; update assertions
workers_script: Fix model drift
zero_trust_access_identity_provider: Fix boolean drifts
zero_trust_device_managed_networks: Upgrade resource state
zero_trust_gateway_policy: Make filters Computed+Optional to prevent drift
zero_trust_gateway_settings: Fix breaking changes; implement sweeper to reset account to clean defaults
zone_setting: Migration test improvements and fixes
Documentation
healthcheck: Update port description to clarify defaults
Add application-scoped access policy migration guidance
Update zone_settings_override migration guide for tf-migrate v2 workflow
For more information
Terraform Provider
Version 5 Migration Guide
Documentation on using Terraform with Cloudflare
- Apr 24, 2026
- Date parsed from source: Apr 24, 2026
- First seen by Releasebot: Apr 25, 2026
Terraform - Automate migration from Cloudflare's Terraform v4 to v5 provider
Core Platform launches tf-migrate, a CLI tool that simplifies Cloudflare Terraform Provider v4 to v5 migrations with automated resource renames, attribute updates, moved block generation, cross-file reference updates, and dry-run support.
We're excited to announce tf-migrate, a purpose-built CLI tool that simplifies migrating from Cloudflare Terraform Provider v4 to v5.
v5 is stable and ready for production
Terraform Provider v5 is stable and actively receiving updates. We encourage all users to migrate to v5 to take advantage of ongoing enhancements and new capabilities.
Cloudflare uses tf-migrate to migrate our own infrastructure — the same tool we're providing to the community — ensuring the best possible migration experience.
What tf-migrate does
tf-migrate automates the tedious and error-prone parts of the v4 to v5 migration process:
- Resource type renames – Automatically updates cloudflare_record → cloudflare_dns_record, cloudflare_access_application → cloudflare_zero_trust_access_application, and 40+ other renamed resources
- Attribute transformations – Updates field names (e.g., value → content for DNS records) and restructures nested blocks
- Moved block generation – Creates Terraform 1.8+ moved blocks to prevent resource replacements and ensure zero-downtime migrations
- Cross-file reference updates – Automatically finds and updates all references to renamed resources across your entire configuration
- Dry-run mode – Preview all changes before applying them to ensure safety
Combined with the automatic state upgraders introduced in v5.19+, tf-migrate eliminates the manual work and risk that previously made v5 migrations challenging. tf-migrate operates directly on the config, and the built-in state upgraders handle the rest.
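The transformations listed above, shown on one constructed DNS record. This is an added illustration written by hand, not tf-migrate output or Cloudflare's own example; the resource name `www`, the variable `zone_id`, the output name and the address are assumptions.

```hcl
variable "zone_id" {
  type = string
}

# BEFORE (provider v4), kept as a comment for comparison:
#
# resource "cloudflare_record" "www" {
#   zone_id = var.zone_id
#   name    = "www"
#   type    = "A"
#   value   = "192.0.2.10"   # constructed documentation address
#   ttl     = 300
# }
#
# output "www_record_id" {
#   value = cloudflare_record.www.id
# }

# AFTER (provider v5): resource type renamed, `value` renamed to `content`.
resource "cloudflare_dns_record" "www" {
  zone_id = var.zone_id
  name    = "www"
  type    = "A"
  content = "192.0.2.10" # constructed documentation address
  ttl     = 300
}

# Moved block (Terraform 1.8+): tells Terraform that the existing state entry
# for the v4 address now belongs to the v5 address, so the plan shows a move
# rather than a destroy followed by a create.
moved {
  from = cloudflare_record.www
  to   = cloudflare_dns_record.www
}

# Cross-file reference update: every reference to the old address must follow
# the rename, or the configuration no longer validates.
output "www_record_id" {
  value = cloudflare_dns_record.www.id
}
```

Before applying, check that `terraform plan` reports the record as moved and not as a replacement; a destroy/create pair on DNS or Access resources means the moved block or a reference was missed.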
Supported resources
tf-migrate currently supports the most common Terraform resources our customers use. We are actively working to expand coverage, with the most commonly used resources prioritized first.
For the complete list of supported resources and their migration status, refer to the v5 Stabilization Tracker. This list is updated regularly as additional resources are stabilized and migration support is added.
Resources not yet supported by tf-migrate will need to be migrated manually using the version 5 upgrade guide. The upgrade guide provides step-by-step instructions for handling resource renames, attribute changes, and state migrations.
Get started
- Download tf-migrate
- Version 5 Migration Guide
- Terraform Provider documentation
- v5 Stabilization Tracker
We have been releasing Betas over the past month and a half while testing this tool. See the full changelog of those Betas here: tf-migrate releases.
- Apr 23, 2026
- Date parsed from source: Apr 23, 2026
- First seen by Releasebot: Apr 25, 2026
SDK, Go SDK - Go SDK v6.10.0 Released
Core Platform ships v6.10.0 with major SDK breaking changes and a wide set of new services. It adds vulnerability scanning, namespace-scoped AI Search, browser rendering DevTools, registrar tools, cache origin cloud regions, DLP settings, and updated IAM and AI reporting APIs.
v6.10.0
In this release, you'll see a number of breaking changes. This is primarily due to changes in the OpenAPI definitions on which our libraries are based, and to updates in the codegen we rely on to read those definitions and produce our SDK libraries.
Please read through the list of changes below before moving to this version. This will help you understand any downstream or upstream issues it may cause in your environments.
Breaking Changes
See the v6.10.0 Migration Guide for before/after code examples and actions needed for each change.
Abuse Reports - Registrar WHOIS Report Field Removals
Several fields have been removed from AbuseReportNewParamsBodyAbuseReportsRegistrarWhoisReportRegWhoRequest:
- RegWhoGoodFaithAffirmation
- RegWhoLawfulProcessingAgreement
- RegWhoLegalBasis
- RegWhoRequestType
- RegWhoRequestedDataElements
AI Search - Instance Params Restructured
The InstanceNewParams and InstanceUpdateParams types have been significantly restructured. Many fields have been moved or removed:
- InstanceNewParams.TokenID, Type, CreatedFromAISearchWizard, WorkerDomain removed
- InstanceUpdateParams — most configuration fields removed (including IndexMethod, IndexingOptions, MaxNumResults, Metadata, Paused, PublicEndpointParams, Reranking, RerankingModel, RetrievalOptions, RewriteModel, RewriteQuery, ScoreThreshold, SourceParams, Summarization, SummarizationModel, SystemPromptAISearch, SystemPromptIndexSummarization, SystemPromptRewriteQuery, TokenID, CreatedFromAISearchWizard, WorkerDomain)
- InstanceSearchParams.Messages field removed along with InstanceSearchParamsMessage and InstanceSearchParamsMessagesRole types
AI Search - InstanceItem Service Removed
The InstanceItemService type has been removed. The items sub-resource at client.AISearch.Instances.Items no longer exists in the non-namespace path. Use client.AISearch.Namespaces.Instances.Items instead.
AI Search - Token Types Removed
The following types have been removed from the ai_search package:
- TokenDeleteResponse
- TokenListParams (and associated TokenListParamsOrderBy, TokenListParamsOrderByDirection)
Email Security - Investigate Move Return Type Change
The Investigate.Move.New() method now returns a raw slice instead of a paginated wrapper:
- New() returns *[]InvestigateMoveNewResponse instead of *pagination.SinglePage[InvestigateMoveNewResponse]
- NewAutoPaging() method removed
Hyperdrive - Config Params Restructured
The ConfigEditParams type lost its MTLS and Name fields. The HyperdriveMTLSParam type lost MTLS and Host fields. The Host field on origin config changed from param.Field[string] to a plain string.
IAM - UserGroupMember Params and Return Types Changed
The UserGroupMemberNewParams struct has been restructured and the New() method now returns a paginated response:
- UserGroupMemberNewParams.Body renamed to UserGroupMemberNewParams.Members
- UserGroupMemberNewParamsBody renamed to UserGroupMemberNewParamsMember
- UserGroupMemberUpdateParams.Body renamed to UserGroupMemberUpdateParams.Members
- UserGroupMemberUpdateParamsBody renamed to UserGroupMemberUpdateParamsMember
- UserGroups.Members.New() returns *pagination.SinglePage[UserGroupMemberNewResponse] instead of *UserGroupMemberNewResponse
IAM - UserGroup List Direction Type Changed
The UserGroupListParams.Direction field changed from param.Field[string] to param.Field[UserGroupListParamsDirection] (typed enum with asc/desc values).
Pipelines - Delete Methods Now Return Typed Responses
Several delete methods across Pipelines now return typed responses instead of bare error:
- Pipelines.DeleteV1() returns (*PipelineDeleteV1Response, error) instead of error
- Pipelines.Sinks.Delete() returns (*SinkDeleteResponse, error) instead of error
- Pipelines.Streams.Delete() returns (*StreamDeleteResponse, error) instead of error
Queues - Message Response Types Removed
The following response envelope types have been removed:
- MessageBulkPushResponseSuccess
- MessagePushResponseSuccess
- MessageAckResponse fields RetryCount and Warnings removed
Secrets Store - Pagination Wrapper Removal and Type Changes
Methods now return direct types instead of SinglePage wrappers, and several internal types have been removed. Associated AutoPaging methods have also been removed:
- Stores.New() returns *StoreNewResponse instead of *pagination.SinglePage[StoreNewResponse]
- Stores.NewAutoPaging() method removed
- Stores.Secrets.BulkDelete() returns *StoreSecretBulkDeleteResponse instead of *pagination.SinglePage[StoreSecretBulkDeleteResponse]
- Stores.Secrets.BulkDeleteAutoPaging() method removed
- Removed types: StoreDeleteResponse, StoreDeleteResponseEnvelopeResultInfo, StoreSecretDeleteResponse, StoreSecretDeleteResponseStatus, StoreSecretBulkDeleteResponse (old shape), StoreSecretBulkDeleteResponseStatus, StoreSecretDeleteResponseEnvelopeResultInfo
- StoreNewParams restructured (old StoreNewParamsBody removed)
- StoreSecretBulkDeleteParams restructured
Stream - AudioTracks Return Type Change
The AudioTracks.Get() method now returns a dedicated response type instead of a paginated list. The GetAutoPaging() method has been removed:
- Get() returns *AudioTrackGetResponse instead of *pagination.SinglePage[Audio]
- GetAutoPaging() method removed
Stream - Clip Type Removal and Return Type Change
The Clip.New() method now returns the shared Video type. The following types have been entirely removed:
- Clip, ClipPlayback, ClipStatus, ClipWatermark
Stream - Copy and Clip Params Field Removals
- ClipNewParams.MaxDurationSeconds, ThumbnailTimestampPct, Watermark removed
- CopyNewParams.ThumbnailTimestampPct, Watermark removed
Stream - Download and Webhook Changes
- DownloadNewResponseStatus type removed
- WebhookUpdateResponse and WebhookGetResponse changed from interface{} type aliases to full struct types
Zero Trust - Access AI Control MCP Portal Union Types Removed
The following union interface types have been removed:
- AccessAIControlMcpPortalListResponseServersUpdatedPromptsUnion
- AccessAIControlMcpPortalListResponseServersUpdatedToolsUnion
- AccessAIControlMcpPortalReadResponseServersUpdatedPromptsUnion
- AccessAIControlMcpPortalReadResponseServersUpdatedToolsUnion
Features
Vulnerability Scanner (client.VulnerabilityScanner)
NEW SERVICE: Full vulnerability scanning management
- CredentialSets - CRUD for credential sets (New, Update, List, Delete, Edit, Get)
- Credentials - Manage credentials within sets (New, Update, List, Delete, Edit, Get)
- Scans - Create and manage vulnerability scans (New, List, Get)
- TargetEnvironments - Manage scan target environments (New, Update, List, Delete, Edit, Get)
AI Search - Namespaces (client.AISearch.Namespaces)
NEW SERVICE: Namespace-scoped AI Search management
- New(), Update(), List(), Delete(), ChatCompletions(), Read(), Search()
- Instances - Namespace-scoped instances (New, Update, List, Delete, ChatCompletions, Read, Search, Stats)
- Jobs - Instance job management (New, Update, List, Get, Logs)
- Items - Instance item management (List, Delete, Chunks, NewOrUpdate, Download, Get, Logs, Sync, Upload)
Browser Rendering - Devtools (client.BrowserRendering.Devtools)
NEW SERVICE: DevTools protocol browser control
- Session - List and get devtools sessions
- Browser - Browser lifecycle management (New, Delete, Connect, Launch, Protocol, Version)
- Page - Get page by target ID
- Targets - Manage browser targets (New, List, Activate, Get)
Registrar (client.Registrar)
NEW: Domain check and search endpoints
- Check() - POST /accounts/{account_id}/registrar/domain-check
- Search() - GET /accounts/{account_id}/registrar/domain-search
NEW: Registration management (client.Registrar.Registrations)
- New(), List(), Edit(), Get()
- RegistrationStatus.Get() - Get registration workflow status
- UpdateStatus.Get() - Get update workflow status
Cache - Origin Cloud Regions (client.Cache.OriginCloudRegions)
NEW SERVICE: Manage origin cloud region configurations
- New(), List(), Delete(), BulkDelete(), BulkEdit(), Edit(), Get(), SupportedRegions()
Zero Trust - DLP Settings (client.ZeroTrust.DLP.Settings)
NEW SERVICE: DLP settings management
- Update(), Delete(), Edit(), Get()
Radar
- AgentReadiness.Summary() - Agent readiness summary by dimension
- AI.MarkdownForAgents.Summary() - Markdown-for-agents summary
- AI.MarkdownForAgents.Timeseries() - Markdown-for-agents timeseries
IAM (client.IAM)
- UserGroups.Members.Get() - Get details of a specific member in a user group
- UserGroups.Members.NewAutoPaging() - Auto-paging variant for adding members
- UserGroups.NewParams.Policies changed from required to optional
Bot Management
- ContentBotsProtection field added to BotFightModeConfiguration and SubscriptionConfiguration (block/disabled)
Deprecations
None in this release.
Get started
- Download Go SDK v6.10.0
- Go SDK documentation
- Migration Guide
- Apr 23, 2026
- Date parsed from source: Apr 23, 2026
- First seen by Releasebot: Apr 23, 2026
Audit Logs - Audit Logs v2 — Organization-level support
Core Platform adds organization-level audit logs in Audit Logs v2, letting Org Admins retrieve org-wide audit events through the API. The release expands visibility for user-initiated organization actions while keeping account-level audit logs separate.
Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.
To retrieve organization-level audit logs, use the following endpoint:
GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit
This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.
Note
Organization-level audit logs are separate from account-level audit logs. Actions performed within a specific account continue to be available via the account-level Audit Logs UI, Audit Logs v2 API, and Logpush.
For more information, refer to the Audit Logs documentation.
- Apr 22, 2026
- Date parsed from source: Apr 22, 2026
- First seen by Releasebot: Apr 24, 2026
Analytics, Log Explorer - Custom dashboards available to all customers
Core Platform adds Custom Dashboards for Cloudflare customers, giving teams personalized views of critical infrastructure and security metrics. It expands charting across 100+ datasets and lets Log Explorer users turn log queries into real-time dashboard visualizations.
Custom Dashboards are now available to all Cloudflare customers. Build personalized views that highlight the metrics most critical to your infrastructure and security posture, moving beyond standard product dashboards.
This update significantly expands the data available for visualization. Build charts based on any of the 100+ datasets available via the Cloudflare GraphQL API, covering everything from WAF events and Workers metrics to Load Balancing and Zero Trust logs.
Log Explorer integration
For Log Explorer customers, you can now turn raw log queries directly into dashboard charts. When you identify a specific pattern or spike while investigating logs, save that query as a visualization to monitor those signals in real-time without leaving the dashboard.
Key benefits
- Unified visibility: Consolidate signals from different Cloudflare products (for example, HTTP Traffic and R2 Storage) into a single view.
- Flexible monitoring: Create charts that focus on specific status codes, ASN regions, or security actions that matter to your business.
- Expanded limits: Log Explorer customers can create up to 100 dashboards (up from 25 for standard customers).
To get started, refer to the Custom Dashboards documentation.
Curated by the Releasebot team
Releasebot is an aggregator of official product update announcements from hundreds of software vendors and thousands of sources.
Our editorial process involves the manual review and audit of release notes procured with the help of automated systems.