cloudflare · ranbel · Apr 23, 2026
@@ -12,7 +12,7 @@ products:
   - terraform
 ---
 
-import { Render, RuleID } from "~/components";
+import { Render, RuleID, Tabs, TabItem, Details } from "~/components";
 
 This page provides examples of configuring [DDoS managed rulesets](/ddos-protection/managed-rulesets/) in your zone or account using Terraform. It covers the following configurations:
 
@@ -45,7 +45,66 @@ For more information on deploying and configuring rulesets using the Rulesets AP
 
 This example configures the [HTTP DDoS Attack Protection](/ddos-protection/managed-rulesets/http/) managed ruleset for a zone using Terraform.
 
-<Render file="v4-code-snippets" product="terraform" />
+<Tabs syncKey="terraformVersion">
+<TabItem label="Terraform (v5)">
+
+<Details header="Required API token permissions">
+
+At least one of the following [token permissions](/fundamentals/api/reference/permissions/) is required:
+
+- `HTTP DDoS Managed Ruleset Write`
+
+</Details>
+
+Configure the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resource:
+
+```tf
+resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
+  zone_id     = var.cloudflare_zone_id
+  name        = "HTTP DDoS Attack Protection entry point ruleset"
+  description = ""
+  kind        = "zone"
+  phase       = "ddos_l7"
+
+  rules = [{
+    action = "execute"
+    action_parameters = {
+      # Cloudflare L7 DDoS Attack Protection Ruleset
+      id = "4d21379b4f9f4bb088e0729962c8b3cf"
+      overrides = {
+        action            = "block"
+        sensitivity_level = "default"
+        rules = [
+          {
+            # Adaptive DDoS Protection based on Locations (Available only to Enterprise zones with Advanced DDoS service)
+            id                = "a8c6333711ff4b0a81371d1c444be2c3"
+            sensitivity_level = "default"
+            action            = "managed_challenge"
+          },
+          {
+            # Adaptive DDoS Protection based on User-Agents (Available only to Enterprise zones with Advanced DDoS service)
+            id                = "7709d496081e458899c1e3a6e4fe8e55"
+            sensitivity_level = "default"
+            action            = "managed_challenge"
+          },
+          {
+            # HTTP requests causing a high number of origin errors.
+            id                = "dd42da7baabe4e518eaf11c393596a9d"
+            sensitivity_level = "default"
+            action            = "managed_challenge"
+          },
+        ]
+      }
+    }
+    expression  = "true"
+    description = "Zone-wide HTTP DDoS Override"
+    enabled     = true
+  }]
+}
+```
+
+</TabItem>
+<TabItem label="Terraform (v4)">
 
 ```tf
 resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
@@ -90,6 +149,9 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
 }
 ```
 
+</TabItem>
+</Tabs>
+
 For more information about HTTP DDoS Attack Protection, refer to [HTTP DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/http/).
 
 ## Example: Configure Network-layer DDoS Attack Protection
@@ -103,7 +165,49 @@ This example configures the [Network-layer DDoS Attack Protection](/ddos-protect
 
 :::
 
-<Render file="v4-code-snippets" product="terraform" />
+<Tabs syncKey="terraformVersion">
+<TabItem label="Terraform (v5)">
+
+<Details header="Required API token permissions">
+
+At least one of the following [token permissions](/fundamentals/api/reference/permissions/) is required:
+
+- `L4 DDoS Managed Ruleset Write`
+
+</Details>
+
+Configure the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resource:
+
+```tf
+resource "cloudflare_ruleset" "account_level_network_ddos_config" {
+  account_id  = var.cloudflare_account_id
+  name        = "Network-layer DDoS Attack Protection entry point ruleset"
+  description = ""
+  kind        = "root"
+  phase       = "ddos_l4"
+
+  rules = [{
+    ref         = "override_l7_ddos_ruleset_dst_ip"
+    description = "Override the HTTP DDoS Attack Protection managed ruleset"
+    expression  = "ip.dst in { 192.0.2.0/24 }"
+    action      = "execute"
+    action_parameters = {
+      # Cloudflare L3/4 DDoS Attack Protection Ruleset
+      id = "3b64149bfa6e4220bbbc2bd6db589552"
+      overrides = {
+        rules = [{
+          # Rule: Generic high-volume UDP traffic flows.
+          id                = "599dab0942ff4898ac1b7797e954e98b"
+          sensitivity_level = "low"
+        }]
+      }
+    }
+  }]
+}
+```
+
+</TabItem>
+<TabItem label="Terraform (v4)">
 
 ```tf
 resource "cloudflare_ruleset" "account_level_network_ddos_config" {
@@ -133,6 +237,9 @@ resource "cloudflare_ruleset" "account_level_network_ddos_config" {
 }
 ```
 
+</TabItem>
+</Tabs>
+
 For more information about Network-layer DDoS Attack Protection, refer to [Network-layer DDoS Attack Protection managed ruleset](/ddos-protection/managed-rulesets/network/).
 
