upgrade cloudflare provider (#2823)

* upgrade prod cf provider * upgrade cf cf provider
lingrino · Feb 18, 2025 · deb04e7 · deb04e7
1 parent a35450a
commit deb04e7
Show file tree

Hide file tree

Showing 18 changed files with 313 additions and 250 deletions.
diff --git a/terraform-modules/zone/gsuite.tf b/terraform-modules/zone/gsuite.tf
@@ -1,13 +1,14 @@
-resource "cloudflare_record" "txt_gsuite" {
+resource "cloudflare_dns_record" "txt_gsuite" {
   count = var.enable_gsuite ? 1 : 0
 
   zone_id = cloudflare_zone.zone.id
-  name    = "@"
+  name    = var.domain
   type    = "TXT"
+  ttl     = 1
   content = "v=spf1 include:_spf.google.com ~all"
 }
 
-resource "cloudflare_record" "mx_gsuite_verification" {
+resource "cloudflare_dns_record" "mx_gsuite_verification" {
   for_each = var.enable_gsuite ? {
     0 = { priority = 1, value = "aspmx.l.google.com" }
     1 = { priority = 5, value = "alt1.aspmx.l.google.com" }
@@ -19,24 +20,27 @@ resource "cloudflare_record" "mx_gsuite_verification" {
   zone_id  = cloudflare_zone.zone.id
   name     = var.domain
   type     = "MX"
+  ttl      = 1
   priority = each.value["priority"]
   content  = each.value["value"]
 }
 
-resource "cloudflare_record" "txt_gsuite_dkim" {
+resource "cloudflare_dns_record" "txt_gsuite_dkim" {
   count = var.gsuite_dkim_value != "" ? 1 : 0
 
   zone_id = cloudflare_zone.zone.id
-  name    = "google._domainkey"
+  name    = "google._domainkey.${var.domain}"
   type    = "TXT"
+  ttl     = 1
   content = var.gsuite_dkim_value
 }
 
-resource "cloudflare_record" "txt_gsuite_dmarc" {
+resource "cloudflare_dns_record" "txt_gsuite_dmarc" {
   count = var.gsuite_dkim_value != "" ? 1 : 0
 
   zone_id = cloudflare_zone.zone.id
-  name    = "_dmarc"
+  name    = "_dmarc.${var.domain}"
   type    = "TXT"
+  ttl     = 1
   content = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:[email protected]"
 }
diff --git a/terraform-modules/zone/site_verification.tf b/terraform-modules/zone/site_verification.tf
@@ -1,8 +1,9 @@
-resource "cloudflare_record" "txt_base" {
+resource "cloudflare_dns_record" "txt_base" {
   for_each = var.google_site_verifications
 
   zone_id = cloudflare_zone.zone.id
-  name    = "@"
+  name    = var.domain
   type    = "TXT"
+  ttl     = 1
   content = each.key
 }
diff --git a/terraform-modules/zone/zone.tf b/terraform-modules/zone/zone.tf
@@ -1,8 +1,13 @@
 resource "cloudflare_zone" "zone" {
-  account_id = var.cloudflare_account_id
-  zone       = var.domain
+  name = var.domain
+
+  account = {
+    id = var.cloudflare_account_id
+  }
+
 }
 
 resource "cloudflare_zone_dnssec" "zone" {
   zone_id = cloudflare_zone.zone.id
+  status  = "active"
 }
diff --git a/terraform/aws/accounts/prod/.terraform.lock.hcl b/terraform/aws/accounts/prod/.terraform.lock.hcl
diff --git a/terraform/aws/accounts/prod/data.tf b/terraform/aws/accounts/prod/data.tf
@@ -1 +1,12 @@
-data "cloudflare_api_token_permission_groups" "all" {}
+data "cloudflare_accounts" "lingrino" {
+  name = "lingrino"
+}
+
+data "cloudflare_api_token_permissions_groups_list" "all" {
+  account_id = data.cloudflare_accounts.lingrino.result[0].id
+}
+
+locals {
+  account_permission_group_ids = [for k, v in data.cloudflare_api_token_permissions_groups_list.all.result : { id = v.id } if v.scopes[0] == "com.cloudflare.api.account" && v.name != "Account API Tokens Write"]
+  zone_permission_group_ids    = [for k, v in data.cloudflare_api_token_permissions_groups_list.all.result : { id = v.id } if v.scopes[0] == "com.cloudflare.api.account.zone"]
+}
diff --git a/terraform/aws/accounts/prod/meta.tf b/terraform/aws/accounts/prod/meta.tf
@@ -20,6 +20,11 @@ provider "b2" {
 }
 
 provider "cloudflare" {
+  api_token = jsondecode(ephemeral.aws_secretsmanager_secret_version.cloudflare_keys_terraform_cloud.secret_string)["CLOUDFLARE_API_TOKEN"]
+}
+
+provider "cloudflare" {
+  alias     = "create-tokens"
   api_token = jsondecode(ephemeral.aws_secretsmanager_secret_version.cloudflare_keys_create_tokens.secret_string)["CLOUDFLARE_API_TOKEN"]
 }
 

diff --git a/terraform/aws/accounts/prod/secrets_cloudflare.tf b/terraform/aws/accounts/prod/secrets_cloudflare.tf
@@ -24,29 +24,42 @@ resource "aws_secretsmanager_secret" "cloudflare_keys_terraform_cloud" {
   }
 }
 
