cloudflare · dcpena · Aug 25, 2025 · Aug 22, 2025 · Aug 22, 2025 · Aug 22, 2025
@@ -10,131 +10,106 @@ head:
 
 import { Render } from "~/components";
 
-In the [Initialize Terraform](/terraform/tutorial/initialize-terraform/) tutorial, you created and applied some basic Cloudflare configuration. Terraform applied this configuration to your zone because you provided your API token at the top of the `cloudflare.tf` file that has access to this zone.
-
-```sh
-head -n13 cloudflare.tf | tail -n3
-provider "cloudflare" {
-  api_token = "your-api-token"
-}
-```
-
-In this tutorial, you will store your configuration in GitHub where it can be tracked, peer-reviewed, and rolled back to as needed. First, you will remove your credentials from the Terraform config file to prevent committing them to a repository.
-
-<Render file="v4-code-snippets" product="terraform" />:
+In the [Initialize Terraform](/terraform/tutorial/initialize-terraform/) tutorial, you created and applied basic Cloudflare configuration. Now you'll store this configuration in version control for tracking, peer review, and rollback capabilities.
 
 ## 1. Use environment variables for authentication
 
-As a good security practice, remove your Cloudflare credentials from anything that will be committed to a repository. The Cloudflare Terraform provider supports reading the credentials (and other configuration) [from environment variables](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs#schema), as in the following example:
-
-```bash
-sed -ie 's/^.*api_token =.*$/  # token pulled from $CLOUDFLARE_API_TOKEN/' cloudflare.tf
+Remove credentials from your Terraform files before committing to version control. The Cloudflare provider v5 reads authentication from environment variables automatically.
+Update your `main.tf` file to remove the hardcoded API token:
+
+```hcl
+terraform {
+  required_providers {
+    cloudflare = {
+      source  = "cloudflare/cloudflare"
+      version = "~> 5"
+    }
+  }
+}
 
-head -n13 cloudflare.tf | tail -n3
 provider "cloudflare" {
-  # token pulled from $CLOUDFLARE_API_TOKEN
+  # API token will be read from CLOUDFLARE_API_TOKEN environment variable
 }
 
-export CLOUDFLARE_API_TOKEN=your-api-token
-```
+variable "zone_id" {
+  description = "Cloudflare Zone ID"
+  type        = string
+  sensitive   = true
+}
 
-You must still include the empty provider definition in the file, so that Terraform knows to install the Cloudflare plugin. For more information about advanced options you can use to customize the Cloudflare provider, refer to [Provider customization](/terraform/advanced-topics/provider-customization/).
+variable "account_id" {
+  description = "Cloudflare Account ID"
+  type        = string
+  sensitive   = true
+}
 
-After running the commands above, ensure that you can still authenticate to Cloudflare by running `terraform plan`. Terraform will pull the current state which requires a valid email and API token.
+variable "domain" {
+  description = "Domain name"
+  type        = string
+  default     = "example.com"
+}
 
-```sh
-terraform plan
+resource "cloudflare_dns_record" "www" {
+  zone_id = var.zone_id
+  name    = "www"
+  content = "203.0.113.10"
+  type    = "A"
+  ttl     = 1
+  proxied = true
+  comment = "Domain verification record"
+}
 ```
+:::note
+You must still include the empty provider definition in the file, so that Terraform knows to install the Cloudflare plugin. For more information about advanced options you can use to customize the Cloudflare provider, refer to [Provider customization](/terraform/advanced-topics/provider-customization/).
+:::
 
-```sh output
-cloudflare_record.www: Refreshing state... [id=c38d3102767284e7ca14d5dad3ab8b69]
-
-------------------------------------------------------------------------
-
-No changes. Infrastructure is up-to-date.
-
-This means that Terraform did not detect any differences between your
-configuration and real physical resources that exist. As a result, no
-actions need to be performed.
+Update your `terraform.tfvars` file:
+```hcl
+zone_id    = "your-zone-id-here"
+account_id = "your-account-id-here"
+domain     = "your-domain.com"
 ```
 
