cloudflare/terraform-provider-cloudflare v5.18.0 on GitHub

5.18.0 (2026-02-28)

Full Changelog: v5.17.0...v5.18.0

Features

New Resources

cloudflare_client_certificate: add new resource for managing zone-level client certificates used in mutual TLS (mTLS) authentication
cloudflare_custom_origin_trust_store: add new resource for managing custom CA certificates in a zone's origin trust store
cloudflare_zero_trust_dex_rule: add new resource for managing Zero Trust DEX (Digital Experience Monitoring) rules that target WARP client network tests via wirefilter expressions
cloudflare_zero_trust_gateway_pacfile: add new resource for managing Zero Trust Gateway PAC (Proxy Auto-Configuration) files including contents, slug, and download URL

New Data Sources

cloudflare_client_certificate: add new data source to read a single client certificate by ID
cloudflare_client_certificates: add new data source to list client certificates for a zone with status, limit, and offset filtering
cloudflare_custom_origin_trust_store: add new data source to read a single custom origin trust store certificate
cloudflare_custom_origin_trust_stores: add new data source to list custom origin trust store certificates for a zone
cloudflare_zero_trust_dex_rule: add new data source to read a single Zero Trust DEX rule by account and rule ID
cloudflare_zero_trust_dex_rules: add new data source to list Zero Trust DEX rules with filtering by name and sorting options
cloudflare_zero_trust_gateway_pacfile: add new data source to read a single Zero Trust Gateway PAC file
cloudflare_zero_trust_gateway_pacfiles: add new data source to list all Zero Trust Gateway PAC files for an account

New Attributes

cloudflare_ai_search_instance: add fusion_method attribute to control hybrid search result fusion strategy (max or rrf)
cloudflare_ai_search_instance: add retrieval_options block with keyword_match_mode to control keyword search matching behavior (exact_match or fuzzy_match)
cloudflare_ai_search_instance: add description attribute under public_endpoint_params block
cloudflare_ai_search_instance: expand model enumerations for aisearch_model, rewrite_model, and summarization_model with new options
cloudflare_certificate_pack: add dcv_delegation_records read-only block exposing DCV delegation CNAME, email, HTTP, and TXT validation record details
cloudflare_certificate_pack: add cname, cname_target, and status fields to validation_records nested block
cloudflare_custom_ssl: add deploy optional attribute to specify deployment environment (staging or production)
cloudflare_page_shield_policy: add "add_reporting_directives" as a valid value for the action attribute
cloudflare_ruleset: add "http_response_cache_settings" phase and new "set_cache_control" / "set_cache_tags" rule actions
cloudflare_ruleset: add action_parameters.strip_etags, action_parameters.strip_last_modified, and action_parameters.strip_set_cookie boolean attributes for cache header control
cloudflare_ruleset: add full suite of HTTP Cache-Control directive attributes under action_parameters (immutable, max_age, must_revalidate, no_cache, no_store, private, public, s_maxage, stale_if_error, stale_while_revalidate, and more)
cloudflare_stream_live_input: add enabled boolean attribute to control whether the live input can accept streams
cloudflare_worker_version: add bindings.outbound.worker.entrypoint string attribute for specifying the outbound worker entrypoint
cloudflare_zero_trust_access_application: add policies.connection_rules.rdp block with allowed_clipboard_local_to_remote_formats and allowed_clipboard_remote_to_local_formats for RDP clipboard control
cloudflare_zero_trust_access_policy: add connection_rules.rdp block with allowed_clipboard_local_to_remote_formats and allowed_clipboard_remote_to_local_formats for RDP clipboard control
cloudflare_zero_trust_access_policy: add mfa_config block with allowed_authenticators, mfa_bypass, and session_duration for per-policy MFA configuration
cloudflare_zero_trust_dlp_custom_entry: add optional description attribute
cloudflare_zero_trust_dlp_custom_profile: add shared_entries attribute list as the replacement for the now-deprecated entries attribute, with richer schema including description, variant, word_list, and expanded type enum
cloudflare_zero_trust_dlp_entry: add optional description attribute
cloudflare_zero_trust_dlp_integration_entry: add description attribute
cloudflare_zero_trust_dlp_predefined_entry: add description attribute
cloudflare_zero_trust_organization: add mfa_config block (allowed_authenticators, session_duration) for organization-level MFA configuration
cloudflare_zero_trust_organization: add mfa_configuration_allowed boolean to indicate if the organization can enforce MFA at the application or policy level
cloudflare_zero_trust_organization: add mfa_required_for_all_apps boolean to control whether global MFA settings apply to all applications by default

Bug Fixes

cloudflare_authenticated_origin_pulls_certificate: add serial_number read-only attribute exposing the certificate serial number
cloudflare_custom_ssl: rename policy to policy_restrictions in the data source to match the API response field name
cloudflare_hostname_tls_setting: correct value attribute type from Number to String in the data source
cloudflare_load_balancer_pool: change origins attribute type from List to Set to prevent ordering-related drift
cloudflare_load_balancer_pool: move disabled_at from read-only to optional within the origins block
cloudflare_queue: replace consumers.queue_id and consumers.script with consumers.dead_letter_queue and consumers.queue_name to match current API schema
cloudflare_queue_consumer: promote type attribute from Optional to Required; replace script with queue_name and add dead_letter_queue read-only attributes
cloudflare_worker_version: change bindings.outbound.params from a flat list of strings to a structured attribute list where each item exposes a name field
cloudflare_worker_version: fix doubly encoded json attribute
cloudflare_workers_script: fix doubly encoded json attribute
cloudflare_zero_trust_access_application: prevent RDP connection rules drift in connection_rules attribute
cloudflare_zero_trust_access_policy: prevent RDP connection rules drift in connection_rules attribute
cloudflare_zero_trust_device_default_profile_local_domain_fallback: change domains attribute type from List to Set to prevent ordering-related drift
cloudflare_zero_trust_device_posture_rule: relax name attribute from Required to Optional
cloudflare_zero_trust_dlp_custom_profile: relax context_awareness.enabled and context_awareness.skip.files from Required to Optional

Documentation

cloudflare_account_member: improve status attribute description to clarify default value and replacement behavior when transitioning from accepted to pending
cloudflare_ai_search_token: mark cf_api_key attribute as Sensitive
cloudflare_hostname_tls_setting: improve setting_id and value attribute documentation to clarify per-setting type expectations and enumerate available values
cloudflare_origin_ca_certificate: expand hostnames description to document FQDN requirements, single-level wildcard rules, and IDN/Unicode hostname support