1# Terraform Configuration Reference
2 
3Complete resource configurations for Cloudflare infrastructure.
4 
5## Zone & DNS
6 
7```hcl
8# Zone + settings
9resource "cloudflare_zone" "example" { account = { id = var.account_id }; name = "example.com"; type = "full" }
10resource "cloudflare_zone_settings_override" "example" {
11  zone_id = cloudflare_zone.example.id
12  settings { ssl = "strict"; always_use_https = "on"; min_tls_version = "1.2"; tls_1_3 = "on"; http3 = "on" }
13}
14 
15# DNS records (A, CNAME, MX, TXT)
16resource "cloudflare_dns_record" "www" {
17  zone_id = cloudflare_zone.example.id; name = "www"; content = "192.0.2.1"; type = "A"; proxied = true
18}
19resource "cloudflare_dns_record" "mx" {
20  for_each = { "10" = "mail1.example.com", "20" = "mail2.example.com" }
21  zone_id = cloudflare_zone.example.id; name = "@"; content = each.value; type = "MX"; priority = each.key
22}
23```
24 
25## Workers
26 
27### Simple Pattern (Legacy - Still Works)
28 
29```hcl
30resource "cloudflare_workers_script" "api" {
31  account_id = var.account_id; name = "api-worker"; content = file("worker.js")
32  module = true; compatibility_date = "2025-01-01"
33  kv_namespace_binding { name = "KV"; namespace_id = cloudflare_workers_kv_namespace.cache.id }
34  r2_bucket_binding { name = "BUCKET"; bucket_name = cloudflare_r2_bucket.assets.name }
35  d1_database_binding { name = "DB"; database_id = cloudflare_d1_database.app.id }
36  secret_text_binding { name = "SECRET"; text = var.secret }
37}
38```
39 
40### Gradual Rollouts (Recommended for Production)
41 
42```hcl
43resource "cloudflare_worker" "api" { account_id = var.account_id; name = "api-worker" }
44resource "cloudflare_worker_version" "api_v1" {
45  account_id = var.account_id; worker_name = cloudflare_worker.api.name
46  content = file("worker.js"); content_sha256 = filesha256("worker.js")
47  compatibility_date = "2025-01-01"
48  bindings {
49    kv_namespace { name = "KV"; namespace_id = cloudflare_workers_kv_namespace.cache.id }
50    r2_bucket { name = "BUCKET"; bucket_name = cloudflare_r2_bucket.assets.name }
51  }
52}
53resource "cloudflare_workers_deployment" "api" {
54  account_id = var.account_id; worker_name = cloudflare_worker.api.name
55  versions { version_id = cloudflare_worker_version.api_v1.id; percentage = 100 }
56}
57```
58 
59### Worker Binding Types (v5)
60 
61| Binding | Attribute | Example |
62|---------|-----------|---------|
63| KV | `kv_namespace_binding` | `{ name = "KV", namespace_id = "..." }` |
64| R2 | `r2_bucket_binding` | `{ name = "BUCKET", bucket_name = "..." }` |
65| D1 | `d1_database_binding` | `{ name = "DB", database_id = "..." }` |
66| Service | `service_binding` | `{ name = "AUTH", service = "auth-worker" }` |
67| Secret | `secret_text_binding` | `{ name = "API_KEY", text = "..." }` |
68| Queue | `queue_binding` | `{ name = "QUEUE", queue_name = "..." }` |
69| Vectorize | `vectorize_binding` | `{ name = "INDEX", index_name = "..." }` |
70| Hyperdrive | `hyperdrive_binding` | `{ name = "DB", id = "..." }` |
71| AI | `ai_binding` | `{ name = "AI" }` |
72| Browser | `browser_binding` | `{ name = "BROWSER" }` |
73| Analytics | `analytics_engine_binding` | `{ name = "ANALYTICS", dataset = "..." }` |
74| mTLS | `mtls_certificate_binding` | `{ name = "CERT", certificate_id = "..." }` |
75 
76### Routes & Triggers
77 
78```hcl
79resource "cloudflare_worker_route" "api" {
80  zone_id = cloudflare_zone.example.id; pattern = "api.example.com/*"
81  script_name = cloudflare_workers_script.api.name
82}
83resource "cloudflare_worker_cron_trigger" "task" {
84  account_id = var.account_id; script_name = cloudflare_workers_script.api.name
85  schedules = ["*/5 * * * *"]
86}
87```
88 
89## Storage (KV, R2, D1)
90 
91```hcl
92# KV
93resource "cloudflare_workers_kv_namespace" "cache" { account_id = var.account_id; title = "cache" }
94resource "cloudflare_workers_kv" "config" {
95  account_id = var.account_id; namespace_id = cloudflare_workers_kv_namespace.cache.id
96  key_name = "config"; value = jsonencode({ version = "1.0" })
