- Dec 5, 2025
- Parsed from source:Dec 5, 2025
- Detected by Releasebot:Dec 16, 2025
Docs Collections by Cloudflare
Terraform v5.14.0 now available
Cloudflare rolls out Terraform v5 provider updates focused on stability and migration readiness, including v5.14, resource-by-resource fixes, and a planned v4→v5 migration tool for 2026.
Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.
Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.
This release includes bug fixes, the stabilization of even more popular resources, and more.
Deprecation notice
Resource affected: api_shield_discovery_operation
Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations.
The corresponding public API endpoint of discovered operations is not affected and will continue to be supported.
Features
- pages_project: Add v4 -> v5 migration tests (#6506)
Bug fixes
- account_members: Makes member policies a set (#6488)
- pages_project: Ensures non empty refresh plans (#6515)
- R2: Improves sweeper (#6512)
- workers_kv: Ignores value import state for verify (#6521)
- workers_script: No longer treats the migrations attribute as WriteOnly (#6489)
- workers_script: Resolves resource drift when worker has unmanaged secret (#6504)
- zero_trust_device_posture_rule: Preserves input.version and other fields (#6500) and (#6503)
- zero_trust_dlp_custom_profile: Adds sweepers for dlp_custom_profile
- zone_subscription|account_subscription: Adds partners_ent as valid enum for rate_plan.id (#6505)
- zone: Ensures datasource model schema parity (#6487)
- subscription: Updates import signature to accept account_id/subscription_id to import account subscription (#6510)
Upgrade to newer version
We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.
For more information
- Terraform Provider
- Documentation on using Terraform with Cloudflare
- Nov 20, 2025
- Parsed from source:Nov 20, 2025
- Detected by Releasebot:Nov 25, 2025
Docs Collections by Cloudflare
Terraform v5.13.0 now available
Cloudflare Terraform v5 brings new resources, data sources and improvements with a stability driven cadence. Expect breaking changes for token resources and a migration focus plus a tool to ease v4 to v5 upgrades in March 2026.
Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.13 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.
Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.
This release includes new features, new resources and data sources, bug fixes, updates to our Developer Documentation, and more.
Breaking Change
Please be aware that there are breaking changes for the cloudflare_api_token and cloudflare_account_token resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API.
For more specific information about the changes or the actions required, please see the detailed Repository changelog.
Features
- New resources and data sources added:
  - cloudflare_connectivity_directory
  - cloudflare_sso_connector
  - cloudflare_universal_ssl_setting
- api_token+account_tokens: state upgrader and schema bump (#6472)
- docs: make docs explicit when a resource does not have import support
- magic_transit_connector: support self-serve license key (#6398)
- worker_version: add content_base64 support
- worker_version: boolean support for run_worker_first (#6407)
- workers_script_subdomains: add import support (#6375)
- zero_trust_access_application: add proxy_endpoint for ZT Access Application (#6453)
- zero_trust_dlp_predefined_profile: Switch DLP Predefined Profile endpoints, introduce enabled_entries attribut
Bug Fixes
- account_token: token policy order and nested resources (#6440)
- allow r2_bucket_event_notification to be applied twice without failing (#6419)
- cloudflare_worker+cloudflare_worker_version: import for the resources (#6357)
- dns_record: inconsistent apply error (#6452)
- pages_domain: resource tests (#6338)
- pages_project: unintended resource state drift (#6377)
- queue_consumer: id population (#6181)
- workers_kv: multipart request (#6367)
- workers_kv: updating workers metadata attribute to be read from endpoint (#6386)
- workers_script_subdomain: add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383)
- workers_script: allow config.run_worker_first to accept list input
- zero_trust_device_custom_profile_local_domain_fallback: drift issues (#6365)
- zero_trust_device_custom_profile: resolve drift issues (#6364)
- zero_trust_dex_test: correct configurability for 'targeted' attribute to fix drift
- zero_trust_tunnel_cloudflared_config: remove warp_routing from cloudflared_config (#6471)
Upgrading
We suggest holding off on migration to v5 while we work on stabilization. This will help you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.
For more info
- Terraform Provider
- Documentation on using Terraform with Cloudflare
- Oct 30, 2025
- Parsed from source:Oct 30, 2025
- Detected by Releasebot:Oct 31, 2025
Docs Collections by Cloudflare
Revamped Member Management UI
Cloudflare updates the Dashboard’s Member Management with a refreshed invite flow, clearer Members Overview, and a new member details view for inherited and active permissions. Administrators can now assign multiple account-scoped policies per member, boosting flexibility and policy alignment with groups.
