Update Terraform cloudflare to v5

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
cloudflare (source)	required_provider	major	4.34.0 → 5.20.0

---

Release Notes

cloudflare/terraform-provider-cloudflare (cloudflare)

v5.20.0

Compare Source

Full Changelog: v5.19.1...v5.20.0

Features

• add 11 new resources/data-sources from staging-next (faab405)
• add acceptance tests for google_tag_gateway resource (f89e15f)
• add acceptance tests for virtual_networks on zero_trust_device_custom_profile (0625153)
• add state upgraders for email_security_block_sender + impersonation_registry (bc22174)
• chore: skip failing deployment_groups tests (614c726)
• chore: skip failing Go SDK tests for workers bulk secret update (69d2591)
• chore: use cloudflare-go v7.5.0 in Terraform build (fd1ab3e)
• chore: use released Go SDK for Terraform build (e31d0f5)
• chore: use released Go SDK for Terraform build (858be78)
• feat: add custom_csrs Stainless config (zone + account) (0c37d4f)
• feat: add custom_csrs Stainless config (zone + account) (408836e)
• feat: add resource library endpoints inside zero trust (8f71612)
• feat: move google_tag_gateway terraform resource from staging to production (b4f6126)
• feat(api): add zero_trust_device_deployment_groups resource (3de6e62)
• feat(api): add zero_trust_device_deployment_groups resource (c852320)
• feat(cache): add create (POST) method for smart_tiered_cache (26568ea)
• feat(cache): Update OPCR config to v2 endpoints (CACHE-13523) (278c81f)
• feat(dex): add device ISPs endpoint mapping (4c7ad2c)
• feat(dlp): add custom prompt topics endpoint [production] (7732fd9)
• feat(dlp): add custom prompt topics endpoint [production] (305dab6)
• feat(dlp): promote classification Stainless config to main (d8803bd)
• feat(flagship): add Flagship feature flag API resource mappings (2b149cf)
• feat(resource_sharing): add Terraform resource definitions for shares (d83b268)
• feat(snippets): add terraform id_property annotations for snippet and snippet_rules (1781d02)
• fix(iam): remove standalone_api from oauth_scopes subresource (8af9cd0)

Bug Fixes

• account_member: missing upgrade path from v5.0-v5.15 (d5c2a93)
• add no-drift plan checks and domain precheck (e4eaf52)
• add read_only field to identity provider migration target model (ac4ec4f)
• align migration target models + schemas to fix parity tests (f5ea496)
• authenticated_origin_pulls_settings: nil pointer panic (cf8099b)
• bot_management: restore content_bots_protection handling in model.go (d559753)
• derive zone name from Read instead of missing API field (0d5feef)
• dns_record: prevent FQDN normalization from swallowing name shortening changes (2131622)
• email_security_trusted_domains: align model JSON tags with Optional schema (5ee457f)
• email: missed Optional revert + email_security_trusted_domains state upgrader (8f3ddad)
• gracefully handle nil pointer dereference when config has attributes_flat during migration (589384d)
• leaked_credential_check_rule: skip tests that require product enablement (fc2d109)
• list: nullify empty nested objects to prevent inconsistent result after apply (7bcee4b)
• load_balancer_pool: accept early-v5 object-shape state at schema_version=0 (23050e1), closes #​7098
• load_balancer_pool: add UseStateForUnknown for load_shedding attribute to prevent drift (3fc31ee)
• r2_custom_domain: restore degraded-response handling in resource.go (b3d01a0)
• regional_hostname: update cloudflare-go imports from v6 to v7 (d4211c4)
• register regional_hostname in provider.go (3a87345)
• resolve pre-existing v6/v7 and codegen-drift build errors (27aed32)
• restore handwritten code stripped from staging-next codegen for acceptance tests (6920a59)
• restore production files lost to codegen drift on staging-next (1bba117)
• restore site_id/queue_id path tags to 'required' in data source models (56b6a34)
• secrets_store: fix model/schema parity and guard acceptance tests (dde9b24)
• set initial schema version to 500 for all new resources (ef71ba4)
• spectrum_application: accept early-v5 object-shape state at schema_version=0 (bdcaa79), closes #​7098
• tests: bump v6→v7 imports in restored hand-written tests (4cf7eff)
• treeshaking required fields from optional (94198f3)
• undo two over-corrections from previous batch (08a3561)
• update go.sum and fix RecipientNewParams field rename (931cb9f)
• worker_version: restore handwritten D1 database_id handling (ed78cd0)
• worker: add propagation_policy to grandparent observability Default (c815f52)
• worker: include propagation_policy in observability.traces parent Default + update data source test (541fe77)
• worker: preserve observability.traces.propagation_policy across reads (458854e)
• workers_custom_domain: Missing CertId field in state migration (17d852f)
• workers_script: restore annotations Computed + workers_triggered_by (d3d033a)
• workers_script: restore annotations Read workaround stripped by staging-next codegen (d4f824f)
• zero_trust_access_application: skip MFA infrastructure test (4dd2f87)
• zero_trust_access_identity_provider: add UseStateForUnknown to SAML-only config fields (451e078)
• zero_trust_access_identity_provider: change read_only from computed to optional (b760efe)
• zero_trust_access_identity_provider: drop universal Default on SAML-only config fields (f297a75)
• zero_trust_access_identity_provider: use UseNonNullStateForUnknown on scim_config.scim_base_url (55a8860)
• zero_trust_access_identity_provider: use UseNonNullStateForUnknown on scim_config.secret (4dab13d)
• zero_trust_access_policy: Missing common_names transform in migration (ce95d8c)
• zero_trust_access_policy: populate account_id when migrating zone-scoped v4 state (513a91c)
• zero_trust_dlp_predefined_profile: skip tests that require account-level OCR (caed432)