97}
98 
99# R2
100resource "cloudflare_r2_bucket" "assets" { account_id = var.account_id; name = "assets"; location = "WNAM" }
101 
102# D1 (migrations via wrangler) & Queues
103resource "cloudflare_d1_database" "app" { account_id = var.account_id; name = "app-db" }
104resource "cloudflare_queue" "events" { account_id = var.account_id; name = "events-queue" }
105```
106 
107## Pages
108 
109```hcl
110resource "cloudflare_pages_project" "site" {
111  account_id = var.account_id; name = "site"; production_branch = "main"
112  deployment_configs {
113    production {
114      compatibility_date = "2025-01-01"
115      environment_variables = { NODE_ENV = "production" }
116      kv_namespaces = { KV = cloudflare_workers_kv_namespace.cache.id }
117      d1_databases = { DB = cloudflare_d1_database.app.id }
118    }
119  }
120  build_config { build_command = "npm run build"; destination_dir = "dist" }
121  source { type = "github"; config { owner = "org"; repo_name = "site"; production_branch = "main" }}
122}
123 
124resource "cloudflare_pages_domain" "custom" {
125  account_id = var.account_id; project_name = cloudflare_pages_project.site.name; domain = "site.example.com"
126}
127```
128 
129## Rulesets (WAF, Redirects, Cache)
130 
131```hcl
132# WAF
133resource "cloudflare_ruleset" "waf" {
134  zone_id = cloudflare_zone.example.id; name = "WAF"; kind = "zone"; phase = "http_request_firewall_custom"
135  rules { action = "block"; enabled = true; expression = "(cf.client.bot) and not (cf.verified_bot)" }
136}
137 
138# Redirects
139resource "cloudflare_ruleset" "redirects" {
140  zone_id = cloudflare_zone.example.id; name = "Redirects"; kind = "zone"; phase = "http_request_dynamic_redirect"
141  rules {
142    action = "redirect"; enabled = true; expression = "(http.request.uri.path eq \"/old\")"
143    action_parameters { from_value { status_code = 301; target_url { value = "https://example.com/new" }}}
144  }
145}
146 
147# Cache rules
148resource "cloudflare_ruleset" "cache" {
149  zone_id = cloudflare_zone.example.id; name = "Cache"; kind = "zone"; phase = "http_request_cache_settings"
150  rules {
151    action = "set_cache_settings"; enabled = true; expression = "(http.request.uri.path matches \"\\.(jpg|png|css|js)$\")"
152    action_parameters { cache = true; edge_ttl { mode = "override_origin"; default = 86400 }}
153  }
154}
155```
156 
157## Load Balancers
158 
159```hcl
160resource "cloudflare_load_balancer_monitor" "http" {
161  account_id = var.account_id; type = "http"; path = "/health"; interval = 60; timeout = 5
162}
163resource "cloudflare_load_balancer_pool" "api" {
164  account_id = var.account_id; name = "api-pool"; monitor = cloudflare_load_balancer_monitor.http.id
165  origins { name = "api-1"; address = "192.0.2.1" }
166  origins { name = "api-2"; address = "192.0.2.2" }
167}
168resource "cloudflare_load_balancer" "api" {
169  zone_id = cloudflare_zone.example.id; name = "api.example.com"
170  default_pool_ids = [cloudflare_load_balancer_pool.api.id]; steering_policy = "geo"
171}
172```
173 
174## Access (Zero Trust)
175 
176```hcl
177resource "cloudflare_access_application" "admin" {
178  account_id = var.account_id; name = "Admin"; domain = "admin.example.com"; type = "self_hosted"
179  session_duration = "24h"; allowed_idps = [cloudflare_access_identity_provider.github.id]
180}
181resource "cloudflare_access_policy" "allow" {
182  account_id = var.account_id; application_id = cloudflare_access_application.admin.id
183  name = "Allow"; decision = "allow"; precedence = 1
184  include { email = ["[email protected]"] }
185}
186resource "cloudflare_access_identity_provider" "github" {
187  account_id = var.account_id; name = "GitHub"; type = "github"
188  config { client_id = var.github_id; client_secret = var.github_secret }
189}
190```
191 
192## See Also
193 
194- [README](./README.md) - Provider setup
195- [API](./api.md) - Data sources
196- [Patterns](./patterns.md) - Use cases
197- [Troubleshooting](./gotchas.md) - Issues
198