release: 5.14.0 (#6481)

* codegen metadata

* chore(zone): update migration tests (#6468)

Updates `cloudflare_zone` migration tests to use `tf-migrate` instead of
`cmd/migrate`.

* feat: feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod)

* feat: BOTS-7562 add bot management feedback endpoints to stainless config (prod)

* feat: chore: point Terraform to Go 'next'

* chore: point Terraform to Go 'next'

* chore(api): update composite API spec

* chore(internal): codegen related update

* fix(zone): datasource model schema parity (#6487)

* fix(zone): make datasource's zone ID computed optional

Resolves #6129

* test(zone): fix datasource model/schema parity

Updates the `ZonesAccountDataSourceModel` type be useful for both filters and
decerilization.

* feat: feat(radar): Add origins endpoints to public api docs

* chore(account_tokens): adding a simple CRUD test (#6484)

* adding a simple CRUD test fo account tokens

* add a test file

* feat: chore(api_shield_discovery_operation): Deprecate api_shield_discovery_operation

* chore(cloudflare_api_shield_operation): Add acceptance tests  (#6491)

* test: Add acceptance tests for cloudflare_api_shield_operation

* chore: Add CI acceptance tests for api_shield_operation

* chore(internal): codegen related update

* chore(logpush_job): add v4 to v5 migration tests (#6483)

* codegen metadata

* add migration test for logpush_job

* add zone level logpush jobs to sweeper

* use MigrationV2TestStep, use zone level job for instant-logs test

* handle instant-logs being returned from the API despite not being a valid config value

* rename resource test name to be consistent

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>

* fix(pages_project): use correct field name in test sweeper

  The Pages API response type uses "Name" instead of "ProjectName". Update
  the test sweeper to access the correct field from "ProjectListResponse".

  Fixes compilation error:
  deployment.ProjectName undefined (type pages.ProjectListResponse has no
  field or method ProjectName)

* fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6500)

not returned by API

  The API doesn't return all configured input fields in Read responses,
  causing
  drift. This preserves input.version (critical), input.enabled cleanup, and
  additional fields (path, sha256, os_distro_*) from current state when API
  omits them.

  Fixes perpetual drift for firewall and os_version posture rules.

* feat: feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes

* feat(r2_data_catalog): Configure SDKs/Terraform to use R2 Data Catalog routes

* DS-15730: Re-enable logpush_dataset_field data source and add acceptance test (#6499)

Co-authored-by: Henry Clausen <hclausen@cloudflare.com>

* DS-15566: Add logpush_job acceptance test for filter update (#6498)

Co-authored-by: Henry Clausen <hclausen@cloudflare.com>

* chore(internal): codegen related update

* Update Subscription and Subscription.RatePlan schema in order to satisfy terraform to no detect changes on no changes to the config (#6497)

* BILLSUB-247 CUSTESC-57375 fix drift issues after apply causing idempotency issues on subsequent applies

* BILLSUB-247 CUSTESC-57375 fix wrong computed_optional syntax

* Fix zone_subscription Sets field type mismatch

---------

Co-authored-by: Sui Mak <sui@cloudflare.com>

* feat: improve and standardize sweepers (#6501)

* fix(zero_trust_device_posture_rule): preserve input.version and other fields (#6503)

not returned by API

  The API doesn't return all configured input fields in Read responses,
  causing
  drift. This preserves input.version (critical), input.enabled cleanup, and
  additional fields (path, sha256, os_distro_*) from current state when API
  omits them.

  Fixes perpetual drift for firewall and os_version posture rules.

