Cloudflare provider for octoDNS
Project description
Cloudflare provider for octoDNS
An octoDNS provider that targets Cloudflare.
Installation
Command line
pip install octodns-cloudflare
requirements.txt/setup.py
Pinning specific versions or SHAs is recommended to avoid unplanned upgrades.
Versions
# Start with the latest versions and don't just copy what's here
octodns==0.9.14
octodns-cloudflare==0.0.1
SHAs
# Start with the latest/specific versions and don't just copy what's here
-e git+https://git@github.com/octodns/octodns.git@9da19749e28f68407a1c246dfdf65663cdc1c422#egg=octodns
-e git+https://git@github.com/octodns/octodns-cloudflare.git@ec9661f8b335241ae4746eea467a8509205e6a30#egg=octodns_cloudflare
Configuration
providers:
cloudflare:
class: octodns_cloudflare.CloudflareProvider
# Your Cloudflare account email address (not needed if using token)
# setting email along with an API Token will raise an error.
email: env/CLOUDFLARE_EMAIL
# The API Token or API Key.
# Required permissions for API Tokens are Zone:Read, DNS:Read and DNS:Edit.
# Page Rules:Edit is required for managing Page Rules (URLFWD) records.
token: env/CLOUDFLARE_TOKEN
# Optional. Filter by account ID in environments where a token has access
# across more than the permitted number of accounts allowed by Cloudflare.
account_id: env/CLOUDFLARE_ACCOUNT_ID
# Import CDN enabled records as CNAME to {}.cdn.cloudflare.net. Records
# ending at .cdn.cloudflare.net. will be ignored when this provider is
# not used as the source and the cdn option is enabled.
#
# See: https://support.cloudflare.com/hc/en-us/articles/115000830351
#cdn: false
# Manage Page Rules (URLFWD) records
# pagerules: true
# Optional. Define Cloudflare plan type for the zones. Default: free,
# options: free, pro, business, enterprise
#plan_type: free
# Optional. Default: 4. Number of times to retry if a 429 response
# is received.
#retry_count: 4
# Optional. Default: 0. Number of times to retry if a 403 response
# is received.
#auth_error_retry_count: 0
# Optional. Default: 300. Number of seconds to wait before retrying.
#retry_period: 300
# Optional. Default: 50. Number of zones per page.
#zones_per_page: 50
# Optional. Default: 100. Number of dns records per page.
#records_per_page: 100
# Optional. Default: 120. Lowest TTL allowed to be set.
# A different limit for (non-)enterprise zone applies.
# See: https://developers.cloudflare.com/dns/manage-dns-records/reference/ttl
#min_ttl: 120
# Optional. Default: 15. Timeout in seconds for API requests.
#timeout: 15
# Optional. Default: https://api.cloudflare.com/client/v4. API base URL for Cloudflare API requests.
#api_url: https://api.cloudflare.com/client/v4
Internal DNS zones (CloudflareInternalProvider)
Cloudflare Internal DNS (Enterprise, beta) hosts zones of type: "internal" whose records resolve only inside a private network via Cloudflare Gateway. CloudflareInternalProvider manages records inside pre-existing internal zones. Use it alongside CloudflareProvider so public and internal zones are each handled by the right provider instance:
providers:
cloudflare:
class: octodns_cloudflare.CloudflareProvider
token: env/CLOUDFLARE_TOKEN
account_id: env/CLOUDFLARE_ACCOUNT_ID
cloudflare_internal:
class: octodns_cloudflare.CloudflareInternalProvider
token: env/CLOUDFLARE_TOKEN
# Required. Internal DNS views are account-scoped.
account_id: env/CLOUDFLARE_ACCOUNT_ID
# Optional. Narrow zone enumeration to a single DNS view. Set this when
# two internal zones in the account share a name across different views
# (allowed by Cloudflare); the provider will otherwise raise at populate
# time listing the duplicate zone_ids.
#view_id: env/CLOUDFLARE_VIEW_ID
zones:
corp.internal.tests.:
sources: [config]
targets: [cloudflare_internal]
Notes and constraints:
- Zones must pre-exist in Cloudflare. The provider does not auto-create internal zones (create them in the dashboard or via
POST /zoneswithtype: "internal", then link to a view). - Not supported (
cdn,pagerules,plan_type) — passing any of these toCloudflareInternalProviderraises an error. Cloudflare internal zones have no proxy, no pagerules, and no plan tier. - Root NS records are stripped before apply, with a warning logged. Internal zones have no nameservers (Cloudflare Gateway resolves them directly), so root NS records are never meaningful on this zone type. You can leave
NSrecords in a shared YAML source without reconfiguringstrict_supports. - Zone enumeration is hybrid by default: the provider takes the union of
GET /zones?account.id=…(filtered totype=="internal") and a walk of the account's DNS views (GET /accounts/{account_id}/dns_settings/views→ each view'szones[]→GET /zones/{zone_id}to hydrate names). Settingview_idnarrows enumeration to a single view. - Required token scopes: Account: DNS Views (Edit), Account: Account Settings (Edit), Zone: Zone (Read), Zone: DNS (Edit), Zone: DNS Settings (Edit). Include the account in Account Resources and the internal zones in Zone Resources.
