From b992ae32ef8562bf3245f3c1bbe39615bdbdf5ea Mon Sep 17 00:00:00 2001
From: Sukka <isukkaw@gmail.com>
Date: Tue, 25 Nov 2025 09:28:38 +0800
Subject: [PATCH] CLOUDFLAREAPI: Skip read-only records inserted by provider
 (#3850) (#3852)

<!--
## Before submiting a pull request

Please make sure you've run the following commands from the root
directory.

    bin/generate-all.sh

(this runs commands like "go generate", fixes formatting, and so on)

## Release changelog section

Help keep the release changelog clear by pre-naming the proper section
in the GitHub pull request title.

Some examples:
* CICD: Add required GHA permissions for goreleaser
* DOCS: Fixed providers with "contributor support" table
* ROUTE53: Allow R53_ALIAS records to enable target health evaluation

More examples/context can be found in the file .goreleaser.yml under the
'build' > 'changelog' key.
!-->

The PR fixes #3850.
---
 providers/cloudflare/cloudflareProvider.go | 9 +++++++++
 providers/cloudflare/rest.go               | 6 +++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/providers/cloudflare/cloudflareProvider.go b/providers/cloudflare/cloudflareProvider.go
index 54501b438..d3b4fd93c 100644
--- a/providers/cloudflare/cloudflareProvider.go
+++ b/providers/cloudflare/cloudflareProvider.go
@@ -819,6 +819,15 @@ func stringDefault(value interface{}, def string) string {
 }
 
 func (c *cloudflareProvider) nativeToRecord(domain string, cr cloudflare.DNSRecord) (*models.RecordConfig, error) {
+	// Check for read_only metadata
+	// https://github.com/StackExchange/dnscontrol/issues/3850
+	if cr.Meta != nil {
+		if metaMap, ok := cr.Meta.(map[string]interface{}); ok {
+			if readOnly, ok := metaMap["read_only"].(bool); ok && readOnly {
+				return nil, nil
+			}
+		}
+	}
 
 	// ALIAS in Cloudflare works like CNAME.
 	if cr.Type == "ALIAS" {
diff --git a/providers/cloudflare/rest.go b/providers/cloudflare/rest.go
index bc2f0b08c..9efd522ea 100644
--- a/providers/cloudflare/rest.go
+++ b/providers/cloudflare/rest.go
@@ -47,7 +47,11 @@ func (c *cloudflareProvider) getRecordsForDomain(id string, domain string) ([]*m
 		if err != nil {
 			return nil, err
 		}
-		records = append(records, rt)
+		// nativeToRecord may return nil if the record is supposed to be skipped
+		// i.e. read only, cloudflare-managed, etc.
+		if rt != nil {
+			records = append(records, rt)
+		}
 	}
 	return records, nil
 }