This issue was originally opened by @JorritSalverda as hashicorp/terraform#2551. It was migrated here as part of the provider split. The original body of the issue is below.

In a CloudFlare multi-user organizational account no single user owns the data, but only has access rights to it, while it's owned by the organization. This causes zones seemingly not to exist when you try to add a record using one of the users and their api key.

The old api (https://www.cloudflare.com/docs/client-api.html) does not support the multi-user model, where the new one (https://api.cloudflare.com/) does.

I see the https://github.com/pearkes/cloudflare/ provider still uses the old api. Should I raise this issue with pearkes?

Terraform Version: 0.9.8
Host OS: Windows 7 SP1 x64

Affected Resources: cloudflare_record

I try to create several DNS records. Terraform irregularly fails with the TLS handshake timeout error, the list of affected resources is always different.
Example of error message:

Error refreshing state: 7 error(s) occurred:

* cloudflare_record.ajaxhttpheaders: 1 error(s) occurred:

* cloudflare_record.ajaxhttpheaders: cloudflare_record.ajaxhttpheaders: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.website: 1 error(s) occurred:

* cloudflare_record.website: cloudflare_record.website: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.mail: 1 error(s) occurred:

* cloudflare_record.mail: cloudflare_record.mail: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.yandex_mail_verification: 1 error(s) occurred:

* cloudflare_record.yandex_mail_verification: cloudflare_record.yandex_mail_verification: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.artifactory: 1 error(s) occurred:

* cloudflare_record.artifactory: cloudflare_record.artifactory: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.yandex_mail_dkim: 1 error(s) occurred:

* cloudflare_record.yandex_mail_dkim: cloudflare_record.yandex_mail_dkim: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout
* cloudflare_record.google_verification: 1 error(s) occurred:

* cloudflare_record.google_verification: cloudflare_record.google_verification: Error finding zone "fidata.org": ListZones command failed: error from makeRequest: HTTP request failed: Get https://api.cloudflare.com/client/v4/zones?name=fidata.org: net/http: TLS handshake timeout

Whenever I get this error I try to manually delete records from Cloudflare and from tfstate file. Sometimes it helps, sometimes not. Sometimes the problem disappears by itself. So, I'm not sure this is a workaround.

Terraform configuration file and debug output: https://gist.github.com/grv87/905a43851000200c1872fe6ce952cd1f
Note that terraform runs under Gradle, so there is extra output from Gradle. I hope that doesn't confuse you.

Terraform Version

v0.11.7

Affected Resource(s)

• cloudflare_record

Terraform Configuration Files

resource "cloudflare_record" "www-a" {
  domain  = "example.org"
  name    = "www"
  type    = "A"
  value   = "1.2.3.4"
  ttl     = 1
  proxied = "false"
}

Expected Behavior

Toggling proxied from true to false should disable the proxied state of the DNS record.

Actual Behavior

The changes are reported to be applied successfully, but the record stays proxied at Cloudflare, running terraform again also tries to apply changes again. Setting an unproxied record to proxied works, disabling it does not. Both work with provider version 1.0.0, but setting to false doesn't with 1.1.0.

This issue was originally opened by @mwarkentin as hashicorp/terraform#11219. It was migrated here as part of the provider split. The original body of the issue is below.

Terraform Version

All.

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_record

Expected Behavior

Terraform supports import of existing cloudflare records into state.

Important Factoids

Need to determine how the record would be referenced:

• Record ID
• Full DNS name (may be ambiguous as you could have multiple types of records for the same domain)

References

First reported in hashicorp/terraform#3715 but closed as terraform import wasn't a thing.

Any possibility that the functionality to setup page rules could be implemented.

DNS Firewall support is already in cloudflare-go, under the name "virtualdns" (what we used to call the product): https://github.com/cloudflare/cloudflare-go/blob/master/virtualdns.go.

Like Load Balancers, DNS Firewall operates at both the organization and user level:

• https://api.cloudflare.com/#virtual-dns-users--properties
• https://api.cloudflare.com/#virtual-dns-organizations--properties

Terraform Version

Terraform v0.11.7
+ provider.cloudflare v1.1.0

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_zone_settings_override

Terraform Configuration Files

resource "cloudflare_zone_settings_override" "flexible_ssl" {
  name = "${var.zone}"

  settings {
    ssl = "flexible"
    security_level = "off_enterprise"
  }
}

Expected Behavior

When I enter "off_enterprise" as a value for security_level, which is available for enterprise accounts, this should be accepted as a valid value.

Actual Behavior

Terraform failed with the following output:

Error: cloudflare_zone_settings_override.flexible_ssl: expected settings.0.security_level to be one of [essentially_off low medium high under_attack], got off_enterprise

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan

Important Factoids

The account in question is an Enterprise account.

Terraform Version

Terraform v0.11.7
+ provider.cloudflare v1.0.0

Affected Resource(s)

• cloudflare_load_balancer_monitor
• cloudflare_load_balancer_pool

Terraform Configuration Files

provider "cloudflare" {
  # export CLOUDFLARE_EMAIL=
  # export CLOUDFLARE_TOKEN=
  org_id = "${var.cloudflare_organization_id}"
}

Debug Output

Panic Output

Expected Behavior

it should fetch pools and monitors successfully for an organization

Actual Behavior

it responses 403

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan

Important Factoids

the underlying SDK call deprecated api and so it responses 403.
terraform-provider-cloudflare may need re-compile and new version after cloudflare/cloudflare-go#197 is fixed?

