
Perma-diff for cloudflare_zero_trust_gateway_policy #6631

@justinas-b

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

❯ terraform -v
Terraform v1.12.2
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v5.15.0
+ provider registry.terraform.io/hashicorp/random v3.7.2

Affected resource(s)

cloudflare_zero_trust_gateway_policy

Terraform configuration files

resource "cloudflare_zero_trust_gateway_policy" "block_security_blacklist" {
  account_id  = var.cloudflare_account_id
  name        = "Block Security Blacklist"
  description = "Block domains identified by Security as malicious or phishing"
  precedence  = 123
  enabled     = true
  action      = "block"
  filters     = ["http"]
  traffic = chomp(<<-EOT
    any(http.request.domains[*] in {"something.1password.com"})
  EOT
  )

  rule_settings = {
    block_page_enabled = true
    block_page_reason  = "This domain is blocked due to security threats"
  }
}

Link to debug output

N/A

Panic output

N/A

Expected output

Once applied, I am expecting not to see any diff; however, after each apply the diff below is always present.

Actual output

# cloudflare_zero_trust_gateway_policy.block_security_blacklist will be updated in-place
  ~ resource "cloudflare_zero_trust_gateway_policy" "block_security_blacklist" {
      ~ created_at     = "2025-11-25T13:48:02Z" -> (known after apply)
      + deleted_at     = (known after apply)
      + expiration     = (known after apply)
        id             = "12345678-1234-1234-1234-1234567890ab"
        name           = "Block Security Blacklist"
      + read_only      = (known after apply)
      ~ rule_settings  = {
          + allow_child_bypass                 = (known after apply)
          + block_page_enabled                 = true
          + block_reason                       = (known after apply)
          + ignore_cname_category_matches      = (known after apply)
          + insecure_disable_dnssec_validation = (known after apply)
          + ip_categories                      = (known after apply)
          + ip_indicator_feeds                 = (known after apply)
          + override_host                      = (known after apply)
          + override_ips                       = (known after apply)
          + resolve_dns_through_cloudflare     = (known after apply)
        }
      + schedule       = (known after apply)
      ~ sharable       = true -> (known after apply)
      + source_account = (known after apply)
      ~ updated_at     = "2026-01-13T07:24:19Z" -> (known after apply)
      ~ version        = 23 -> (known after apply)
      + warning_status = (known after apply)
        # (9 unchanged attributes hidden)
    }
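A stopgap a practitioner may want while the provider bug is open, as an added example that is not part of the reporter's configuration: the same policy with a lifecycle block that tells Terraform to ignore drift in rule_settings, the attribute whose fields the plan above shows flipping to "(known after apply)" on every refresh. It is an assumption, not something the issue confirms, that rule_settings is the only trigger of the in-place update; the other changed attributes (created_at, updated_at, version, sharable and the rest) are computed and only change because an update is being planned.

```hcl
# Added example (not the reporter's code): suppress the perma-diff on
# rule_settings until the provider is fixed. Assumption: rule_settings is
# the attribute driving the spurious in-place update shown in the plan.
resource "cloudflare_zero_trust_gateway_policy" "block_security_blacklist" {
  account_id  = var.cloudflare_account_id
  name        = "Block Security Blacklist"
  description = "Block domains identified by Security as malicious or phishing"
  precedence  = 123
  enabled     = true
  action      = "block"
  filters     = ["http"]

  traffic = chomp(<<-EOT
    any(http.request.domains[*] in {"something.1password.com"})
  EOT
  )

  rule_settings = {
    block_page_enabled = true
    block_page_reason  = "This domain is blocked due to security threats"
  }

  lifecycle {
    # Terraform will no longer plan an update when only rule_settings differs
    # between state and the refreshed remote object. The policy's action,
    # traffic expression and enabled flag are still reconciled as before.
    ignore_changes = [rule_settings]
  }
}
```

Two caveats. First, ignore_changes also hides intentional edits: changing block_page_reason in this file will not be applied until the lifecycle block is removed, and a block page disabled out of band in the dashboard will not be reverted by the next apply, so drop the block as soon as a fixed provider version is available. Second, the reason a perma-diff on a Gateway block policy matters beyond noise is drift detection: a CI job running terraform plan -detailed-exitcode expects exit status 0 when infrastructure matches the configuration, and with this bug it returns 2 on every run, which trains operators to ignore the very signal that would flag an unauthorised change to a security control.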

Steps to reproduce

  1. terraform apply -auto-approve
  2. terraform plan

Additional factoids

No response

References

The issues below seem to be related, but are already closed:

Metadata


Assignees

No one assigned

    Labels

    kind/bug: Categorizes issue or PR as related to a bug.
    needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
