chore: update docs and examples

Author: musa-cf

docs/data-sources/account_dns_settings.md

@@ -68,7 +68,7 @@ Read-Only:
 
 - `expire` (Number) Time in seconds of being unable to query the primary server after which secondary servers should stop serving the zone.
 - `min_ttl` (Number) The time to live (TTL) for negative caching of records within the zone.
-- `mname` (String) The primary nameserver, which may be used for outbound zone transfers.
+- `mname` (String) The primary nameserver, which may be used for outbound zone transfers. If null, a Cloudflare-assigned value will be used.
 - `refresh` (Number) Time in seconds after which secondary servers should re-check the SOA record to see if the zone has been updated.
 - `retry` (Number) Time in seconds after which secondary servers should retry queries after the primary server was unresponsive.
 - `rname` (String) The email address of the zone administrator, with the first label representing the local part of the email address.

docs/data-sources/bot_management.md

@@ -30,6 +30,8 @@ data "cloudflare_bot_management" "example_bot_management" {
 Available values: "block", "disabled", "only_on_ad_pages".
 - `auto_update_model` (Boolean) Automatically update to the newest bot detection models created by Cloudflare as they are released. [Learn more.](https://developers.cloudflare.com/bots/reference/machine-learning-models#model-versions-and-release-notes)
 - `bm_cookie_enabled` (Boolean) Indicates that the bot management cookie can be placed on end user devices accessing the site. Defaults to true
+- `cf_robots_variant` (String) Specifies the Robots Access Control License variant to use.
+Available values: "off", "policy_only".
 - `crawler_protection` (String) Enable rule to punish AI Scrapers and Crawlers via a link maze.
 Available values: "enabled", "disabled".
 - `enable_js` (Boolean) Use lightweight, invisible JavaScript detections to improve Bot Management. [Learn more about JavaScript Detections](https://developers.cloudflare.com/bots/reference/javascript-detections/).

docs/data-sources/byo_ip_prefix.md

@@ -31,8 +31,8 @@ data "cloudflare_byo_ip_prefix" "example_byo_ip_prefix" {
 
 ### Read-Only
 
-- `advertised` (Boolean) Prefix advertisement status to the Internet. This field is only not 'null' if on demand is enabled.
-- `advertised_modified_at` (String) Last time the advertisement status was changed. This field is only not 'null' if on demand is enabled.
+- `advertised` (Boolean, Deprecated) Prefix advertisement status to the Internet. This field is only not 'null' if on demand is enabled.
+- `advertised_modified_at` (String, Deprecated) Last time the advertisement status was changed. This field is only not 'null' if on demand is enabled.
 - `approved` (String) Approval state of the prefix (P = pending, V = active).
 - `asn` (Number) Autonomous System Number (ASN) the prefix will be advertised under.
 - `cidr` (String) IP Prefix in Classless Inter-Domain Routing format.
@@ -41,7 +41,7 @@ data "cloudflare_byo_ip_prefix" "example_byo_ip_prefix" {
 - `id` (String) Identifier of an IP Prefix.
 - `loa_document_id` (String) Identifier for the uploaded LOA document.
 - `modified_at` (String)
-- `on_demand_enabled` (Boolean) Whether advertisement of the prefix to the Internet may be dynamically enabled or disabled.
-- `on_demand_locked` (Boolean) Whether advertisement status of the prefix is locked, meaning it cannot be changed.
+- `on_demand_enabled` (Boolean, Deprecated) Whether advertisement of the prefix to the Internet may be dynamically enabled or disabled.
+- `on_demand_locked` (Boolean, Deprecated) Whether advertisement status of the prefix is locked, meaning it cannot be changed.
 
 

docs/data-sources/byo_ip_prefixes.md

@@ -38,8 +38,8 @@ data "cloudflare_byo_ip_prefixes" "example_byo_ip_prefixes" {
 Read-Only:
 
 - `account_id` (String) Identifier of a Cloudflare account.
-- `advertised` (Boolean) Prefix advertisement status to the Internet. This field is only not 'null' if on demand is enabled.
-- `advertised_modified_at` (String) Last time the advertisement status was changed. This field is only not 'null' if on demand is enabled.
+- `advertised` (Boolean, Deprecated) Prefix advertisement status to the Internet. This field is only not 'null' if on demand is enabled.
+- `advertised_modified_at` (String, Deprecated) Last time the advertisement status was changed. This field is only not 'null' if on demand is enabled.
 - `approved` (String) Approval state of the prefix (P = pending, V = active).
 - `asn` (Number) Autonomous System Number (ASN) the prefix will be advertised under.
 - `cidr` (String) IP Prefix in Classless Inter-Domain Routing format.
@@ -48,7 +48,7 @@ Read-Only:
 - `id` (String) Identifier of an IP Prefix.
 - `loa_document_id` (String) Identifier for the uploaded LOA document.
 - `modified_at` (String)
-- `on_demand_enabled` (Boolean) Whether advertisement of the prefix to the Internet may be dynamically enabled or disabled.
-- `on_demand_locked` (Boolean) Whether advertisement status of the prefix is locked, meaning it cannot be changed.
+- `on_demand_enabled` (Boolean, Deprecated) Whether advertisement of the prefix to the Internet may be dynamically enabled or disabled.
+- `on_demand_locked` (Boolean, Deprecated) Whether advertisement status of the prefix is locked, meaning it cannot be changed.
 
