2 – Track your history
In the Initialize Terraform tutorial, you created and applied some basic Cloudflare configuration. Terraform applied this configuration to your zone because you provided your API token at the top of the cloudflare.tf
file that has access to this zone.
In this tutorial, you will store your configuration in GitHub where it can be tracked, peer-reviewed, and rolled back to as needed. First, you will remove your credentials from the Terraform config file to prevent committing them to a repository.
As a good security practice, remove your Cloudflare credentials from anything that will be committed to a repository. The Cloudflare Terraform provider supports reading the credentials (and other configuration) from environment variables ↗, as in the following example:
You must still include the empty provider definition in the file, so that Terraform knows to install the Cloudflare plugin. For more information about advanced options you can use to customize the Cloudflare provider, refer to Provider customization.
After running the commands above, ensure that you can still authenticate to Cloudflare by running terraform plan
. Terraform will pull the current state which requires a valid email and API token.
After removing the credentials, initialize a Git repository with your Cloudflare configuration and then push it to GitHub.
First, create the GitHub repository to store the configuration. You can do this via the GitHub user interface or with an API call.
Next, initialize a Git repository and make the first commit.
Notice that the .terraform
directory and terraform.tfstate
file were not committed. The .terraform
directory was not committed because the repository may be used on a different architecture, and the plugins contained in the directory are built for the system on which terraform init
was run. The terraform.tfstate
file was not committed because it may eventually contain sensitive strings, and it is not a good way to keep state in sync, as explained in Hashicorp's documentation on Remote State ↗.
To prevent Git from notifying you about the two files, add them to a new .gitignore
file, commit it, and push everything to GitHub.