* chore(internal): codegen related update

* chore(zero_trust_device_managed_networks): add tests (#6463)

* chore(zero_trust_device_default_profile_local_domain_fallback): add tests (#6464)

* chore(zero_trust_device_posture_integration): update tests for to test with Crowdstrike (#6470)

* fix(zone_subscription|account_subscription): add partners_ent as valid enum for rate_plan.id (#6505)

* fix: add partners_ent as valid enum for rate_plan.id

* fix: remove partners_enterprise enum from account subscription

---------

Co-authored-by: Sui Mak <sui@cloudflare.com>

* chore(api): update composite API spec

* chore(internal): codegen related update

* chore(internal): codegen related update

* feat: add v4->v5 migration tests for pages_project and adjust schema (#6506)

* fix: update import signature to accept account_id/subscription_id in order to import account subscription (#6510)

Co-authored-by: Sui Mak <sui@cloudflare.com>

* fix: r2 sweeper (#6512)

* chore(internal): codegen related update

* codegen metadata

* chore(internal): codegen related update

* chore(internal): codegen related update

* codegen metadata

* feat: chore: update go sdk to v6.4.0 for provider release

* chore: skip invalid change detection

* chore: update go sdk to v6.4.0

* fix(workers_script):  resource drift when worker has unmanaged secret (#6504)

Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* fix(workers_script): No longer treating the migrations attribute as WriteOnly (#6489)

* codegen metadata

* wip: moving migrations to be a write-only attribute

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>

* chore(zero_trust_device_default|custom_profile): acceptance test coverage (#6511)

* fix(account_members): making member policies a set (#6488)

* ACCT-11111 making member policies a set

* fixing test resource name

* removing unnecessary

* removing unnecessary

* correct client version

* fixing resource names and sweeping

* manual cleanup of test resources

* making resource groups and perm groups sets

* fix(tests): resolve SDK v6 migration test failures (#6507)

- Change global test resource prefix from cf-tf-test- to cftftest_ to fix
  API name validation errors (fixes list, list_item, snippet)
  - Add certificate_pack hosts order-insensitive comparison in ModifyPlan to
  prevent unnecessary replacements
  - Add UseStateForUnknown() plan modifier to certificate_pack primary_certificate
   field
  - Add UseStateForUnknown() plan modifiers to pages_project deployment_configs
  fields (always_use_latest_compatibility_date, build_image_major_version,
  compatibility_date, fail_open) to prevent state drift

  Fixes test failures in: list, list_item, snippet, certificate_pack,
  pages_domain, pages_project

* chore(tests): cloud connector rules parity tests and add connectivity_directory_service tests (#6513)

* fix(cloud_connector_rules): datasource model schema parity

* fix: rename e2e test for connectivity_directory_service

* fix(account_member): use sdk to setup prereq

* fix(cloud_connector_rules): model and schema

---------

Co-authored-by: Eric Falcao <efalcao@cloudflare.com>

* fix: decoder, build (#6514)

* fix(test_utils): undefined func

* fix(decoder): dont include fields with json tag -

* chore(account_subscription): skip test

* fix: decoder and tests (#6516)

chore(account_member): dont run acceptance with env variable

fix(utils): test assertions

* chore(account_member): fix check for env var (#6517)

* fix(workers_kv): ignore value import state verify (#6521)

* fix(workers_kv): ignore value import state verify

* chore(workers_kv): comment about why we're ignoring value

* chore(account_member): skip until user is dsr enabled (#6522)

* fix(pages_project): non empty refresh plans (#6515)

* chore(docs): update documentation (#6523)

* chore: update changelog (#6525)

* release: 5.14.0

---------

Co-authored-by: stainless-app[bot] <142633134+stainless-app[bot]@users.noreply.github.com>
Co-authored-by: Michael Girouard <206137+mgirouard@users.noreply.github.com>
Co-authored-by: Steve Conrad <sconrad@cloudflare.com>
Co-authored-by: cbertiercloudflare <cbertier@cloudflare.com>
Co-authored-by: Sarah Sicard <18204584+ssicard@users.noreply.github.com>
Co-authored-by: Tamas Jozsa <tamas@cloudflare.com>
Co-authored-by: Henry Clausen <33390934+hc2116@users.noreply.github.com>
Co-authored-by: Henry Clausen <hclausen@cloudflare.com>
Co-authored-by: Sui Mak <smakys501@gmail.com>
Co-authored-by: Sui Mak <sui@cloudflare.com>
Co-authored-by: jlu-cloudflare <124198068+jlu-cloudflare@users.noreply.github.com>
Co-authored-by: Rotem Atzaba <rotem@cloudflare.com>
Co-authored-by: christhorwarth <chris.thorwarth@gmail.com>
Co-authored-by: Chris Thorwarth <cthorwarth@cloudflare.com>
Co-authored-by: Vaishak Dinesh <vaishakpdinesh@gmail.com>
Co-authored-by: Eric Falcao <efalcao@cloudflare.com>