+ephemeral "aws_secretsmanager_secret_version" "cloudflare_keys_terraform_cloud" {
+  secret_id = aws_secretsmanager_secret.cloudflare_keys_terraform_cloud.id
+}
+
 resource "aws_secretsmanager_secret_version" "cloudflare_keys_terraform_cloud" {
   secret_id = aws_secretsmanager_secret.cloudflare_keys_terraform_cloud.id
   secret_string = jsonencode({
     CLOUDFLARE_API_TOKEN = cloudflare_api_token.terraform_cloud.value,
   })
+
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
 }
 
 resource "cloudflare_api_token" "terraform_cloud" {
-  name = "terraform-cloud"
+  provider = cloudflare.create-tokens
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.*" = "*"
-    }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.account)
-  }
+  name = "terraform-cloud"
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
+  policies = [
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.*" = "*"
+      }
+      permission_groups = local.account_permission_group_ids
+    },
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.zone.*" = "*"
+      }
+      permission_groups = local.zone_permission_group_ids
     }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.zone)
-  }
+  ]
 }
 
 #################################
@@ -65,22 +78,31 @@ resource "aws_secretsmanager_secret_version" "cloudflare_keys_local" {
   secret_string = jsonencode({
     CLOUDFLARE_API_TOKEN = cloudflare_api_token.local.value,
   })
+
+  lifecycle {
+    ignore_changes = [secret_string]
+  }
 }
 
 resource "cloudflare_api_token" "local" {
-  name = "local"
+  provider = cloudflare.create-tokens
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.*" = "*"
-    }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.account)
-  }
+  name = "local"
 
-  policy {
-    resources = {
-      "com.cloudflare.api.account.zone.*" = "*"
+  policies = [
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.*" = "*"
+      }
+      permission_groups = local.account_permission_group_ids
+    },
+    {
+      effect = "allow"
+      resources = {
+        "com.cloudflare.api.account.zone.*" = "*"
+      }
+      permission_groups = local.zone_permission_group_ids
     }
-    permission_groups = values(data.cloudflare_api_token_permission_groups.all.zone)
-  }
+  ]
 }
diff --git a/terraform/cloudflare/.terraform.lock.hcl b/terraform/cloudflare/.terraform.lock.hcl
diff --git a/terraform/cloudflare/account.tf b/terraform/cloudflare/account.tf
@@ -1,14 +1,8 @@
 resource "cloudflare_account" "account" {
-  name              = "lingrino"
-  type              = "standard"
-  enforce_twofactor = true
-}
-
-resource "cloudflare_account_member" "lingrino" {
-  account_id    = cloudflare_account.account.id
-  email_address = "[email protected]"
+  name = "lingrino"
+  type = "standard"
 
-  role_ids = [
-    "33666b9c79b9a5273fc7344ff42f953d",
-  ]
+  settings = {
+    enforce_twofactor = true
+  }
 }
diff --git a/terraform/cloudflare/notifications.tf b/terraform/cloudflare/notifications.tf
@@ -7,7 +7,9 @@ resource "cloudflare_notification_policy" "origin_availability" {
   name        = "Origin Availability"
   description = "a cloudflare origin is detected as down"
 
-  email_integration {
-    id = "[email protected]"
+  mechanisms = {
+    email = [{
+      id = "[email protected]"
+    }]
   }
 }
diff --git a/terraform/cloudflare/site_lingren_com.tf b/terraform/cloudflare/site_lingren_com.tf
@@ -13,26 +13,29 @@ module "zone_lingren_com" {
   ]
 }
 
-resource "cloudflare_record" "lingren_com" {
+resource "cloudflare_dns_record" "lingren_com" {
   zone_id = module.zone_lingren_com.id
   proxied = true
   name    = "lingren.com"
   type    = "CNAME"
+  ttl     = 1
   content = "lingrino.com" # superseded by below redirect
 }
 
-resource "cloudflare_record" "star_lingren_com" {
+resource "cloudflare_dns_record" "star_lingren_com" {
   zone_id = module.zone_lingren_com.id
   proxied = true
   name    = "*.lingren.com"
   type    = "CNAME"
+  ttl     = 1
   content = "lingrino.com" # superseded by below redirect
 }
 
-resource "cloudflare_record" "atproto_lingren_com" {
+resource "cloudflare_dns_record" "atproto_lingren_com" {
   zone_id = module.zone_lingren_com.id
   name    = "_atproto.lingren.com"
   type    = "TXT"
+  ttl     = 1
   content = "did=did:plc:k6ylnfky52hxfl7yoxfnbwot"
 }
 
@@ -45,18 +48,20 @@ resource "cloudflare_ruleset" "redirect_lingren_com_to_lingrino_com" {
   kind  = "zone"
   phase = "http_request_dynamic_redirect"
 
-  rules {
-    action      = "redirect"
-    description = "redirect [*.]lingren.com to lingrino.com"
-    expression  = "true"
+  rules = [
+    {
+      action      = "redirect"
+      description = "redirect [*.]lingren.com to lingrino.com"
+      expression  = "true"
 
-    action_parameters {
-      from_value {
-        status_code = 301
-        target_url {
-          value = "https://lingrino.com"
+      action_parameters = {
+        from_value = {
+          status_code = 301
+          target_url = {
+            value = "https://lingrino.com"
+          }
         }
       }
     }
-  }
+  ]
 }