Category: Uncategorized

We’re excited to announce tf-migrate, a purpose-built CLI tool that simplifies migrating from Cloudflare Terraform Provider v4 to v5.

v5 is stable and ready for production

Terraform Provider v5 is stable and actively receiving updates. We encourage all users to migrate to v5 to take advantage of ongoing enhancements and new capabilities.

Cloudflare uses tf-migrate to migrate our own infrastructure — the same tool we’re providing to the community — ensuring the best possible migration experience.

What tf-migrate does

tf-migrate automates the tedious and error-prone parts of the v4 to v5 migration process:

• Resource type renames – Automatically updates cloudflare_record → cloudflare_dns_record, cloudflare_access_application → cloudflare_zero_trust_access_application, and 40+ other renamed resources
• Attribute transformations – Updates field names (e.g., value → content for DNS records) and restructures nested blocks
• Moved block generation – Creates Terraform 1.8+ moved blocks to prevent resource replacements and ensure zero-downtime migrations
• Cross-file reference updates – Automatically finds and updates all references to renamed resources across your entire configuration
• Dry-run mode – Preview all changes before applying them to ensure safety

Combined with the automatic state upgraders introduced in v5.19+, tf-migrate eliminates the manual work and risk that previously made v5 migrations challenging. Tf-migrate operates directly on the config, and the built-in state upgraders handle the rest.

Supported resources

Tf-migrate currently supports the most common Terraform resources our customers use. We are actively working to expand coverage, with the most commonly used resources prioritized first.

For the complete list of supported resources and their migration status, refer to the v5 Stabilization Tracker. This list is updated regularly as additional resources are stabilized and migration support is added.

Resources not yet supported by tf-migrate will need to be migrated manually using the version 5 upgrade guide. The upgrade guide provides step-by-step instructions for handling resource renames, attribute changes, and state migrations.

Get started

• Download tf-migrate
• Version 5 Migration Guide
• Terraform Provider documentation
• v5 Stabilization Tracker

We have been releasing Betas over the past month and a half while testing this tool. See the full changelog of those Betas here: tf-migrate releases.

Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.

To retrieve organization-level audit logs, use the following endpoint:

GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit

This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.

For more information, refer to the Audit Logs documentation.

Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.

To retrieve organization-level audit logs, use the following endpoint:

GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit

This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.

For more information, refer to the Audit Logs documentation.

v6.10.0

In this release, you’ll see a number of breaking changes. This is primarily due to changes in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries.

Please ensure you read through the list of changes below before moving to this version – this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

See the v6.10.0 Migration Guide for before/after code examples and actions needed for each change.

Abuse Reports – Registrar WHOIS Report Field Removals

Several fields have been removed from AbuseReportNewParamsBodyAbuseReportsRegistrarWhoisReportRegWhoRequest:

• RegWhoGoodFaithAffirmation
• RegWhoLawfulProcessingAgreement
• RegWhoLegalBasis
• RegWhoRequestType
• RegWhoRequestedDataElements

AI Search – Instance Params Restructured

The InstanceNewParams and InstanceUpdateParams types have been significantly restructured. Many fields have been moved or removed:

• InstanceNewParams.TokenID, Type, CreatedFromAISearchWizard, WorkerDomain removed
• InstanceUpdateParams — most configuration fields removed (including IndexMethod, IndexingOptions, MaxNumResults, Metadata, Paused, PublicEndpointParams, Reranking, RerankingModel, RetrievalOptions, RewriteModel, RewriteQuery, ScoreThreshold, SourceParams, Summarization, SummarizationModel, SystemPromptAISearch, SystemPromptIndexSummarization, SystemPromptRewriteQuery, TokenID, CreatedFromAISearchWizard, WorkerDomain)
• InstanceSearchParams.Messages field removed along with InstanceSearchParamsMessage and InstanceSearchParamsMessagesRole types

AI Search – InstanceItem Service Removed

The InstanceItemService type has been removed. The items sub-resource at client.AISearch.Instances.Items no longer exists in the non-namespace path. Use client.AISearch.Namespaces.Instances.Items instead.