Reverts

• token: drop custom.go restore to let PR #​7148 land cleanly (04f46b5)

Chores

• add feature request issue template (eee01fe)
• api_token: skip test not supported by account (5056f63)
• api: update composite API spec (fdcb705)
• api: update composite API spec (b4ace62)
• api: update composite API spec (408be20)
• api: update composite API spec (37e67c1)
• api: update composite API spec (5f2a7bd)
• api: update composite API spec (06e6ffc)
• api: update composite API spec (63b0963)
• api: update composite API spec (d634850)
• api: update composite API spec (0861a6a)
• api: update composite API spec (7d350ac)
• api: update composite API spec (14e308c)
• api: update composite API spec (9376903)
• api: update composite API spec (a83865d)
• api: update composite API spec (1c1ae98)
• api: update composite API spec (17d1f43)
• api: update composite API spec (7537630)
• api: update composite API spec (630c740)
• api: update composite API spec (921b330)
• api: update composite API spec (61b0057)
• api: update composite API spec (007d65d)
• api: update composite API spec (87325df)
• api: update composite API spec (5b6f63b)
• api: update composite API spec (796b467)
• api: update composite API spec (29cb63f)
• api: update composite API spec (6fb099e)
• api: update composite API spec (c0f463a)
• api: update composite API spec (4b4f4e1)
• api: update composite API spec (cced166)
• api: update composite API spec (1f0ef10)
• api: update composite API spec (3d0cc20)
• api: update composite API spec (3bfa07f)
• api: update composite API spec (b8d2fcb)
• api: update composite API spec (87be50c)
• api: update composite API spec (0165de6)
• api: update composite API spec (9cf975a)
• api: update composite API spec (f0f1f80)
• api: update composite API spec (04bd66d)
• api: update composite API spec (2309417)
• clarify description in feature request template (892847a)
• deps: migrate from cloudflare-go/v6 to /v7 (6d752b6)
• docs and examples (cd5cd44)
• generate docs (420ed0b)
• internal: codegen related update (61c4f94)
• internal: codegen related update (22d50b7)
• internal: codegen related update (6000928)
• internal: codegen related update (8d83c78)
• internal: codegen related update (f564ed6)
• internal: codegen related update (9b7e360)
• internal: codegen related update (9666ea8)
• internal: codegen related update (0419104)
• internal: codegen related update (4e2a053)
• internal: codegen related update (5f7e773)
• internal: codegen related update (0ea98f0)
• restore schema version (470abf1)
• revert unwanted generated code (5e2e81d)
• use 'next' for Terraform builds (5e3bd48)
• use v7 (a9b2b8e)
• use v7 for all test; 2 resources have missing methods in v7 so use v6 for those two resources (1c6e86c)
• zero_trust_device_custom_profile: skip virtual network test (48cc36f)