What's New
Refreshed member invite flow
We overhauled the Invite Members UI to simplify inviting users and assigning permissions.
Refreshed Members Overview Page
We've updated the Members Overview Page to clearly display:
- Member 2FA status
- Which members hold Super Admin privileges
- API access settings per member
- Member onboarding state (accepted vs pending invite)
New Member Permission Policies Details View
We've created a new member details screen that shows all permission policies associated with a member, including policies inherited from group associations, to make it easier for members to understand the effective permissions they have.
Improved Member Permission Workflow
We redesigned the permission management experience to make it faster and easier for administrators to review roles and grant access.
Account-scoped Policies Restrictions Relaxed
Previously, customers could only associate a single account-scoped policy with a member. We've relaxed this restriction, and Administrators can now assign multiple account-scoped policies to the same member, bringing policy assignment behavior in line with user groups and providing greater flexibility in managing member permissions.
- Oct 30, 2025
- Parsed from source:Oct 30, 2025
- Detected by Releasebot:Oct 31, 2025
- Modified by Releasebot:Dec 19, 2025
Docs Collections by Cloudflare
Introducing email two-factor authentication
Cloudflare adds Email as a new 2FA option to boost security with lower friction and loss resistance. Enable via Profile > Authentication > Set up, and follow best practices to keep accounts safe.
Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover.
Cloudflare has offered phishing-resistant 2FA options including hardware-based keys (for example, a YubiKey) and app-based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware-based key or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support.
Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already.
You can now enable email 2FA on the Cloudflare dashboard:
- Go to Profile at the top right corner.
- Select Authentication.
- Under Two-Factor Authentication, select Set up.
Sign-in security best practices
Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account:
- Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked.
- Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
- If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
- If you use a custom email domain to sign in, configure SSO.
- If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
- If you manage a Cloudflare account for work:
  - Have at least two administrators in case one of them unexpectedly leaves your company.
  - Use SCIM to automate permissions management for members in your Cloudflare account.
- Oct 16, 2025
- Parsed from source:Oct 16, 2025
- Detected by Releasebot:Oct 28, 2025
Docs Collections by Cloudflare
Increased HTTP header size limit to 128 KB
Cloudflare expands header limits to 128 KB for both requests and responses, reducing 413 and 520 errors and enabling broader use cases. Larger headers support more cookies, bigger CSP headers, and advanced Cloudflare Workers scenarios with ease.
We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to 128 KB for both request and response headers.
Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with HTTP 413 (Request Header Fields Too Large) errors.
What's new?
- Support for large headers: You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers.
- Reduces 413 and 520 HTTP errors: This change drastically reduces the likelihood of customers encountering HTTP 413 errors from large request headers or HTTP 520 errors caused by oversized response headers, improving the overall reliability of your web applications.
- Enhanced functionality: This is especially beneficial for applications that rely on:
  - A large number of cookies.
  - Large Content-Security-Policy (CSP) response headers.
  - Advanced use cases with Cloudflare Workers that generate large response headers.
This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits.
To learn more and get started, refer to the Cloudflare Fundamentals documentation.
- Oct 14, 2025
- Parsed from source:Oct 14, 2025
- Detected by Releasebot:Oct 28, 2025
Docs Collections by Cloudflare
Single sign-on now manageable in the user experience
Birthday Week
During Birthday Week, we announced that single sign-on (SSO) is available for free to everyone who signs in with a custom email domain and maintains a compatible identity provider. SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API.
Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to Manage account > Members > Settings.
For more information
- Cloudflare dashboard SSO
- Oct 7, 2025
- Parsed from source:Oct 7, 2025
- Detected by Releasebot:Oct 28, 2025
Docs Collections by Cloudflare
Automated reminders for backup codes
Cloudflare rolls out email and in‑product reminders prompting users to download backup codes for 2FA, helping recovery if credentials are lost. It also highlights sign‑in security best practices, backup code storage, and options like SSO and password hygiene.
The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to Profile > Security & Authentication > Backup codes.
Sign-in security best practices
Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account.
- Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
- Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked.
- Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
- If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
- If you use a custom email domain to sign in, configure SSO.
- If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
- If you manage a Cloudflare account for work:
  - Have at least two administrators in case one of them unexpectedly leaves your company.
  - Use SCIM to automate permissions management for members in your Cloudflare account.
- Oct 2, 2025
- Parsed from source:Oct 2, 2025
- Detected by Releasebot:Oct 28, 2025
Docs Collections by Cloudflare
Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta
Cloudflare rolls out fine grained RBAC for Access Applications, Identity Providers and Targets in public beta, letting admins grant permissions at the individual resource level. The beta requires a read‑only account scope to view resources, with plans to lift this later.
