
📝Updated guide for Terraform Cloudflare tunnel

Open MugenTwo opened this issue 11 months ago • 1 comments

Available Documentation
A link to the documentation that is available today and the areas which could be improved: https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/deploy-tunnels/deployment-guides/terraform/#configure-cloudflare-resources

Suggested Documentation
The documentation is not updated to Terraform provider version 5.0.0.+

Additional context
I've been trying it on my own

resource "random_password" "tunnel_secret" {
  length = 64
}

resource "cloudflare_zero_trust_tunnel_cloudflared" "auto_tunnel" {
  account_id    = var.cloudflare_account_id
  name          = "test-auto-tunnel"
  tunnel_secret = base64sha256(random_password.tunnel_secret.result)
  config_src    = "local"
}

resource "cloudflare_zero_trust_tunnel_cloudflared_config" "auto_tunnel" {
  tunnel_id  = cloudflare_zero_trust_tunnel_cloudflared.auto_tunnel.id
  account_id = var.cloudflare_account_id
  source     = "local"
  config = {
    ingress = [
      {
        hostname = "log.${var.cloudflare_domain}"
        service  = "http://localhost:8082"
      },
      {
        service  = "http_status:404"
      }
    ]
  }
}

resource "cloudflare_dns_record" "my_dns" {
  zone_id = var.cloudflare_zone_id
  name    = "log.${var.cloudflare_domain}"
  content = "${cloudflare_zero_trust_tunnel_cloudflared.auto_tunnel.id}.cfargotunnel.com"
  type    = "CNAME"
  ttl     = 1
  proxied = true
}

and then I build the credentials.json in a helm chart values.yaml, so that later I can mount it to the cloudflare

{"AccountTag":"${account_tag}","TunnelSecret":"${tunnel_secret}","TunnelID": "${tunnel_id}"}

by doing:

resource "helm_release" "some-chart" {
  depends_on = [null_resource.fetch_kubeconfig, cloudflare_zero_trust_tunnel_cloudflared.auto_tunnel, cloudflare_zero_trust_tunnel_cloudflared_config.auto_tunnel]

  name = "somechart"
  namespace = "default"
  chart = "./somechart/chart"

  values = [templatefile("./somechart/values.yaml", {
    # cloudflare_secret = var.cloudflare_secret
    account_tag = cloudflare_zero_trust_tunnel_cloudflared.auto_tunnel.account_tag
    tunnel_secret = random_password.tunnel_secret.result
    tunnel_id = cloudflare_zero_trust_tunnel_cloudflared.auto_tunnel.id
    cloudflare_domain = var.cloudflare_domain
  })]
}

but then when my container running in Kubernetes runs, I get:

2025-02-15T03:51:37Z ERR Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared]. You need to specify the origin certificate path by specifying the origincert option in the configuration file, or set TUNNEL_ORIGIN_CERT environment variable originCertPath=
error parsing tunnel ID: Error locating origin cert: client didn't specify origincert path

On the other hand:

If I generate the JSON file using the CLI, it works:

cloudflared tunnel login
cloudflared tunnel create test-auto-tunnel

and then I get the JSON from the ~/.cloudflared/ directory.

and then I pass it to my kubernetes pod, it works perfectly. So, I think there is a missing step that I couldn't figure out from the terraform cloudflare tunnel creation.

MugenTwo avatar Feb 15 '25 08:02 MugenTwo
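
An added example, not part of the original issue or of Cloudflare's documentation: a pre-deployment check for a rendered credentials JSON of the shape shown above. cloudflared reads TunnelSecret as base64-encoded bytes (at least 32 once decoded), and it must be the same value that was registered as tunnel_secret. The function name, account tag, tunnel ID and passwords below are constructed for illustration.

```python
import base64
import binascii
import hashlib
import json
import uuid


def check_credentials(rendered: str, registered_secret_b64: str) -> list[str]:
    """Return the problems found in a rendered cloudflared credentials JSON."""
    try:
        creds = json.loads(rendered)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(creds, dict):
        return ["top level is not a JSON object"]
    problems = [f"{key} missing or empty"
                for key in ("AccountTag", "TunnelSecret", "TunnelID")
                if not isinstance(creds.get(key), str) or not creds[key]]
    if problems:
        return problems
    try:
        uuid.UUID(creds["TunnelID"])
    except ValueError:
        problems.append("TunnelID is not a UUID")
    try:
        # validate=True rejects characters outside the standard base64 alphabet
        secret = base64.b64decode(creds["TunnelSecret"], validate=True)
    except (binascii.Error, ValueError):
        problems.append("TunnelSecret is not standard base64")
        return problems
    if len(secret) < 32:
        problems.append("TunnelSecret decodes to fewer than 32 bytes")
    if secret != base64.b64decode(registered_secret_b64):
        problems.append("TunnelSecret differs from the registered tunnel_secret")
    return problems


def tf_base64sha256(value: str) -> str:
    """Python equivalent of Terraform's base64sha256()."""
    return base64.b64encode(hashlib.sha256(value.encode()).digest()).decode()


def render(secret: str) -> str:
    """Render the credentials JSON with constructed account and tunnel IDs."""
    return json.dumps({"AccountTag": "0123456789abcdef0123456789abcdef",
                       "TunnelSecret": secret,
                       "TunnelID": "11111111-2222-3333-4444-555555555555"})


if __name__ == "__main__":
    password = "x7!Qp#constructed-sample-password"  # constructed, not a real secret
    print(check_credentials(render(password), tf_base64sha256(password)))
    print(check_credentials(render(tf_base64sha256(password)), tf_base64sha256(password)))
```
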

Hey, can you assign me this issue? Do we need to edit the documentation in the given link?

Samarthasbhat avatar Jul 12 '25 13:07 Samarthasbhat