References

• cloudflare/cloudflare-go#197

Thanks for all the recent progress on this provider! Is it possible to get CreateZone added in or is there a technical challenge with it?

Hi, I'm trying to use cloudflare records with terraform but I'm having a issue with SRV records in weight

Terraform Version

Terraform v0.11.7

Affected Resource(s)

• cloudflare_record (SRV)

Terraform Configuration Files

resource "cloudflare_record" "_sipfederationtls_tcp_SRV" {
  domain = "${var.cloudflare_domain}"
  name   = "_sipfederationtls._tcp.${var.cloudflare_domain}"
  type   = "SRV"


  data = {
    service  = "_sipfederationtls"
    proto    = "_tcp"
    name     = "${var.cloudflare_domain}."
    priority = 100
    weight   = 1
    port     = 443
    target   = "sipfed.online.lync.com."
  }
}

Debug Output

The thing is that I'm getting a error validating the DNS, the response from the cloudflare API:

https://gist.github.com/xabim/807230a41aaceb2699d426d1f9b8e88a

Expected Behavior

Create SRV records

Actual Behavior

It doesn't create the record

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan
2. terraform apply

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please
upgrade because your issue may have already been fixed.

$ terraform -v
Terraform v0.10.0

Affected Resource(s)

Please list the resources as a list, for example:

• opc_instance
• opc_storage_volume

It's not a resource, it's the provider config.

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

# The current version
provider "cloudflare" {
  email = "[email protected]"
  token = "this is obviously fake"
}

# My preferred version
provider "cloudflare" {
  credentials = {
    email = "[email protected]"
    token = "this is obviously fake"
  }
}

# What I want in my config
provider "cloudflare" {
  credentials = "${file('~/.config/cloudflare/credentials.json')}"
}

Debug Output

Please provider a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?

I'd like to be able to have dynamic CloudFlare credentials. So far, loading them via reading a file
has not worked, as it appends a "\n" to the end of the strings on systems/editors that do such.

Actual Behavior

What actually happened?

Not relevant.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Not relevant.

Important Factoids

Are there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

• GH-1234

No.

Hi there,

It would be good if the Cloudflare Terraform resource supported Cloudflare Access, including the new IP policy options as well.

Terraform Version
$ terraform -v
Terraform v0.11.7

Affected Resource(s)
New resource(s) needed for Cloudflare Access.

Expected Behavior
Terraform provisions a Cloudflare Access policy resource.

Actual Behavior
Not supported yet.

References
https://developers.cloudflare.com/access/setting-up-access/securing-applications/

This issue was originally opened by @omarabid as hashicorp/terraform#9040. It was migrated here as part of the provider split. The original body of the issue is below.

This is not a bug report but rather a feature request. The cloudflare API currently supports only the "Record" resource. The GO API Library has many other features, though.

https://godoc.org/github.com/cloudflare/cloudflare-go

Any chances of getting some of these into the Cloudflare Provider?

Hello,

I'm attempting to import some existing organization wide load balancer pools and monitors. I've gone ahead and fetched the appropriate ids using the Cloudflare api.

I successfully made requests to the following api endpoints in order to get the ids.
https://api.cloudflare.com/client/v4/organizations/<organization_id>/load_balancers/monitors
https://api.cloudflare.com/client/v4/organizations/<organization_id>/load_balancers/pools

The importing state documentation doesn't contain any examples on how to import organization wide resources but I would assume that the correct approach here is just to disregard the zone name.

My attempts to import these resources looked like this:
terraform import cloudflare_load_balancer_monitor.<name> <id>

Unfortunately, I'm provided with the following error if I try this:

* import cloudflare_load_balancer_monitor.healthy result: <id>: import cloudflare_load_balancer_monitor.<name> (id: <id>): Terraform detected a resource with this ID doesn't
exist. Please verify the ID is correct. You cannot import non-existent
resources using Terraform import.

I've double checked that I'm using the correct ids for the resources. Is the import functionality supported for these resources? If so, what is the correct approach here?

Note that I've been able to successfully import other zone specific resources like records and page rules just fine.

I've also attempted to create new load balancer pool resources but have had my efforts blocked because of issue #54

Terraform Version

Terraform v0.11.7

Affected Resource(s)

• cloudflare_load_balancer_monitor
• cloudflare_load_balancer_pool

This issue was originally opened by @abacao as hashicorp/terraform#17948. It was migrated here as a result of the provider split. The original body of the issue is below.

