github cloudflare/terraform-provider-cloudflare v5.13.0
on GitHub

6 hours ago

5.13.0 (2025-11-21)

Full Changelog: v5.12.0...v5.13.0

⚠ BREAKING CHANGES: cloudflare_api_token & cloudflare_account_token Schema Update

The 5.13 release includes major updates to the cloudflare_api_token resource to eliminate configuration drift caused by policy ordering differences in the Cloudflare API.

Fixes: #6092

Whats changed

  • policies are now a Set; order is ignored to prevent drift.
  • When defining a policy, resources must use jsonencode(); all policy resource values must now be JSON-encoded strings.
  • Removed fields: id, name, and meta have been removed from policy blocks.

Required Action (v5.13+)
Customers looking to upgrade to v5.13+ must update all cloudflare_api_token & cloudflare_account_token resources to wrap policy resource values in jsonencode()

Before: 

resources = {
  "com.cloudflare.api.account.${var.cf_account_id}" = "*"
}

After: 

resources = jsonencode({
  "com.cloudflare.api.account.${var.cf_account_id}" = "*"
})
  • account_token: token policy order and nested resources (#6440)

Features

  • add new resources and data sources (7ce3dec)
  • api_token+account_tokens: state upgrader and schema bump (#6472) (42f7db2)
  • chore(build): point Terraform to released Go v6.3.0 (6d06b46)
  • docs: make docs explicit when a resource does not have import support (02699f6)
  • magic_transit_connector: support self-serve license key (#6398) (a6ec134)
  • worker_version: add content_base64 support (6ff643f)
  • worker_version: boolean support for run_worker_first (#6407) (116a67b)
  • workers_script_subdomains: add import support (#6375) (40f7ed8)
  • zero_trust_access_application: add proxy_endpoint for ZT Access Application (#6453) (177f20a)
  • zero_trust_dlp_predefined_profile: Switch DLP Predefined Profile endpoints, introduce enabled_entries attribute (bc69569)
  • zero_trust_tunnel_cloudflared: v4 to v5 migration tests (#6461) (ffa0fef)

Bug Fixes

  • account_token: token policy order and nested resources (#6440) (86c5972)
  • allow r2_bucket_event_notification to be applied twice without failing (#6419) (6fbd4c5)
  • cloudflare_worker+cloudflare_worker_version: import for the resources (#6357) (b98e0be)
  • dns_record: inconsistent apply error (#6452) (f289994)
  • pages_domain: resource tests (#6338) (d769e29)
  • pages_project: unintended resource state drift (#6377) (1a3955a)
  • queue_consumer: id population (#6181) (f3c6498)
  • workers_kv: multipart request (#6367) (65f8c19)
  • workers_kv: updating workers metadata attribute to be read from endpoint (#6386) (3a35757)
  • workers_script_subdomain: add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383) (9cc9b59)
  • workers_script: allow config.run_worker_first to accept list input (fab567c)
  • zero_trust_device_custom_profile_local_domain_fallback: drift issues (#6365) (65c0c18)
  • zero_trust_device_custom_profile: resolve drift issues (#6364) (4cd2cbd)
  • zero_trust_dex_test: correct configurability for 'targeted' attribute to fix drift (cd81178)
  • zero_trust_tunnel_cloudflared_config: remove warp_routing from cloudflared_config (#6471) (dc9d557)

Chores

  • account_member: add migration test (#6425) (967a972)
  • byoip: integrate generated changes for BYOIP resources (432160e)
  • certificate_pack: docs show safe rotation instructions (#6388) (3d37264)
  • ci: clean up leftover files in resources (#6474) (e8aee72)
  • ci: drop migration tests from CI (#6476) (968565f)
  • ci: fix tests ran on release PR (#6478) (0b43c46)
  • ci: fixes for parity tests and build failures (#6475) (3561876)
  • ci: modify sweepers (#6479) (4c8915d)
  • ci: skip flaky test in CI (fb14d86)
  • cloudflare_zero_trust_dlp_custom_profile: migration test and ignore order as set (#6428) (1659ff3)
  • d1: integrate generated changes for D1 resources (cfa3472)
  • dns_record: improve dns sweepers (#6430) (5e62468)
  • docs: document configurations and examples (#6449) (59430e0)
  • docs: generate docs and examples (cdd77ec)
  • email_routing: improved email routing sweepers (#6429) (133c81e)
  • iam: integrate generated changes for IAM resources (a87806e)
  • include new sections for pr template (#6395) (81c07e1)
  • load_balancing: integrate generated changes for Load Balancing resources (4c6b34d)
  • logpull_retention: add migration test for (#6426) (529f313)
  • logpull_retention: update acceptance test (#6277) (3766b3f)
  • logpush_job: add import tests for resource (#6402) (cded8ec)
  • logpush: integrate generated changes for Logpush resources (06e8446)
  • notification_policy_webhook: add migration test for notification-policy-webhook (#6443) (742d647)
  • pages: integrate generated changes for Pages resources (64855ea)
  • queue_consumer: testdata refactor (d301974)
  • r2_bucket: v4 to v5 migration tests for cloudflare_r2_bucket (#6437) (99ed1ee)
  • sso_connector: add acceptance tests (#6427) (8b54303)
  • stainless: integrate changes from unpinned codegen version (9cb3b8e)
  • test: acceptance tests for token validation resources (#6417) (4d94bdd)
  • test: add schema and token validation acceptance tests to CI (#6421) (b805abc)
  • test: increase legacy migrator test coverage (#6401) (9a8c48a)
  • universal_ssl_setting: add acceptance tests for universal_ssl_setting (2601c45)
  • worker: integrate generated changes for Worker resources (1da2bf2)
  • workers_kv_namespace: v4 to v5 migration tests for workers_kv_namespace (#6424) (433010f)
  • workers_kv: v4 to v5 migration tests for workers_kv (#6435) (58ca912)
  • workers_script: add workers scripts sweeper (#6351) (f439a08)
  • workers_script: fix resource name in TestAccCloudflareWorkerScript_ModuleWithDurableObject (614d8d3)
  • workers_script: fix resource names in tests (788e73a)
  • workers: integrate generated changes for Workers resources (ab0a330)
  • zero_trust_access_service_token: add migration test for zero_trust_access_service_token (#6416) (c77d5d5)
  • zero_trust_gateway_policy: v4 to v5 migration for zero_trust_gateway_policy (#6413) (1c1952b)
  • zero_trust_list: v4 to v5 migration tests for zero trust list records (#6400) (6ed55d6)
  • zero_trust_tunnel_cloudflared_route: v4 to v5 migration tests for zero_trust_tunnel_cloudflared_route (#6409) (5dc2094)
  • zero_trust, cfone: integrate generated changes for ZT and CFONE resources (b7131b2)
  • zone_dnssec: v4 to v5 migration tests for zone_dnssec (#6432) (86abd1f)
  • zone_settings: acceptance test to repro issue #6363 (#6445) (707c154)
  • zones: data source tests (#6414) (4d58e56)
  • zt_access: add sweepers for policy and service token (#6465) (9f4fa94)
Check out latest releases or
releases around cloudflare/terraform-provider-cloudflare v5.13.0

Don't miss a new terraform-provider-cloudflare release

NewReleases is sending notifications on new releases.

Get notifications