cloudflare_zone_dns_settings drifts on every plan — ignore_changes = all is the fix
Enabled multi-provider DNS on 8 domains via cloudflare_zone_dns_settings:
resource "cloudflare_zone_dns_settings" "multi_provider" {
  count          = local.multi_provider ? 1 : 0
  zone_id        = var.cloudflare_zone_id
  multi_provider = true
}
Every terraform plan showed 8 resources changing. Always the same attributes — foundation_dns, nameservers, secondary_overrides, and a handful of others. The planned values were identical to the current values. Nothing actually changed.
The cause
The Cloudflare Terraform provider (v5.x) reads back the full cloudflare_zone_dns_settings object on refresh, including attributes you never set. The provider then compares the API response against the config, sees attributes in state that aren’t in config, and marks them as drift. This is a provider bug — it should treat unset attributes as “don’t care,” not “should be null.”
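One way to confirm that the updates in a plan really are phantom before hiding them, as an added example that is not from the original post: classify the in-place updates in `terraform show -json tfplan` output by whether any value actually changes. The plan document below is constructed to mirror the symptom described above (the `ZONE_ID_PLACEHOLDER` value and the resource addresses are invented).

```python
import json

# Constructed sample in the shape of `terraform show -json tfplan` output (not the
# author's real plan): one cloudflare_zone_dns_settings update whose before/after
# values are identical, one update that only nulls attributes absent from config,
# and one genuine record change for contrast.
SAMPLE_PLAN_JSON = json.dumps({"format_version": "1.2", "resource_changes": [
    {"address": "cloudflare_zone_dns_settings.multi_provider[0]",
     "type": "cloudflare_zone_dns_settings",
     "change": {"actions": ["update"],
                "before": {"zone_id": "ZONE_ID_PLACEHOLDER", "multi_provider": True,
                           "foundation_dns": False, "secondary_overrides": False},
                "after": {"zone_id": "ZONE_ID_PLACEHOLDER", "multi_provider": True,
                          "foundation_dns": False, "secondary_overrides": False}}},
    {"address": "cloudflare_zone_dns_settings.other[0]",
     "type": "cloudflare_zone_dns_settings",
     "change": {"actions": ["update"],
                "before": {"multi_provider": True, "foundation_dns": False},
                "after": {"multi_provider": True, "foundation_dns": None}}},
    {"address": "cloudflare_record.www", "type": "cloudflare_record",
     "change": {"actions": ["update"],
                "before": {"content": "192.0.2.10"},
                "after": {"content": "192.0.2.11"}}},
]})


def changed_attributes(before, after):
    """Top-level attributes whose value differs between the before and after objects."""
    before, after = before or {}, after or {}
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))


def classify_updates(plan_json):
    """Label each planned in-place update: 'phantom' (no value differs),
    'unset-only' (every difference is a value becoming null, i.e. an attribute the
    config never set) or 'real'. Creates, destroys and replacements are skipped."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc["change"]
        if change["actions"] != ["update"]:
            continue
        diff = changed_attributes(change["before"], change["after"])
        if not diff:
            result[rc["address"]] = "phantom"
        elif all((change["after"] or {}).get(k) is None for k in diff):
            result[rc["address"]] = "unset-only"
        else:
            result[rc["address"]] = "real"
    return result
```

Running this over a real plan (`terraform plan -out tfplan && terraform show -json tfplan`) is worth doing once before adding ignore_changes = all, because that lifecycle block will also hide any genuine out-of-band change to the resource from future plans.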
The fix
resource "cloudflare_zone_dns_settings" "multi_provider" {
  count          = local.multi_provider ? 1 : 0
  zone_id        = var.cloudflare_zone_id
  multi_provider = true

  lifecycle {
    ignore_changes = all
  }
}
ignore_changes = all tells Terraform to ignore every attribute of this resource after creation, so no later plan proposes an in-place update to it. This is appropriate because the only attribute we set is multi_provider = true, and once it’s enabled, there’s no reason for Terraform to touch it again.
The alternative — listing each drifting attribute individually — is fragile. The Cloudflare provider adds new attributes across versions, and each new one becomes another source of phantom drift.
The tradeoff
If you ever need to flip multi_provider back to false, ignore_changes = all prevents it. But disabling multi-provider DNS is a destructive operation that breaks NS mirroring. That’s manual intervention territory regardless.
Clean plans are worth more than theoretical flexibility on a setting you’ll never change.