I'm able to set all the DNS entries just fine but when I'm trying to provision the Load Balancer as shown in the examples pages:
https://www.terraform.io/docs/providers/cloudflare/r/load_balancer.html
and
https://www.terraform.io/docs/providers/cloudflare/r/load_balancer_pool.html

What I get is this:

• cloudflare_load_balancer_pool.foo: 1 error(s) occurred:

• cloudflare_load_balancer_pool.foo: error creating load balancer pool: error from makeRequest: HTTP status 400: content "{\n "result": null,\n "success": false,\n "errors": [\n {\n "code": 1002,\n "message": "the origin list length must be in range [1, 0]: validation failed"\n }\n ],\n "messages": []\n}\n"

From the example, I have only changed the zone name to correspond my own.
The output message is not helping me to figure it out either.

the complete tf file is this:
`
resource "cloudflare_load_balancer" "bar" {
zone = "example.com"
name = "example-load-balancer"
fallback_pool_id = "${cloudflare_load_balancer_pool.foo.id}"
default_pool_ids = ["${cloudflare_load_balancer_pool.foo.id}"]
description = "example load balancer using geo-balancing"
proxied = true
pop_pools {
pop = "LAX"
pool_ids = ["${cloudflare_load_balancer_pool.foo.id}"]
}
region_pools {
region = "WNAM"
pool_ids = ["${cloudflare_load_balancer_pool.foo.id}"]
}
}

resource "cloudflare_load_balancer_pool" "foo" {
name = "example-lb-pool"
origins {
name = "example-1"
address = "192.0.2.1"
enabled = false
}
}
`

PS - the terraform plan runs OK, it's only when applying that the $*** hits the fan...

terraform-provider-cloudflare v1.0.0

resource "cloudflare_page_rule" "testing123" {
  zone = "domain.com
  target = "http://testing123.domain.com/*"
  priority = 3
  actions = {
    forwarding_url = {
      url = "http://http.invalid/"
      status_code = "302"
    }
  }
  status = "paused"
}

terraform apply
...
1 error(s) occurred:

* cloudflare_page_rule.testing123: 1 error(s) occurred:

* cloudflare_page_rule.testing123: Failed to create page rule: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":1004,\"message\":\"Page Rule validation failed: See messages for details.\"}],\"messages\":[{\"code\":1,\"message\":\".status: Invalid page rule status\",\"type\":null}],\"result\":null}"

This is because the status for page rules should be active or disabled (not paused).

It seems like it hasn't been implemented but it's in cloudflare-go
https://github.com/cloudflare/cloudflare-go/blob/master/firewall.go

tl;dr; attempting to create a resource that already exists should be treated as success and information loaded into state.

Terraform Version

Version: 0.9.8

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_record

Terraform Configuration Files

provider "cloudflare" {
  email = "${var.cloudflare_email}"
  token = "${var.cloudflare_token}"
}

resource "cloudflare_record" "foobar" {
  domain = "example"
  name   = "terraform"
  value  = "192.168.0.11"
  type   = "A"
  ttl    = 3600
  priority = 50
  proxied = false
}

Expected Behavior

If the DNS record already exists and matches what is defined in the TF configuration, attempting to create via Terraform should (I believe) consider it existing as success and import attributes about the record into the state.

This is also important because the cloudflare_record resource does not support importing existing records. So to move from managing via Cloudflare directly to managing via Terraform requires deleting records in Cloudflare and then recreating via Terraform which could cause downtime.

Actual Behavior

Terraform errors that it cannot create the record.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Create DNS entry directly in Cloudflare
2. Attempt to create it via Terraform by updating config above and running terraform apply

Is there a new release planned to this module?

I'm asking that because @brunopadz and I want to use the updates from https://github.com/terraform-providers/terraform-provider-cloudflare/pull/83 but when we run terraform init we get the same release from April 6 (https://github.com/terraform-providers/terraform-provider-cloudflare/releases/tag/v1.0.0)

Hello,
I am having an issue with this terraform provider, due to the rate limit in the CloudFlare API.

CloudFlare limits API requests to 1200 requests in 300 seconds.
https://support.cloudflare.com/hc/en-us/articles/200171456-How-many-API-calls-can-I-make-

grep resource foo.bar.tf | wc -l
615

Terraform Version

$ terraform -v
Terraform v0.10.7

Panic Output

* cloudflare_record.foo: cloudflare_record.foo: Error finding zone "foo.bar": ListZones command 
failed: error from makeRequest: HTTP status 429: content "{\"success\":false,\"errors\":[{\"code\":10100,\"message\":\"More than 1200 requests per 300 seconds
 reached. Please wait and consider throttling your request speed\"}],\"messages\":[],\"result\":null}"

Expected Behavior

terraform plan should not crash

Actual Behavior

terraform plan crashes due to the rate limit in the CloudFlare API

Steps to Reproduce

terraform plan

References

https://support.cloudflare.com/hc/en-us/articles/200171456-How-many-API-calls-can-I-make-

Would like to put in a request for destroy protection, similar to terraform Fastly's.

Feature request: Validation of TXT contents.

Reproduce an error with, eg. creating the following cloudflare record:

resource "cloudflare_record" "bad_txt_record" {
	domain = "example.com"
	name = "example"
	type = "TXT"
	value = "\n"
}

You will get the error:

Failed to create record: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":1004,\"message\":\"DNS Validation Error\",\"error_chain\":[{\"code\":9051,\"message\":\"Invalid TXT record. Record may only contain printable ASCII!\"}]}],\"messages\":[],\"result\":null}" 

This issue was originally opened by @jleclanche as hashicorp/terraform#13068. It was migrated here as part of the provider split. The original body of the issue is below.

Terraform 0.9.1, recently upgraded from 0.8 to the new backend system to the new backend system (I was using an s3 remote state before).