AI Search – Token Types Removed

The following types have been removed from the ai_search package:

• TokenDeleteResponse
• TokenListParams (and associated TokenListParamsOrderBy, TokenListParamsOrderByDirection)

Email Security – Investigate Move Return Type Change

The Investigate.Move.New() method now returns a raw slice instead of a paginated wrapper:

• New() returns *[]InvestigateMoveNewResponse instead of *pagination.SinglePage[InvestigateMoveNewResponse]
• NewAutoPaging() method removed

Hyperdrive – Config Params Restructured

The ConfigEditParams type lost its MTLS and Name fields. The HyperdriveMTLSParam type lost MTLS and Host fields. The Host field on origin config changed from param.Field[string] to a plain string.

IAM – UserGroupMember Params and Return Types Changed

The UserGroupMemberNewParams struct has been restructured and the New() method now returns a paginated response:

• UserGroupMemberNewParams.Body renamed to UserGroupMemberNewParams.Members
• UserGroupMemberNewParamsBody renamed to UserGroupMemberNewParamsMember
• UserGroupMemberUpdateParams.Body renamed to UserGroupMemberUpdateParams.Members
• UserGroupMemberUpdateParamsBody renamed to UserGroupMemberUpdateParamsMember
• UserGroups.Members.New() returns *pagination.SinglePage[UserGroupMemberNewResponse] instead of *UserGroupMemberNewResponse

IAM – UserGroup List Direction Type Changed

The UserGroupListParams.Direction field changed from param.Field[string] to param.Field[UserGroupListParamsDirection] (typed enum with asc/desc values).

Pipelines – Delete Methods Now Return Typed Responses

Several delete methods across Pipelines now return typed responses instead of bare error:

• Pipelines.DeleteV1() returns (*PipelineDeleteV1Response, error) instead of error
• Pipelines.Sinks.Delete() returns (*SinkDeleteResponse, error) instead of error
• Pipelines.Streams.Delete() returns (*StreamDeleteResponse, error) instead of error

Queues – Message Response Types Removed

The following response envelope types have been removed:

• MessageBulkPushResponseSuccess
• MessagePushResponseSuccess
• MessageAckResponse fields RetryCount and Warnings removed

Secrets Store – Pagination Wrapper Removal and Type Changes

Methods now return direct types instead of SinglePage wrappers, and several internal types have been removed. Associated AutoPaging methods have also been removed:

• Stores.New() returns *StoreNewResponse instead of *pagination.SinglePage[StoreNewResponse]
• Stores.NewAutoPaging() method removed
• Stores.Secrets.BulkDelete() returns *StoreSecretBulkDeleteResponse instead of *pagination.SinglePage[StoreSecretBulkDeleteResponse]
• Stores.Secrets.BulkDeleteAutoPaging() method removed
• Removed types: StoreDeleteResponse, StoreDeleteResponseEnvelopeResultInfo, StoreSecretDeleteResponse, StoreSecretDeleteResponseStatus, StoreSecretBulkDeleteResponse (old shape), StoreSecretBulkDeleteResponseStatus, StoreSecretDeleteResponseEnvelopeResultInfo
• StoreNewParams restructured (old StoreNewParamsBody removed)
• StoreSecretBulkDeleteParams restructured

Stream – AudioTracks Return Type Change

The AudioTracks.Get() method now returns a dedicated response type instead of a paginated list. The GetAutoPaging() method has been removed:

• Get() returns *AudioTrackGetResponse instead of *pagination.SinglePage[Audio]
• GetAutoPaging() method removed

Stream – Clip Type Removal and Return Type Change

The Clip.New() method now returns the shared Video type. The following types have been entirely removed:

• Clip, ClipPlayback, ClipStatus, ClipWatermark

Stream – Copy and Clip Params Field Removals

• ClipNewParams.MaxDurationSeconds, ThumbnailTimestampPct, Watermark removed
• CopyNewParams.ThumbnailTimestampPct, Watermark removed

Stream – Download and Webhook Changes

• DownloadNewResponseStatus type removed
• WebhookUpdateResponse and WebhookGetResponse changed from interface{} type aliases to full struct types

Zero Trust – Access AI Control MCP Portal Union Types Removed

The following union interface types have been removed:

• AccessAIControlMcpPortalListResponseServersUpdatedPromptsUnion
• AccessAIControlMcpPortalListResponseServersUpdatedToolsUnion
• AccessAIControlMcpPortalReadResponseServersUpdatedPromptsUnion
• AccessAIControlMcpPortalReadResponseServersUpdatedToolsUnion

Features

Vulnerability Scanner (client.VulnerabilityScanner)

NEW SERVICE: Full vulnerability scanning management

• CredentialSets – CRUD for credential sets (New, Update, List, Delete, Edit, Get)
• Credentials – Manage credentials within sets (New, Update, List, Delete, Edit, Get)
• Scans – Create and manage vulnerability scans (New, List, Get)
• TargetEnvironments – Manage scan target environments (New, Update, List, Delete, Edit, Get)

AI Search – Namespaces (client.AISearch.Namespaces)

NEW SERVICE: Namespace-scoped AI Search management

• New(), Update(), List(), Delete(), ChatCompletions(), Read(), Search()
• Instances – Namespace-scoped instances (New, Update, List, Delete, ChatCompletions, Read, Search, Stats)
• Jobs – Instance job management (New, Update, List, Get, Logs)
• Items – Instance item management (List, Delete, Chunks, NewOrUpdate, Download, Get, Logs, Sync, Upload)

Browser Rendering – Devtools (client.BrowserRendering.Devtools)

NEW SERVICE: DevTools protocol browser control

• Session – List and get devtools sessions
• Browser – Browser lifecycle management (New, Delete, Connect, Launch, Protocol, Version)
• Page – Get page by target ID
• Targets – Manage browser targets (New, List, Activate, Get)

Registrar (client.Registrar)

NEW: Domain check and search endpoints

• Check() – POST /accounts/{account_id}/registrar/domain-check
• Search() – GET /accounts/{account_id}/registrar/domain-search

NEW: Registration management (client.Registrar.Registrations)

• New(), List(), Edit(), Get()
• RegistrationStatus.Get() – Get registration workflow status
• UpdateStatus.Get() – Get update workflow status

Cache – Origin Cloud Regions (client.Cache.OriginCloudRegions)

NEW SERVICE: Manage origin cloud region configurations

• New(), List(), Delete(), BulkDelete(), BulkEdit(), Edit(), Get(), SupportedRegions()

Zero Trust – DLP Settings (client.ZeroTrust.DLP.Settings)

NEW SERVICE: DLP settings management

• Update(), Delete(), Edit(), Get()

Radar

• AgentReadiness.Summary() – Agent readiness summary by dimension
• AI.MarkdownForAgents.Summary() – Markdown-for-agents summary
• AI.MarkdownForAgents.Timeseries() – Markdown-for-agents timeseries

IAM (client.IAM)

• UserGroups.Members.Get() – Get details of a specific member in a user group
• UserGroups.Members.NewAutoPaging() – Auto-paging variant for adding members
• UserGroups.NewParams.Policies changed from required to optional

Bot Management

• ContentBotsProtection field added to BotFightModeConfiguration and SubscriptionConfiguration (block/disabled)

Deprecations

None in this release.

Get started

• Download Go SDK v6.10.0
• Go SDK documentation
• Migration Guide

Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.

To retrieve organization-level audit logs, use the following endpoint:

GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit

This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.

For more information, refer to the Audit Logs documentation.

v6.10.0

In this release, you’ll see a number of breaking changes. This is primarily due to changes in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries.

