cloudflare_address_map: memberships can not be changed without resource recreation #6290

@D13410N3

Description

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Terraform: v1.12.2
Provider: 5.10.1

Affected resource(s)

cloudflare_address_map

Terraform configuration files

resource "cloudflare_address_map" "entries" {
  for_each = var.entries

  account_id  = var.account_id
  description = each.key
  enabled     = var.address_map_enabled
  ips         = [each.value.ip_address]
  default_sni = var.default_sni

  memberships = [
    for domain in each.value.domains : {
      identifier = local.zone_ids[domain]
      kind       = "zone"
    }
  ]

  depends_on = [cloudflare_byo_ip_prefix.this]
}

Link to debug output

Panic output

No response

Expected output

I expect membership to be patched - i.e. a new zone added or deleted instead of total resource recreation

Actual output

module.byoip-main.cloudflare_address_map.entries["test-list"] must be replaced
-/+ resource "cloudflare_address_map" "entries" {
      ~ can_delete     = true -> (known after apply)
      ~ can_modify_ips = true -> (known after apply)
      ~ created_at     = "2025-10-01T16:55:41Z" -> (known after apply)
      ~ description    = "test-list" -> "Address map for BYOIP prefix - test-list"
      ~ id             = "<hidden>" -> (known after apply)
      ~ memberships    = [ # forces replacement
          ~ {
              ~ can_delete = true -> (known after apply)
              ~ created_at = "2025-10-01T16:55:41Z" -> (known after apply)
                # (2 unchanged attributes hidden)
            },
        ]
      ~ modified_at    = "2025-10-01T16:55:41Z" -> (known after apply)
        # (3 unchanged attributes hidden)
    }

## it already sounds awful (we're destroying map and creating it again), but OK, let's continue
│ Error: failed to make http request
│
│ DELETE "https://api.cloudflare.com/client/v4/accounts/<hidden>/addressing/address_maps/<hidden>": 400 Bad Request {
│   "result": null,
│   "success": false,
│   "errors": [
│     {
│       "code": 1003,
│       "message": "cannot_delete_enabled_address_map"
│     }
│   ],
│   "messages": []
│ }
│
## it can't be performed as this address map is active.

Steps to reproduce

  1. Create cloudflare_address_map and add some zones to membership
  2. Apply configuration
  3. Change membership - add or remove some zone
  4. Try to apply configuration

Additional factoids

AFAIK the provider now uses the actual Cloudflare API schema. And yes - it actually doesn't allow editing membership via the "edit address map" method - https://developers.cloudflare.com/api/resources/addressing/subresources/address_maps/methods/edit/
So, I suppose there are two options:

  1. Ask Cloudflare to change its API behaviour
  2. Use these API methods - https://developers.cloudflare.com/api/resources/addressing/subresources/address_maps/subresources/zones/ to manage cloudflare_address_map.memberships

References

No response
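
An added example, not part of the original report and not the provider's code: a sketch of option 2, reconciling zone memberships one zone at a time so the enabled address map is never deleted. The function names are hypothetical, the IDs are constructed, and the PUT/DELETE `.../address_maps/{id}/zones/{zone_id}` path shape is an assumption based on the zones sub-resource documentation linked above.

```python
"""Plan per-zone membership changes for an address map (added example)."""
import re
import urllib.request

API = "https://api.cloudflare.com/client/v4"
_ID = re.compile(r"[0-9a-f]{32}")  # Cloudflare identifiers are 32 hex characters


def _check(identifier):
    # IDs are interpolated into the URL path; reject anything that is not an ID.
    if not _ID.fullmatch(identifier):
        raise ValueError(f"not a valid identifier: {identifier!r}")
    return identifier


def plan_membership_changes(account_id, address_map_id, current, desired):
    """Return ordered (method, url) pairs that turn `current` into `desired`."""
    base = (f"{API}/accounts/{_check(account_id)}/addressing/"
            f"address_maps/{_check(address_map_id)}/zones")
    cur = {_check(z) for z in current}
    want = {_check(z) for z in desired}
    # Add new zones before removing old ones; the map itself is never touched.
    adds = [("PUT", f"{base}/{z}") for z in sorted(want - cur)]
    removes = [("DELETE", f"{base}/{z}") for z in sorted(cur - want)]
    return adds + removes


def apply_plan(plan, token, opener=urllib.request.urlopen):
    """Send each planned request; urlopen raises HTTPError on a non-2xx reply."""
    for method, url in plan:
        req = urllib.request.Request(
            url, data=b"{}", method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with opener(req, timeout=30):
            pass


if __name__ == "__main__":
    # Constructed sample IDs, for illustration only.
    acct, amap = "0" * 32, "1" * 32
    zone_a, zone_b, zone_c = "a" * 32, "b" * 32, "c" * 32
    for step in plan_membership_changes(acct, amap, [zone_a, zone_b], [zone_b, zone_c]):
        print(*step)
```
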

Labels: kind/bug (Categorizes issue or PR as related to a bug), version/5 (Categorizes issue or PR as related to version 5 of the provider)