I have the following record:

resource "cloudflare_record" "uploads-db" {
	domain = "example.com"
	name = "uploads-db"
	type = "CNAME"
	value = "${aws_db_instance.uploads-db.address}"
	proxied = false
}

I've had this record for a while, but now after the upgrade every time I do terraform plan, I get the following error:

Error refreshing state: 1 error(s) occurred:
2017/03/25 17:22:34 [DEBUG] plugin: terraform: local-exec-provisioner (internal) 2017/03/25 17:22:34 [DEBUG] plugin: waiting for all plugin processes to complete...
2017/03/25 17:22:34 [DEBUG] plugin: terraform: aws-provider (internal) 2017/03/25 17:22:34 [DEBUG] plugin: waiting for all plugin processes to complete...

* cloudflare_record.uploads-db: cloudflare_record.uploads-db: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":1002,\"message\":\"Invalid dns record identifier\"}],\"messages\":[],\"result\":null}"

I tried deleting and even tainting the record, but it always gives me that error, rendering terraform completely unusable :(

Terraform Version

holms@debian ~/D/c/l/a/p/terraform> terraform -v
Terraform v0.11.7
+ provider.ansible v0.0.4
+ provider.aws v1.33.0
+ provider.cloudflare v1.2.0
+ provider.digitalocean v0.1.3
+ provider.mysql v1.1.0

Affected Resource(s)

• cloudflare_record

Terraform Configuration Files

resource "cloudflare_record" "swarm-lb" {
  domain = "whatever.io"
  name   = "*"
  value  = "${digitalocean_loadbalancer.public.ip}"
  type   = "A"
  ttl    = 1600
}

Expected Behavior

My case is when I'm included as a member of another account which has a dns zone with name "whatever.io" with status moved. I've added same zone in my account and initialized name server changes on that domain. I've left old zone on another account because I wanted to have a backup of all dns records, because when moving domain CF doesn't find all records automatically so wanted to have backup just in case.

After creating this record, I've noticed that nothing happened on my account whatever.io zone. I've expected to get wildcard record in there. Actually I've expected that records will be added on the zone which is active, not the one which is marked as "moved"

Actual Behavior

When launched terraform show it appears to be zone_id is from old account. All records appeared under old account dns zone. You seems to be didn't except to have multiple same named dns zones in CF did you :)?

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Create 2 accounts on CF
2. Add domain for the first one
3. Add domain for the second one with same name
4. Make second account member of the first one
5. terraform apply
6. Watch how your records appears on acc 1 rather than on acc 2

Actual Behavior

When adding a monitor to a pool that is currently being used. Terraform attempts to destroy and re-create the pool. This fails as the pool is being used by the Load Balancer.

Expected Behavior

The pool would be recreated, or if necessary the LB would be recomputed as neccesary to create all resources as modified.

`
Error: Error applying plan:

1 error(s) occurred:

• cloudflare_load_balancer_pool.gke_pool (destroy): 1 error(s) occurred:

• cloudflare_load_balancer_pool.gke_pool: error deleting CloudFlare Load Balancer Pool: error from makeRequest: HTTP status 412: content "{\n "result": null,\n "success": false,\n "errors": [\n {\n "code": 1005,\n "message": "This object is referenced by other objects, delete them first."\n }\n ],\n "messages": []\n}\n"
  `

Terraform Version

Terraform v0.11.7

• provider.azurerm v1.6.0
• provider.cloudflare v1.0.0
• provider.google v1.13.0
• provider.kubernetes v1.1.0

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_load_balancer_pool
• cloudflare_load_balancer

Hello,

Given the following tf config snippet:

resource "cloudflare_record" "mx" {
  domain   = "${var.domain}"
  name     = "${var.name}"
  value    = "mail.${var.domain}"
  type     = "MX"
  priority = 5
}

when I try to apply this I keep getting the following error:

Error: Error refreshing state: 1 error(s) occurred:

* cloudflare_record.mx: 1 error(s) occurred:

* cloudflare_record.mx: cloudflare_record.mx: error from makeRequest: HTTP status 400: content "{\"success\":false,\"errors\":[{\"code\":1002,\"message\":\"Invalid dns record identifier\"}],\"messages\":[],\"result\":null}"

For ${var.name} I have tried @, * & ${var.domain} but I continue to get the above error.

Any advice on how I could troubleshoot this issue?

Terraform Version

$ terraform -v
Terraform v0.11.1
+ provider.aws v1.12.0
+ provider.cloudflare v0.1.0

Your version of Terraform is out of date! The latest version
is 0.11.5. You can update by downloading from www.terraform.io/downloads.html

Affected Resource(s)

• cloudflare_record

Terraform Configuration Files

see above

Expected Behavior

Terraform creates a new DNS record

Actual Behavior

Terraform reports an API error no matter what value I try

Terraform Version

Terraform v0.11.7
+ provider.cloudflare v1.0.0

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_zone_settings_override

Terraform Configuration Files

resource "cloudflare_zone_settings_override" "example" {
    name = "example.com"
    settings {
      browser_cache_ttl = "0"
    }
}

Expected Behavior

When I entered "0" as a value for the browser_cache_ttl, which means "Respect Existing Headers", this should have been accepted as a valid value. This value is missing from Cloudflare's API docs, which I just reported to them and has been acknowledged. In my support ticket they replied "The value you need to use in this case is 0."