What's New
- Access Applications: Grant admin permissions to specific Access Applications.
- Identity Providers: Grant admin permissions to individual Identity Providers.
- Targets: Grant admin rights to specific Targets.
During the public beta, members must also be assigned an account-scoped, read-only role to view resources in the dashboard. This restriction will be lifted in a future release.
- Account Read Only plus a fine-grained permission for a specific App, IdP, or Target
- Cloudflare Zero Trust Read Only plus fine-grained permission for a specific App, IdP, or Target
For more info
- Get started with Cloudflare Permissioning
- Manage Member Permissioning via the UI & API
- Oct 1, 2025
- Parsed from source:Oct 1, 2025
- Detected by Releasebot:Oct 28, 2025
Docs Collections by Cloudflare
Return markdown
Users can now specify that they want to retrieve Cloudflare documentation as markdown rather than the previous HTML default. This can significantly reduce token consumption when used alongside Large Language Model (LLM) tools.
If you maintain your own site and want to adopt this practice using Cloudflare Workers for your own users, you can follow the example here.
- Aug 29, 2025
- Parsed from source:Aug 29, 2025
- Detected by Releasebot:Dec 20, 2025
Docs Collections by Cloudflare
Terraform v5.9 now available
Cloudflare launches Terraform v5 with a stability cadence and a new resource: cloudflare_snippet (replacing cloudflare_snippets). Expect targeted, resource-by-resource fixes, drift and auto-update improvements, and migration guidance to ease upgrading.
Release notes
Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2 week cadence to ensure its stability and reliability, including the v5.9 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources for every release, stabilizing the release, and closing all associated bugs with that resource before moving onto resolving migration issues.
Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.
This release includes a new resource, cloudflare_snippet, which replaces cloudflare_snippets. cloudflare_snippets is now considered deprecated but can still be used. Please utilize cloudflare_snippet as soon as possible.
Changes
- Resources stabilized:
  - cloudflare_zone_setting
  - cloudflare_worker_script
  - cloudflare_worker_route
  - tiered_cache
- NEW resource cloudflare_snippet which should be used in place of cloudflare_snippets. cloudflare_snippets is now deprecated. This enables the management of Cloudflare's snippet functionality through Terraform.
- DNS Record Improvements: Enhanced handling of DNS record drift detection
- Load Balancer Fixes: Resolved created_on field inconsistencies and improved pool configuration handling
- Bot Management: Enhanced auto-update model state consistency and fight mode configurations
- Other bug fixes
For a more detailed look at all of the changes, refer to the changelog in GitHub.
Issues Closed
- #5921: In cloudflare_ruleset removing an existing rule causes recreation of later rules
- #5904: cloudflare_zero_trust_access_application is not idempotent
- #5898: (cloudflare_workers_script) Durable Object migrations not applied
- #5892: cloudflare_workers_script secret_text environment variable gets replaced on every deploy
- #5891: cloudflare_zone suddenly started showing drift
- #5882: cloudflare_zero_trust_list always marked for change due to read only attributes
- #5879: cloudflare_zero_trust_gateway_certificate unable to manage resource (cant mark as active/inactive)
- #5858: cloudflare_dns_records is always updated in-place
- #5839: Recurring change on cloudflare_zero_trust_gateway_policy after upgrade to V5 provider & also setting expiration fails
- #5811: Reusable policies are imported as inline type for cloudflare_zero_trust_access_application
- #5795: cloudflare_zone_setting inconsistent value of "editable" upon apply
- #5789: Pagination issue fetching all policies in "cloudflare_zero_trust_access_policies" data source
- #5770: cloudflare_zero_trust_access_application type warp diff on every apply
- #5765: V5 / cloudflare_zone_dnssec fails with HTTP/400 "Malformed request body"
- #5755: Unable to manage Cloudflare managed WAF rules via Terraform
- #5738: v4 to v5 upgrade failing Error: no schema available AND Unable to Read Previously Saved State for UpgradeResourceState
- #5727: cloudflare_ruleset http_request_cache_settings bypass mismatch between dashboard and terraform
- #5700: cloudflare_account_member invalid type 'string' for field 'roles'
If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new issue if one does not already exist for what you are experiencing.
Upgrading
We suggest holding off on migration to v5 while we work on stabilization. This will help you avoid any blocking issues while the Terraform resources are actively being stabilized.
If you'd like more information on migrating from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition. These do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.
For more info
- Terraform provider
- Documentation on using Terraform with Cloudflare
- GitHub Repository