diff --git a/cloudflare/resource_cloudflare_zone_settings_override.go b/cloudflare/resource_cloudflare_zone_settings_override.go
index 379ff6d01a..0e694a66dc 100644
--- a/cloudflare/resource_cloudflare_zone_settings_override.go
+++ b/cloudflare/resource_cloudflare_zone_settings_override.go
@@ -364,6 +364,13 @@ var resourceCloudflareZoneSettingsSchema = map[string]*schema.Schema{
 ValidateFunc: validation.StringInSlice([]string{"off", "flexible", "full", "strict", "origin_pull"}, false), // depends on plan
 },
+ "universal_ssl": {
+ Type: schema.TypeString,
+ Optional: true,
+ Computed: true,
+ ValidateFunc: validation.StringInSlice([]string{"on", "off"}, false),
+ },
+
 "tls_client_auth": {
 Type: schema.TypeString,
 ValidateFunc: validation.StringInSlice([]string{"on", "off"}, false),
@@ -502,11 +509,17 @@ func resourceCloudflareZoneSettingsOverrideCreate(d *schema.ResourceData, meta i
 return err
 }
+ // pulling USSL status and wrapping it into a cloudflare.ZoneSetting that we can set initial_settings
+ if err = updateZoneSettingsResponseWithUniversalSSLSettings(zoneSettings, d.Id(), client); err != nil {
+ return err
+ }
+
 log.Printf("[DEBUG] Read CloudflareZone initial settings: %#v", zoneSettings)
 if err := d.Set("initial_settings", flattenZoneSettings(d, zoneSettings.Result, true)); err != nil {
 log.Printf("[WARN] Error setting initial_settings for zone %q: %s", d.Id(), err)
 }
+
 d.Set("initial_settings_read_at", time.Now().UTC().Format(time.RFC3339Nano))
 // set readonly setting so that update can behave correctly
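Review bot: The call added to resourceCloudflareZoneSettingsOverrideCreate returns `err` whenever `UniversalSSLSettingDetails` fails, so a configuration that never sets `universal_ssl` now depends on that extra endpoint too; the Read hunk (`@@ -557,6 +587,10 @@`) adds the same unconditional call. If the API credential in use is scoped only to zone settings and the Universal SSL endpoint needs a separate permission (not visible in this diff, to be confirmed), create and refresh would start failing for existing users and push them toward broader tokens. Consider documenting the required permission next to the attribute, or degrading to a warning when the attribute is not managed, e.g. `log.Printf("[WARN] Error reading Universal SSL setting for zone %q: %s", d.Id(), err)`. The function body continues outside the hunk.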
@@ -530,6 +543,23 @@ func updateZoneSettingsResponseWithSingleZoneSettings(zoneSettings *cloudflare.Z
 return nil
 }
+func updateZoneSettingsResponseWithUniversalSSLSettings(zoneSettings *cloudflare.ZoneSettingResponse, zoneId string, client *cloudflare.API) error {
+ ussl, err := client.UniversalSSLSettingDetails(zoneId)
+ if err != nil {
+ return errors.Wrap(err, fmt.Sprintf("Error reading initial Universal SSL settings for zone %q", zoneId))
+ }
+
+ usslToZoneSetting := cloudflare.ZoneSetting{
+ ID: "universal_ssl",
+ Value: stringFromBool(ussl.Enabled),
+ Editable: true,
+ }
+
+ zoneSettings.Result = append(zoneSettings.Result, usslToZoneSetting)
+
+ return nil
+}
+
 func resourceCloudflareZoneSettingsOverrideRead(d *schema.ResourceData, meta interface{}) error {
 client := meta.(*cloudflare.API)
@@ -557,6 +587,10 @@ func resourceCloudflareZoneSettingsOverrideRead(d *schema.ResourceData, meta int
 return err
 }
+ if err = updateZoneSettingsResponseWithUniversalSSLSettings(zoneSettings, d.Id(), client); err != nil {
+ return err
+ }
+
 log.Printf("[DEBUG] Read CloudflareZone Settings: %#v", zoneSettings)
 d.Set("status", zone.Status)
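Review bot: `updateZoneSettingsResponseWithUniversalSSLSettings` names its parameter `zoneId`, while `updateUniversalSSLSetting` added later in this commit uses `zoneID`; Go initialism style and consistency within the file both favour `zoneID`. Assuming `errors` here is the package that already provides `Wrap`, the nested `fmt.Sprintf` can go: `return errors.Wrapf(err, "Error reading initial Universal SSL settings for zone %q", zoneID)`. The function also deserves a doc comment such as `// updateZoneSettingsResponseWithUniversalSSLSettings appends the zone's Universal SSL status to zoneSettings.Result as a synthetic "universal_ssl" entry.`, because the entry does not come from the zone settings response and `Editable: true` is hard-coded rather than read from the API.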
@@ -652,6 +686,25 @@ func updateSingleZoneSettings(zoneSettings []cloudflare.ZoneSetting, client *clo
 return zoneSettings, nil
 }
+func updateUniversalSSLSetting(zoneSettings []cloudflare.ZoneSetting, client *cloudflare.API, zoneID string) ([]cloudflare.ZoneSetting, error) {
+ indexToCut := -1
+ for i, setting := range zoneSettings {
+ if setting.ID == "universal_ssl" {
+ _, err := client.EditUniversalSSLSetting(zoneID, cloudflare.UniversalSSLSetting{Enabled: boolFromString(setting.Value.(string))})
+ if err != nil {
+ return zoneSettings, err
+ }
+ indexToCut = i
+ }
+ }
+
+ if indexToCut != -1 {
+ zoneSettings = append(zoneSettings[:indexToCut], zoneSettings[indexToCut+1:]...)
+ }
+
+ return zoneSettings, nil
+}
+
 func resourceCloudflareZoneSettingsOverrideUpdate(d *schema.ResourceData, meta interface{}) error {
 client := meta.(*cloudflare.API)
@@ -669,6 +722,10 @@ func resourceCloudflareZoneSettingsOverrideUpdate(d *schema.ResourceData, meta i
 return err
 }
+ if zoneSettings, err = updateUniversalSSLSetting(zoneSettings, client, d.Id()); err != nil {
+ return err
+ }
+
 if len(zoneSettings) > 0 {
 _, err = client.UpdateZoneSettings(d.Id(), zoneSettings)
 if err != nil {
@@ -778,6 +835,10 @@ func resourceCloudflareZoneSettingsOverrideDelete(d *schema.ResourceData, meta i
 return err
 }
+ if zoneSettings, err = updateUniversalSSLSetting(zoneSettings, client, d.Id()); err != nil {
+ return err
+ }
+
 if len(zoneSettings) > 0 {
 _, err = client.UpdateZoneSettings(d.Id(), zoneSettings)
 if err != nil {
@@ -834,3 +895,17 @@ func schemaValueEquals(a, b interface{}) bool {
 return reflect.DeepEqual(a, b)
 }
+
+func boolFromString(status string) bool {
+ if status == "on" {
+ return true
+ }
+ return false
+}
+
+func stringFromBool(status bool) string {
+ if status {
+ return "on"
+ }
+ return "off"
+}
diff --git a/cloudflare/resource_cloudflare_zone_settings_override_test.go b/cloudflare/resource_cloudflare_zone_settings_override_test.go
index b1f8a821c5..4bbd583b2c 100644
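Review bot: In `updateUniversalSSLSetting` the expression `setting.Value.(string)` is an unchecked type assertion on an interface-typed field, so any non-string value panics the provider instead of returning an error. Use the two-value form and fail cleanly: `v, ok := setting.Value.(string)` followed by `if !ok { return zoneSettings, fmt.Errorf("universal_ssl: expected string value, got %T", setting.Value) }`. Note also that the Update and Delete hunks (`@@ -669,6 +722,10 @@`, `@@ -778,6 +835,10 @@`) send this edit before `UpdateZoneSettings`, so a failure in the later call leaves Universal SSL already changed while the rest is not; a comment stating whether that ordering is intended would help the next reader.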
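Review bot: `boolFromString` (hunk `@@ -834,3 +895,17 @@`) returns false for every input other than "on", so an empty or unexpected value reaching `updateUniversalSSLSetting` is sent as `Enabled: false` and switches Universal SSL off for the zone. The schema's `StringInSlice` check covers values written in configuration, but the Delete path appears to replay previously stored settings, and this diff does not show those being validated. Prefer rejecting unknown values before the API call over defaulting to the less protective state; at minimum the body can be `return status == "on"` with a comment documenting the fallback.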
--- a/cloudflare/resource_cloudflare_zone_settings_override_test.go
+++ b/cloudflare/resource_cloudflare_zone_settings_override_test.go
@@ -60,6 +60,8 @@ func TestAccCloudflareZoneSettingsOverride_Full(t *testing.T) {
 name, "settings.0.h2_prioritization", "on"),
 resource.TestCheckResourceAttr(
 name, "settings.0.zero_rtt", "off"),
+ resource.TestCheckResourceAttr(
+ name, "settings.0.universal_ssl", "off"),
 ),
 },
 },
@@ -181,6 +183,10 @@ func testAccGetInitialZoneSettings(t *testing.T, zoneID string, settings map[str
 return err
 }
+ if err = updateZoneSettingsResponseWithUniversalSSLSettings(foundZone, zoneID, client); err != nil {
+ return err
+ }
+
 for _, zs := range foundZone.Result {
 settings[zs.ID] = zs.Value
 }
@@ -205,6 +211,10 @@ func testAccCheckInitialZoneSettings(zoneID string, initialSettings map[string]i
 return err
 }
+ if err = updateZoneSettingsResponseWithUniversalSSLSettings(foundZone, zoneID, client); err != nil {
+ return err
+ }
+
 for _, zs := range foundZone.Result {
 if !reflect.DeepEqual(zs.Value, initialSettings[zs.ID]) {
 return fmt.Errorf("Final setting for %q: %+v not equal to initial setting: %+v", zs.ID, zs.Value, initialSettings[zs.ID])
@@ -232,6 +242,7 @@ resource "cloudflare_zone_settings_override" "test" {
 opportunistic_encryption = "on"
 automatic_https_rewrites = "on"
 h2_prioritization = "on"
+ universal_ssl = "off"
 minify {
 css = "on"
 js = "off"
diff --git a/website/docs/r/zone_settings_override.html.markdown b/website/docs/r/zone_settings_override.html.markdown
index 38c890b9da..d48d77e04c 100644
--- a/website/docs/r/zone_settings_override.html.markdown
+++ b/website/docs/r/zone_settings_override.html.markdown
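Review bot: `testAccGetInitialZoneSettings` and `testAccCheckInitialZoneSettings` (hunks `@@ -181,6 +183,10 @@` and `@@ -205,6 +211,10 @@`) obtain the Universal SSL state through `updateZoneSettingsResponseWithUniversalSSLSettings`, the same helper the resource uses, so a mistake in that helper or in `stringFromBool` would be mirrored on both sides of the comparison and go unnoticed. Reading `client.UniversalSSLSettingDetails(zoneID)` directly in the check and comparing its `Enabled` field with the recorded initial value would make the restore-on-destroy assertion independent of the code under test. The acceptance step also only exercises `universal_ssl = "off"`; a small table test for `boolFromString` and `stringFromBool` would cover the helpers without touching a live zone.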
@@ -72,6 +72,7 @@ These can be specified as "on" or "off" string. Similar to boolean values, but h
 * `sort_query_string_for_cache` (default: `off`)
 * `tls_client_auth` (default: `on`)
 * `true_client_ip_header` (default: `off`)
+* `universal_ssl` (default: `on`)
 * `waf` (default: `off`)
 * `webp` (default: `off`). Note that the value specified will be ignored unless `polish` is turned on (i.e. is "lossless" or "lossy")
 * `websockets` (default: `off`)