Author: 16 people

.github/workflows/acceptance-tests.yml

@@ -13,8 +13,8 @@ jobs:
     runs-on: ${{ github.repository == 'stainless-sdks/cloudflare-terraform' && 'depot-ubuntu-24.04' || 'lx64' }}
     env:
       CLOUDFLARE_ACCOUNT_ID: f037e56e89293a057740de681ac9abbe
-      CLOUDFLARE_ALT_DOMAIN: terraform2.cfapi.net
-      CLOUDFLARE_ALT_ZONE_ID: b72110c08e3382597095c29ba7e661ea
+      CLOUDFLARE_ALT_DOMAIN: terraform-alt.cfapi.net
+      CLOUDFLARE_ALT_ZONE_ID: ed9caae55809bfe3209699f602ce17fc
       CLOUDFLARE_DOMAIN: terraform.cfapi.net
       CLOUDFLARE_EMAIL: terraform-acceptance-test@cfapi.net
       CLOUDFLARE_ZONE_ID: 0da42c8d2132a9ddaf714f9e7c920711

.golangci.yml

@@ -0,0 +1,20 @@
+# yaml-language-server: schema=https://golangci-lint.run/jsonschema/golangci.jsonschema.json
+---
+version: '2'
+linters:
+  settings:
+    staticcheck:
+      checks:
+        - all
+
+        - -SA1019
+        - -SA5008
+        - -ST1000
+        - -ST1003
+        - -ST1020
+        - -ST1022
+
+        - -QF1008
+    govet:
+      disable:
+        - structtag

.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "5.13.0"
+  ".": "5.14.0"
 }

.stats.yml

@@ -1,4 +1,4 @@
-configured_endpoints: 1905
-openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-cc732ca8d1d7f1c11a1ee579060ddfd8f953a3ad94fd5053056b53370129d040.yml
-openapi_spec_hash: a3e1e833dfe13845abd1e2227993a979
-config_hash: 9e3a3f3e68822e0dc6f40af202c6c57e
+configured_endpoints: 1922
+openapi_spec_url: https://storage.googleapis.com/stainless-sdk-openapi-specs/cloudflare%2Fcloudflare-6183ef87f1b8eea6ad4bae542bfde2ec23a5526ae2b7bacdf6c6a4c48d990995.yml
+openapi_spec_hash: 9c8ac3d56571ebf1e170d993b71ccb4d
+config_hash: 56e587ca83a584af152a4bf8a9cfb29e

CHANGELOG.md

@@ -20,7 +20,7 @@ terraform {
   required_providers {
     cloudflare = {
       source  = "cloudflare/cloudflare"
-      version = "~> 5.13.0"
+      version = "~> 5.14.0"
     }
   }
 }

README.md

@@ -45,7 +45,7 @@ Read-Only:
 - `currency` (String) The currency applied to the rate plan subscription.
 - `externally_managed` (Boolean) Whether this rate plan is managed externally from Cloudflare.
 - `id` (String) The ID of the rate plan.
-Available values: "free", "lite", "pro", "pro_plus", "business", "enterprise", "partners_free", "partners_pro", "partners_business", "partners_enterprise".
+Available values: "free", "lite", "pro", "pro_plus", "business", "enterprise", "partners_free", "partners_pro", "partners_business", "partners_ent".
 - `is_contract` (Boolean) Whether a rate plan is enterprise-based (or newly adopted term contract).
 - `public_name` (String) The full name of the rate plan.
 - `scope` (String) The scope that this rate plan applies to.

docs/data-sources/account_subscription.md

@@ -23,11 +23,86 @@ data "cloudflare_certificate_pack" "example_certificate_pack" {
 
 ### Required
 
-- `certificate_pack_id` (String) Identifier.
 - `zone_id` (String) Identifier.
 
