Skip to content

RM-22227: Update track-history.mdx #24638

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 25, 2025
Merged

RM-22227: Update track-history.mdx #24638

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
523877d
Update track-history.mdx
Ashnayak Aug 22, 2025
fa8ef92
Update src/content/docs/terraform/tutorial/track-history.mdx
Ashnayak Aug 22, 2025
4012f54
Update track-history.mdx
Ashnayak Aug 22, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
171 changes: 72 additions & 99 deletions src/content/docs/terraform/tutorial/track-history.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,131 +10,104 @@ head:

import { Render } from "~/components";

In the [Initialize Terraform](/terraform/tutorial/initialize-terraform/) tutorial, you created and applied some basic Cloudflare configuration. Terraform applied this configuration to your zone because you provided your API token at the top of the `cloudflare.tf` file that has access to this zone.

```sh
head -n13 cloudflare.tf | tail -n3
provider "cloudflare" {
api_token = "your-api-token"
}
```

In this tutorial, you will store your configuration in GitHub where it can be tracked, peer-reviewed, and rolled back to as needed. First, you will remove your credentials from the Terraform config file to prevent committing them to a repository.

<Render file="v4-code-snippets" product="terraform" />:
In the [Initialize Terraform](/terraform/tutorial/initialize-terraform/) tutorial, you created and applied basic Cloudflare configuration. Now you'll store this configuration in version control for tracking, peer review, and rollback capabilities.

## 1. Use environment variables for authentication

As a good security practice, remove your Cloudflare credentials from anything that will be committed to a repository. The Cloudflare Terraform provider supports reading the credentials (and other configuration) [from environment variables](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs#schema), as in the following example:

```bash
sed -ie 's/^.*api_token =.*$/ # token pulled from $CLOUDFLARE_API_TOKEN/' cloudflare.tf
Remove credentials from your Terraform files before committing to version control. The Cloudflare provider v5 reads authentication from environment variables automatically.
Update your `main.tf` file to remove the hardcoded API token:

```hcl
terraform {
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 5"
}
}
}

head -n13 cloudflare.tf | tail -n3
provider "cloudflare" {
# token pulled from $CLOUDFLARE_API_TOKEN
# API token will be read from CLOUDFLARE_API_TOKEN environment variable
}

export CLOUDFLARE_API_TOKEN=your-api-token
```
variable "zone_id" {
description = "Cloudflare Zone ID"
type = string
sensitive = true
}

You must still include the empty provider definition in the file, so that Terraform knows to install the Cloudflare plugin. For more information about advanced options you can use to customize the Cloudflare provider, refer to [Provider customization](/terraform/advanced-topics/provider-customization/).
variable "account_id" {
description = "Cloudflare Account ID"
type = string
sensitive = true
}

After running the commands above, ensure that you can still authenticate to Cloudflare by running `terraform plan`. Terraform will pull the current state which requires a valid email and API token.
variable "domain" {
description = "Domain name"
type = string
default = "example.com"
}

```sh
terraform plan
resource "cloudflare_dns_record" "www" {
zone_id = var.zone_id
name = "www"
content = "203.0.113.10"
type = "A"
ttl = 1
proxied = true
comment = "Domain verification record"
}
```
Note: You must still include the empty provider definition in the file, so that Terraform knows to install the Cloudflare plugin. For more information about advanced options you can use to customize the Cloudflare provider, refer to [Provider customization](/terraform/advanced-topics/provider-customization/).

```sh output
cloudflare_record.www: Refreshing state... [id=c38d3102767284e7ca14d5dad3ab8b69]

------------------------------------------------------------------------

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.
Update your `terraform.tfvars` file:
```hcl
zone_id = "your-zone-id-here"
account_id = "your-account-id-here"
domain = "your-domain.com"
```

## 2. Store configuration in GitHub

After removing the credentials, initialize a Git repository with your Cloudflare configuration and then push it to GitHub.

First, create the GitHub repository to store the configuration. You can do this via the GitHub user interface or with an API call.

Ensure your API token is set as an environment variable:
```sh
export GITHUB_USER=your-github-user
export GITHUB_TOKEN=your-github-token

export GITHUB_URL=$(curl -H "Authorization: token $GITHUB_TOKEN" -d '{"name": "cf-config", "private": true}' "https://api.github.com/user/repos" 2> /dev/null | jq -r .ssh_url)

echo $GITHUB_URL

[email protected]:$GITHUB_USER/cf-config.git
export CLOUDFLARE_API_TOKEN="your-api-token-here"
```

Next, initialize a Git repository and make the first commit.

:::note[Note]

You might need to [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account).

:::
Verify authentication works:

```sh
git init
terraform plan
```

You may see changes detected as Terraform compares your new variable-based configuration with the existing resources. This is normal when migrating from hardcoded values to variables:
```sh output
Initialized empty Git repository in /Users/username/cf-config/.git/
```

```sh
git remote add origin $GITHUB_URL
git add cloudflare.tf

git commit -m "Step 2 - Initial commit with webserver definition."
```
# cloudflare_dns_record.www will be updated in-place
~ resource "cloudflare_dns_record" "www" {
~ name = "www.your-domain.com" -> "www"
~ zone_id = (sensitive value)
# (other attributes may show changes)
}

```sh output
[master (root-commit) 5acea17] Step 2 - Initial commit with webserver definition.
1 file changed, 16 insertions(+)
create mode 100644 cloudflare.tf
Plan: 0 to add, 1 to change, 0 to destroy.
```

Notice that the `.terraform` directory and `terraform.tfstate` file were not committed. The `.terraform` directory was not committed because the repository may be used on a different architecture, and the plugins contained in the directory are built for the system on which `terraform init` was run. The `terraform.tfstate` file was not committed because it may eventually contain sensitive strings, and it is not a good way to keep state in sync, as explained in HashiCorp's documentation on [Remote State](https://developer.hashicorp.com/terraform/language/state/remote).

To prevent Git from notifying you about the two files, add them to a new `.gitignore` file, commit it, and push everything to GitHub.

```bash
cat > .gitignore <<'EOF'
## 2. Store configuration in GitHub
Create a .gitignore file with these contents:
Copy link
Collaborator

@dcpena dcpena Aug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Create a .gitignore file with these contents:
Create a `.gitignore file with these contents:

Copy link
Contributor Author

@Ashnayak Ashnayak Aug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated to .gitignore

```text
.terraform/
terraform.tfstate*
EOF

git add .gitignore

git commit -m "Step 2 - Ignore terraform plugin directory and state file."
*.tfstate*
.terraform.lock.hcl
terraform.tfvars
```

```sh output
[master 494c6d6] Step 2 - Ignore terraform plugin directory and state file.
1 file changed, 2 insertions(+)
create mode 100644 .gitignore
```

Initialize Git and commit your configuration:
```sh
git push
git init
git add main.tf .gitignore
git commit -m "Initial Terraform v5 configuration"
```

```sh output
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (6/6), 762 bytes | 0 bytes/s, done.
Total 6 (delta 0), reused 0 (delta 0)
To [email protected]:$GITHUB_USER/cf-config.git
* [new branch] master -> master
Create a GitHub repository (via web interface or GitHub CLI) and push:
```sh
git branch -M main
git remote add origin https://github.com/YOUR_USERNAME/cf-config.git
git push -u origin main
```
Your Terraform configuration is now version controlled and ready for team collaboration. The sensitive data (API tokens, zone IDs) remains secure and separate from your code.
Loading