Actual Behavior

Terraform failed with the following output:

Error: cloudflare_zone_settings_override.example: expected "settings.0.bro
wser_cache_ttl" to be one of [30 60 300 1200 1800 3600 7200 10800 14400 18000 28
800 43200 57600 72000 86400 172800 259200 345600 432000 691200 1382400 2073600 2
678400 5356800 16070400 31536000], got 0

Command `terraform plan` failed. Exiting.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan

This issue was originally opened by @SystemZ as hashicorp/terraform#5732. It was migrated here as part of the provider split. The original body of the issue is below.

I'm trying to add SRV record but there is an error with cloudflare API

Error applying plan:

1 error(s) occurred:

* cloudflare_record.ts3_official: Failed to create CloudFlare Record: API Error: Invalid service value.

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Version

systemz@pc:~/Project/Infra/$ terraform -v
Terraform v0.6.13

Configuration for this SRV

resource "cloudflare_record" "ts3_official" {
    domain = "${var.cloudflare_domain}"
    name = "_ts3._udp.example.com."
    value = "0 0 9987 ts3.example.com."
    type = "SRV"
    ttl = 300
}

Currently, valid types are "A", "AAAA", "CNAME", "TXT", "SRV", "LOC", "MX", "NS" or "SPF".
CAA is missing.

This issue was originally opened by @jleclanche as hashicorp/terraform#10082. It was migrated here as part of the provider split. The original body of the issue is below.

https://www.terraform.io/docs/providers/cloudflare/r/record.html

Since proxied is a boolean (which the docs doesn't specify) and is Optional, it would be good to specify whether it defaults to false or true.

Terraform Version

❯ terraform --version
Terraform v0.11.7
+ provider.cloudflare v1.0.0

Affected Resource(s)

• cloudflare_page_rule

Terraform Configuration Files

resource "cloudflare_page_rule" "some_rule" {
  zone = "${var.domain}"
  target = "${var.domain}/blah"
  priority = 1
  status = "deactivated"

  actions = {
    forwarding_url {
      url = "https://www.example.com/"
      status_code = 301
    }
  }
}

Debug Output

❯ terraform plan

Error: cloudflare_page_rule.some_rule: expected status to be one of [active paused], got deactivated

Expected Behavior

Terraform should not error on valid status.

Actual Behavior

Terraform plan errors on status that is not active or paused. The real problem here is that while paused will work for terraform plan, it is not valid for the Cloudflare API.

The valid page rules status options for the Cloudflare api are: active and disabled. This Cloudflare Terraform provider erroneously requires the status to be one of active or paused.

relevant docs: https://api.cloudflare.com/#page-rules-for-a-zone-create-page-rule

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform plan with deactivated as a status value

alternatively to trigger api error when applying

1. terraform plan with paused as a status value
2. terraform apply

References

Here is the code that needs a patch

https://github.com/terraform-providers/terraform-provider-cloudflare/blob/cedda3010a6ba474a3b2287cd932cf27a8273880/cloudflare/resource_cloudflare_page_rule.go#L288

After successfully managing a bunch of DNS resources in Terraform for the past several months, today we started getting unmarshaling errors on the priority field of MX records. Other record types are unaffected (as they don't have the priority field.

I've got a fix below, though I don't know if that's the optimal solution or not (as I don't understand the underlying cause). I'm happy to submit it as a PR, however.

Thanks very much!
Ross

Terraform Version

bash-4.4$ terraform -v
Terraform v0.11.7
+ provider.cloudflare v1.0.0

Affected Resource(s)

Please list the resources as a list, for example:

• mx_1
• mx_2

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "cloudflare_record" "mx_1" {
  domain   = "example.com"
  name     = "@"
  value    = "aspmx5.googlemail.com"
  type     = "MX"
  ttl      = "86400"
  priority = "10"
}

resource "cloudflare_record" "mx_2" {
  domain   = "example.com"
  name     = "@"
  value    = "aspmx4.googlemail.com"
  type     = "MX"
  ttl      = "86400"
  priority = "10"
}

Debug Output

I have captured the debug output, but have not attached it here since it contains sensitive values. If required, I can redact them and provide it in a gist.

Panic Output

Not produced.

Expected Behavior

The apply should have applied cleanly and shown no changes (there haven't been any changes to the resources in the .tf files, nor in the remote state, nor in the actual resources in Cloudflare.

Actual Behavior

The apply failed with unmarshaling errors. Further testing shows that this only happens with records of type MX, not with any other type!

$ terraform apply
cloudflare_record.mx_1: Refreshing state... (ID: 70d15be54de0d8fc9768cc7e71fd28bf)
cloudflare_record.mx_2: Refreshing state... (ID: 8a5150055abbe3e955ad65e86495cdb9)

Error: Error refreshing state: 2 error(s) occurred:

* cloudflare_record.mx_2: 1 error(s) occurred:

* cloudflare_record.mx_2: cloudflare_record.mx_3: error unmarshalling the JSON response: json: cannot unmarshal string into Go struct field DNSRecord.priority of type int
* cloudflare_record.mx_1: 1 error(s) occurred:

* cloudflare_record.mx_1: cloudflare_record.mx_2: error unmarshalling the JSON response: json: cannot unmarshal string into Go struct field DNSRecord.priority of type int

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

Inspecting the result of the API call here:
https://github.com/terraform-providers/terraform-provider-cloudflare/blob/master/vendor/github.com/cloudflare/cloudflare-go/dns.go#L118

I validated that the JSON response from the server contained the priority value as a quoted string, rather than a numeric value, and that this was causing the unmarshaling error (as the schema expects an int).

