Set up a new domain name on CloudFlare. Previously I used GoDaddy for all my DNS needs, but they lack a Terraform provider, so I have been, let’s just say, less than satisfied with the arrangement.

Set Up the Terraform Provider

CloudFlare appears to have a rather mature Terraform provider. It is published in the official HashiCorp Terraform registry.

https://registry.terraform.io/providers/cloudflare/cloudflare/latest

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.46.0"
    }
  }
}

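# The token comes in as an input variable; marking it sensitive
# keeps its value out of plan and apply output.
variable "cloudflare_api_token" {
  type      = string
  sensitive = true
}

provider "cloudflare" {
  api_token = var.cloudflare_api_token
}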

Get an API Token

Now let’s go get that API Token. The menu you need is a bit out of the way. It’s way down at the bottom of the left-hand navigation.

Under Manage Account, select the “Account API Tokens” menu item.

Once you click “Create Token” you’ll be greeted by what appears to be a collection of templates to choose from to make things easier on you. Or if you wanna roll your own you can go with “Custom token” way down at the bottom. Since this is my first rodeo, I think I’ll stick with “Edit Zone DNS”.

I like how I can grant specific permissions to control only specific DNS names. Very nice application of the “Principle of Least Privilege”.

I’ve selected my new domain “qonq.io”. I don’t think I want to set up Client IP Address filtering because I plan on running this from GitHub Actions.

Now just one more button smash and I think we’re done.

I’ve hidden the scary bits so you can rock my world (that would be very rude of you — and quite foolish of me!).

Set Up a Secret in GitHub Actions

Now I just drop this little buddy into my GitHub Actions Secrets for the GitHub repository I am using for the CloudFlare Terraform workspace.

It looks like I can tell the CloudFlare Terraform provider about this using an environment variable.

api_token (String) The API Token for operations. Alternatively, can be configured using the CLOUDFLARE_API_TOKEN environment variable. Must provide only one of api_key, api_token, api_user_service_key.

I updated the provider configuration to drop the attribute in code.

terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.46.0"
    }
  }
}

provider "cloudflare" {
}

Now I can just set an environment variable for CLOUDFLARE_API_TOKEN and be off to the races!
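
One way to wire the secret into that environment variable from a workflow, as an added example that is not from the original post. The workflow path, the job layout and the secret name CLOUDFLARE_API_TOKEN are assumptions, and it assumes Terraform state lives in a remote backend configured elsewhere.

```yaml
# .github/workflows/terraform.yml  (path, names and triggers are assumptions)
name: cloudflare-dns

on:
  pull_request:
  push:
    branches: [main]

# Least privilege for the workflow's own GITHUB_TOKEN: read-only checkout.
permissions:
  contents: read

jobs:
  terraform:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: hashicorp/setup-terraform@v3

      # init and validate do not call the Cloudflare API, so the token
      # is not exposed to these steps.
      - run: terraform init -input=false
      - run: terraform validate

      # The secret is mapped to the variable the provider reads, and only
      # on the steps that talk to Cloudflare. Repository secrets are not
      # passed to pull requests from forks, so plan has no token on those runs.
      - name: Plan
        run: terraform plan -input=false -out=tfplan
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}

      # Apply exactly the plan produced above, and only for pushes to main.
      - name: Apply (main branch only)
        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
        run: terraform apply -input=false tfplan
        env:
          CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
```

Scoping `env` to individual steps rather than the whole job keeps the token away from the checkout and setup actions, which never need it.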

Reference the Existing Zone

Now we need to get a reference to my existing zone:

data "cloudflare_zone" "main" {
  name = "qonq.io"
}

Let’s start small and build from here. Sometimes kicking the tires on an initial resource like this can be good just to verify connectivity with the external system.

It runs in the blink of an eye. So much so I decide to drop into terraform console to double check.

Now that we have verified connectivity to CloudFlare we are ready to start setting up our first DNS records!

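resource "cloudflare_record" "example" {
  # Use the zone looked up by the cloudflare_zone data source above
  # instead of an undeclared variable.
  zone_id = data.cloudflare_zone.main.id
  name    = "terraform"
  content = "192.0.2.1"
  type    = "A"
  ttl     = 3600
}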

Resources can be added / managed pretty easily using the cloudflare_record resource. Just be careful not to get confused by the 5.x alpha doppelganger cloudflare_dns_record. It can be very confusing if you happen to stumble onto the “latest” provider documentation for CloudFlare!