 

docs/data-sources/dns_firewall.md

@@ -36,11 +36,35 @@ data "cloudflare_dns_firewall" "example_dns_firewall" {
 - `dns_firewall_ips` (Set of String)
 - `ecs_fallback` (Boolean) Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
 - `id` (String) Identifier.
-- `maximum_cache_ttl` (Number) Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
-- `minimum_cache_ttl` (Number) Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
+- `maximum_cache_ttl` (Number) By default, Cloudflare attempts to cache responses for as long as
+indicated by the TTL received from upstream nameservers. This setting
+sets an upper bound on this duration. For caching purposes, higher TTLs
+will be decreased to the maximum value defined by this setting.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
+- `minimum_cache_ttl` (Number) By default, Cloudflare attempts to cache responses for as long as
+indicated by the TTL received from upstream nameservers. This setting
+sets a lower bound on this duration. For caching purposes, lower TTLs
+will be increased to the minimum value defined by this setting.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
+
+Note that, even with this setting, there is no guarantee that a
+response will be cached for at least the specified duration. Cached
+responses may be removed earlier for capacity or other operational
+reasons.
 - `modified_on` (String) Last modification of DNS Firewall cluster
 - `name` (String) DNS Firewall cluster name
-- `negative_cache_ttl` (Number) Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
+- `negative_cache_ttl` (Number) This setting controls how long DNS Firewall should cache negative
+responses (e.g., NXDOMAIN) from the upstream servers.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
 - `ratelimit` (Number) Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
 - `retries` (Number) Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
 - `upstream_ips` (Set of String)

docs/data-sources/dns_firewalls.md

@@ -42,11 +42,35 @@ Read-Only:
 - `dns_firewall_ips` (Set of String)
 - `ecs_fallback` (Boolean) Whether to forward client IP (resolver) subnet if no EDNS Client Subnet is sent
 - `id` (String) Identifier.
-- `maximum_cache_ttl` (Number) Maximum DNS cache TTL This setting sets an upper bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Higher TTLs will be decreased to the maximum defined here for caching purposes.
-- `minimum_cache_ttl` (Number) Minimum DNS cache TTL This setting sets a lower bound on DNS TTLs for purposes of caching between DNS Firewall and the upstream servers. Lower TTLs will be increased to the minimum defined here for caching purposes.
+- `maximum_cache_ttl` (Number) By default, Cloudflare attempts to cache responses for as long as
+indicated by the TTL received from upstream nameservers. This setting
+sets an upper bound on this duration. For caching purposes, higher TTLs
+will be decreased to the maximum value defined by this setting.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
+- `minimum_cache_ttl` (Number) By default, Cloudflare attempts to cache responses for as long as
+indicated by the TTL received from upstream nameservers. This setting
+sets a lower bound on this duration. For caching purposes, lower TTLs
+will be increased to the minimum value defined by this setting.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
+
+Note that, even with this setting, there is no guarantee that a
+response will be cached for at least the specified duration. Cached
+responses may be removed earlier for capacity or other operational
+reasons.
 - `modified_on` (String) Last modification of DNS Firewall cluster
 - `name` (String) DNS Firewall cluster name
-- `negative_cache_ttl` (Number) Negative DNS cache TTL This setting controls how long DNS Firewall should cache negative responses (e.g., NXDOMAIN) from the upstream servers.
+- `negative_cache_ttl` (Number) This setting controls how long DNS Firewall should cache negative
+responses (e.g., NXDOMAIN) from the upstream servers.
+
+This setting does not affect the TTL value in the DNS response
+Cloudflare returns to clients. Cloudflare will always forward the TTL
+value received from upstream nameservers.
 - `ratelimit` (Number) Ratelimit in queries per second per datacenter (applies to DNS queries sent to the upstream nameservers configured on the cluster)
 - `retries` (Number) Number of retries for fetching DNS responses from upstream nameservers (not counting the initial attempt)
 - `upstream_ips` (Set of String)

