terraform-provider-cloudflare

Change DCV method on the apex domain of a CNAME configured zone

Open mwheeler-ep opened this issue 4 years ago • 2 comments

Current Terraform and Cloudflare provider version

Terraform v1.0.0
on windows_amd64
+ provider registry.terraform.io/cloudflare/cloudflare v2.23.0
+ provider registry.terraform.io/hashicorp/aws v3.48.0

Description

Looking at the documentation, I can't seem to find any way to change the DCV method on the apex of our zone to the CNAME method when using the partial zone configuration, as described here: https://developers.cloudflare.com/ssl/edge-certificates/universal-ssl/changing-dcv-method

Use cases

Domains in partial configuration that require universal SSL configuration but can't use the HTTP method.

Potential Terraform configuration


# Partial (CNAME setup) zone: DNS stays with the third-party provider, so HTTP DCV
# for the apex cannot be answered by Cloudflare.
resource "cloudflare_zone" "apex" {
  zone = var.domain_name
  type = "partial" # CNAME mode
  plan = "enterprise"
}

resource "cloudflare_zone_settings_override" "apex" {
  zone_id = cloudflare_zone.apex.id
  settings {
    ssl              = "strict"
    min_tls_version  = "1.2"
    always_use_https = "on"
    dcv_method       = "cname" # this likely isn't the right place for this but I have no idea where... it's possible that this might fit better under the record?
  }
}

# in my experience you require a record for the apex, even if it's not used, to generate the certificate pack uuid to validate
resource "cloudflare_record" "apex" {
  zone_id = cloudflare_zone.apex.id

  type    = "CNAME"
  proxied = true

  name  = var.domain_name
  value = "example.org"
}

References

#1052 is related in that once the DCV method has been changed we would need to know the CNAME details to configure in third party DNS provider

mwheeler-ep avatar Jul 14 '21 04:07 mwheeler-ep

this will need to be added to cloudflare-go before we can add support for swapping/exposing the DCV method on this resource.

jacobbednarz avatar Jul 19 '21 00:07 jacobbednarz

Hey @jacobbednarz, I was thinking about trying to implement something that resolves this issue but I'd like some guidance on how this could be designed. I don't think my original comment of setting dcv_method in cloudflare_zone_settings_override is the right place for it, as you might want to change specific subdomains' verification methods.

Would something like cloudflare_certificate_pack_override make more sense, similar to cloudflare_zone_settings_override, e.g.:

resource "cloudflare_certificate_pack_override" "main" {
   zone_id = cloudflare_zone.apex.id
   cert_pack_uuid = data.something.something // A data resource or new attributes might need to be created for this
   validation_method = "cname"
}

TheSkorm avatar Aug 03 '21 02:08 TheSkorm
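The two API calls that either of the proposals above (the zone-settings attribute in the issue body and the cloudflare_certificate_pack_override resource in the comment) would have to wrap, as an added example that is not part of this thread and not code from terraform-provider-cloudflare. It lists the zone's certificate packs, PATCHes the selected pack's validation_method to "cname", and extracts the CNAME name/target that must be published at the third-party DNS provider (the detail #1052 asks to expose). The endpoint paths and JSON field names follow the "Changing DCV method" page linked in the issue; treat them, and the constructed sample response, as assumptions to verify against the current API reference.

```python
"""Switch the apex certificate pack of a partial (CNAME) zone to CNAME DCV.

Added example, not code from this issue or from terraform-provider-cloudflare.
Endpoints assumed from the Cloudflare "Changing DCV method" docs:
  GET   /zones/{zone_id}/ssl/verification                    list certificate packs
  PATCH /zones/{zone_id}/ssl/verification/{cert_pack_uuid}   set validation_method
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
VALID_METHODS = ("http", "cname", "txt")

# Constructed sample of a GET /zones/{zone_id}/ssl/verification response.
# UUID, record name and target are placeholders, not values Cloudflare issued.
SAMPLE_VERIFICATION = {
    "success": True,
    "errors": [],
    "result": [
        {
            "certificate_status": "pending_validation",
            "validation_method": "http",
            "cert_pack_uuid": "00000000-0000-4000-8000-000000000001",
            "verification_info": {
                "record_name": "_acme-challenge.example.com",
                "record_target": "dcv-placeholder.example.net",
            },
        }
    ],
}


def select_cert_pack(verification, cert_pack_uuid=None):
    """Pick the certificate pack to modify.

    With a UUID, match it exactly; without one, require exactly one pack that is
    still pending validation, the usual state of a fresh partial zone whose apex
    cannot pass HTTP DCV. Anything ambiguous is an error rather than a guess.
    """
    packs = verification.get("result", [])
    if cert_pack_uuid is not None:
        matches = [p for p in packs if p["cert_pack_uuid"] == cert_pack_uuid]
    else:
        matches = [p for p in packs if p["certificate_status"] == "pending_validation"]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one certificate pack, found {len(matches)}")
    return matches[0]


def build_dcv_patch(zone_id, cert_pack_uuid, method):
    """Return (url, json_body) for the PATCH that changes the DCV method."""
    if method not in VALID_METHODS:
        raise ValueError(f"validation_method must be one of {VALID_METHODS}, got {method!r}")
    url = f"{API}/zones/{zone_id}/ssl/verification/{cert_pack_uuid}"
    return url, {"validation_method": method}


def dcv_cname_record(pack):
    """Return (name, target) of the CNAME the third-party DNS provider must host.

    On a partial zone Cloudflare is not authoritative, so this record has to be
    created at the external provider; it is absent until the method is switched.
    """
    info = pack.get("verification_info") or {}
    if "record_name" not in info or "record_target" not in info:
        raise LookupError("no DCV record details on this certificate pack yet")
    return info["record_name"], info["record_target"]


def call(method, url, token, body=None):
    """Minimal authenticated Cloudflare API call (needs network access)."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def switch_apex_dcv_to_cname(zone_id, token, cert_pack_uuid=None):
    """List packs, PATCH the method, re-list and return the CNAME to publish."""
    list_url = f"{API}/zones/{zone_id}/ssl/verification"
    pack = select_cert_pack(call("GET", list_url, token), cert_pack_uuid)
    url, body = build_dcv_patch(zone_id, pack["cert_pack_uuid"], "cname")
    updated = call("PATCH", url, token, body)
    if not updated.get("success"):
        raise RuntimeError(f"DCV change rejected: {updated.get('errors')}")
    # The PATCH response carries only status/method; the record details come
    # from a fresh listing of the pack.
    refreshed = select_cert_pack(call("GET", list_url, token), pack["cert_pack_uuid"])
    return dcv_cname_record(refreshed)


if __name__ == "__main__":
    # Real run needs CLOUDFLARE_API_TOKEN (Zone > SSL and Certificates > Edit)
    # and CLOUDFLARE_ZONE_ID; otherwise demonstrate on the constructed sample.
    token = os.environ.get("CLOUDFLARE_API_TOKEN")
    zone_id = os.environ.get("CLOUDFLARE_ZONE_ID")
    if token and zone_id:
        print(switch_apex_dcv_to_cname(zone_id, token))
    else:
        sample_pack = select_cert_pack(SAMPLE_VERIFICATION)
        print(build_dcv_patch("<zone_id>", sample_pack["cert_pack_uuid"], "cname"))
        print(dcv_cname_record(sample_pack))
```

A provider resource built on this would keep cert_pack_uuid and validation_method as arguments and export record_name/record_target as computed attributes, so the CNAME can be fed straight into the external DNS provider's record resource (the hashicorp/aws provider in the version list above, for instance). Scope the API token to the zone's "SSL and Certificates: Edit" permission only; nothing here needs DNS edit rights on Cloudflare, because the DNS record lives with the third party.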

This issue has been closed as we are now tracking this internally with service teams directly. If you would like an update or to be notified when/if the product ships with this change, please reach out to Cloudflare Support or your account team who can watch the internal feature request for you.

jacobbednarz avatar Mar 25 '24 00:03 jacobbednarz