Cloudflare Operations

Operational guide for Cloudflare DNS, Tunnels, and Workers.

Quick Reference

Property         | Value
-----------------+-----------------------------------------------------
Domains          | fzymgc.house (internal), fzymgc.net (webhooks)
Terraform Module | tf/cloudflare/
API Token Path   | secret/fzymgc-house/infrastructure/cloudflare/*
Tunnel Name      | fzymgc-house-main
Worker           | hcp-terraform-discord

Architecture

+----------------------------------------------------------------+
|                      Cloudflare Account                         |
+-----------------+-----------------+-----------------------------+
| fzymgc.house    | fzymgc.net      | Workers                     |
| (internal DNS)  | (webhooks)      | (serverless functions)      |
+-----------------+-----------------+-----------------------------+
|                     Zero Trust Tunnel                           |
|                   fzymgc-house-main                             |
+----------------------------------------------------------------+

API Token Pattern

Currently uses a single bootstrap token with full operational permissions.

Note: Cloudflare provider v5 has breaking changes for cloudflare_api_token that make Terraform-managed token creation unreliable. When v5 stabilizes, we'll add a two-token pattern (bootstrap -> workload).

Token     | Purpose                      | Permissions      | Created By
----------+------------------------------+------------------+--------------
Bootstrap | Terraform auth + operations  | Full operational | Manual (once)

Vault Paths

Path                               | Content
-----------------------------------+-----------------------------------
.../cloudflare/bootstrap-token     | Bootstrap token for Terraform
.../cloudflare/discord-webhook     | Discord webhook URL
.../cloudflare/hcp-terraform-hmac  | HMAC secret for webhook validation

DNS Management

DNS records are managed via Terraform in tf/cloudflare/.

Add DNS Record

  1. Edit tf/cloudflare/tunnel.tf
  2. Add record resource (see cloudflare_dns_record.webhook_services for pattern)
  3. Submit PR and merge
  4. HCP Terraform applies changes

Common Record Types

Type  | Use Case
------+-------------------------
A     | Direct IP mapping
CNAME | Alias to another record
TXT   | Verification, SPF

Cloudflare Tunnel

The tunnel provides secure external access without exposing IPs.

Architecture

Internet -> Cloudflare -> Tunnel -> Traefik -> Services

Managed Services

Services exposed via tunnel are configured in Kubernetes ingress.

Webhook services (configured via var.webhook_services):
  • windmill-wh.fzymgc.net -> Windmill webhooks

Workers

HCP Terraform Discord Worker

Transforms HCP Terraform notification webhooks into Discord embeds.

Property  | Value
----------+-------------------------------------------------------
Code      | cloudflare/workers/hcp-terraform-discord/worker.js
Terraform | tf/cloudflare/workers.tf
Secrets   | DISCORD_WEBHOOK_URL, HMAC_SECRET

HMAC Validation: When HMAC_SECRET is configured, the Worker validates the X-TFE-Notification-Signature header on every incoming notification. Requests with a missing or invalid signature are rejected with 401.

Common Operations

Bootstrap Token Setup (One-Time)

  1. Create token in Cloudflare Dashboard:
  2. API Tokens > Create Token > Create Custom Token
  3. Permissions:
    • Account > Workers Scripts > Edit
    • Account > Cloudflare Tunnel > Edit
    • Account > Account Settings > Read
    • Zone > DNS > Edit
    • Zone > Zone > Read
  4. Account/Zone Resources: Include your account and all zones

  5. Store in Vault:

    vault kv put secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token \
      token="YOUR_BOOTSTRAP_TOKEN"
    

  6. Apply Terraform:

    terraform -chdir=tf/cloudflare apply
    

Apply Order

tf/vault -> tf/cloudflare -> Configure HCP TF webhook
  1. tf/vault: Creates HMAC secret
  2. tf/cloudflare: Deploys Worker with HMAC binding, creates workload token
  3. HCP TF UI: Add HMAC token to notification webhook

Troubleshooting

DNS Not Resolving

  1. Check propagation: dig @1.1.1.1 service.fzymgc.house
  2. Verify Terraform state
  3. Check Cloudflare dashboard

Token Authentication Errors

Error: 403 Forbidden - Authentication error

Cause: API token missing required permissions.

Fix:
  1. Check the bootstrap token has all required permissions
  2. Verify the token is stored correctly in Vault:

    vault kv get secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token

Tunnel Not Connecting

    # Check tunnel status
    kubectl -n cloudflared get pods
    kubectl -n cloudflared logs -l app.kubernetes.io/name=cloudflared

    # Verify credentials in Vault
    vault kv get secret/fzymgc-house/cluster/cloudflared/tunnels/fzymgc-house-main

Worker Deployment Fails

    # Check Worker exists
    curl -X GET "https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID/workers/scripts" \
      -H "Authorization: Bearer $(vault kv get -field=token secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token)"

See Also

  • HCP Terraform Operations - Webhook notifications
  • Tunnel connector: argocd/app-configs/cloudflared-main/
  • Worker code: cloudflare/workers/hcp-terraform-discord/