Documentation

• regenerate provider docs (e86855d)
• zero_trust_access_application: document in-place migration for policy UUIDs (555fa3f)

Refactors

• extract MoveState nil guard into shared helper (737caf9)

v5.19.1

Compare Source

Full Changelog: v5.19.0...v5.19.1

Features

• add user_group and user_group_members acceptance tests + custom delete (7f2420e)

Bug Fixes

• iam: tokens migrations (52c5675)
• list_item: ambigous schema while upgrade (8d75670)
• zero_trust_access_group: fix v4 migration of same name (918f9b6)

Chores

• unskip rate limited test for future (5f785f9)
• zone_settings: document available settings (26711da)
• zone_settings: document available settings dynamically (a885ddc)

v5.19.0

Compare Source

Full Changelog: v5.18.0...v5.19.0

New Resources

• cloudflare_ai_gateway: Manage AI Gateway instances (e8d7f3b)
• cloudflare_certificate_authorities_hostname_associations: Manage mTLS certificate hostname associations (97df6f2)
• cloudflare_custom_page_asset: Manage custom page assets (8b71d20)
• cloudflare_pipeline: Manage Cloudflare Pipelines (de21a25)
• cloudflare_r2_data_catalog: Manage R2 Data Catalog (e8d7f3b)
• cloudflare_user_group: Manage user groups (4cf8755)
• cloudflare_user_group_members: Manage user group memberships (4cf8755)
• cloudflare_vulnerability_scanner_credential: Manage vulnerability scanner credentials (4cf8755)
• cloudflare_vulnerability_scanner_credential_set: Manage vulnerability scanner credential sets (4cf8755)
• cloudflare_vulnerability_scanner_target_environment: Manage vulnerability scanner target environments (4cf8755)
• cloudflare_workers_observability_destination: Manage Workers Observability destinations (312d3af)
• cloudflare_zero_trust_device_ip_profile: Manage Zero Trust device IP profiles (7b251d2)
• cloudflare_zero_trust_device_subnet: Manage Zero Trust device subnets (ebb8216)
• cloudflare_zero_trust_dlp_settings: Manage Zero Trust DLP settings (4cf8755)

Features

• account: state upgrader for v4 to v5 migration (82ee06e)
• account_member: state upgrader for v4 to v5 migration (62d0ea7)
• account_token: state upgrader for v4 to v5 migration (a0469d7)
• authenticated_origin_pulls: state upgrader for v4 to v5 migration (c4054b7)
• authenticated_origin_pulls_hostname_certificate: state upgrader for v4 to v5 migration (c4054b7)
• byo_ip_prefix: state upgrader for v4 to v5 migration (8d58cab)
• custom_hostname: state upgrader for v4 to v5 migration (24e4f0e)
• custom_ssl: state upgrader for v4 to v5 migration (ada4f8f)
• leaked_credential_check: state upgrader for v4 to v5 migration (9372a7d)
• leaked_credential_check_rule: state upgrader for v4 to v5 migration (745f1e2)
• logpush_ownership_challenge: state upgrader for v4 to v5 migration (25785268)
• mtls_certificate: state upgrader for v4 to v5 migration (70d46e0)
• observatory_scheduled_test: state upgrader for v4 to v5 migration (a2883c9)
• pages_domain: state upgrader for v4 to v5 migration (91c6024)
• regional_tiered_cache: state upgrader for v4 to v5 migration (430edbd)
• ruleset: add content_converter and redirects_for_ai_training support to configuration rules (726b8e7)
• turnstile_widget: state upgrader for v4 to v5 migration (94b9515)
• workers_custom_domain: state upgrader for v4 to v5 migration (6a40c69)
• zero_trust_device_custom_profile: state upgrader for v4 to v5 migration (77090dc)
• zero_trust_device_default_profile: state upgrader for v4 to v5 migration (77090dc)
• zero_trust_device_posture_integration: state upgrader for v4 to v5 migration (32bc328)
• zero_trust_gateway_certificate: state upgrader for v4 to v5 migration (ceff5a4)
• zero_trust_gateway_settings: state upgrader for v4 to v5 migration (3dae4a3)
• zero_trust_gateway_logging: make importable (c5d144b)
• zero_trust_organization: state upgrader for v4 to v5 migration (9eb3a25)
• zero_trust_tunnel_cloudflared_virtual_network: state upgrader for v4 to v5 migration (1f0f135)
• zone_setting: state upgrader for v4 to v5 migration (7ba7600)
• add browser rendering devtools methods (7f83203)
• bump go sdk version (070ea0b)
• enable treeshaking and client options for setting zone and account IDs (43b90cb)
• promote AI Gateway Terraform config from staging to main (75baa04)