Please ensure you read through the list of changes below before moving to this version – this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

See the v6.10.0 Migration Guide for before/after code examples and actions needed for each change.

Abuse Reports – Registrar WHOIS Report Field Removals

Several fields have been removed from AbuseReportNewParamsBodyAbuseReportsRegistrarWhoisReportRegWhoRequest:

• RegWhoGoodFaithAffirmation
• RegWhoLawfulProcessingAgreement
• RegWhoLegalBasis
• RegWhoRequestType
• RegWhoRequestedDataElements

AI Search – Instance Params Restructured

The InstanceNewParams and InstanceUpdateParams types have been significantly restructured. Many fields have been moved or removed:

• InstanceNewParams.TokenID, Type, CreatedFromAISearchWizard, WorkerDomain removed
• InstanceUpdateParams — most configuration fields removed (including IndexMethod, IndexingOptions, MaxNumResults, Metadata, Paused, PublicEndpointParams, Reranking, RerankingModel, RetrievalOptions, RewriteModel, RewriteQuery, ScoreThreshold, SourceParams, Summarization, SummarizationModel, SystemPromptAISearch, SystemPromptIndexSummarization, SystemPromptRewriteQuery, TokenID, CreatedFromAISearchWizard, WorkerDomain)
• InstanceSearchParams.Messages field removed along with InstanceSearchParamsMessage and InstanceSearchParamsMessagesRole types

AI Search – InstanceItem Service Removed

The InstanceItemService type has been removed. The items sub-resource at client.AISearch.Instances.Items no longer exists in the non-namespace path. Use client.AISearch.Namespaces.Instances.Items instead.

AI Search – Token Types Removed

The following types have been removed from the ai_search package:

• TokenDeleteResponse
• TokenListParams (and associated TokenListParamsOrderBy, TokenListParamsOrderByDirection)

Email Security – Investigate Move Return Type Change

The Investigate.Move.New() method now returns a raw slice instead of a paginated wrapper:

• New() returns *[]InvestigateMoveNewResponse instead of *pagination.SinglePage[InvestigateMoveNewResponse]
• NewAutoPaging() method removed

Hyperdrive – Config Params Restructured

The ConfigEditParams type lost its MTLS and Name fields. The HyperdriveMTLSParam type lost MTLS and Host fields. The Host field on origin config changed from param.Field[string] to a plain string.

IAM – UserGroupMember Params and Return Types Changed

The UserGroupMemberNewParams struct has been restructured and the New() method now returns a paginated response:

• UserGroupMemberNewParams.Body renamed to UserGroupMemberNewParams.Members
• UserGroupMemberNewParamsBody renamed to UserGroupMemberNewParamsMember
• UserGroupMemberUpdateParams.Body renamed to UserGroupMemberUpdateParams.Members
• UserGroupMemberUpdateParamsBody renamed to UserGroupMemberUpdateParamsMember
• UserGroups.Members.New() returns *pagination.SinglePage[UserGroupMemberNewResponse] instead of *UserGroupMemberNewResponse

IAM – UserGroup List Direction Type Changed

The UserGroupListParams.Direction field changed from param.Field[string] to param.Field[UserGroupListParamsDirection] (typed enum with asc/desc values).

Pipelines – Delete Methods Now Return Typed Responses

Several delete methods across Pipelines now return typed responses instead of bare error:

• Pipelines.DeleteV1() returns (*PipelineDeleteV1Response, error) instead of error
• Pipelines.Sinks.Delete() returns (*SinkDeleteResponse, error) instead of error
• Pipelines.Streams.Delete() returns (*StreamDeleteResponse, error) instead of error

Queues – Message Response Types Removed

The following response envelope types have been removed:

• MessageBulkPushResponseSuccess
• MessagePushResponseSuccess
• MessageAckResponse fields RetryCount and Warnings removed

