# Cloudflare Operations

Operational guide for Cloudflare DNS, Tunnels, and Workers.
## Quick Reference
| Property | Value |
|---|---|
| Domains | fzymgc.house (internal), fzymgc.net (webhooks) |
| Terraform Module | tf/cloudflare/ |
| API Token Path | secret/fzymgc-house/infrastructure/cloudflare/* |
| Tunnel Name | fzymgc-house-main |
| Worker | hcp-terraform-discord |
## Architecture

```
+----------------------------------------------------------------+
|                       Cloudflare Account                       |
+-----------------+-----------------+----------------------------+
|  fzymgc.house   |   fzymgc.net    |          Workers           |
| (internal DNS)  |   (webhooks)    |   (serverless functions)   |
+-----------------+-----------------+----------------------------+
|                       Zero Trust Tunnel                        |
|                      fzymgc-house-main                         |
+----------------------------------------------------------------+
```
## API Token Pattern

Currently a single bootstrap token with full operational permissions is used for both Terraform authentication and day-to-day operations.

Note: Cloudflare provider v5 has breaking changes to `cloudflare_api_token` that make Terraform-managed token creation unreliable. Once v5 stabilizes, a two-token pattern (bootstrap -> workload) will be introduced so that the long-lived bootstrap token is used only to mint narrowly scoped workload tokens.

| Token | Purpose | Permissions | Created By |
|---|---|---|---|
| Bootstrap | Terraform auth + operations | Full operational | Manual (once) |
### Vault Paths

| Path | Content |
|---|---|
| .../cloudflare/bootstrap-token | Bootstrap token for Terraform |
| .../cloudflare/discord-webhook | Discord webhook URL |
| .../cloudflare/hcp-terraform-hmac | HMAC secret for webhook validation |
## DNS Management

DNS records are managed via Terraform in `tf/cloudflare/`. Do not hand-edit managed records in the dashboard: the change shows up as drift and is reverted on the next apply.

### Add DNS Record

1. Edit `tf/cloudflare/tunnel.tf` and add the record resource (see `cloudflare_dns_record.webhook_services` for the pattern).
2. Submit a PR and merge.
3. HCP Terraform applies the change.
### Common Record Types
| Type | Use Case |
|---|---|
| A | Direct IP mapping |
| CNAME | Alias to another record |
| TXT | Verification, SPF |
## Cloudflare Tunnel

The tunnel (`fzymgc-house-main`) gives external access to in-cluster services without exposing origin IPs or opening inbound firewall ports: the `cloudflared` connector dials out to Cloudflare's edge, and traffic is relayed back over that outbound connection.

### Architecture

### Managed Services

Services exposed via the tunnel are configured in Kubernetes ingress; the `cloudflared` connector itself is deployed from `argocd/app-configs/cloudflared-main/`.
## Workers

### HCP Terraform Discord Worker

Transforms HCP Terraform notification webhooks into Discord embeds.

| Property | Value |
|---|---|
| Code | cloudflare/workers/hcp-terraform-discord/worker.js |
| Terraform | tf/cloudflare/workers.tf |
| Secrets | DISCORD_WEBHOOK_URL, HMAC_SECRET |

HMAC Validation: When `HMAC_SECRET` is configured, the Worker validates the `X-TFE-Notification-Signature` header (an HMAC-SHA512 of the raw request body, keyed with the notification token configured in HCP Terraform) and rejects requests with a missing or invalid signature with 401. Because validation is skipped when `HMAC_SECRET` is unset, treat the secret as mandatory: without it, anyone who learns the Worker URL can post arbitrary embeds to the Discord channel.
## Common Operations

### Bootstrap Token Setup (One-Time)

1. Create the token in the Cloudflare Dashboard: API Tokens > Create Token > Create Custom Token, with permissions:
    - Account > Workers Scripts > Edit
    - Account > Cloudflare Tunnel > Edit
    - Account > Account Settings > Read
    - Zone > DNS > Edit
    - Zone > Zone > Read
2. Account/Zone Resources: include your account and all zones (or, for least privilege, only fzymgc.house and fzymgc.net, the two zones this setup manages).
3. Store the token in Vault at `secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token` in the `token` field, which is the field the troubleshooting commands below read.
4. Apply Terraform: merge the change to `tf/cloudflare/` and let HCP Terraform run the plan and apply.
### Apply Order

1. `tf/vault`: creates the HMAC secret.
2. `tf/cloudflare`: deploys the Worker with the HMAC secret bound (the workload-token step is deferred until the provider v5 `cloudflare_api_token` issue is resolved; see API Token Pattern).
3. HCP Terraform UI: paste the same HMAC secret into the notification configuration's token field so that HCP Terraform signs each webhook with it.
## Troubleshooting

### DNS Not Resolving

1. Check propagation: `dig @1.1.1.1 service.fzymgc.house`
2. Verify the record exists in Terraform state.
3. Check the Cloudflare dashboard.

### Token Authentication Errors

Cause: the API token is missing required permissions, or has been rolled or revoked.

Fix:

1. Check that the bootstrap token has all the permissions listed under Bootstrap Token Setup. Cloudflare's `GET /client/v4/user/tokens/verify` endpoint reports whether a token is active.
2. Verify the token is stored correctly in Vault at `secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token` (field `token`).
### Tunnel Not Connecting

```bash
# Check tunnel status
kubectl -n cloudflared get pods
kubectl -n cloudflared logs -l app.kubernetes.io/name=cloudflared

# Verify credentials in Vault
vault kv get secret/fzymgc-house/cluster/cloudflared/tunnels/fzymgc-house-main
```
### Worker Deployment Fails

```bash
# Check the Worker exists (replace ACCOUNT_ID with the Cloudflare account ID)
curl -X GET "https://api.cloudflare.com/client/v4/accounts/ACCOUNT_ID/workers/scripts" \
  -H "Authorization: Bearer $(vault kv get -field=token secret/fzymgc-house/infrastructure/cloudflare/bootstrap-token)"
```
## See Also

- HCP Terraform Operations - Webhook notifications
- Tunnel connector: `argocd/app-configs/cloudflared-main/`
- Worker code: `cloudflare/workers/hcp-terraform-discord/`