Terraform can manage Cloudflare resources, but it’s not just about creating DNS records; it’s a powerful way to treat your entire Cloudflare configuration as code, enabling version control, collaboration, and automated deployments.

Let’s see it in action. Imagine you want to set up a new website with Cloudflare. You’ll need a zone (your domain), some DNS records, and potentially some security features like a firewall rule.

Here’s a simplified Terraform configuration to get you started:

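# Declare the provider source; Terraform 0.13+ would otherwise look for hashicorp/cloudflare
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0" # Assumed: the resources below use the 4.x provider schema
    }
  }
}

# Configure the Cloudflare provider
provider "cloudflare" {
  # Placeholder. Because main.tf is version-controlled, prefer omitting this argument
  # and exporting CLOUDFLARE_API_TOKEN, which the provider reads from the environment.
  api_token = "YOUR_CLOUDFLARE_API_TOKEN" # Get this from your Cloudflare API Tokens page
}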

# Create a new zone (if you don't have one already)
resource "cloudflare_zone" "example_domain" {
  zone       = "example.com" # Replace with your actual domain
  account_id = "YOUR_CLOUDFLARE_ACCOUNT_ID" # Find this in your Cloudflare dashboard under Account Home
}

# Add an A record pointing to your server's IP
resource "cloudflare_record" "www" {
  zone_id = cloudflare_zone.example_domain.id
  name    = "www"
  value   = "192.0.2.1" # Replace with your server's IP address
  type    = "A"
  ttl     = 1 # Automatic; Cloudflare requires ttl = 1 when proxied = true
  proxied = true # Enable Cloudflare's proxy for performance and security
}

# Add a CNAME record for the root domain, pointing to www
resource "cloudflare_record" "root" {
  zone_id = cloudflare_zone.example_domain.id
  name    = "@" # Represents the root domain
  value   = "www.example.com"
  type    = "CNAME"
  ttl     = 1 # Automatic; Cloudflare requires ttl = 1 when proxied = true
  proxied = true
}

# Create a basic firewall rule to block common malicious bots
resource "cloudflare_filter" "block_bad_bots" {
  zone_id     = cloudflare_zone.example_domain.id
  description = "Block known malicious bots"
  expression  = "(cf.threat_score > 10) or (http.user_agent contains \"BadBot\")"
}

resource "cloudflare_firewall_rule" "block_bad_bots_rule" {
  zone_id     = cloudflare_zone.example_domain.id
  description = "Block known malicious bots"
  action      = "block"
  filter_id   = cloudflare_filter.block_bad_bots.id
}

To use this, you’d first install Terraform, then save the code above as main.tf. You’d replace the placeholders with your actual Cloudflare API token, account ID, and domain.

Run terraform init in the directory where you saved main.tf. This downloads the necessary Cloudflare provider. Then, terraform plan will show you exactly what changes Terraform intends to make to your Cloudflare configuration. Finally, terraform apply will execute those changes, creating the zone, DNS records, and firewall rule in your Cloudflare account.
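An added example, not part of the original page or of the provider's tooling: a small review gate over the JSON form of the plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) that flags changes which weaken the configuration above. The function name, the finding wording and the sample plan are constructed for illustration.

```python
import json

# Resource types used on this page whose removal drops a protection from the zone.
SECURITY_TYPES = {"cloudflare_filter", "cloudflare_firewall_rule"}

def review_plan(plan):
    """Return findings for a plan exported with `terraform show -json`."""
    findings = []
    for rc in plan.get("resource_changes", []):
        addr, rtype, change = rc["address"], rc["type"], rc["change"]
        actions = set(change["actions"])
        before = change.get("before") or {}   # null when the resource is created
        after = change.get("after") or {}     # null when the resource is deleted
        # A replacement is reported as delete+create, so it is caught here too.
        if rtype in SECURITY_TYPES and "delete" in actions:
            findings.append(f"{addr}: security resource deleted or replaced")
        if rtype == "cloudflare_firewall_rule" and actions == {"update"}:
            if before.get("action") == "block" and after.get("action") != "block":
                findings.append(f"{addr}: action weakened from block to {after.get('action')}")
        if rtype == "cloudflare_record" and actions & {"create", "update"}:
            if after.get("type") in ("A", "AAAA", "CNAME") and not after.get("proxied"):
                findings.append(f"{addr}: not proxied, DNS will publish the origin address")
    return findings

# Constructed sample in the plan JSON layout; not output from a real run.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "cloudflare_record.www", "type": "cloudflare_record",
   "change": {"actions": ["update"],
              "before": {"type": "A", "proxied": true},
              "after":  {"type": "A", "proxied": false}}},
  {"address": "cloudflare_record.root", "type": "cloudflare_record",
   "change": {"actions": ["no-op"],
              "before": {"type": "CNAME", "proxied": true},
              "after":  {"type": "CNAME", "proxied": true}}},
  {"address": "cloudflare_firewall_rule.block_bad_bots_rule",
   "type": "cloudflare_firewall_rule",
   "change": {"actions": ["delete"], "before": {"action": "block"}, "after": null}}
]}
""")

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_PLAN):
        print("REVIEW:", finding)
```

In a pipeline, a non-empty result would hold the change for human review before terraform apply runs.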

The problem this solves is the manual, error-prone process of configuring Cloudflare. Instead of clicking through the dashboard, you have a declarative configuration that’s version-controlled. You can easily replicate your Cloudflare setup across different accounts or environments, track who changed what and when, and even roll back changes if something goes wrong.

Internally, the Terraform Cloudflare provider uses the Cloudflare API. When you run terraform apply, Terraform makes API calls to Cloudflare to create, update, or delete resources based on your main.tf file. It keeps track of the resources it manages in a state file, so it knows what’s already deployed and what needs to be changed.

The levers you control are the resource types available in the Cloudflare provider. These map directly to Cloudflare features: cloudflare_zone for domains, cloudflare_record for DNS, cloudflare_firewall_rule for security, cloudflare_workers_script for serverless functions, cloudflare_spectrum_application for advanced TCP/UDP proxying, and many more. You define the desired state of these resources in your .tf files, and Terraform handles the API interactions to achieve that state.

Many users focus on DNS records, but the real power lies in managing Cloudflare’s edge security and performance features as code. For instance, you can define cloudflare_spectrum_application resources to manage custom TCP/UDP proxying for non-HTTP traffic, specifying load balancing methods, origin settings, and SSL/TLS profiles. This allows you to automate the configuration of advanced network services that are typically only accessible via the Cloudflare dashboard, bringing consistency and auditability to even complex network setups.

The next concept you’ll likely explore is managing Cloudflare Workers, Cloudflare’s serverless compute platform, using Terraform.