Secrets Store – Pagination Wrapper Removal and Type Changes

Methods now return direct types instead of SinglePage wrappers, and several internal types have been removed. Associated AutoPaging methods have also been removed:

• Stores.New() returns *StoreNewResponse instead of *pagination.SinglePage[StoreNewResponse]
• Stores.NewAutoPaging() method removed
• Stores.Secrets.BulkDelete() returns *StoreSecretBulkDeleteResponse instead of *pagination.SinglePage[StoreSecretBulkDeleteResponse]
• Stores.Secrets.BulkDeleteAutoPaging() method removed
• Removed types: StoreDeleteResponse, StoreDeleteResponseEnvelopeResultInfo, StoreSecretDeleteResponse, StoreSecretDeleteResponseStatus, StoreSecretBulkDeleteResponse (old shape), StoreSecretBulkDeleteResponseStatus, StoreSecretDeleteResponseEnvelopeResultInfo
• StoreNewParams restructured (old StoreNewParamsBody removed)
• StoreSecretBulkDeleteParams restructured

Stream – AudioTracks Return Type Change

The AudioTracks.Get() method now returns a dedicated response type instead of a paginated list. The GetAutoPaging() method has been removed:

• Get() returns *AudioTrackGetResponse instead of *pagination.SinglePage[Audio]
• GetAutoPaging() method removed

Stream – Clip Type Removal and Return Type Change

The Clip.New() method now returns the shared Video type. The following types have been entirely removed:

• Clip, ClipPlayback, ClipStatus, ClipWatermark

Stream – Copy and Clip Params Field Removals

• ClipNewParams.MaxDurationSeconds, ThumbnailTimestampPct, Watermark removed
• CopyNewParams.ThumbnailTimestampPct, Watermark removed

Stream – Download and Webhook Changes

• DownloadNewResponseStatus type removed
• WebhookUpdateResponse and WebhookGetResponse changed from interface{} type aliases to full struct types

Zero Trust – Access AI Control MCP Portal Union Types Removed

The following union interface types have been removed:

• AccessAIControlMcpPortalListResponseServersUpdatedPromptsUnion
• AccessAIControlMcpPortalListResponseServersUpdatedToolsUnion
• AccessAIControlMcpPortalReadResponseServersUpdatedPromptsUnion
• AccessAIControlMcpPortalReadResponseServersUpdatedToolsUnion

Features

Vulnerability Scanner (client.VulnerabilityScanner)

NEW SERVICE: Full vulnerability scanning management

• CredentialSets – CRUD for credential sets (New, Update, List, Delete, Edit, Get)
• Credentials – Manage credentials within sets (New, Update, List, Delete, Edit, Get)
• Scans – Create and manage vulnerability scans (New, List, Get)
• TargetEnvironments – Manage scan target environments (New, Update, List, Delete, Edit, Get)

AI Search – Namespaces (client.AISearch.Namespaces)

NEW SERVICE: Namespace-scoped AI Search management

• New(), Update(), List(), Delete(), ChatCompletions(), Read(), Search()
• Instances – Namespace-scoped instances (New, Update, List, Delete, ChatCompletions, Read, Search, Stats)
• Jobs – Instance job management (New, Update, List, Get, Logs)
• Items – Instance item management (List, Delete, Chunks, NewOrUpdate, Download, Get, Logs, Sync, Upload)

Browser Rendering – Devtools (client.BrowserRendering.Devtools)

NEW SERVICE: DevTools protocol browser control

• Session – List and get devtools sessions
• Browser – Browser lifecycle management (New, Delete, Connect, Launch, Protocol, Version)
• Page – Get page by target ID
• Targets – Manage browser targets (New, List, Activate, Get)

Registrar (client.Registrar)

NEW: Domain check and search endpoints

• Check() – POST /accounts/{account_id}/registrar/domain-check
• Search() – GET /accounts/{account_id}/registrar/domain-search