- Cross-instance collisions are user-owned: if a zone is linked to multiple views and you register both views with octoDNS, both providers write to the same underlying zone. Split your octoDNS config so each zone is managed by exactly one provider.
Note: The "proxied" flag of "A", "AAAA" and "CNAME" records can be managed via the YAML provider like so:
name:
octodns:
cloudflare:
proxied: true
# auto-ttl true is implied by proxied true, but can be explicitly
# configured to be more complete
#auto-ttl: true
# with proxied=true, the TTL here will be ignored by CloudflareProvider
ttl: 120
type: A
value: 1.2.3.4
Note: All record types support "auto" ttl, which is effectively equivalent to 300s.
name:
octodns:
cloudflare:
auto-ttl: true
# with proxied=true, the TTL here will be ignored by CloudflareProvider
ttl: 120
type: A
value: 1.2.3.4
Note: All record types also support tagging, which can be combined with the tag processor to support advanced filtering scenarios.
name:
octodns:
cloudflare:
tags:
- "managed-by:terraform"
- "team:engineering"
ttl: 120
type: A
value: 1.2.3.4
Support Information
Records
CloudflareProvider supports A, AAAA, ALIAS, CAA, CNAME, DS, LOC, MX, NAPTR, NS, PTR, SPF, SRV, SSHFP, TXT, and URLFWD. There are restrictions on CAA tag support.
Root NS Records
CloudflareProvider does not supports root NS record management. They can partially be managed in the API, errors are thrown if you include the Cloudflare name servers in the values, but the system completely ignores the values set and serves up its own regardless.
Dynamic
CloudflareProvider does not support dynamic records.
Required API Token Permissions
Required Permissions for API Token are Zone:Read, DNS:Read, and DNS:Edit.
Page Rules:Edit is also required for managing Page Rules (URLFWD) records, otherwise an authentication error will be raised.
Important Note: When using a CloudFlare token you should NOT provide an email address or you will receive an error.
An example when using Page Rules (URLFWD) records -
TTL
Cloudflare has a different minimum TTL for enterprise and non-enterprise zones. See the documentation for more information. In the past the CloudflareProvider had a fixed minimum TTL set to 120 seconds and for backwards compatibility this is the current default.
Processors
| Processor | Description |
|---|---|
| ProxyCNAME | Allows Cloudflare proxied records to be used on other providers without exposing the proxied record value. Points other providers to the relevant .cdn.cloudflare.net subdomain. Useful to allow split authority with a secondary provider while still retaining Cloudflare benefits for certain records. |
| TagAllowListFilter | Filter that ONLY manages records with the specified tags, all others will be ignored. Useful for grouping records across zones (e.g. by team, department) so that they can be managed independently. |
| TagRejectListFilter | Filter that IGNORES records with the specified tags, all others will be managed. Useful for filtering out specific records that are that are managed externally (e.g. through Terraform). |
| TtlToProxy | Ensure Cloudflare's proxy status is setup depending on the TTL set for the record. This can be helpful for octodns_bind.ZoneFileSource or the like. |
Developement
See the /script/ directory for some tools to help with the development process. They generally follow the Script to rule them all pattern. Most useful is ./script/bootstrap which will create a venv and install both the runtime and development related requirements. It will also hook up a pre-commit hook that covers most of what's run by CI.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file octodns_cloudflare-1.2.0.tar.gz.
File metadata
- Download URL: octodns_cloudflare-1.2.0.tar.gz
- Upload date:
- Size: 43.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d33cd8db5cea0097bb60c8b1c107edf5de1651a8fdf0879e2bbfb7122e979c77
|
|
| MD5 |
398be6925f507df2ea8386f9c775270c
|
|
| BLAKE2b-256 |
6ddc518e48e615bbcbabea274e0b802ee8a5ac2fb6360680ff0e249c86bfcc0e
|
File details
Details for the file octodns_cloudflare-1.2.0-py3-none-any.whl.
File metadata
- Download URL: octodns_cloudflare-1.2.0-py3-none-any.whl
- Upload date:
- Size: 21.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4fc1a119890494a950997360d534e7e1c133b17228227570881327d6cfcf7391
|
|
| MD5 |
ba52a9f2da28156cf8433d6a2ae45831
|
|
| BLAKE2b-256 |
16585320a82c6fbc14f2442efb68ac0c8760a8b0a9ad9153b7a4898e50507a81
|