Date: 2025-10-21
Ansible
Ansible is a software tool that enables management of infrastructure at scale. Ansible is agentless: all it needs to function is the ability to SSH to the target and Python installed on the target.
Ansible works alongside Terraform to streamline the Cloudflare Tunnel setup process. In this guide, you will use Terraform to deploy an SSH server on Google Cloud and create a locally-managed tunnel that makes the server available over the Internet. Terraform will automatically run an Ansible playbook that installs and configures `cloudflared` on the server.
To complete the steps in this guide, you will need:
- A Google Cloud Project and GCP CLI installed and authenticated.
- Basic knowledge of Terraform and Terraform installed.
- A zone on Cloudflare.
- A Cloudflare API token with `Cloudflare Tunnel` and `DNS` permissions.
Refer to the Ansible installation instructions.
Terraform and Ansible require an unencrypted SSH key to connect to the GCP server. If you do not already have a key, you can generate one as follows:
- Open a terminal and type the following command:
- When prompted for a passphrase, press the `Enter` key twice to leave it blank. Terraform cannot decode encrypted private keys.
Two files will be generated: `gcp_ssh`, which contains the private key, and `gcp_ssh.pub`, which contains the public key.
- Create a folder for your Terraform and Ansible configuration files:
- Change to the new directory:
The following variables will be passed into your GCP and Cloudflare configuration.
- In your configuration directory, create a `.tf` file:
- Open the file in a text editor and copy and paste the following:
- In your configuration directory, create a `.tfvars` file:
  Terraform will automatically use these variables if the file is named `terraform.tfvars`; otherwise the variable file will need to be manually passed in.
- Add the following variables to `terraform.tfvars`. Be sure to modify the example with your own values.
You will need to declare the providers used to provision the infrastructure.
- In your configuration directory, create a `.tf` file:
- Add the following providers to `providers.tf`. The `random` provider is used to generate a tunnel secret.
The following configuration will modify settings in your Cloudflare account.
- In your configuration directory, create a `.tf` file:
- Add the following resources to `Cloudflare-config.tf`:
The following configuration defines the specifications for the GCP virtual machine and installs Python3 on the machine. Python3 allows Ansible to configure the GCP instance instead of having to run a startup script on boot.
- In your configuration directory, create a `.tf` file:
- Open the file in a text editor and copy and paste the following example. Be sure to insert your own GCP username and SSH key pair.
The following Terraform resource exports the tunnel token and other variables to `tf_ansible_vars_file.yml`. Ansible will use the tunnel token to configure and run `cloudflared` on the server.
- In your configuration directory, create a new `tf` file:
- Copy and paste the following content into `export.tf`:
Ansible playbooks are YAML files that declare the configuration Ansible will deploy.
- Create a new `.yml` file:
- Open the file in a text editor and copy and paste the following content:
Keywords define how Ansible will execute the configuration. In the example above, the `vars_files` keyword specifies where variable definitions are stored, and the `tasks` keyword specifies the actions Ansible will perform.
Modules specify what tasks to complete. In this example, the `copy` module creates a file and populates it with content.
Once you have created the configuration files, you can deploy them through Terraform. The Ansible deployment happens within the Terraform deployment when the `ansible-playbook` command is run.
- Initialize your configuration directory:
- (Optional) Preview everything that will be created:
- Deploy the configuration:
It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in Zero Trust under Networks > Tunnels.
To test, open a browser and go to `http://http_app.<CLOUDFLARE_ZONE>.com` (for example, `http_app.example.com`). You should see the Hello Cloudflare! test page.
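This guide leaves secrets on disk: the passphrase-less private key `gcp_ssh`, your values in `terraform.tfvars`, and the tunnel token in `tf_ansible_vars_file.yml`. The script below is an added example, not part of the original guide; it reports which of those files are readable by group or others and can restrict them to the owner. The function names are hypothetical, and it assumes the files sit in the directory you pass in and that Terraform keeps its default local state file.

```shell
#!/bin/sh
# Files from this guide that hold secrets:
#   gcp_ssh                  - SSH private key with no passphrase
#   terraform.tfvars         - your own values for the variables
#                              (assumed here to include the Cloudflare API token)
#   tf_ansible_vars_file.yml - tunnel token exported for Ansible
#   terraform.tfstate        - Terraform's default local state file, which records
#                              generated values (assumption: local state is used)
SECRET_FILES="gcp_ssh terraform.tfvars tf_ansible_vars_file.yml terraform.tfstate"

# audit_secret_files DIR
# Prints one line per secret file that group or others can access.
# Exit status is the number of exposed files (0 means all are owner-only).
audit_secret_files() {
    dir=${1:-.}
    findings=0
    for name in $SECRET_FILES; do
        path="$dir/$name"
        [ -f "$path" ] || continue
        # Characters 5-10 of the `ls -l` mode string are the group and other bits.
        bits=$(ls -ld "$path" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "EXPOSED $path (group/other bits: $bits)"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# harden_secret_files DIR
# Restricts every secret file that exists in DIR to owner read/write (0600).
harden_secret_files() {
    dir=${1:-.}
    for name in $SECRET_FILES; do
        if [ -f "$dir/$name" ]; then
            chmod 600 "$dir/$name"
        fi
    done
    return 0
}
```

Run `audit_secret_files .` in the configuration directory after the deployment completes, since `tf_ansible_vars_file.yml` only exists once Terraform has written it. Point it at the directory holding `gcp_ssh` as well if you generated the key elsewhere.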