answerdigital · cmbuckley · May 2, 2025 · Apr 29, 2025 · May 1, 2025
diff --git a/modules/cloudflare/dns/README.md b/modules/cloudflare/dns/README.md
@@ -37,7 +37,7 @@ The module also simplifies a few boilerplate records at the apex for security pu
 | <a name="input_create_zone"></a> [create\_zone](#input\_create\_zone) | Whether to create the zone. Defaults to `true`. | `bool` | `true` | no |
 | <a name="input_default_ttl"></a> [default\_ttl](#input\_default\_ttl) | Default TTL for DNS records. Defaults to 1, which means “automatic”. | `number` | `1` | no |
 | <a name="input_domain"></a> [domain](#input\_domain) | The top-level domain name to hold the records. | `string` | n/a | yes |
-| <a name="input_records"></a> [records](#input\_records) | List of DNS records for the domain.<br/><br/>    • `name`     - (Optional) The name of the record. Defaults to "@" (i.e. an apex record).<br/>    • `ttl`      - (Optional) The TTL of the record. Defaults to `default_ttl`.<br/>    • `type`     - (Required) The record type.<br/>    • `content`  - (Required) The content of the record.<br/>    • `priority` - (Optional) The priority of the record.<br/>    • `proxied`  - (Optional) Whether to use Cloudflare’s origin protection. Defaults to `false`. | <pre>map(object({<br/>    name     = optional(string, "@")<br/>    ttl      = optional(number)<br/>    type     = string<br/>    content  = string<br/>    priority = optional(number)<br/>    proxied  = optional(bool, false)<br/>  }))</pre> | n/a | yes |
+| <a name="input_records"></a> [records](#input\_records) | List of DNS records for the domain.<br/><br/>    • `name`     - (Optional) The sudomain name (without the domain suffix). Defaults to empty (i.e. an apex record).<br/>    • `ttl`      - (Optional) The TTL of the record. Defaults to `default_ttl`.<br/>    • `type`     - (Required) The record type.<br/>    • `content`  - (Required) The content of the record.<br/>    • `priority` - (Optional) The priority of the record.<br/>    • `proxied`  - (Optional) Whether to use Cloudflare’s origin protection. Defaults to `false`. | <pre>map(object({<br/>    name     = optional(string)<br/>    ttl      = optional(number)<br/>    type     = string<br/>    content  = string<br/>    priority = optional(number)<br/>    proxied  = optional(bool, false)<br/>  }))</pre> | n/a | yes |
 | <a name="input_security_contact"></a> [security\_contact](#input\_security\_contact) | Security contact for the domain. Defaults to 'security@DOMAIN', where `DOMAIN` is the top-level domain name. | `string` | `null` | no |
 | <a name="input_spf"></a> [spf](#input\_spf) | List of SPF directives for the domain. | `list(string)` | `[]` | no |
 

diff --git a/modules/cloudflare/dns/dns.tf b/modules/cloudflare/dns/dns.tf
@@ -18,7 +18,7 @@ resource "cloudflare_dns_record" "dns" {
   for_each = var.records
 
   zone_id  = local.zone_id
-  name     = each.value.name
+  name     = each.value.name != null ? "${each.value.name}.${var.domain}" : var.domain
   ttl      = each.value.ttl != null ? each.value.ttl : var.default_ttl
   type     = each.value.type
   content  = each.value.content
@@ -33,7 +33,7 @@ resource "cloudflare_dns_record" "apex_txt" {
   ]))
 
   zone_id = local.zone_id
-  name    = "@"
+  name    = var.domain
   ttl     = var.default_ttl
   type    = "TXT"
   content = each.value
@@ -43,7 +43,7 @@ resource "cloudflare_dns_record" "apex_txt" {
 resource "cloudflare_dns_record" "caa" {
   for_each = toset(var.caa_issuers)
   zone_id  = local.zone_id
-  name     = "@"
+  name     = var.domain
   ttl      = var.default_ttl
   type     = "CAA"
 

diff --git a/modules/cloudflare/dns/variables.tf b/modules/cloudflare/dns/variables.tf
@@ -18,15 +18,15 @@ variable "records" {
   description = <<EOT
     List of DNS records for the domain.
 
-    • `name`     - (Optional) The name of the record. Defaults to "@" (i.e. an apex record).
+    • `name`     - (Optional) The sudomain name (without the domain suffix). Defaults to empty (i.e. an apex record).
     • `ttl`      - (Optional) The TTL of the record. Defaults to `default_ttl`.
     • `type`     - (Required) The record type.
     • `content`  - (Required) The content of the record.
     • `priority` - (Optional) The priority of the record.
     • `proxied`  - (Optional) Whether to use Cloudflare’s origin protection. Defaults to `false`.
   EOT
   type = map(object({
-    name     = optional(string, "@")
+    name     = optional(string)
     ttl      = optional(number)
     type     = string
     content  = string