+### Optional
+
+- `certificate_pack_id` (String) Identifier.
+- `filter` (Attributes) (see [below for nested schema](#nestedatt--filter))
+
 ### Read-Only
 
+- `certificate_authority` (String) Certificate Authority selected for the order.  For information on any certificate authority specific details or restrictions [see this page for more details.](https://developers.cloudflare.com/ssl/reference/certificate-authorities)
+Available values: "google", "lets_encrypt", "ssl_com".
+- `certificates` (Attributes List) Array of certificates in this pack. (see [below for nested schema](#nestedatt--certificates))
+- `cloudflare_branding` (Boolean) Whether or not to add Cloudflare Branding for the order.  This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.
+- `hosts` (List of String) Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.
 - `id` (String) Identifier.
+- `primary_certificate` (String) Identifier of the primary certificate in a pack.
+- `status` (String) Status of certificate pack.
+Available values: "initializing", "pending_validation", "deleted", "pending_issuance", "pending_deployment", "pending_deletion", "pending_expiration", "expired", "active", "initializing_timed_out", "validation_timed_out", "issuance_timed_out", "deployment_timed_out", "deletion_timed_out", "pending_cleanup", "staging_deployment", "staging_active", "deactivating", "inactive", "backup_issued", "holding_deployment".
+- `type` (String) Type of certificate pack.
+Available values: "mh_custom", "managed_hostname", "sni_custom", "universal", "advanced", "total_tls", "keyless", "legacy_custom".
+- `validation_errors` (Attributes List) Domain validation errors that have been received by the certificate authority (CA). (see [below for nested schema](#nestedatt--validation_errors))
+- `validation_method` (String) Validation Method selected for the order.
+Available values: "txt", "http", "email".
+- `validation_records` (Attributes List) Certificates' validation records. (see [below for nested schema](#nestedatt--validation_records))
+- `validity_days` (Number) Validity Days selected for the order.
+Available values: 14, 30, 90, 365.
+
+<a id="nestedatt--filter"></a>
+### Nested Schema for `filter`
+
+Optional:
+
+- `status` (String) Include Certificate Packs of all statuses, not just active ones.
+Available values: "all".
+
+
+<a id="nestedatt--certificates"></a>
+### Nested Schema for `certificates`
+
+Read-Only:
+
+- `bundle_method` (String) Certificate bundle method.
+- `expires_on` (String) When the certificate from the authority expires.
+- `geo_restrictions` (Attributes) Specify the region where your private key can be held locally. (see [below for nested schema](#nestedatt--certificates--geo_restrictions))
+- `hosts` (List of String) Hostnames covered by this certificate.
+- `id` (String) Certificate identifier.
+- `issuer` (String) The certificate authority that issued the certificate.
+- `modified_on` (String) When the certificate was last modified.
+- `priority` (Number) The order/priority in which the certificate will be used.
+- `signature` (String) The type of hash used for the certificate.
+- `status` (String) Certificate status.
+- `uploaded_on` (String) When the certificate was uploaded to Cloudflare.
+- `zone_id` (String) Identifier.
+
+<a id="nestedatt--certificates--geo_restrictions"></a>
+### Nested Schema for `certificates.geo_restrictions`
+
+Read-Only:
+
+- `label` (String) Available values: "us", "eu", "highest_security".
+
+
+
+<a id="nestedatt--validation_errors"></a>
+### Nested Schema for `validation_errors`
+
+Read-Only:
+
+- `message` (String) A domain validation error.
+
+
+<a id="nestedatt--validation_records"></a>
+### Nested Schema for `validation_records`
+
+Read-Only:
+
+- `emails` (List of String) The set of email addresses that the certificate authority (CA) will use to complete domain validation.
+- `http_body` (String) The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.
+- `http_url` (String) The url that will be checked during domain validation.
+- `txt_name` (String) The hostname that the certificate authority (CA) will check for a TXT record during domain validation .
+- `txt_value` (String) The TXT record that the certificate authority (CA) will check during domain validation.
 
