Skip to content
Cloudflare Docs

2 – Track your history

In the Initialize Terraform tutorial, you created and applied basic Cloudflare configuration. Now you'll store this configuration in version control for tracking, peer review, and rollback capabilities.

1. Use environment variables for authentication

Remove credentials from your Terraform files before committing to version control. The Cloudflare provider v5 reads authentication from environment variables automatically. Update your main.tf file to remove the hardcoded API token:

terraform {
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = "~> 5"
}
}
}
provider "cloudflare" {
# API token will be read from CLOUDFLARE_API_TOKEN environment variable
}
variable "zone_id" {
description = "Cloudflare Zone ID"
type = string
sensitive = true
}
variable "account_id" {
description = "Cloudflare Account ID"
type = string
sensitive = true
}
variable "domain" {
description = "Domain name"
type = string
default = "example.com"
}
resource "cloudflare_dns_record" "www" {
zone_id = var.zone_id
name = "www"
content = "203.0.113.10"
type = "A"
ttl = 1
proxied = true
comment = "Domain verification record"
}

Update your terraform.tfvars file:

zone_id = "your-zone-id-here"
account_id = "your-account-id-here"
domain = "your-domain.com"

Ensure your API token is set as an environment variable:

Terminal window
export CLOUDFLARE_API_TOKEN="your-api-token-here"

Verify authentication works:

Terminal window
terraform plan

You may see changes detected as Terraform compares your new variable-based configuration with the existing resources. This is normal when migrating from hardcoded values to variables:

# cloudflare_dns_record.www will be updated in-place
~ resource "cloudflare_dns_record" "www" {
~ name = "www.your-domain.com" -> "www"
~ zone_id = (sensitive value)
# (other attributes may show changes)
}
Plan: 0 to add, 1 to change, 0 to destroy.

2. Store configuration in GitHub

Create a .gitignore file with these contents:

.terraform/
*.tfstate*
.terraform.lock.hcl
terraform.tfvars

Initialize Git and commit your configuration:

Terminal window
git init
git add main.tf .gitignore
git commit -m "Initial Terraform v5 configuration"

Create a GitHub repository (via web interface or GitHub CLI) and push:

Terminal window
git branch -M main
git remote add origin https://github.com/YOUR_USERNAME/cf-config.git
git push -u origin main

Your Terraform configuration is now version controlled and ready for team collaboration. The sensitive data (API tokens, zone IDs) remains secure and separate from your code.