Changing DNS record type forces resource replacement instead of PATCH update #6358

@Chive

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform v1.9.2
provider v5.11.0

Affected resource(s)

cloudflare_dns_record

Terraform configuration files

resource "cloudflare_dns_record" "example" {
  name = "foo.example.com"
  ttl = 3600
  type = "A"
  content = "1.1.1.1"
  zone_id = "023e105f4ecef8ad9ca31a8372d0c353"
}

Link to debug output

n/a

Panic output

No response

Expected output

Changing a DNS record’s type should ideally result in an in-place update, mirroring the Cloudflare API behavior:

  • A single PATCH call to update the record (without delete + recreate)
  • Consistent with Cloudflare Dashboard behavior

Actual output

Terraform marks the resource for replacement, forcing deletion of the existing record before creating the new one.

This leads to a temporary DNS outage or invalid state during apply.

Example plan output:

# module.zone.cloudflare_dns_record.example must be replaced
-/+ resource "cloudflare_dns_record" "example" {
      name             = "foo.example.com"
!     type             = "CNAME" -> "A" # forces replacement
      ...
  }

Steps to reproduce

  1. Create a DNS record via Terraform using the Cloudflare provider:

     resource "cloudflare_dns_record" "example" {
       zone_id = var.zone_id
       name    = "test.example.com"
       type    = "CNAME"
       content = "target.example.net"
       ttl     = 1
       proxied = false
     }

  2. Apply the configuration:

     terraform apply

  3. Modify the record type from CNAME → A in your configuration:

     resource "cloudflare_dns_record" "example" {
       zone_id = var.zone_id
       name    = "test.example.com"
       type    = "A"
       content = "1.1.1.1"
       ttl     = 1
       proxied = false
     }

  4. Run a plan again:

     terraform plan

  5. Observe the output:

Terraform will show that the record must be replaced (deleted and recreated) rather than updated in place:

# cloudflare_dns_record.example must be replaced
-/+ resource "cloudflare_dns_record" "example" {
      name = "test.example.com"
!     type = "CNAME" -> "A" # forces replacement
    ...
  }

Additional factoids

Impact

This behavior causes unnecessary record deletion and recreation, potentially resulting in downtime or transient DNS inconsistencies during infrastructure updates.

Request

Could this provider be updated to use the PATCH method for record type changes (to align with API and dashboard behavior)?

Alternatively, if this is a known limitation or intentional design choice, clarification in the documentation would be appreciated.

References

Example PATCH request used by Cloudflare Dashboard:

curl 'https://dash.cloudflare.com/api/v4/zones/xyz/dns_records/foobar' \
  -X PATCH \
  --data-raw '{"content":"1.1.1.1","data":{},"name":"some.domain.com","proxiable":true,"proxied":false,"ttl":1,"type":"A","zone_id":"xyz","zone_name":"domain.com","settings":{},"tags":[],"id":"foobar"}'


Labels: kind/bug, needs-triage
