cloudflare_zone: Problematic Terraform behaviour with paused zones #5509

@WUMUXIAN

Confirmation

  • This is a bug with an existing resource and is not a feature request or enhancement. Feature requests should be submitted with Cloudflare Support or your account team.
  • I have searched the issue tracker and my issue isn't already found.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

Versions
Terraform v1.10.5
on darwin_arm64

  • provider registry.terraform.io/cloudflare/cloudflare v5.3.0

Issue
When you try to import a "paused" zone, and run terraform plan, then it is detected as a change:

Terraform will perform the following actions:

  # cloudflare_zone.xxx will be updated in-place
  ~ resource "cloudflare_zone" "xxx" {
      ~ activated_on          = "2024-05-29T17:26:39Z" -> (known after apply)
      ~ created_on            = "2024-05-29T16:15:16Z" -> (known after apply)
      ~ development_mode      = 0 -> (known after apply)
        id                    = "redacted"
      ~ meta                  = {
          + cdn_only                 = (known after apply)
          ~ custom_certificate_quota = 1 -> (known after apply)
          + dns_only                 = (known after apply)
          + foundation_dns           = (known after apply)
          ~ page_rule_quota          = 100 -> (known after apply)
          ~ phishing_detected        = false -> (known after apply)
          ~ step                     = 2 -> (known after apply)
        } -> (known after apply)
      ~ modified_on           = "2025-03-25T04:58:24Z" -> (known after apply)
        name                  = "redacted"
      + name_servers          = (known after apply)
      + original_dnshost      = (known after apply)
      ~ original_name_servers = [
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
        ] -> (known after apply)
      + original_registrar    = (known after apply)
      ~ owner                 = {
          ~ id   = "redacted" -> (known after apply)
          ~ name = "redacted" -> (known after apply)
          ~ type = "organization" -> (known after apply)
        } -> (known after apply)
      ~ paused                = true -> false
      ~ status                = "active" -> (known after apply)
      ~ verification_key      = "redacted" -> (known after apply)
        # (2 unchanged attributes hidden)
    } 

However, you can't apply the "paused" attribute to the resource, because it is defined as a read-only attribute. Even if we apply the resource without the "paused" attribute, we get an error from the provider:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudflare_zone.xxx: Modifying... [id=redacted]
╷
│ Error: failed to make http request
│ 
│   with cloudflare_zone.xxx,
│   on xxx.tf line 3, in resource "cloudflare_zone" "xxx":
│    3: resource "cloudflare_zone" "xxx" {
│ 
│ PATCH "https://api.cloudflare.com/client/v4/zones/redacted": 400 Bad Request {"success":false,"errors":[{"code":1086,"message":"Invalid
│ property"}],"messages":[],"result":null}
╵
Releasing state lock. This may take a few moments...
Error running Terraform apply

Affected resource(s)

cloudflare_zone

Terraform configuration files

resource "cloudflare_zone" "xxx" {
  account = {
    id = local.account_id
  }
  name = "xxx"
  type = "partial"
}

Link to debug output

n.a

Panic output

No response

Expected output

It should be able to import a paused zone successfully, and a subsequent terraform plan should not show any changes.
It should be able to successfully run terraform apply.

Actual output

plan:

Terraform will perform the following actions:

  # cloudflare_zone.xxx will be updated in-place
  ~ resource "cloudflare_zone" "xxx" {
      ~ activated_on          = "2024-05-29T17:26:39Z" -> (known after apply)
      ~ created_on            = "2024-05-29T16:15:16Z" -> (known after apply)
      ~ development_mode      = 0 -> (known after apply)
        id                    = "redacted"
      ~ meta                  = {
          + cdn_only                 = (known after apply)
          ~ custom_certificate_quota = 1 -> (known after apply)
          + dns_only                 = (known after apply)
          + foundation_dns           = (known after apply)
          ~ page_rule_quota          = 100 -> (known after apply)
          ~ phishing_detected        = false -> (known after apply)
          ~ step                     = 2 -> (known after apply)
        } -> (known after apply)
      ~ modified_on           = "2025-03-25T04:58:24Z" -> (known after apply)
        name                  = "redacted"
      + name_servers          = (known after apply)
      + original_dnshost      = (known after apply)
      ~ original_name_servers = [
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
          - "redacted.net",
        ] -> (known after apply)
      + original_registrar    = (known after apply)
      ~ owner                 = {
          ~ id   = "redacted" -> (known after apply)
          ~ name = "redacted" -> (known after apply)
          ~ type = "organization" -> (known after apply)
        } -> (known after apply)
      ~ paused                = true -> false
      ~ status                = "active" -> (known after apply)
      ~ verification_key      = "redacted" -> (known after apply)
        # (2 unchanged attributes hidden)
    }

apply:

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cloudflare_zone.xxx: Modifying... [id=redacted]
╷
│ Error: failed to make http request
│ 
│   with cloudflare_zone.xxx,
│   on xxx.tf line 3, in resource "cloudflare_zone" "xxx":
│    3: resource "cloudflare_zone" "xxx" {
│ 
│ PATCH "https://api.cloudflare.com/client/v4/zones/redacted": 400 Bad Request {"success":false,"errors":[{"code":1086,"message":"Invalid
│ property"}],"messages":[],"result":null}
╵
Releasing state lock. This may take a few moments...
Error running Terraform apply

Steps to reproduce

  1. import a paused zone
  2. run terraform plan
  3. run terraform apply

Additional factoids

No response

References

No response

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • version/5: Categorizes issue or PR as related to version 5 of the provider.
