cloudflare_zone suddenly started showing drift

[marco-lancini]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

• Terraform version: 1.9.4
• Cloudflare provider version: 5.5.0

Affected resource(s)

• cloudflare_zone

Terraform configuration files

resource "cloudflare_zone" "domain" {
  account = {
    id = local.cloudflare_account_id
  }
  name = local.domain
}

Link to debug output

n/a

Panic output

No response

Expected output

No drift

Actual output

# cloudflare_zone.domain will be updated in-place
  ~ resource "cloudflare_zone" "domain" {
      ~ activated_on          = "2019-09-13T19:56:52Z" -> (known after apply)
      + cname_suffix          = (known after apply)
      ~ created_on            = "2019-09-13T19:55:41Z" -> (known after apply)
      ~ development_mode      = -14859766 -> (known after apply)
        id                    = "88b132bf8f531f9f43e847de674459ff"
      ~ meta                  = {
          + cdn_only                 = (known after apply)
          ~ custom_certificate_quota = 0 -> (known after apply)
          + dns_only                 = (known after apply)
          + foundation_dns           = (known after apply)
          ~ page_rule_quota          = 3 -> (known after apply)
          ~ phishing_detected        = false -> (known after apply)
          ~ step                     = 3 -> (known after apply)
        } -> (known after apply)
      ~ modified_on           = "2025-02-17T09:55:18Z" -> (known after apply)
        name                  = "redacted.com"
      ~ name_servers          = [
          - "linda.ns.cloudflare.com",
          - "zod.ns.cloudflare.com",
        ] -> (known after apply)
      + original_dnshost      = (known after apply)
      ~ original_name_servers = [
          - "linda.ns.cloudflare.com",
          - "zod.ns.cloudflare.com",
        ] -> (known after apply)
      ~ original_registrar    = "amazon registrar, inc. (id: 468)" -> (known after apply)
      ~ owner                 = {
          + id   = (known after apply)
          + name = (known after apply)
          ~ type = "user" -> (known after apply)
        } -> (known after apply)
      ~ permissions           = [
          - "#zone_settings:read",
          - "#zone_settings:edit",
          - "#dns_records:read",
          - "#dns_records:edit",
          - "#page_shield:read",
          - "#page_shield:edit",
          - "#zone_versioning:read",
          - "#zone_versioning:edit",
          - "#zaraz:edit",
          - "#zaraz:read",
          - "#zone:read",
          - "#waf:read",
          - "#waf:edit",
          - "#api_gateway:read",
          - "#api_gateway:edit",
          - "#web3:read",
          - "#web3:edit",
          - "#healthchecks:edit",
          - "#healthchecks:read",
          - "#waitingroom:read",
          - "#waitingroom:edit",
          - "#access:edit",
          - "#access:read",
          - "#ssl:read",
          - "#zone:edit",
          - "#worker:edit",
          - "#worker:read",
          - "#ssl:edit",
          - "#logs:edit",
          - "#logs:read",
          - "#cache_purge:edit",
          - "#lb:edit",
          - "#lb:read",
          - "#analytics:read",
        ] -> (known after apply)
      ~ plan                  = {
          ~ can_subscribe      = false -> (known after apply)
          ~ currency           = "USD" -> (known after apply)
          ~ externally_managed = false -> (known after apply)
          + frequency          = (known after apply)
          ~ id                 = "0feeeeeeeeeeeeeeeeeeeeeeeeeeeeee" -> (known after apply)
          ~ is_subscribed      = false -> (known after apply)
          ~ legacy_discount    = false -> (known after apply)
          ~ legacy_id          = "free" -> (known after apply)
          ~ name               = "Free Website" -> (known after apply)
          ~ price              = 0 -> (known after apply)
        } -> (known after apply)
      ~ status                = "active" -> (known after apply)
      ~ tenant                = {
          + id   = (known after apply)
          + name = (known after apply)
        } -> (known after apply)
      ~ tenant_unit           = {
          + id = (known after apply)
        } -> (known after apply)
      - vanity_name_servers   = [] -> null
      + verification_key      = (known after apply)
        # (3 unchanged attributes hidden)
    }

Steps to reproduce

• I've been on 5.5.0 (pinned) for a while now.
• This morning this drift unexpectedly did show up, even if no changes were made to the cloudflare zone
• I can confirm yesterday this drift was NOT present

Additional factoids

No response

References

No response

[KaydeeDee]

Thank you for submitting an issue, I've passed it along to the team to investigate.

[mgirouard]

Howdy @marco-lancini, thanks for the heads up.

Looking at the output, this stands out to me:

- vanity_name_servers   = [] -> null

I have a hunch that this is related to the API-side fixes that landed in #5836. The TL/DR of that was that the API was conditionally returning vanity_name_servers depending on whether or not the zone/account plan included the feature, which doesn't play well with Terraform since it doesn't have plan-level context across resources.

I had a quick dig between v5.5.0 and latest, and there are also schema some schema changes which made it computed optional.

v5.5.0:

"vanity_name_servers": schema.ListAttribute{
    Description: "An array of domains used for custom name servers. This is only\navailable for Business and Enterprise plans.",
    Optional:    true,
    ElementType: types.StringType,
},

v5.6.0 through Latest:

"vanity_name_servers": schema.ListAttribute{
    Description: "An array of domains used for custom name servers. This is only\navailable for Business and Enterprise plans.",
    Computed:    true,
    Optional:    true,
    CustomType:  customfield.NewListType[types.String](ctx),
    ElementType: types.StringType,
},

I suspect that bumping to a later version (even v5.6.0 should be enough), should improve things for you. Alternatively, if you prefer to stay on v5.5.0, you can set an explicit value to vanity_name_servers:

+ vanity_name_servers = []

Please let me know if this helps.

[KaydeeDee]

Marking as completed as issue is not persistent in latest versions