Using a timeout of 86400 in rate limiting results in an error with Terraform

Hello there,

We are using Terraform to manage our company’s WAF on Cloudflare. Here is the problematic resource:

resource "cloudflare_rate_limit" "[redacted]__too_many_authentication_failures_long" {
  zone_id   =
  threshold = 20
  period    = 86400
  match {
    request {
      url_pattern = "[redacted].com/*auth"
      schemes     = ["HTTP", "HTTPS"]
      methods     = ["POST"]
    response {
      statuses = [400, 403]
  action {
    mode    = "ban"
    timeout = 86400
  disabled    = false
  description = "[redacted] - Too many authentication failures long"

However, when applying this we have the following error message:

Terraform v1.0.11
on linux_amd64
Initializing plugins and modules...
cloudflare_rate_limit.[redacted]__too_many_authentication_failures_long: Modifying... [id=xxxxxxxxxxxxxxxxxxxxxxxx]
│ Error: error creating rate limit for zone: HTTP status 400: ratelimit.api.not_entitled.period (10027)
│   with cloudflare_rate_limit.[redacted]__too_many_authentication_failures_long,
│   on line 77, in resource "cloudflare_rate_limit" "[redacted]__too_many_authentication_failures_long":
│   77: resource "cloudflare_rate_limit" "[redacted]__too_many_authentication_failures_long" {

From the provider doc, we can see that the value should be between 1 and 86400, so this value should be allowed. I also tried with 86399 just to be sure, and the error stays the same.

Do you have any idea why this value doesn’t work? Am I missing something?


You linked to timeout in the provider documentation - the error is about your period - of which, 86400 is not valid.

Or rather, it is valid but not without an Enterprise contract & getting an entitlement to use that high of a value.

Yes indeed, but in the doc the period can also be between 1 and 86400:

We have an enterprise license, so I guess we are entitled (except is a manual action is required to enable this).

Terraform (and the API) will show you the validation around a value.

If your account or zone is actually allowed to use the lowest or highest values in there is another question.

Reach out to your CSM in regards to the entitlement though, I’m not sure if it’s possible but I don’t see why not.

Thanks, I’ll contact our CSM and post updates in this thread.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.