docs/data-sources/load_balancer_pool.md

@@ -44,6 +44,7 @@ data "cloudflare_load_balancer_pool" "example_load_balancer_pool" {
 - `minimum_origins` (Number) The minimum number of origins that must be healthy for this pool to serve traffic. If the number of healthy origins falls below this number, the pool will be marked unhealthy and will failover to the next available pool.
 - `modified_on` (String)
 - `monitor` (String) The ID of the Monitor to use for checking the health of origins within this pool.
+- `monitor_group` (String) The ID of the Monitor Group to use for checking the health of origins within this pool.
 - `name` (String) A short name (tag) for the pool. Only alphanumeric characters, hyphens, and underscores are allowed.
 - `networks` (List of String) List of networks where Load Balancer or Pool is enabled.
 - `notification_email` (String) This field is now deprecated. It has been moved to Cloudflare's Centralized Notification service https://developers.cloudflare.com/fundamentals/notifications/. The email address to send health status notifications to. This can be an individual mailbox or a mailing list. Multiple emails can be supplied as a comma delimited list.

docs/data-sources/load_balancer_pools.md

@@ -51,6 +51,7 @@ Read-Only:
 - `minimum_origins` (Number) The minimum number of origins that must be healthy for this pool to serve traffic. If the number of healthy origins falls below this number, the pool will be marked unhealthy and will failover to the next available pool.
 - `modified_on` (String)
 - `monitor` (String) The ID of the Monitor to use for checking the health of origins within this pool.
+- `monitor_group` (String) The ID of the Monitor Group to use for checking the health of origins within this pool.
 - `name` (String) A short name (tag) for the pool. Only alphanumeric characters, hyphens, and underscores are allowed.
 - `networks` (List of String) List of networks where Load Balancer or Pool is enabled.
 - `notification_email` (String) This field is now deprecated. It has been moved to Cloudflare's Centralized Notification service https://developers.cloudflare.com/fundamentals/notifications/. The email address to send health status notifications to. This can be an individual mailbox or a mailing list. Multiple emails can be supplied as a comma delimited list.

docs/data-sources/magic_wan_gre_tunnel.md

@@ -35,6 +35,7 @@ data "cloudflare_magic_wan_gre_tunnel" "example_magic_wan_gre_tunnel" {
 
 Read-Only:
 
+- `automatic_return_routing` (Boolean) True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
 - `bgp` (Attributes) (see [below for nested schema](#nestedatt--gre_tunnel--bgp))
 - `bgp_status` (Attributes) (see [below for nested schema](#nestedatt--gre_tunnel--bgp_status))
 - `cloudflare_gre_endpoint` (String) The IP address assigned to the Cloudflare side of the GRE tunnel.

docs/data-sources/magic_wan_ipsec_tunnel.md

@@ -36,10 +36,12 @@ data "cloudflare_magic_wan_ipsec_tunnel" "example_magic_wan_ipsec_tunnel" {
 Read-Only:
 
 - `allow_null_cipher` (Boolean) When `true`, the tunnel can use a null-cipher (`ENCR_NULL`) in the ESP tunnel (Phase 2).
+- `automatic_return_routing` (Boolean) True if automatic stateful return routing should be enabled for a tunnel, false otherwise.
 - `bgp` (Attributes) (see [below for nested schema](#nestedatt--ipsec_tunnel--bgp))
 - `bgp_status` (Attributes) (see [below for nested schema](#nestedatt--ipsec_tunnel--bgp_status))
 - `cloudflare_endpoint` (String) The IP address assigned to the Cloudflare side of the IPsec tunnel.
 - `created_on` (String) The date and time the tunnel was created.
+- `custom_remote_identities` (Attributes) (see [below for nested schema](#nestedatt--ipsec_tunnel--custom_remote_identities))
 - `customer_endpoint` (String) The IP address assigned to the customer side of the IPsec tunnel. Not required, but must be set for proactive traceroutes to work.
 - `description` (String) An optional description forthe IPsec tunnel.
 - `health_check` (Attributes) (see [below for nested schema](#nestedatt--ipsec_tunnel--health_check))
@@ -91,6 +93,21 @@ Read-Only:
 - `updated_at` (String)
 
 
+<a id="nestedatt--ipsec_tunnel--custom_remote_identities"></a>
+### Nested Schema for `ipsec_tunnel.custom_remote_identities`
+
+Read-Only:
+
+- `fqdn_id` (String) A custom IKE ID of type FQDN that may be used to identity the IPsec tunnel. The
+generated IKE IDs can still be used even if this custom value is specified.
+
+Must be of the form `<custom label>.<account ID>.custom.ipsec.cloudflare.com`.
+
+This custom ID does not need to be unique. Two IPsec tunnels may have the same custom 
+fqdn_id. However, if another IPsec tunnel has the same value then the two tunnels 
+cannot have the same cloudflare_endpoint.
+
+
 <a id="nestedatt--ipsec_tunnel--health_check"></a>
 ### Nested Schema for `ipsec_tunnel.health_check`