Terraform CloudFlare Provider Example

This is a short article on how to create DNS records in your CloudFlare DNS zone using Terraform. I have used this in an upcoming article about OpenShift 3.11 on AWS. You can check out the cloudflare.tf example on my Github repository: https://github.com/berndonline/openshift-terraform/blob/aws-dev/cloudflare.tf

In the cloudflare_record configuration, the values of the AWS ALB DNS names are referenced from resource attributes. This means Terraform deploys the AWS infrastructure first and afterwards creates the specified DNS records in the CloudFlare DNS zone.

provider "cloudflare" {
  email = "[email protected]"
  token = "***YOUR-API-TOKEN***"
}

variable "domain" {
  default = "domain.com"
}

# value references the AWS ALB resource, so Terraform creates the ALB before this record
resource "cloudflare_record" "console-paas" {
  domain  = "${var.domain}"
  name    = "console-paas"
  value   = "${aws_lb.master_alb.dns_name}"
  type    = "CNAME"
  proxied = false
}

resource "cloudflare_record" "wildcard-paas" {
  domain  = "${var.domain}"
  name    = "*.paas"
  value   = "${aws_lb.infra_alb.dns_name}"
  type    = "CNAME"
  proxied = false
}

If you verify this in the CloudFlare web console, you see that Terraform created two DNS records pointing to the AWS ALB DNS names.

When you run terraform destroy, the two DNS records are removed automatically.

I recommend having a look at the great articles on the CloudFlare blog:



Common DNS errors

Something a bit different now from what I normally post, this time about common DNS errors.

One of my colleagues tried to configure basic DNS load balancing over two web platforms, but instead of using two A records he was using one A record and one CNAME. Once that was configured the problems started, because some DNS servers (the Google DNS cache) were only replying with the IP of the configured CNAME, while other DNS servers from service providers were replying with nothing.

Bind by default would only load the CNAME into the configuration and ignore all other records, but my colleague was using TinyDNS, so I cannot say if TinyDNS loads the configuration with both the CNAME and the A record. But the main reason for the problems was that the DNS configuration became inconsistent, and the RFC about common DNS errors explains it very clearly:

A CNAME record is not allowed to coexist with any other data.  In other words, if suzy.podunk.xx is an alias for sue.podunk.xx, you can't also have an MX record for suzy.podunk.edu, or an A record, or even a TXT record.

Have a look at the RFC about common DNS errors, very interesting!
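As an added example (not part of the original post), a small Python check that reads zone-file style records and flags every owner name where a CNAME coexists with other data, which is the rule quoted above. The zone fragment is constructed to reproduce the A-plus-CNAME setup from the story; the names and addresses are assumptions.

```python
"""Flag owner names where a CNAME coexists with other data (the rule quoted above)."""
from collections import defaultdict

# Constructed zone fragment that reproduces the setup described above:
# one A record plus one CNAME on the same name, meant as "load balancing".
SAMPLE_ZONE = """\
; constructed example, not a real zone
www    300 IN A     192.0.2.10
www    300 IN CNAME web2.example.com.
web2   300 IN A     192.0.2.11
api    300 IN A     192.0.2.20   ; valid round-robin: two A records
api    300 IN A     192.0.2.21
mail   300 IN MX    10 mx1.example.com.
"""


def parse_zone_lines(lines):
    """Parse 'owner [TTL] [IN] TYPE rdata' lines into (owner, type, rdata).
    Comments after ';' and blank lines are skipped; $ORIGIN/$TTL are ignored."""
    records = []
    for raw in lines:
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        idx = 1
        # skip an optional TTL and class so idx lands on the record type
        while idx < len(fields) and (
            fields[idx].isdigit() or fields[idx].upper() in ("IN", "CH", "HS")
        ):
            idx += 1
        if idx >= len(fields):
            continue
        records.append((fields[0].lower(), fields[idx].upper(), " ".join(fields[idx + 1:])))
    return records


def find_cname_conflicts(records):
    """Return sorted owner names that hold a CNAME together with any other
    record (A, MX, TXT or a second CNAME). Resolvers disagree on how to answer
    for such names, which is exactly the inconsistent behaviour seen above."""
    types_by_owner = defaultdict(list)
    for owner, rtype, _ in records:
        types_by_owner[owner].append(rtype)
    return sorted(o for o, t in types_by_owner.items() if "CNAME" in t and len(t) > 1)


if __name__ == "__main__":
    for owner in find_cname_conflicts(parse_zone_lines(SAMPLE_ZONE.splitlines())):
        print(f"CNAME conflict at {owner}: remove the CNAME or the other records")
```

Running it against a real zone export before you push a change catches the A-plus-CNAME mistake while it is still only in the configuration.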

From my side I would have used GSLB (Global Server Load Balancing) and not basic DNS round-robin 😉