Bug Fixes

• account_member: add UseStateForUnknown to status field to prevent drift (841d6f9)
• ai_search_instance: restore original defaults for cache and cache_threshold (d28ee6b)
• apijson: return empty object from MarshalForPatch when no fields are serialisable (270fe86)
• authenticated_origin_pulls_settings: fix no prior schema and no-op upgrade (9804de7)
• certificate_pack: initialize empty lists instead of null in state upgrader to prevent drift (2017a43)
• client_certificate: fix CSR drift with normalization (a755419)
• custom_hostname: allow ssl as null (6e17010)
• custom_hostname_fallback_origin: eventual consistency (d55a74a)
• custom_origin_trust_store: fix certificate drift with normalization (42de890)
• custom_ssl: fix patch cert replacement and send bundle_method (bebe53b)
• dlp_predefined_profile: eliminate perpetual entries and enabled_entries drift (92dcfc0)
• dns_record: avoid unnecessary drift for ipv4_only and ipv6_only attributes (3df5e03)
• dns_record: remove private_routing default value (ada77b4)
• drift: preserve prior state for optional fields not returned by API (access_rule, gateway_policy, gateway_settings, zone_dnssec, dlp_predefined_profile) (b717f4d)
• leaked_credential_check_rule: handle empty ID from v4 provider state migration (70f0337)
• list_item: remove context (69f751d)
• logpush_job: update model for migration (b789273)
• logpush_job: fix acceptance tests failing due to destination re-validation on PUT (87243a1)
• managed_transforms: remove unavailable rule and fix nil pointer in state upgrade (d14644e)
• migrations: handle ambiguous schema_version state for v4/v5 coexistence (2b6246f)
• page_rule: properly encode automatic_https_rewrites (47ebbf4)
• provider credential fields marked sensitive and validation regex updated (5f6ff4f)
• r2: add degraded-response handling to the R2 custom domain resource (c8d0e0f)
• ruleset: restore phase-entrypoint fallbacks (b92500b)
• ruleset: add redirects_for_ai_training to v4 action parameters model (16470fa)
• tokens: change from set to list for token policies (9937847)
• tokens: handle revoked and expired tokens (63319ed)
• UpgradeFromV0 handles both v4 and early-v5 state formats (b09f658)
• use raw JSON deserialization in UpgradeState handlers (0e93ea6)
• workers_custom_domain: handle HTTP 200 no content header (ea0ca97)
• workers_script: add missing ratelimit binding type to schema validator (30c49a6)
• workers_script: model drift (5ae89c4)
• zero_trust_access_identity_provider: boolean drifts (421bb50)
• zero_trust_access_policy: nil pointer panic in state upgrader (ebe2b68)
• zero_trust_access_policy: normalize transforms and use raw JSON deserialization for state upgrade (18c2ae3)
• zero_trust_device_managed_networks: upgrade resource state (7c14bf5)
• zero_trust_device_posture_rule: schema default removed intentionally (eef56df)
• zero_trust_gateway_policy: make filters Computed+Optional to prevent drift (8f52f45)
• zero_trust_gateway_settings: breaking changes and reset to clean defaults (b5ca509)
• zero_trust_tunnel_cloudflared_config: dont use init (090ff6a)

