sudacode/dotfiles
1
0
Fork 0
mirror of https://github.com/ksyasuda/dotfiles.git synced 2026-03-21 06:11:27 -07:00
Code Issues Packages Projects Releases Wiki Activity
Files
872fc61ba53977bc0ffd9b5bdacdb29a7265510c
dotfiles/.agents/skills/cloudflare-deploy/references/terraform/configuration.md
sudacode f9a530667e update skills
2026-03-17 16:53:22 -07:00

7.4 KiB
Raw Blame History

Terraform Configuration Reference

Complete resource configurations for Cloudflare infrastructure.

Zone & DNS

# Zone + settings
resource "cloudflare_zone" "example" { account = { id = var.account_id }; name = "example.com"; type = "full" }
resource "cloudflare_zone_settings_override" "example" {
  zone_id = cloudflare_zone.example.id
  settings { ssl = "strict"; always_use_https = "on"; min_tls_version = "1.2"; tls_1_3 = "on"; http3 = "on" }
}

# DNS records (A, CNAME, MX, TXT)
resource "cloudflare_dns_record" "www" {
  zone_id = cloudflare_zone.example.id; name = "www"; content = "192.0.2.1"; type = "A"; proxied = true
}
resource "cloudflare_dns_record" "mx" {
  for_each = { "10" = "mail1.example.com", "20" = "mail2.example.com" }
  zone_id = cloudflare_zone.example.id; name = "@"; content = each.value; type = "MX"; priority = each.key
}

Workers

Simple Pattern (Legacy - Still Works)

resource "cloudflare_workers_script" "api" {
  account_id = var.account_id; name = "api-worker"; content = file("worker.js")
  module = true; compatibility_date = "2025-01-01"
  kv_namespace_binding { name = "KV"; namespace_id = cloudflare_workers_kv_namespace.cache.id }
  r2_bucket_binding { name = "BUCKET"; bucket_name = cloudflare_r2_bucket.assets.name }
  d1_database_binding { name = "DB"; database_id = cloudflare_d1_database.app.id }
  secret_text_binding { name = "SECRET"; text = var.secret }
}

Gradual Rollouts (Recommended for Production)

resource "cloudflare_worker" "api" { account_id = var.account_id; name = "api-worker" }
resource "cloudflare_worker_version" "api_v1" {
  account_id = var.account_id; worker_name = cloudflare_worker.api.name
  content = file("worker.js"); content_sha256 = filesha256("worker.js")
  compatibility_date = "2025-01-01"
  bindings {
    kv_namespace { name = "KV"; namespace_id = cloudflare_workers_kv_namespace.cache.id }
    r2_bucket { name = "BUCKET"; bucket_name = cloudflare_r2_bucket.assets.name }
  }
}
resource "cloudflare_workers_deployment" "api" {
  account_id = var.account_id; worker_name = cloudflare_worker.api.name
  versions { version_id = cloudflare_worker_version.api_v1.id; percentage = 100 }
}

Worker Binding Types (v5)

Binding Attribute Example
KV kv_namespace_binding { name = "KV", namespace_id = "..." }
R2 r2_bucket_binding { name = "BUCKET", bucket_name = "..." }
D1 d1_database_binding { name = "DB", database_id = "..." }
Service service_binding { name = "AUTH", service = "auth-worker" }
Secret secret_text_binding { name = "API_KEY", text = "..." }
Queue queue_binding { name = "QUEUE", queue_name = "..." }
Vectorize vectorize_binding { name = "INDEX", index_name = "..." }
Hyperdrive hyperdrive_binding { name = "DB", id = "..." }
AI ai_binding { name = "AI" }
Browser browser_binding { name = "BROWSER" }
Analytics analytics_engine_binding { name = "ANALYTICS", dataset = "..." }
mTLS mtls_certificate_binding { name = "CERT", certificate_id = "..." }

Routes & Triggers

resource "cloudflare_worker_route" "api" {
  zone_id = cloudflare_zone.example.id; pattern = "api.example.com/*"
  script_name = cloudflare_workers_script.api.name
}
resource "cloudflare_worker_cron_trigger" "task" {
  account_id = var.account_id; script_name = cloudflare_workers_script.api.name
  schedules = ["*/5 * * * *"]
}

