The background
Terraform is an infrastructure-as-code (IaC) software tool by HashiCorp, which had a recent license change[1]. Cloudflare is a company providing multiple network- and security-related services. We had multiple records configured on Cloudflare DNS for a domain that we've set up partially[2]. These records were configured via the Cloudflare dashboard. Adhering to IaC practices, we wanted to begin managing these records with Terraform. However, Terraform can only manage configuration it created or was explicitly told about after the fact, because it expects to be authoritative for the resources it manages. To understand what resources it controls and what state they are in, it relies on two types of files:
A configuration file (ending in .tf) that defines the configuration of resources for Terraform to manage.
A state file that maps the resource names defined in the configuration file to the actual (existing) resources.
The following goes through the steps involved in importing existing DNS record resources for Terraform to manage.
The process of importing resources
First, we need to have the Terraform configuration file defined with the provider block as follows.
provider "cloudflare" {
  # Cloudflare email saved in $CLOUDFLARE_EMAIL
  # Cloudflare API token saved in $CLOUDFLARE_API_TOKEN
}
Second, to assist in creating Terraform configuration for the DNS records we want to manage, we can use the cf-terraforming tool provided[3] by Cloudflare.
The command below generates the Terraform configuration. Note the redirection of stdout to a file.
cf-terraforming generate \
--email $CLOUDFLARE_EMAIL \
--token $CLOUDFLARE_API_TOKEN \
--zone $CLOUDFLARE_ZONE_ID \
--resource-type cloudflare_record \
> cloudflare-records.tf
Call terraform plan? Not yet. While we have the configuration sitting locally, the Terraform state file does not yet contain the resources it describes. So, we need to import the real state of these resources into the Terraform state file.
The command below outputs the commands for importing the relevant resources into the Terraform state file.
cf-terraforming import \
--resource-type "cloudflare_record" \
--email $CLOUDFLARE_EMAIL \
--key $CLOUDFLARE_API_KEY \
--zone $CLOUDFLARE_ZONE_ID \
> import-commands.sh
Note that we’ve redirected stdout above to a file with the extension .sh. If we don’t need any exceptions when importing Cloudflare records, we can execute the commands (of course, after inspecting the file) by making the file executable, passing it directly to a compatible shell, or any other way of executing a list of commands from a file.
Once that is completed, the Terraform state file will be updated with new information on the relevant resources. We can then begin managing these with IaC best practices.
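The import file is a list of shell commands, so the inspection mentioned above can be made mechanical. The following is an added example, not from the original post or from cf-terraforming: a hypothetical check_import_commands function that accepts the file only if every line is a plain terraform import of a cloudflare_record in the expected zone. The line format and the 32-character hex ID shape are assumptions about cf-terraforming's output.

```shell
#!/bin/sh
# Added example, not cf-terraforming's own code.
# Assumption: every generated line looks like
#   terraform import cloudflare_record.<name> <zone_id>/<record_id>
# with Cloudflare's 32-character lowercase hex zone and record IDs.

# check_import_commands FILE ZONE_ID
# Returns 0 only if FILE holds nothing but such lines for ZONE_ID.
check_import_commands() {
    f=$1
    z=$2
    # The zone ID goes into a regex, so require the exact ID shape first.
    printf '%s\n' "$z" | grep -Eq '^[0-9a-f]{32}$' || {
        echo "zone ID is not 32 hex characters" >&2
        return 2
    }
    pat="^terraform import cloudflare_record\.[A-Za-z0-9_-]+ ${z}/[0-9a-f]{32}\$"
    # -v with two -e patterns: lines that are neither an expected
    # import command nor blank. -n reports their line numbers.
    bad=$(grep -Evn -e "$pat" -e '^[[:space:]]*$' "$f" || true)
    if [ -n "$bad" ]; then
        echo "unexpected lines in $f:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    # An empty or unreadable file is also a failure, not a pass.
    grep -Eq "$pat" "$f" 2>/dev/null || {
        echo "no import commands found in $f" >&2
        return 1
    }
}

# Constructed sample (made-up IDs): one expected line, one that is not.
demo=$(mktemp)
cat > "$demo" <<'EOF'
terraform import cloudflare_record.terraform_managed_resource_fedcba9876543210fedcba9876543210 0123456789abcdef0123456789abcdef/fedcba9876543210fedcba9876543210
terraform destroy -auto-approve
EOF
check_import_commands "$demo" 0123456789abcdef0123456789abcdef \
    || echo "refusing to run $demo"
rm -f "$demo"
```

Used as `check_import_commands import-commands.sh "$CLOUDFLARE_ZONE_ID" && sh import-commands.sh`, the imports only run when the file passes the check.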
[1] Switched from the MPL v2 license to a “Business Source License” (BSL); see https://www.hashicorp.com/license-faq#aug-10-announcement and https://opentofu.org/blog/opentofu-announces-fork-of-terraform/
[2] https://developers.cloudflare.com/dns/zone-setups/partial-setup/