provider-cloudflare is a Crossplane provider that
is built using Upjet code
generation tools and exposes XRM-conformant managed resources for the
Cloudflare API.
Install the provider by using the following command after changing the image tag to the latest release:
up ctp provider install chezmoi-sh/provider-cloudflare:v0.1.0
Alternatively, you can use declarative installation:
cat <<EOF | kubectl apply -f -
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-cloudflare
spec:
package: chezmoi-sh/provider-cloudflare:v0.1.0
EOF
Notice that in this example Provider resource is referencing ControllerConfig with debug enabled.
You can see the API reference here.
Table below shows the resources that are currently supported by the provider, their relation with the Cloudflare Terraform provider and their status.
Note
Possible statuses are:
- ✅: Supported and automatically tested through E2E
- 🛂: Supported but manually tested
⚠️ : Supported but not tested- 🔲: Unsupported / Not implemented
- 🚫: Deprecated
| Status | API Group | Kind | Terraform Equivalent |
|---|---|---|---|
| ✅ | account.cloudflare.crossplane.io | APIToken | cloudflare_api_token |
| 🛂 | account.cloudflare.crossplane.io | Account | cloudflare_account |
| ✅ | dns.cloudflare.crossplane.io | DNSSEC | cloudflare_zone_dnssec |
| ✅ | dns.cloudflare.crossplane.io | Record | cloudflare_record |
| 🛂 | zone.cloudflare.crossplane.io | Zone | cloudflare_zone |
| 🔲 | cloudflare_access_rule | ||
| 🔲 | cloudflare_account_member | ||
| 🔲 | cloudflare_address_map | ||
| 🔲 | cloudflare_api_shield_operation_schema_validation_settings | ||
| 🔲 | cloudflare_api_shield_operation | ||
| 🔲 | cloudflare_api_shield_schema_validation_settings | ||
| 🔲 | cloudflare_api_shield_schema | ||
| 🔲 | cloudflare_api_shield | ||
| 🔲 | cloudflare_argo | ||
| 🔲 | cloudflare_authenticated_origin_pulls_certificate | ||
| 🔲 | cloudflare_authenticated_origin_pulls | ||
| 🔲 | cloudflare_bot_management | ||
| 🔲 | cloudflare_byo_ip_prefix | ||
| 🔲 | cloudflare_certificate_pack | ||
| 🔲 | cloudflare_cloud_connector_rules | ||
| 🔲 | cloudflare_custom_hostname_fallback_origin | ||
| 🔲 | cloudflare_custom_hostname | ||
| 🔲 | cloudflare_custom_pages | ||
| 🔲 | cloudflare_custom_ssl | ||
| 🔲 | cloudflare_d1_database | ||
| 🔲 | cloudflare_email_routing_address | ||
| 🔲 | cloudflare_email_routing_catch_all | ||
| 🔲 | cloudflare_email_routing_rule | ||
| 🔲 | cloudflare_email_routing_settings | ||
| 🔲 | cloudflare_healthcheck | ||
| 🔲 | cloudflare_hostname_tls_setting_ciphers | ||
| 🔲 | cloudflare_hostname_tls_setting | ||
| 🔲 | cloudflare_hyperdrive_config | ||
| 🔲 | cloudflare_infrastructure_access_target | ||
| 🔲 | cloudflare_keyless_certificate | ||
| 🔲 | cloudflare_list_item | ||
| 🔲 | cloudflare_list | ||
| 🔲 | cloudflare_load_balancer_monitor | ||
| 🔲 | cloudflare_load_balancer_pool | ||
| 🔲 | cloudflare_load_balancer | ||
| 🔲 | cloudflare_logpull_retention | ||
| 🔲 | cloudflare_logpush_job | ||
| 🔲 | cloudflare_logpush_ownership_challenge | ||
| 🔲 | cloudflare_magic_firewall_ruleset | ||
| 🔲 | cloudflare_magic_wan_gre_tunnel | ||
| 🔲 | cloudflare_magic_wan_ipsec_tunnel | ||
| 🔲 | cloudflare_magic_wan_static_route | ||
| 🔲 | cloudflare_managed_headers | ||
| 🔲 | cloudflare_mtls_certificate | ||
| 🔲 | cloudflare_notification_policy_webhooks | ||
| 🔲 | cloudflare_notification_policy | ||
| 🔲 | cloudflare_observatory_scheduled_test | ||
| 🔲 | cloudflare_origin_ca_certificate | ||
| 🔲 | cloudflare_page_rule | ||
| 🔲 | cloudflare_pages_domain | ||
| 🔲 | cloudflare_pages_project | ||
| 🔲 | cloudflare_queue | ||
| 🔲 | cloudflare_r2_bucket | ||
| 🔲 | cloudflare_regional_hostname | ||
| 🔲 | cloudflare_regional_tiered_cache | ||
| 🔲 | cloudflare_risk_behavior | ||
| 🔲 | cloudflare_ruleset | ||
| 🔲 | cloudflare_spectrum_application | ||
| 🔲 | cloudflare_tiered_cache | ||
| 🔲 | cloudflare_total_tls | ||
| 🔲 | cloudflare_turnstile_widget | ||
