Cloudflare

cf-terraform

Retrieve records from cloudflare to convert to local terraform states

Cloudflare DNS

Export records from cloudflare

# if using API Token from Account Icon > Profiles > API Token
export CLOUDFLARE_API_TOKEN="Hzsq3Vub-7Y-hSTlAaLH3Jq_YfTUOCcgf22_Fs-j"

# if using API Key
export CLOUDFLARE_EMAIL='[email protected]'
export CLOUDFLARE_API_KEY='1150bed3f45247b99f7db9696fffa17cbx9'

# specify zone ID from Account Home > Select Domain > Select Zone ID from API Section on bottom right
export CLOUDFLARE_ZONE_ID='81b06ss3228f488fh84e5e993c2dc17'

# now call cf-terraforming, from terraform folder
cf-terraforming generate \
  --resource-type "cloudflare_dns_record" \
  --zone $CLOUDFLARE_ZONE_ID

|- Alternately, can use config file:

# cat .cf-terraforming.yaml
email: "[email protected]"
key: "<key>"
#or
token: "<token>"

Then, save generated records to .tf file. But these records haven't become terraform state yet. Follow next step to import them.

Import records into terraform state

cf-terraforming import \
  --resource-type "cloudflare_record" \
  --zone $CLOUDFLARE_ZONE_ID

Above commands will generate a list of terraform import commands. Then copy them and paste to run the generated terraform import commands
After that check state list using: terraform state list

Terraform

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

provider "cloudflare" {
  api_token = "$api-token"
}

variable "zone_id" {
  default = "$zone-id"
}

resource "cloudflare_dns_record" "www" {
  name    = "www"
  proxied = true
  ttl     = 1
  type    = "A"
  value   = "$ipaddress"
  zone_id = var.zone_id
}

terraform plan [-out=$filename]: to dry run
TF_LOG=DEBUG terraform plan: dry run with debug log
terraform apply [$filename - from terraform plan]: to apply

Using Environment Variable as Variable

Define env variable with TF_VAR Prefix: export TF_VAR_api_token="Token"
- Terraform will automatically recognize TF_VAR_api_token as the value for the api_token variable.
Define Variable in Terraform file: variables.tf

variable "api_token" {
  type = string
}

Use variable in terraform code

provider "cloudflare" {
  api_token = var.api_token
}

Another way to use env variable

This method allows Terraform to read any environment variable, even if it doesn’t follow the TF_VAR_ naming convention.

# below code will generate a json dictionary api_token: value
data "external" "env" {
  program = [
    "bash", 
    "-c", 
    "echo '{\"api_token\": \"'$CLOUDFLARE_API_TOKEN'\", \"zone_id\": \"'$CLOUDFLARE_ZONE_ID'\"}'"
  ]
}

output "api_token" {
  value = data.external.env.result["api_token"]
}

Another way:

# Create get_env.sh
#!/bin/bash
echo '{
  "api_token": "'"$CLOUDFLARE_API_TOKEN"'",
  "zone_id": "'"$CLOUDFLARE_ZONE_ID"'"
}'

# Use in terraform 
data "external" "env" {
  program = ["bash", "${path.module}/get_env.sh"]
}

Remove Terraform State

terraform state list
terraform state rm $resource_address
rm -rf terraform.tfstate terraform.tfstate.backup: reset terraform state completely
terraform init: reinitialize terraform which make it lose track of all existing resources

Revert to a previous state

copy terraform.tfstate.backup terraform.tfstate
terraform refresh

Compare terraform state

terraform show -json terraform.tfstate > current_state.json
terraform show -json terraform.tfstate.backup > backup_state.json
diff -u backup_state.json current_state.json
or sort keys to ensure consistent ordering before comparing

jq --sort-keys . backup_state.json > sorted_backup.json
jq --sort-keys . current_state.json > sorted_current.json
diff -u sorted_backup.json sorted_current.json

Check differences in terraform state list

terraform state list > current_resources.txt
terraform state list -state=terraform.tfstate.backup > backup_resources.txt
diff -u backup_resources.txt current_resources.txt

Troubleshooting Terraform

Fixing Existing Records

Rename resource in terraform state

terraform state mv cloudflare_record.terraform_managed_resource_ad1bc14241c6e688af36a14842c1d83a cloudflare_record.routerlocal
then, terraform apply

Importing Existing Record

terraform import cloudflare_record.routerlocal $zone_id/$record_id: import to terraform local state, order is $localname $zoneid/$remotename

Allow Overwriting

resource "cloudflare_record" "routerlocal" {
  name    = "routerlocal"
  proxied = false
  ttl     = 1
  type    = "A"
  value   = "192.168.3.1"
  zone_id = data.external.env.result["zone_id"]
  allow_overwrite = true
}

Cloudflare Zero Trust Tunnel

Exporting Tunnel

Define Terraform Config main.tf

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.0"
    }
  }
}

data "external" "env" {
  program = [
    "bash",
    "-c",
  "echo '{\"api_token\": \"'$CLOUDFLARE_API_TOKEN'\", \"account_id\": \"'$CLOUDFLARE_ACCOUNT_ID'\"}'"]
}

provider "cloudflare" {
  #   api_token = var.cloudflare_api_token
  api_token = data.external.env.result["api_token"]
}

Generate Terraform Config

cf-terraforming generate \
  --resource-type "cloudflare_zero_trust_tunnel_cloudflared"

Then copy generated config to terraform main.tf file above

#### omitted config ####
resource "cloudflare_zero_trust_tunnel_cloudflared" "terraform_managed_resource_0a2e959f-06" {
  account_id = "5edbee2d271d7a12"
  name       = "Tunnel 1"
}

resource "cloudflare_zero_trust_tunnel_cloudflared" "terraform_managed_resource_2599d24a-ca" {
  account_id = "5edbee2d271d7a12"
  name       = "Tunnel 2"
}

Import Tunnel Config into Terraform State

# Generate Import commands
cf-terraforming import \
  --resource-type "cloudflare_zero_trust_tunnel_cloudflared"

Then copy the terraform import command of the tunnel to be imported, then paste and run it

Reference

https://www.youtube.com/watch?v=FmYvrxYvBP0&t=3s
https://github.com/cloudflare/cf-terraforming
https://blog.cloudflare.com/getting-started-with-terraform-and-cloudflare-part-1/

PreviousAWS NextTerraform

Last updated 6 months ago