cloudflare_pages_domain resource not found upon terraform state refresh after successful apply

[quiqueg]

Confirmation

• This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
• I have searched the issue tracker and my issue isn't already found.
• I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

> terraform -v
Terraform v1.10.3
on darwin_arm64
+ provider registry.terraform.io/cloudflare/cloudflare v5.0.0-rc1

Affected resource(s)

• cloudflare_pages_domain

Terraform configuration files

resource "cloudflare_pages_project" "redacted_pages_project" {
  name              = "redacted-pages-project"
  account_id        = var.cf_account_id
  production_branch = "redacted-github-production-branch"

  build_config = {
    build_caching   = true
    build_command   = "yarn build"
    destination_dir = "dist"
    root_dir        = ""
  }

  deployment_configs = {
    preview = null
    production = {}
  }

  lifecycle {
    ignore_changes  = [id]
    prevent_destroy = true
  }
}

resource "cloudflare_pages_domain" "redacted_domain" {
  account_id   = var.cf_account_id
  project_name = cloudflare_pages_project.redacted_pages_project.name
  name         = "redacted.domain.example.com"
}

Link to debug output

https://gist.github.com/quiqueg/c7e7dc9a64e79bd9476c3d0757d9531b

Panic output

No response

Expected output

Expected tf plan output:

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration
and found no differences, so no changes are needed.

Actual output

Actual tf plan output:

Terraform will perform the following actions:

  # cloudflare_pages_domain.redacted_domain will be created
  + resource "cloudflare_pages_domain" "redacted_domain" {
      + account_id            = "redacted-cf-account-id"
      + certificate_authority = (known after apply)
      + created_on            = (known after apply)
      + domain_id             = (known after apply)
      + id                    = (known after apply)
      + name                  = "redacted.domain.example.com"
      + project_name          = "redacted-pages-project"
      + status                = (known after apply)
      + validation_data       = (known after apply)
      + verification_data     = (known after apply)
      + zone_tag              = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
...
╷
│ Warning: Resource not found
│
│   with cloudflare_pages_domain.redacted_domain,
│   on pages.tf line 81, in resource "cloudflare_pages_domain" "redacted_domain":
│   81: resource "cloudflare_pages_domain" "redacted_domain" {
│
│ The resource was not found on the server and will be removed from state.

Steps to reproduce

1. Create a cloudflare_pages_domain with tf apply
2. Run tf plan

Additional factoids

From looking at the debug output, it seems that when there is a cloudflare_pages_domain in the state, when the provider refreshes the state, it tries to get the existing domain data from the CloudFlare API by hitting the following URL:

• GET /client/v4/accounts/redacted-cf-account-id/pages/projects/redacted-pages-project/domains/6f3098f3-48a1-400f-af47-a2c187b51a6c

Note that the last URL path segment is 6f3098f3-48a1-400f-af47-a2c187b51a6c, which matches the id of the CF Pages domain.

However, per the CloudFlare API documentation for "Get domain", the URL path should be of the form:

• /accounts/{account_id}/pages/projects/{project_name}/domains/{domain_name}

where the last URL path segment is expected to be the CF Pages domain name, not the id.

---

I've confirmed this expectation by curling the CloudFlare API directly.

• When querying with the domain id, we get a 404 response:

> curl https://api.cloudflare.com/client/v4/accounts/redacted-cf-account-id/pages/projects/redacted-pages-project/domains/6f3098f3-48a1-400f-af47-a2c187b51a6c -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 8000021,
      "message": "The domain you have requested does not exist. Add a custom domain to your Pages project before continuing."
    }
  ],
  "messages": []
}

• When querying with the domain name, we get a 200 response:

> curl https://api.cloudflare.com/client/v4/accounts/redacted-cf-account-id/pages/projects/redacted-pages-project/domains/redacted.domain.example.com -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN"

{
  "result": {
    "id": "6f3098f3-48a1-400f-af47-a2c187b51a6c",
    "domain_id": "6f3098f3-48a1-400f-af47-a2c187b51a6c",
    "name": "redacted.domain.example.com",
    "status": "active",
    "verification_data": {
      "status": "active"
    },
    "validation_data": {
      "status": "active",
      "method": "http"
    },
    "certificate_authority": "google",
    "created_on": "2025-01-16T17:45:35.235514Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}

---

Here's my tf state show output:

> tf state show cloudflare_pages_domain.redacted_domain

# cloudflare_pages_domain.redacted_domain:
resource "cloudflare_pages_domain" "redacted_domain" {
    account_id            = "redacted-cf-account-id"
    certificate_authority = "google"
    created_on            = "2025-01-16T17:45:35.235514Z"
    domain_id             = "6f3098f3-48a1-400f-af47-a2c187b51a6c"
    id                    = "6f3098f3-48a1-400f-af47-a2c187b51a6c"
    name                  = "redacted.domain.example.com"
    project_name          = "redacted-pages-project"
    status                = "initializing"
    validation_data       = {
        method = "http"
        status = "initializing"
    }
    verification_data     = {
        status = "pending"
    }
}

---

I also tried removing the resource from my terraform state and importing it instead, but ran into a similar issue:

> tf state rm cloudflare_pages_domain.redacted_domain

Removed cloudflare_pages_domain.redacted_domain
Successfully removed 1 resource instance(s).

> tf import cloudflare_pages_domain.redacted_domain 'redacted-cf-account-id/redacted-pages-project/redacted.domain.example.com'

cloudflare_pages_domain.redacted_domain: Importing from ID "redacted-cf-account-id/redacted-pages-project/redacted.domain.example.com"...
cloudflare_pages_domain.redacted_domain: Import prepared!
  Prepared cloudflare_pages_domain for import
cloudflare_pages_domain.redacted_domain: Refreshing state... [id=6f3098f3-48a1-400f-af47-a2c187b51a6c]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "cloudflare_pages_domain.redacted_domain", the provider detected that no
│ object exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with
│ the provider's configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.
╵

I've captured the debug output from tf import ... and added it to a tf-import.log file in the gist linked above.

References

N/A

[github-actions]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.

[npearson72]

It seems to fail at creating the DNS and TLS cert (assuming you automate that with Total TLS).

If I go in and manually add a custom domain, it works.

That explains why the resource is not found on the server.

[quiqueg]

It seems to fail at creating the DNS and TLS cert (assuming you automate that with Total TLS).

I don't think we are using Total TLS.

[npearson72]

It seems to fail at creating the DNS and TLS cert (assuming you automate that with Total TLS).

I don't think we are using Total TLS.

Still failing to create the DNS for me. Are you seeing an entry added?

[quiqueg]

Still failing to create the DNS for me. Are you seeing an entry added?

We're not using CloudFlare DNS, we're using an external DNS provider. Once I added the required CNAME record in our DNS provider, the custom domain shows as "Active" in CloudFlare. But I'm still unable to tf import because of the above errors.

[olekfur]

We are facing what seems to be a related issue. We are able to manually create the custom domain and get the expected output from terraform plan as described above.

However, if we try to create a new cloudflare_pages_domain resource using the method described above (with a manually created dns record) we are faced with this error message

Error: error creating domain for project "f3880cd074eb04d4da083101faeec692": The domain you have requested does not exist. Add a custom domain to your Pages project before continuing. (8000021)

Which is strage, considering adding a custom domain to the Pages project is exactly what we are trying to do