| 🔲 | cloudflare_url_normalization_settings | ||
| 🔲 | cloudflare_user_agent_blocking_rule | ||
| 🔲 | cloudflare_waiting_room_event | ||
| 🔲 | cloudflare_waiting_room_rules | ||
| 🔲 | cloudflare_waiting_room_settings | ||
| 🔲 | cloudflare_waiting_room | ||
| 🔲 | cloudflare_web3_hostname | ||
| 🔲 | cloudflare_web_analytics_rule | ||
| 🔲 | cloudflare_web_analytics_site | ||
| 🔲 | cloudflare_workers_cron_trigger | ||
| 🔲 | cloudflare_workers_domain | ||
| 🔲 | cloudflare_workers_for_platforms_dispatch_namespace | ||
| 🔲 | cloudflare_workers_for_platforms_namespace | ||
| 🔲 | cloudflare_workers_kv_namespace | ||
| 🔲 | cloudflare_workers_kv | ||
| 🔲 | cloudflare_workers_route | ||
| 🔲 | cloudflare_workers_script | ||
| 🔲 | cloudflare_workers_secret | ||
| 🔲 | cloudflare_zero_trust_access_application | ||
| 🔲 | cloudflare_zero_trust_access_custom_page | ||
| 🔲 | cloudflare_zero_trust_access_group | ||
| 🔲 | cloudflare_zero_trust_access_identity_provider | ||
| 🔲 | cloudflare_zero_trust_access_mtls_certificate | ||
| 🔲 | cloudflare_zero_trust_access_mtls_hostname_settings | ||
| 🔲 | cloudflare_zero_trust_access_organization | ||
| 🔲 | cloudflare_zero_trust_access_policy | ||
| 🔲 | cloudflare_zero_trust_access_service_token | ||
| 🔲 | cloudflare_zero_trust_access_short_lived_certificate | ||
| 🔲 | cloudflare_zero_trust_access_tag | ||
| 🔲 | cloudflare_zero_trust_device_certificates | ||
| 🔲 | cloudflare_zero_trust_device_managed_networks | ||
| 🔲 | cloudflare_zero_trust_device_posture_integration | ||
| 🔲 | cloudflare_zero_trust_device_posture_rule | ||
| 🔲 | cloudflare_zero_trust_device_profiles | ||
| 🔲 | cloudflare_zero_trust_dex_test | ||
| 🔲 | cloudflare_zero_trust_dlp_profile | ||
| 🔲 | cloudflare_zero_trust_dns_location | ||
| 🔲 | cloudflare_zero_trust_gateway_certificate | ||
| 🔲 | cloudflare_zero_trust_gateway_policy | ||
| 🔲 | cloudflare_zero_trust_gateway_proxy_endpoint | ||
| 🔲 | cloudflare_zero_trust_gateway_settings | ||
| 🔲 | cloudflare_zero_trust_key_access_key_configuration | ||
| 🔲 | cloudflare_zero_trust_list | ||
| 🔲 | cloudflare_zero_trust_local_fallback_domain | ||
| 🔲 | cloudflare_zero_trust_risk_behavior | ||
| 🔲 | cloudflare_zero_trust_risk_score_integration | ||
| 🔲 | cloudflare_zero_trust_split_tunnel | ||
| 🔲 | cloudflare_zero_trust_tunnel_cloudflared_config | ||
| 🔲 | cloudflare_zero_trust_tunnel_cloudflared | ||
| 🔲 | cloudflare_zero_trust_tunnel_route | ||
| 🔲 | cloudflare_zero_trust_tunnel_virtual_network | ||
| 🔲 | cloudflare_zone_cache_reserve | ||
| 🔲 | cloudflare_zone_cache_variants | ||
| 🔲 | cloudflare_zone_hold | ||
| 🔲 | cloudflare_zone_lockdown | ||
| 🔲 | cloudflare_zone_settings_override | ||
| 🚫 | cloudflare_access_application | ||
| 🚫 | cloudflare_access_ca_certificate | ||
| 🚫 | cloudflare_access_custom_page | ||
| 🚫 | cloudflare_access_group | ||
| 🚫 | cloudflare_access_identity_provider | ||
| 🚫 | cloudflare_access_keys_configuration | ||
| 🚫 | cloudflare_access_mutual_tls_certificate | ||
| 🚫 | cloudflare_access_mutual_tls_hostname_settings | ||
| 🚫 | cloudflare_access_organization | ||
| 🚫 | cloudflare_access_policy | ||
| 🚫 | cloudflare_access_service_token | ||
| 🚫 | cloudflare_access_tag | ||
| 🚫 | cloudflare_device_dex_test | ||
| 🚫 | cloudflare_device_managed_networks | ||
| 🚫 | cloudflare_device_policy_certificates | ||
| 🚫 | cloudflare_device_posture_integration | ||
| 🚫 | cloudflare_device_posture_rule | ||
| 🚫 | cloudflare_device_settings_policy | ||
| 🚫 | cloudflare_dlp_profile | ||
| 🚫 | cloudflare_fallback_domain | ||
| 🚫 | cloudflare_filter | ||
| 🚫 | cloudflare_firewall_rule | ||
| 🚫 | cloudflare_gre_tunnel | ||
| 🚫 | cloudflare_ipsec_tunnel | ||
| 🚫 | cloudflare_rate_limit | ||
| 🚫 | cloudflare_split_tunnel | ||
| 🚫 | cloudflare_static_route | ||
| 🚫 | cloudflare_teams_account | ||
| 🚫 | cloudflare_teams_list | ||
| 🚫 | cloudflare_teams_location | ||
| 🚫 | cloudflare_teams_proxy_endpoint | ||
