Cloudflare

cf-terraform

Retrieve records from cloudflare to convert to local terraform states

Cloudflare DNS

Export records from cloudflare

# if using API Token from Account Icon > Profiles > API Token
export CLOUDFLARE_API_TOKEN="Hzsq3Vub-7Y-hSTlAaLH3Jq_YfTUOCcgf22_Fs-j"

# if using API Key
export CLOUDFLARE_EMAIL='[email protected]'
export CLOUDFLARE_API_KEY='1150bed3f45247b99f7db9696fffa17cbx9'

# specify zone ID from Account Home > Select Domain > Select Zone ID from API Section on bottom right
export CLOUDFLARE_ZONE_ID='81b06ss3228f488fh84e5e993c2dc17'

# now call cf-terraforming, from terraform folder
cf-terraforming generate \
  --resource-type "cloudflare_dns_record" \
  --zone $CLOUDFLARE_ZONE_ID

|- Alternately, can use config file:

# cat .cf-terraforming.yaml
email: "[email protected]"
key: "<key>"
#or
token: "<token>"

Then, save generated records to .tf file. But these records haven't become terraform state yet. Follow next step to import them.

Import records into terraform state

cf-terraforming import \
  --resource-type "cloudflare_record" \
  --zone $CLOUDFLARE_ZONE_ID

Above commands will generate a list of terraform import commands. Then copy them and paste to run the generated terraform import commands
After that check state list using: terraform state list

Terraform

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

provider "cloudflare" {
  api_token = "$api-token"
}

variable "zone_id" {
  default = "$zone-id"
}

resource "cloudflare_dns_record" "www" {
  name    = "www"
  proxied = true
  ttl     = 1
  type    = "A"
  value   = "$ipaddress"
  zone_id = var.zone_id
}

terraform plan [-out=$filename]: to dry run
TF_LOG=DEBUG terraform plan: dry run with debug log
terraform apply [$filename - from terraform plan]: to apply

Using Environment Variable as Variable

Define env variable with TF_VAR Prefix: export TF_VAR_api_token="Token"
- Terraform will automatically recognize TF_VAR_api_token as the value for the api_token variable.
Define Variable in Terraform file: variables.tf

variable "api_token" {
  type = string
}

Use variable in terraform code

provider "cloudflare" {
  api_token = var.api_token
}

Another way to use env variable

This method allows Terraform to read any environment variable, even if it doesn’t follow the TF_VAR_ naming convention.

# below code will generate a json dictionary api_token: value
data "external" "env" {
  program = [
    "bash", 
    "-c", 
    "echo '{\"api_token\": \"'$CLOUDFLARE_API_TOKEN'\", \"zone_id\": \"'$CLOUDFLARE_ZONE_ID'\"}'"
  ]
}

output "api_token" {
  value = data.external.env.result["api_token"]
}

Another way:

# Create get_env.sh
#!/bin/bash
echo '{
  "api_token": "'"$CLOUDFLARE_API_TOKEN"'",
  "zone_id": "'"$CLOUDFLARE_ZONE_ID"'"
}'

# Use in terraform 
data "external" "env" {
  program = ["bash", "${path.module}/get_env.sh"]
}

Remove Terraform State

terraform state list
terraform state rm $resource_address
rm -rf terraform.tfstate terraform.tfstate.backup: reset terraform state completely
terraform init: reinitialize terraform which make it lose track of all existing resources

Revert to a previous state

copy terraform.tfstate.backup terraform.tfstate
terraform refresh

Compare terraform state

terraform show -json terraform.tfstate > current_state.json
terraform show -json terraform.tfstate.backup > backup_state.json
diff -u backup_state.json current_state.json
or sort keys to ensure consistent ordering before comparing

jq --sort-keys . backup_state.json > sorted_backup.json
jq --sort-keys . current_state.json > sorted_current.json
diff -u sorted_backup.json sorted_current.json

Check differences in terraform state list

terraform state list > current_resources.txt
terraform state list -state=terraform.tfstate.backup > backup_resources.txt
diff -u backup_resources.txt current_resources.txt

Troubleshooting Terraform

Fixing Existing Records

Rename resource in terraform state

terraform state mv cloudflare_record.terraform_managed_resource_ad1bc14241c6e688af36a14842c1d83a cloudflare_record.routerlocal
then, terraform apply

Importing Existing Record

terraform import cloudflare_record.routerlocal $zone_id/$record_id: import to terraform local state, order is $localname $zoneid/$remotename

Allow Overwriting

resource "cloudflare_record" "routerlocal" {
  name    = "routerlocal"
  proxied = false
  ttl     = 1
  type    = "A"
  value   = "192.168.3.1"
  zone_id = data.external.env.result["zone_id"]
  allow_overwrite = true
}

Cloudflare Zero Trust Tunnel

Exporting Tunnel

Define Terraform Config main.tf

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 5.0"
    }
  }
}

data "external" "env" {
  program = [
    "bash",
    "-c",
  "echo '{\"api_token\": \"'$CLOUDFLARE_API_TOKEN'\", \"account_id\": \"'$CLOUDFLARE_ACCOUNT_ID'\"}'"]
}

provider "cloudflare" {
  #   api_token = var.cloudflare_api_token
  api_token = data.external.env.result["api_token"]
}

Generate Terraform Config

cf-terraforming generate \
  --resource-type "cloudflare_zero_trust_tunnel_cloudflared"

Then copy generated config to terraform main.tf file above

#### omitted config ####
resource "cloudflare_zero_trust_tunnel_cloudflared" "terraform_managed_resource_0a2e959f-06" {
  account_id = "5edbee2d271d7a12"
  name       = "Tunnel 1"
}

resource "cloudflare_zero_trust_tunnel_cloudflared" "terraform_managed_resource_2599d24a-ca" {
  account_id = "5edbee2d271d7a12"
  name       = "Tunnel 2"
}

Import Tunnel Config into Terraform State

# Generate Import commands
cf-terraforming import \
  --resource-type "cloudflare_zero_trust_tunnel_cloudflared"

Then copy the terraform import command of the tunnel to be imported, then paste and run it

Reference

https://www.youtube.com/watch?v=FmYvrxYvBP0&t=3s
https://github.com/cloudflare/cf-terraforming
https://blog.cloudflare.com/getting-started-with-terraform-and-cloudflare-part-1/

PreviousAWS NextTerraform

Last updated 8 months ago

hashtagcf-terraform

hashtagCloudflare DNS

hashtagExport records from cloudflare

hashtagImport records into terraform state

hashtagTerraform

hashtagUsing Environment Variable as Variable

hashtagAnother way to use env variable

hashtagRemove Terraform State

hashtagRevert to a previous state

hashtagCompare terraform state

hashtagCheck differences in terraform state list

hashtagTroubleshooting Terraform

hashtagFixing Existing Records

hashtagRename resource in terraform state

hashtagImporting Existing Record

hashtagAllow Overwriting

hashtagCloudflare Zero Trust Tunnel

hashtagExporting Tunnel

hashtagReference