NEW: Registration management (client.Registrar.Registrations)

• New(), List(), Edit(), Get()
• RegistrationStatus.Get() – Get registration workflow status
• UpdateStatus.Get() – Get update workflow status

Cache – Origin Cloud Regions (client.Cache.OriginCloudRegions)

NEW SERVICE: Manage origin cloud region configurations

• New(), List(), Delete(), BulkDelete(), BulkEdit(), Edit(), Get(), SupportedRegions()

Zero Trust – DLP Settings (client.ZeroTrust.DLP.Settings)

NEW SERVICE: DLP settings management

• Update(), Delete(), Edit(), Get()

Radar

• AgentReadiness.Summary() – Agent readiness summary by dimension
• AI.MarkdownForAgents.Summary() – Markdown-for-agents summary
• AI.MarkdownForAgents.Timeseries() – Markdown-for-agents timeseries

IAM (client.IAM)

• UserGroups.Members.Get() – Get details of a specific member in a user group
• UserGroups.Members.NewAutoPaging() – Auto-paging variant for adding members
• UserGroups.NewParams.Policies changed from required to optional

Bot Management

• ContentBotsProtection field added to BotFightModeConfiguration and SubscriptionConfiguration (block/disabled)

Deprecations

None in this release.

Get started

• Download Go SDK v6.10.0
• Go SDK documentation
• Migration Guide

Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.

To retrieve organization-level audit logs, use the following endpoint:

GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit

This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.

For more information, refer to the Audit Logs documentation.

Audit Logs v2 now supports organization-level audit logs. Org Admins can retrieve audit events for actions performed at the organization level via the Audit Logs v2 API.

To retrieve organization-level audit logs, use the following endpoint:

GET https://api.cloudflare.com/client/v4/organizations/{organization_id}/logs/audit

This release covers user-initiated actions performed through organization-level APIs. Audit logs for system-initiated actions, a dashboard UI, and Logpush support for organizations will be added in future releases.

For more information, refer to the Audit Logs documentation.

R2 Data Catalog, a managed Apache Iceberg catalog built into R2, now removes unreferenced data files during automatic snapshot expiration. This improvement reduces storage costs and eliminates the need to run manual maintenance jobs to reclaim space from deleted data.

Previously, snapshot expiration only cleaned up Iceberg metadata files such as manifests and manifest lists. Data files that were no longer referenced by active snapshots remained in R2 storage until you manually ran remove_orphan_files or expire_snapshots through an engine like Spark. This required extra operational overhead and left stale data files consuming storage.

Snapshot expiration now handles both metadata and data file cleanup automatically. When a snapshot is expired, any data files that are no longer referenced by retained snapshots are removed from R2 storage.

# Enable catalog-level snapshot expiration
npx wrangler r2 bucket catalog snapshot-expiration enable my-bucket 
  --older-than-days 7 
  --retain-last 10

To learn more about snapshot expiration and other automatic maintenance operations, refer to the table maintenance documentation.

R2 Data Catalog, a managed Apache Iceberg catalog built into R2, now removes unreferenced data files during automatic snapshot expiration. This improvement reduces storage costs and eliminates the need to run manual maintenance jobs to reclaim space from deleted data.

Previously, snapshot expiration only cleaned up Iceberg metadata files such as manifests and manifest lists. Data files that were no longer referenced by active snapshots remained in R2 storage until you manually ran remove_orphan_files or expire_snapshots through an engine like Spark. This required extra operational overhead and left stale data files consuming storage.

Snapshot expiration now handles both metadata and data file cleanup automatically. When a snapshot is expired, any data files that are no longer referenced by retained snapshots are removed from R2 storage.

# Enable catalog-level snapshot expiration
npx wrangler r2 bucket catalog snapshot-expiration enable my-bucket 
  --older-than-days 7 
  --retain-last 10

To learn more about snapshot expiration and other automatic maintenance operations, refer to the table maintenance documentation.