I was able to fix this issue with the following change to dns.go from the vendored cloudflare-go library:

diff --git a/vendor/github.com/cloudflare/cloudflare-go/dns.go b/vendor/github.com/cloudflare/cloudflare-go/dns.go
index 3303e9d..08f3394 100644
--- a/vendor/github.com/cloudflare/cloudflare-go/dns.go
+++ b/vendor/github.com/cloudflare/cloudflare-go/dns.go
@@ -25,7 +26,7 @@ type DNSRecord struct {
        ModifiedOn time.Time   `json:"modified_on,omitempty"`
        Data       interface{} `json:"data,omitempty"` // data returned by: SRV, LOC
        Meta       interface{} `json:"meta,omitempty"`
-       Priority   int         `json:"priority,omitempty"`
+       Priority   int         `json:"priority,string,omitempty"`
 }

 // DNSRecordResponse represents the response from the DNS endpoint.

I wonder if the return type of priority changed in the Cloudflare API response recently? All other code involved here (terraform, this provider, cloudflare-go) seem to be unchanged.

References

None

Without further knowledge and looking at the 'ttl' type ('int') I assume that auto 'ttl' (as in the UI) is not supported, unless it's '0'. It would be nice, would it be either implemented or documented, as in the latter case, it's not obvious.

host_header_override and resolve_override actions are both treated as OnOff values, meaning the provider will only allow values of on or off for them. These should allow arbitrary string values instead.

Terraform Version

$ terraform -v
Terraform v0.11.7

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_page_rule

Terraform Configuration Files

resource "cloudflare_page_rule" "f86f9059911714b0d9f5bf7b1ca4b4e0" {
  zone = "${var.domain}"
  priority = 119
  target = "shopfront.${var.domain}/homepage/*"
  status = "active"

  actions = {
    resolve_override = "${var.origin}"
    host_header_override = "${var.domain}"
  }
}

Expected Behavior

The values for host_header_override and resolve_override actions should be accepted.

Actual Behavior

Error: cloudflare_page_rule.f86f9059911714b0d9f5bf7b1ca4b4e0: expected actions.0.host_header_override to be one of [on off], got foo.net

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply

Important Factoids

N/A

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

• Added in https://github.com/terraform-providers/terraform-provider-cloudflare/pull/76
• Mentioned in https://github.com/terraform-providers/terraform-provider-cloudflare/issues/46

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Terraform v0.11.8

• provider.cloudflare v1.2.0

Affected Resource(s)

• cloudflare_zone_settings_override.settings

Terraform Configuration Files

resource "cloudflare_zone_settings_override" "settings" {
  name = "${var.cloudflare_zone}"

  settings {
    browser_cache_ttl = 0
  }
}

Debug Output

https://gist.github.com/sixcorners/31d365e40d7aa20dec7f7d812c09d6b6

Expected Behavior

What should have happened?
browser_cache_ttl should have been set to 0.

Actual Behavior

What actually happened?
browser_cache_ttl didn't change.

Steps to Reproduce

1. terraform state rm cloudflare_zone_settings_override.settings && terraform apply

Important Factoids

References

Hi,

Hoping for some pointers here, struggling with this issue and unsure if it's a bug or something I'm doing wrong in my config. The example case is we want to disable an origin while an update is underway.

Terraform Version

Terraform v0.11.3

Affected Resource(s)

• cloudflare_loadbalancer_pool

Terraform Configuration Files

variable "cluster_ips" {
  description = "Map of the IP addresses to the ingress of all clusters in the hydra deployment"
  type        = "map"
}

variable "aks_cluster_1_enabled" {
  description = "Enable the cluster in the traffic manager"
  default     = true
}

variable "aks_cluster_2_enabled" {
  description = "Enable the cluster in the traffic manager"
  default     = true
}

variable "gke_cluster_1_enabled" {
  description = "Enable the cluster in the traffic manager"
  default     = true
}

variable "gke_cluster_2_enabled" {
  description = "Enable the cluster in the traffic manager"
  default     = true
}

resource "cloudflare_load_balancer_pool" "hydra_clusters" {
  name  = "hydra_clusters"

  monitor = "${cloudflare_load_balancer_monitor.health.id}"

  origins {
    name    = "aks_cluster_1"
    address = "${var.cluster_ips["aks_cluster_1"]}"
    enabled = "${var.aks_cluster_1_enabled}"
  }

  origins {
    name    = "aks_cluster_2"
    address = "${var.cluster_ips["aks_cluster_2"]}"
    enabled = "${var.aks_cluster_2_enabled}"
  }

  origins {
    name    = "gke_cluster_1"
    address = "${var.cluster_ips["gke_cluster_1"]}"
    enabled = "${var.gke_cluster_1_enabled}"
  }

  origins {
    name    = "gke_cluster_2"
    address = "${var.cluster_ips["gke_cluster_2"]}"
    enabled = "${var.gke_cluster_2_enabled}"
  }
}