Chores

• api: update composite API spec (db5b37e)
• cmd/migrate: deprecated in favor of tf-migrate; will be removed in a future release (#​7062)
• docs: caveats and callouts (31c0d88)
• internal: codegen related update (4cf8755)
• update tf-migrate version (d023e25)

Documentation

• remove TBD wording from deprecation timeline (bce670f)

v5.18.0

Compare Source

Full Changelog: v5.17.0...v5.18.0

Features

• access_rule: support state upgraders for migration (67fd741)
• api_shield_operation: state upgrader (ecd51d4)
• api_token: state upgrader (ac5eb62)
• authenticated_origin_pulls_certificate: v4 to v5 migration (8d9930d)
• bot_management: state upgrader (4d9ee27)
• chore: clean up removed endpoint from config (52f120d)
• chore: update cloudflare-go dependency to next (c92a4cb)
• chore: use Go SDK v6.8.0 for release (b695914)
• feat: GIN-1439: Add gateway PAC files (9de415f)
• feat(client_certificate): enable terraform for client_certificates (58f6a08)
• feat(custom_origin_trust_store): enable custom_origin_trust_store (1c0f313)
• feat(stainless): AUTH-7071 Complete Access Users endpoint (2d4101d)
• fix: add 'rdp' as an initialism (9aa6e67)
• list_item: state upgrader (70b70c5)
• list: state upgrader (41def2f)
• logpull_retention: support state upgrader #​6754 (78409e1)
• logpush_job: support state upgrader (275efd5)
• managed_transforms: state upgrader (8de2938)
• notication_policy: state upgrader (dbcbda8)
• regional_hostname: state upgrader (ed98d9e)
• ruleset: add new actions for http_response_cache_settings phase (beeb49e)
• snippet_rules: use state upgrade (91a7d1a)
• snippet: use state upgrade (dbc8107)
• spectrum_application: state upgrader (0957f09)
• state upgrader (bbd68e0)
• url_normalization_settings: state upgrader (f933791)
• workers_kv_namespace: add state upgrader logic (695a1e1)
• workers_route: implement state upgrader (cef2a35)
• workers_script: implement state upgrader and move state (f7e20f8)
• zero_trust_access_application: state upgrader (5427fd9)
• zero_trust_access_group: add state upgrader logic and tests (5d0c09f)
• zero_trust_access_identity_provider: state upgraders (c8c88f0)
• zero_trust_access_mtls_certificate: state upgraders (15c5b8e)
• zero_trust_access_mtls_hostname_settings: state upgraders (fe7a900)
• zero_trust_device_managed_networks: state upgrader (0ee822f)
• zero_trust_device_posture_rule: state upgrader (e4bdf6b)
• zero_trust_dex_test: state upgrader (4b61d73)
• zero_trust_dlp_custom_profile: state upgrader (ca47a4d)
• zero_trust_dlp_entries: feat no-op state upgraders (808c706)
• zero_trust_dlp_predefined_profile: state upgrader (71278f0)
• zero_trust_gateway_policy: state upgrader (cb4ff67)
• zero_trust_list: implement state upgrader (5134e5c)
• zero_trust_tunnel_cloudflared_config: support state upgrader (a79e6ea)
• zero_trust_tunnel_cloudflared_route: state upgrader (40289a3)
• zone_dnssec: add state upgrader logic (1103393)
• zone_subscription: add state upgraders for zone_subscription (3512262)
• zone: add resource state migrations (049e9a9)

Bug Fixes

• authenticated_origin_pulls_certificate and authenticated_origin_pulls_hostname_certificate model and schema (8287f8a)
• custom_ssl: 'deploy' default removed due to entitlements requirement (267abd5)
• docs: v5 migration for authenticated_origin_pulls (zone and hostname) (917dc79)
• docs: v5 migration for authenticated_origin_pulls certs (zone and hostname) (502766d)
• handling case where directory is null (72f78a7)
• list: published version (4f695aa)
• load_balancer: improve recurring drift in origins attribute ([248c746]

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.