Storage (KV, R2, D1)

# KV
resource "cloudflare_workers_kv_namespace" "cache" { account_id = var.account_id; title = "cache" }
resource "cloudflare_workers_kv" "config" {
  account_id = var.account_id; namespace_id = cloudflare_workers_kv_namespace.cache.id
  key_name = "config"; value = jsonencode({ version = "1.0" })
}

# R2
resource "cloudflare_r2_bucket" "assets" { account_id = var.account_id; name = "assets"; location = "WNAM" }

# D1 (migrations via wrangler) & Queues
resource "cloudflare_d1_database" "app" { account_id = var.account_id; name = "app-db" }
resource "cloudflare_queue" "events" { account_id = var.account_id; name = "events-queue" }

Pages

resource "cloudflare_pages_project" "site" {
  account_id = var.account_id; name = "site"; production_branch = "main"
  deployment_configs {
    production {
      compatibility_date = "2025-01-01"
      environment_variables = { NODE_ENV = "production" }
      kv_namespaces = { KV = cloudflare_workers_kv_namespace.cache.id }
      d1_databases = { DB = cloudflare_d1_database.app.id }
    }
  }
  build_config { build_command = "npm run build"; destination_dir = "dist" }
  source { type = "github"; config { owner = "org"; repo_name = "site"; production_branch = "main" }}
}

resource "cloudflare_pages_domain" "custom" {
  account_id = var.account_id; project_name = cloudflare_pages_project.site.name; domain = "site.example.com"
}

Rulesets (WAF, Redirects, Cache)

# WAF
resource "cloudflare_ruleset" "waf" {
  zone_id = cloudflare_zone.example.id; name = "WAF"; kind = "zone"; phase = "http_request_firewall_custom"
  rules { action = "block"; enabled = true; expression = "(cf.client.bot) and not (cf.verified_bot)" }
}

# Redirects
resource "cloudflare_ruleset" "redirects" {
  zone_id = cloudflare_zone.example.id; name = "Redirects"; kind = "zone"; phase = "http_request_dynamic_redirect"
  rules {
    action = "redirect"; enabled = true; expression = "(http.request.uri.path eq \"/old\")"
    action_parameters { from_value { status_code = 301; target_url { value = "https://example.com/new" }}}
  }
}

# Cache rules
resource "cloudflare_ruleset" "cache" {
  zone_id = cloudflare_zone.example.id; name = "Cache"; kind = "zone"; phase = "http_request_cache_settings"
  rules {
    action = "set_cache_settings"; enabled = true; expression = "(http.request.uri.path matches \"\\.(jpg|png|css|js)$\")"
    action_parameters { cache = true; edge_ttl { mode = "override_origin"; default = 86400 }}
  }
}

Load Balancers

resource "cloudflare_load_balancer_monitor" "http" {
  account_id = var.account_id; type = "http"; path = "/health"; interval = 60; timeout = 5
}
resource "cloudflare_load_balancer_pool" "api" {
  account_id = var.account_id; name = "api-pool"; monitor = cloudflare_load_balancer_monitor.http.id
  origins { name = "api-1"; address = "192.0.2.1" }
  origins { name = "api-2"; address = "192.0.2.2" }
}
resource "cloudflare_load_balancer" "api" {
  zone_id = cloudflare_zone.example.id; name = "api.example.com"
  default_pool_ids = [cloudflare_load_balancer_pool.api.id]; steering_policy = "geo"
}

Access (Zero Trust)

resource "cloudflare_access_application" "admin" {
  account_id = var.account_id; name = "Admin"; domain = "admin.example.com"; type = "self_hosted"
  session_duration = "24h"; allowed_idps = [cloudflare_access_identity_provider.github.id]
}
resource "cloudflare_access_policy" "allow" {
  account_id = var.account_id; application_id = cloudflare_access_application.admin.id
  name = "Allow"; decision = "allow"; precedence = 1
  include { email = ["admin@example.com"] }
}
resource "cloudflare_access_identity_provider" "github" {
  account_id = var.account_id; name = "GitHub"; type = "github"
  config { client_id = var.github_id; client_secret = var.github_secret }
}

See Also

Reference in New Issue View Git Blame Copy Permalink