 

docs/data-sources/certificate_pack.md

@@ -38,4 +38,70 @@ Available values: "all".
 <a id="nestedatt--result"></a>
 ### Nested Schema for `result`
 
+Read-Only:
+
+- `certificate_authority` (String) Certificate Authority selected for the order.  For information on any certificate authority specific details or restrictions [see this page for more details.](https://developers.cloudflare.com/ssl/reference/certificate-authorities)
+Available values: "google", "lets_encrypt", "ssl_com".
+- `certificates` (Attributes List) Array of certificates in this pack. (see [below for nested schema](#nestedatt--result--certificates))
+- `cloudflare_branding` (Boolean) Whether or not to add Cloudflare Branding for the order.  This will add a subdomain of sni.cloudflaressl.com as the Common Name if set to true.
+- `hosts` (List of String) Comma separated list of valid host names for the certificate packs. Must contain the zone apex, may not contain more than 50 hosts, and may not be empty.
+- `id` (String) Identifier.
+- `primary_certificate` (String) Identifier of the primary certificate in a pack.
+- `status` (String) Status of certificate pack.
+Available values: "initializing", "pending_validation", "deleted", "pending_issuance", "pending_deployment", "pending_deletion", "pending_expiration", "expired", "active", "initializing_timed_out", "validation_timed_out", "issuance_timed_out", "deployment_timed_out", "deletion_timed_out", "pending_cleanup", "staging_deployment", "staging_active", "deactivating", "inactive", "backup_issued", "holding_deployment".
+- `type` (String) Type of certificate pack.
+Available values: "mh_custom", "managed_hostname", "sni_custom", "universal", "advanced", "total_tls", "keyless", "legacy_custom".
+- `validation_errors` (Attributes List) Domain validation errors that have been received by the certificate authority (CA). (see [below for nested schema](#nestedatt--result--validation_errors))
+- `validation_method` (String) Validation Method selected for the order.
+Available values: "txt", "http", "email".
+- `validation_records` (Attributes List) Certificates' validation records. (see [below for nested schema](#nestedatt--result--validation_records))
+- `validity_days` (Number) Validity Days selected for the order.
+Available values: 14, 30, 90, 365.
+
+<a id="nestedatt--result--certificates"></a>
+### Nested Schema for `result.certificates`
+
+Read-Only:
+
+- `bundle_method` (String) Certificate bundle method.
+- `expires_on` (String) When the certificate from the authority expires.
+- `geo_restrictions` (Attributes) Specify the region where your private key can be held locally. (see [below for nested schema](#nestedatt--result--certificates--geo_restrictions))
+- `hosts` (List of String) Hostnames covered by this certificate.
+- `id` (String) Certificate identifier.
+- `issuer` (String) The certificate authority that issued the certificate.
+- `modified_on` (String) When the certificate was last modified.
+- `priority` (Number) The order/priority in which the certificate will be used.
+- `signature` (String) The type of hash used for the certificate.
+- `status` (String) Certificate status.
+- `uploaded_on` (String) When the certificate was uploaded to Cloudflare.
+- `zone_id` (String) Identifier.
+
+<a id="nestedatt--result--certificates--geo_restrictions"></a>
+### Nested Schema for `result.certificates.geo_restrictions`
+
+Read-Only:
+
+- `label` (String) Available values: "us", "eu", "highest_security".
+
+
+
+<a id="nestedatt--result--validation_errors"></a>
+### Nested Schema for `result.validation_errors`
+
+Read-Only:
+
+- `message` (String) A domain validation error.
+
+
+<a id="nestedatt--result--validation_records"></a>
+### Nested Schema for `result.validation_records`
+
+Read-Only:
+
+- `emails` (List of String) The set of email addresses that the certificate authority (CA) will use to complete domain validation.
+- `http_body` (String) The content that the certificate authority (CA) will expect to find at the http_url during the domain validation.
+- `http_url` (String) The url that will be checked during domain validation.
+- `txt_name` (String) The hostname that the certificate authority (CA) will check for a TXT record during domain validation .
+- `txt_value` (String) The TXT record that the certificate authority (CA) will check during domain validation.
+
 

docs/data-sources/certificate_packs.md

@@ -33,6 +33,7 @@ data "cloudflare_cloudforce_one_request_asset" "example_cloudforce_one_request_a
 - `created` (String) Defines the asset creation time.
 - `description` (String) Asset description.
 - `file_type` (String) Asset file type.
+- `id` (String) UUID.
 - `name` (String) Asset name.