Debug Output

16:04 $ terraform apply -auto-approve  -var aks_cluster_1_enabled=false -refresh=false
module.hydra.module.cloudflare.cloudflare_load_balancer_pool.hydra_clusters: Modifying... (ID: 5379235e4afcf3c52fa0d375dd9a5b10)
  origins.1080982093.address: "168.00.15.000" => ""
  origins.1080982093.enabled: "true" => "false"
  origins.1080982093.name:    "aks_cluster_1" => ""
  origins.1107272590.address: "35.000.97.000" => "35.000.97.000"
  origins.1107272590.enabled: "true" => "true"
  origins.1107272590.name:    "gke_cluster_2" => "gke_cluster_2"
  origins.3164109218.address: "000.69.000.208" => "000.69.000.208"
  origins.3164109218.enabled: "true" => "true"
  origins.3164109218.name:    "aks_cluster_2" => "aks_cluster_2"
  origins.3736081697.address: "00.234.000.38" => "00.234.000.38"
  origins.3736081697.enabled: "true" => "true"
  origins.3736081697.name:    "gke_cluster_1" => "gke_cluster_1"
  origins.3753179603.address: "" => "000.63.15.000"
  origins.3753179603.enabled: "" => "false"
  origins.3753179603.name:    "" => "aks_cluster_1"

Error: Error applying plan:

1 error(s) occurred:

* module.hydra.module.cloudflare.cloudflare_load_balancer_pool.hydra_clusters: 1 error(s) occurred:

* cloudflare_load_balancer_pool.hydra_clusters: doesn't support update

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Expected Behavior

The origin name aks_cluster_1 to be disabled.

Actual Behavior

Error returned stating that 'doesn't support update'

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. Create a pool with enable set to variable
2. Deploy the pool with tf apply
3. Redeploy with variable for enable set to false and observe error.

While trying to integrate fetching CloudFlare IPs for use in an AWS security group used with an ELB, I found that cidr_blocks returned both IPv4 and IPv6 addresses (great), ipv4_cidr_blocks returned IPv4 addresses (great), and ipv6_cidr_blocks returned IPv4 addresses (what?!).

I thought I was going out of my mind at first, but I discovered #6 which lead me to #27 and then #28. This forced me to look at the code. I speak several PLs (assembly, C, Perl, PHP, etc.) but not Go. Yet, this is what I found:

https://github.com/terraform-providers/terraform-provider-cloudflare/blob/0b67bf2d55bccd24275f30e2112756abd27a070f/cloudflare/data_source_ip_ranges.go#L73

This looks like a copy-paste typo that happens to be quite severe.

Many page rule options are supported, but I don't see anything for overriding host headers.

Was is left out because of a technical reason or because it's perceived as less important than the ones that were implemented?

This issue was originally opened by @fillup as hashicorp/terraform#12166. It was migrated here as part of the provider split. The original body of the issue is below.

We use Cloudflare in front of our web apps and configure our AWS ELBs to limit access to Cloudflare's IP addresses. Right now we maintain a list manually based on https://www.cloudflare.com/ips/, but it would be great to be able to dynamically pull these lists for use in security groups and other things.

Hi there,

It would be awesome to have support for the recently released Cloudflare Workers from Terraform (https://blog.cloudflare.com/cloudflare-workers-unleashed/).

Terraform Version

$ terraform -v
Terraform v0.11.7

Affected Resource(s)

Potential resources could be of the form:

resource "cloudflare_worker" "foobar" {
  zone_id = "${var.cloudflare_zone_id}"
  filter = "example.com/*"
  script_content = ${file("path.txt")}
}

Expected Behavior

Terraform provisions a Cloudflare Worker resource.

Actual Behavior

Not supported yet.

References

https://developers.cloudflare.com/workers/api/

Hi there,

Terraform Version

Terraform v0.10.0
provider.cloudflare: version = "~> 0.1"

Affected Resource(s)

Please list the resources as a list, for example:

• cloudflare_record

Terraform Configuration Files

variable "CLOUDFLARE_EMAIL" {}
variable "CLOUDFLARE_TOKEN" {}
variable "domain" {
  default = "secretsauce.com"
}

provider "cloudflare" {
  email = "${var.CLOUDFLARE_EMAIL}" 
  token = "${var.CLOUDFLARE_TOKEN}"
}

...

resource "cloudflare_record" "welcome_TXT" {
  domain  = "${var.domain}"
  name    = "welcome"
  value   = "google-site-verification=snipped"
  type    = "TXT"
}

resource "cloudflare_record" "welcome_TXT_1" {
  domain  = "${var.domain}"
  name    = "welcome"
  value   = "v=spf1 include:welcome.secretsauce.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
  type    = "TXT"
}

and a few hundred other records. I have exported our ~350 DNS records, that we previously created manually on cloudflare. Now I have used a template engine to render cloudflare_record configuration for terraform.

I would be happy to provide the full configuration files in a non-public way if you would like to reproduce the error.

Debug Output

I cannot provide the debug output publicly as it contains sensitive data

Panic Output

I cannot provide the panic output publicly as it contains sensitive data

Expected Behavior

What should have happened?

Actual Behavior

Terraform should have formulated a plan, hopefully that no action was required.

