Getting started with Terraform and Cloudflare (Part 1 of 2)

In this tutorial, you'll learn how to configure a basic website using Terraform and Cloudflare. You'll start by setting up your domain with Cloudflare, then use Terraform to manage DNS records for the domain. Next, you'll configure some optional HTTPS settings on your zone using Terraform. Finally, you'll add a rate limiting rule to protect your website from brute force login attempts. To follow along with this tutorial, you should have an existing Cloudflare account and domain registered with them. You will also need the Terraform CLI installed on your system. 1. Create a new GitHub repository for your configuration files. 2. Clone the repository to your local machine: ```bash git clone https://github.com/$GITHUB_USER/cf-config.git cd cf-config ``` 3. Initialize Terraform in the new directory: ```bash terraform init ``` 4. Create a `variables.tf` file with the following content: ```hcl variable "domain" { description = "The domain name to configure." } ``` 5. Update your `main.tf` file to include the Cloudflare provider and DNS record creation: ```hcl provider "cloudflare" { email = var.CLOUDFLARE_EMAIL api_key = var.CLOUDFLARE_API_KEY } resource "cloudflare_record" "www" { zone_id = data.cloudflare_zone.example-com.id name = "www" type = "CNAME" value = "upinatoms.com" ttl = 1 } ``` 6. Run `terraform apply` to create the DNS record: ```bash terraform apply --auto-approve ``` 7. Create a new branch and append the zone settings override: ```bash git checkout -b step2-zone-settings cat >> cloudflare.tf <<'EOF' resource "cloudflare_zone_settings_override" "example-com-settings" { name = "${var.domain}" settings { tls_1_3 = "on" always_use_https = "on" ssl = "full" waf = "on" } } EOF ``` 8. Preview and merge the changes: ```bash git add cloudflare.tf git commit -m "Step 2 - Enable TLS 1.3, Always Use HTTPS, SSL Full mode, and WAF." git checkout master && git merge step2-zone-settings && git push ``` 9. Apply the updated zone settings: ```bash terraform apply --auto-approve ``` 10. Create a new branch and append the rate limiting settings: ```bash git checkout -b step4-ratelimit cat >> cloudflare.cf <<'EOF' resource "cloudflare_rate_limit" "login-limit" { zone = "${var.domain}" threshold = 5 period = 60 match { request { url_pattern = "${var.domain}/login" schemes = ["HTTP", "HTTPS"] methods = ["POST"] } response { statuses = [401, 403] origin_traffic = true } } action { mode = "simulate" timeout = 300 response { content_type = "text/plain" body = "You have failed to login 5 times in a 60 second period and will be blocked from attempting to login again for the next 5 minutes." } } disabled = false description = "Block failed login attempts (5 in 1 min) for 5 minutes." } EOF ``` 11. Preview and merge the changes: ```bash git add cloudflare.tf git commit -m "Step 4 - Add rate limiting rule to protect /login." git checkout master && git merge step4-ratelimit && git push ``` 12. Update the rule to ban (not just simulate): ```bash git checkout step4-ratelimit sed -i.bak -e 's/simulate/ban/' cloudflare.tf git diff git add cloudflare.tf git commit -m "Step 4 - Update /login rate limit rule from 'simulate' to 'ban'." git checkout master && git merge step4-ratelimit && git push ``` 13. Confirm the rule works as expected: ```bash for i in {1..6}; do curl -XPOST -d '{"username": "foo", "password": "bar"}' -vso /dev/null https://www.example.com/login 2>&1 | grep "< HTTP"; sleep 1; done ``` That's it for today! Stay tuned next week for part 2 of this post, where we continue the tour through the following resources and techniques: - Load Balancing Resource - Page Rules Resource - Reviewing and Rolling Back Changes - Importing Existing State and Configuration