-## 2. Store configuration in GitHub
-
-After removing the credentials, initialize a Git repository with your Cloudflare configuration and then push it to GitHub.
-
-First, create the GitHub repository to store the configuration. You can do this via the GitHub user interface or with an API call.
-
+Ensure your API token is set as an environment variable:
 ```sh
-export GITHUB_USER=your-github-user
-export GITHUB_TOKEN=your-github-token
-
-export GITHUB_URL=$(curl -H "Authorization: token $GITHUB_TOKEN" -d '{"name": "cf-config", "private": true}' "https://api.github.com/user/repos" 2> /dev/null | jq -r .ssh_url)
-
-echo $GITHUB_URL
-
-git@github.com:$GITHUB_USER/cf-config.git
+export CLOUDFLARE_API_TOKEN="your-api-token-here"
 ```
 
-Next, initialize a Git repository and make the first commit.
-
-:::note[Note]
-
-You might need to [add your SSH key to your GitHub account](https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account).
-
-:::
+Verify authentication works:
 
 ```sh
-git init
+terraform plan
 ```
-
+You may see changes detected as Terraform compares your new variable-based configuration with the existing resources. This is normal when migrating from hardcoded values to variables:
 ```sh output
-Initialized empty Git repository in /Users/username/cf-config/.git/
-```
-
-```sh
-git remote add origin $GITHUB_URL
-git add cloudflare.tf
-
-git commit -m "Step 2 - Initial commit with webserver definition."
-```
+# cloudflare_dns_record.www will be updated in-place
+~ resource "cloudflare_dns_record" "www" {
+    ~ name     = "www.your-domain.com" -> "www"
+    ~ zone_id  = (sensitive value)
+    # (other attributes may show changes)
+}
 
-```sh output
-[master (root-commit) 5acea17] Step 2 - Initial commit with webserver definition.
- 1 file changed, 16 insertions(+)
- create mode 100644 cloudflare.tf
+Plan: 0 to add, 1 to change, 0 to destroy.
 ```
 
-Notice that the `.terraform` directory and `terraform.tfstate` file were not committed. The `.terraform` directory was not committed because the repository may be used on a different architecture, and the plugins contained in the directory are built for the system on which `terraform init` was run. The `terraform.tfstate` file was not committed because it may eventually contain sensitive strings, and it is not a good way to keep state in sync, as explained in HashiCorp's documentation on [Remote State](https://developer.hashicorp.com/terraform/language/state/remote).
-
-To prevent Git from notifying you about the two files, add them to a new `.gitignore` file, commit it, and push everything to GitHub.
-
-```bash
-cat > .gitignore <<'EOF'
+## 2. Store configuration in GitHub
+Create a `.gitignore` file with these contents:
+```text
 .terraform/
-terraform.tfstate*
-EOF
-
-git add .gitignore
-
-git commit -m "Step 2 - Ignore terraform plugin directory and state file."
-```
-
-```sh output
-[master 494c6d6] Step 2 - Ignore terraform plugin directory and state file.
- 1 file changed, 2 insertions(+)
- create mode 100644 .gitignore
+*.tfstate*
+.terraform.lock.hcl
+terraform.tfvars
 ```
-
+Initialize Git and commit your configuration:
 ```sh
-git push
+git init
+git add main.tf .gitignore
+git commit -m "Initial Terraform v5 configuration"
 ```
-
-```sh output
-Counting objects: 6, done.
-Delta compression using up to 8 threads.
-Compressing objects: 100% (4/4), done.
-Writing objects: 100% (6/6), 762 bytes | 0 bytes/s, done.
-Total 6 (delta 0), reused 0 (delta 0)
-To git@github.com:$GITHUB_USER/cf-config.git
- * [new branch]      master -> master
+Create a GitHub repository (via web interface or GitHub CLI) and push:
+```sh
+git branch -M main
+git remote add origin https://github.com/YOUR_USERNAME/cf-config.git
+git push -u origin main
 ```
+Your Terraform configuration is now version controlled and ready for team collaboration. The sensitive data (API tokens, zone IDs) remains secure and separate from your code.