Steps to Reproduce

terraform plan

References

• terraform/terraform#8341

I am using a cloudflare_load_balancer_pool and want to point it at my digital ocean droplets. I can do this if i hardcode the length:

resource "cloudflare_load_balancer_pool" "rke" {
  provider = "cloudflare.loadbalancer"

  name = "rke"

  origins {
    name = "rke-1"
    address = "${element(digitalocean_droplet.kubernetes_nodes.*.ipv4_address, 1)}"
    enabled = true
  }
  origins {
    name = "rke-2"
    address = "${element(digitalocean_droplet.kubernetes_nodes.*.ipv4_address, 2)}"
    enabled = true
  }
  origins {
    name = "rke-3"
    address = "${element(digitalocean_droplet.kubernetes_nodes.*.ipv4_address, 3)}"
    enabled = true
  }
  origins {
    name = "rke-4"
    address = "${element(digitalocean_droplet.kubernetes_nodes.*.ipv4_address, 4)}"
    enabled = true
  }

  monitor = "${cloudflare_load_balancer_monitor.rke.id}"

  depends_on = ["rke_cluster.cluster", "cloudflare_load_balancer_monitor.rke"]
}

However, it would be better if I could iterate over the digital ocean droplets and create origins. For example, I do this with DNS:

resource "cloudflare_record" "kubernetes_do" {
  provider = "cloudflare.dns"

  count = "${var.digitalocean_nodes}"

  domain = "${var.cluster_domain}"
  name = "rke"
  value = "${element(digitalocean_droplet.kubernetes_nodes.*.ipv4_address, count.index)}"
  type = "A"
  ttl = 3600
}

Is it possible to achieve this using the current schema?

cloudflare_record allows uppercase name values, but it seems the Cloudflare API converts it to lower case(?). As a result, using an upper case letter in a record name will result in future terraform plan runs to indicate a recreation of the resource.

Affected Resource(s)

• cloudflare_record

Terraform Configuration Files

resource "cloudflare_record" "vpn" {
  domain   = "<your domain here>"
  name     = "tftestingsubV616" # note the capital V
  value    = "52.39.212.111"
  type     = "A"
  ttl      = 1
  priority = 80
  proxied  = true
}

Debug Output

-/+ cloudflare_record.vpn (new resource required)
      id:          "5db4d077f4b071b5a276407f666495ae" => <computed> (forces new resource)
      [...]
      name:        "tftestingsubv616" => "tftestingsubV616" (forces new resource)
      [...]

Expected Behavior

• Terraform should warn on upper case usage, or automatically convert to lowercase for storing in state

Actual Behavior

• terraform plan wants to recreate the record

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply the provided config
2. terraform plan will show a recreation

zrt means "Enabled+0RTT" in the dashboard.

This is a very minor issue and I wouldn't blame you if you decided to close it outright, but one minor issue I've had with this provider is that using CLOUDFLARE_TOKEN as the environment variable clashes with my other cloudflare-dependent apps which all use CLOUDFLARE_API_KEY.

The lego library also uses CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY:
https://github.com/xenolf/lego/blob/82ac43327b01319544c050d5d78a4edeff9565d2/providers/dns/cloudflare/cloudflare.go#L28-L34

Terraform Version

Terraform v0.11.7

• provider.aws v1.27.0
• provider.cloudflare v1.0.0

Affected Resource(s)

• cloudflare_record

Terraform Configuration Files

resource "cloudflare_record" "caa" {
  domain  = "mydomain.com"
  name    = "mydomain.com"
  data    = {
    flags = "0"
    tag   = "issue"
    value = "letsencrypt.org"
  }
  type    = "CAA"
  ttl     = 1
}

Debug Output

gist of debug output

Expected Behavior

CAA record is created

Actual Behavior

Error from CloudFlare API

Steps to Reproduce

1. terraform apply

Important Factoids

Interestingly, if I manually create the CAA record using the Dashboard and then:

1. terraform import
2. terraform apply
   ...there are no changes to be applied, telling me the configuration looks correct.

References

• #26
• #29

Support Cloudflare Zone lockdowns:
https://api.cloudflare.com/#zone-lockdown-properties

Potential resource could be of form:

resource "cloudflare_zone_lockdown" "foobar" {
  zone        = "${var.cloudflare_domain}"
  paused      = "false"
  description = "lockdown rule for api.mysite.com"

  urls = [
    "api.mysite.com/some/endpoint*",
  ]

  configurations = [
    {
      target = "ip"
      value  = "1.2.3.4"
    },
    {
      target = "ip_range"
      value  = "5.6.7.8/24"
    },
  ]
}

Where paused is optional (defaults to false) and description is optional.

Origin weights and session affinity were added to cloudflare-go here: cloudflare/cloudflare-go@667a723.

Should be able to do something like this for weights:

resource "cloudflare_load_balancer_pool" "example-servers" {
  ...
  origins {
    name = "www-us"
    address = "203.0.113.10"
    weight = 0.5
  }
  origins {
    name = "www-asia"
    address = "198.51.100.15"
    weight = 0.5
  }

And session persistence:

resource "cloudflare_load_balancer" "example-lb" {
  ...
  session_affinity = "cookie"
}

% terraform version                                                                                               [08/09/18 12:54:50]
Terraform v0.11.7
+ provider.alicloud v1.10.0
+ provider.ansible v0.0.4
+ provider.cloudflare v1.1.0
+ provider.digitalocean v0.1.3
+ provider.google v1.16.2

Your cloudflare_page_rule keeps trying to recreate all entries that use forwarding_url which includes upper case letters because it seems to lowercase everything.

Example:

Terraform will perform the following actions:

  ~ module.redirect.cloudflare_page_rule.redirect[1]
      actions.0.forwarding_url.0.url: "https://some.service.com/abcde/" => "https://some.service.com/aBcDe/"