| 🚫 | cloudflare_teams_rule | ||
| 🚫 | cloudflare_tunnel_config | ||
| 🚫 | cloudflare_tunnel_route | ||
| 🚫 | cloudflare_tunnel_virtual_network | ||
| 🚫 | cloudflare_tunnel | ||
| 🚫 | cloudflare_worker_cron_trigger | ||
| 🚫 | cloudflare_worker_domain | ||
| 🚫 | cloudflare_worker_route | ||
| 🚫 | cloudflare_worker_script | ||
| 🚫 | cloudflare_worker_secret |
In order to provide a better experience for the developers, this provider uses a Nix Flake
to manage the development environment.
If you are familiar with direnv and you have Nix installed,
all you need is to allow the .envrc file to be loaded by direnv and everything will be set up for you.
Note
For other users, I will create a Devcontainer for this project in the future.
Here is a step-by-step guide to get you started:
# Clone the repository and go to the project directory
git clone /~https://github.com/chezmoi-sh/provider-cloudflare
cd provider-cloudflare
# Allow the .envrc file to be loaded (will be slow the first time)
direnv allow
# Install the dependencies
make submodulesNow, everything is set up and you can start developing.
Like other Crossplane providers, this provider uses the Upjet code generation tools to generate the code
for the resources, based on the Terraform provider.
However, because the Terraform provider for Cloudflare is a massive project (150+ resources), I decided to
use an intermediate step to generate the code for the resources.
This intermediate step is a Go program that takes an inventory of resources and generates the Go code for all resources.
Important
As this program is not perfect, if a resource needs some customization, you will need to update the program to add the necessary logic.
So, here is a step-by-step guide to add a new resource:
- Add the resource to the inventory file, inside the
supportedsection.
NOTE: Everything we need to know about the structure of the resource is in the inventory file it-self, at the beginning of the file. - Run
make provider-cloudflare.generateto generate the Go files containing the resource configuration. - Run
make generateto generate the provider code. - Add examples and tests for the new resource, inside the
examplesdirectory. - Run
make e2eto test the new resource. - Update the Resources Reference and Status table in the README file.
- Create a pull request.
Important
This repository uses the Gitmoji convention for commit messages and uses Trunk to format and lint the code.
Note
I've tried to automate as much as possible without leaving the dev experience provided by Upjet and its documentation; apart from the Go code generation part, everything else follows the official documentation.
- Publish the provider to the Crossplane marketplace through the Github Actions workflow
- Make it publicly available in the Crossplane marketplace
- Add Devcontainer for people who don't use Nix
- Configure Renovate to improve how it updates the dependencies (grouping with logical changes, updating dependencies that are cross-referenced by the CI and the Makefile)
- Add some checks to the CI to ensure that all changes follow the guidelines
For filing bugs, suggesting improvements, or requesting new features, please open an issue.
This provider is mainly inspired by the one created by cdloh,
which is much more complete and feature-rich than this one (for now at least).
The main reason for creating this provider was to learn how to create a Crossplane provider and to have a provider
that is more aligned with the way resources are displayed inside the Cloudflare dashboard. For example, the DNSSEC
resource should be a DNS resource and not a zone resource.
The other reason is that I wanted to have a provider that is easier to maintain through code generation, which will
simplify the migration from v4 to v5 of Cloudflare's official terraform provider.
This provider is released under the Apache 2.0 license. See the LICENSE file for more details.