A custom Azure Bicep extension for creating Cloudflare DNS resources through Infrastructure as Code (IaC). Check this out to learn how to create your own .NET Bicep extension.
This project provides a Bicep extension that enables you to create Cloudflare DNS records and security rules directly from your Azure Bicep templates.
Note
This is an experimental Bicep feature and is subject to change. Do not use it in production.
Experimental / sample only. Limited functionality to:
- Create Cloudflare DNS Records (A, AAAA, CNAME, MX, TXT, SRV, PTR, NS, CAA)
- Manage DNS record properties (content, TTL, proxied status)
- Support for multiple Cloudflare zones
- Apply Cloudflare Security Rules (Security Rules API)
- Idempotent updates when running bicep local-deploy multiple times (DNS records and security rules are updated in place)
- Free Plan only currently
See Sample/dns.bicep and Sample/security-rule.bicep for reference templates.
You will need to create a Cloudflare API token from the Cloudflare API Tokens page.
- Create Custom Token
- Permissions:
  - Zone - DNS - Edit (DNS records)
  - Zone - Firewall Services - Edit (security rules)
- Zone Resources: Include - Specific Zone - Your Domain
- Save and make a note of the API Token
- Make this an environment variable CLOUDFLARE_API_TOKEN locally ($env:CLOUDFLARE_API_TOKEN = "here"), or a GitHub environment secret if running in a pipeline, so that bicep local-deploy will authenticate successfully.
```bicep
targetScope = 'local'
extension Cloudflare

@description('Cloudflare Zone ID for the domain')
param zoneId string

// DNS record sample
resource txtRecord 'DnsRecord' = {
  name: 'txtRecord'
  zoneName: 'example.com'
  zoneId: zoneId
  type: 'TXT'
  content: 'hello'
  ttl: 300
  proxied: false
}

// Security rule sample
resource blockCountryTraffic 'SecurityRule' = {
  name: 'blockCountryTraffic'
  zoneId: zoneId
  description: 'Block traffic from CN'
  expression: '(ip.src.country eq "CN")'
  action: 'block'
  enabled: true
  reference: 'block-country-cn' // Unique ref
}

output recordName string = txtRecord.name
output securityRuleId string = blockCountryTraffic.ruleId
// ...
```

Run bicep local-deploy Samples/dns.bicepparam
Note
The SecurityRule resource maps to the Cloudflare Security Rules API and supports the free plan feature set.
Specify the optional reference property when you need a custom Cloudflare identifier; the extension otherwise defaults it to the resource name on first deploy.
For comprehensive usage examples, please refer to the Sample/ directory in this repository.
Here are the steps to run it either locally or using an ACR.
Run the script Publish-Extension.ps1 from the folder Infra/Scripts/ to build the project and publish the extension locally for Bicep to use:

```powershell
./Infra/Scripts/Publish-Extension.ps1 -Target ./cloudflare-extension
```

This creates the binary that contains the Cloudflare API calls. Prepare your bicepconfig.json to refer to the binary: set experimentalFeaturesEnabled -> localDeploy to true and point the Cloudflare extension at the binary:
```json
{
  "experimentalFeaturesEnabled": {
    "localDeploy": true
  },
  "extensions": {
    "Cloudflare": "../bin/cloudflare" // local
  },
  "implicitExtensions": []
}
```

If you want to use an Azure Container Registry, I recommend forking the project and running the GitHub Actions. Alternatively, run the Bicep template for the ACR deployment locally and then push the extension using the same principal:
```powershell
[string] $target = "br:<registry-name>.azurecr.io/cloudflare:<version>"
./Infra/Scripts/Publish-Extension.ps1 -Target $target
```

In the bicepconfig.json you refer to the ACR:
```json
{
  "experimentalFeaturesEnabled": {
    "localDeploy": true
  },
  "extensions": {
    "Cloudflare": "br:cloudflarebicep.azurecr.io/cloudflare:0.1.25" // ACR
    // "Cloudflare": "../bin/cloudflare" // local
  },
  "implicitExtensions": []
}
```

If you want to try it out without effort, you can use br:cloudflarebicep.azurecr.io/extensions/cloudflare:0.1.25 as the ACR reference, which I have published.
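Since the extension binary makes the Cloudflare API calls with CLOUDFLARE_API_TOKEN, a pipeline can check where bicepconfig.json resolves each extension from before running bicep local-deploy. The following is an added example, not part of this project; the trusted registry name `myregistry.azurecr.io`, the verdict strings and the function names are assumptions.

```python
import json
import re

# Assumption: registries your own team publishes the extension to.
TRUSTED_REGISTRIES = {"myregistry.azurecr.io"}

# Matches a JSON string (kept) or a // line comment (dropped);
# bicepconfig.json may contain comments, which json.loads rejects.
_JSONC = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*')
# br:<registry>/<repository>:<tag>
_REGISTRY_REF = re.compile(r"^br:(?P<registry>[^/]+)/(?P<repo>[^:]+):(?P<tag>.+)$")


def load_bicepconfig(text):
    """Parse bicepconfig.json text, ignoring // comments outside strings."""
    return json.loads(_JSONC.sub(lambda m: m.group(1) or "", text))


def audit_extensions(text, trusted=TRUSTED_REGISTRIES):
    """Map each extension name to a verdict about where its binary comes from."""
    verdicts = {}
    for name, ref in load_bicepconfig(text).get("extensions", {}).items():
        match = _REGISTRY_REF.match(ref)
        if match is not None:
            registry = match["registry"].lower()
            ok = registry in trusted
            verdicts[name] = "trusted-registry" if ok else f"untrusted-registry:{registry}"
        elif ref.startswith("br"):
            verdicts[name] = f"unparsed-registry-reference:{ref}"
        else:
            # A path on disk, as produced by a local publish.
            verdicts[name] = "local-path"
    return verdicts


# Constructed sample input, modelled on the bicepconfig.json shown above.
SAMPLE = """{
  "experimentalFeaturesEnabled": { "localDeploy": true },
  "extensions": {
    "Cloudflare": "br:cloudflarebicep.azurecr.io/cloudflare:0.1.25" // ACR
    // "Cloudflare": "../bin/cloudflare" // local
  },
  "implicitExtensions": []
}"""

if __name__ == "__main__":
    for name, verdict in audit_extensions(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A CI step can fail the job on any verdict other than `trusted-registry` before the token secret is exposed to the deploy step.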
We welcome contributions to the Cloudflare Bicep Extension! Please see our Contributing Guide for detailed information on how to contribute to this project.