 ---
@@ -154,7 +261,106 @@ The order of the rules is important: the rule with the highest sensitivity level
 
 :::
 
-<Render file="v4-code-snippets" product="terraform" />
+<Tabs syncKey="terraformVersion">
+<TabItem label="Terraform (v5)">
+
+<Details header="Required API token permissions">
+
+At least one of the following [token permissions](/fundamentals/api/reference/permissions/) is required:
+
+- `HTTP DDoS Managed Ruleset Write`
+
+</Details>
+
+Configure the [`cloudflare_ruleset`](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/ruleset) resource:
+
+```tf
+resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
+  zone_id     = var.cloudflare_zone_id
+  name        = "HTTP DDoS - Terraform managed"
+  description = ""
+  kind        = "zone"
+  phase       = "ddos_l7"
+
+  # The resource configuration contains two rules:
+  #  1. The first rule has the lowest sensitivity level (highest threshold)
+  #     and it will block attacks.
+  #  2. The second rule has a higher sensitivity level (lower threshold) and
+  #     will only apply a Log action.
+  #
+  # In practice, evaluation stops whenever a rule matches both the expression
+  # and the threshold, so the rule order is important:
+  #   - When the traffic rate is below the (low) threshold of the default
+  #     sensitivity level ('High'), no rules match (no action is applied).
+  #   - When the traffic rate is between the thresholds of the 'Low' and
+  #     default ('High') sensitivity levels, the first rule does not match,
+  #     but the second rule does (traffic gets logged).
+  #   - When the traffic rate goes above the (high) threshold of the 'Low'
+  #     sensitivity level, the first rule matches (traffic gets blocked).
+  #
+  # The DDoS protection systems will still apply mitigation actions to incoming
+  # traffic when rates exceed the threshold of the _Essentially Off_ sensitivity
+  # level.
+
+  rules = [
+    {
+      ref         = "l7_ddos_block_traffic_low_threshold"
+      description = "At the low sensitivity threshold, block the traffic"
+      expression  = "true"
+      action      = "execute"
+      action_parameters = {
+        # Cloudflare L7 DDoS Attack Protection Ruleset
+        id = "4d21379b4f9f4bb088e0729962c8b3cf"
+        overrides = {
+          rules = [
+            {
+              # Rule: HTTP requests from known botnet (signature #4).
+              id                = "29d170ba2f004cc787b1ac272c9e04e7"
+              sensitivity_level = "low"
+              action            = "block"
+            },
+            {
+              # Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
+              id                = "60a48054bbcf4014ac63c44f1712a123"
+              sensitivity_level = "low"
+              action            = "block"
+            },
+          ]
+        }
+      }
+    },
+    {
+      ref         = "l7_ddos_log_default_threshold"
+      description = "At the default sensitivity threshold, log to see if any legitimate traffic gets caught"
+      expression  = "true"
+      action      = "execute"
+      action_parameters = {
+        # Cloudflare L7 DDoS Attack Protection Ruleset
+        id = "4d21379b4f9f4bb088e0729962c8b3cf"
+        overrides = {
+          rules = [
+            {
+              # Rule: HTTP requests from known botnet (signature #4).
+              id                = "29d170ba2f004cc787b1ac272c9e04e7"
+              sensitivity_level = "default"
+              action            = "log"
+            },
+            {
+              # Rule: HTTP requests with unusual HTTP headers or URI path (signature #16).
+              id                = "60a48054bbcf4014ac63c44f1712a123"
+              sensitivity_level = "default"
+              action            = "log"
+            },
+          ]
+        }
+      }
+    },
+  ]
+}
+```
+
+</TabItem>
+<TabItem label="Terraform (v4)">
 
 ```tf
 variable "zone_id" {
@@ -239,3 +445,6 @@ resource "cloudflare_ruleset" "zone_level_http_ddos_config" {
   }
 }
 ```
+
+</TabItem>
+</Tabs>