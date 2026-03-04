Terraform is an infrastructure as code tool that lets you define and manage your tunnels alongside other infrastructure. This guide deploys: ↗
A GCP virtual machine that runs a web server
A Cloudflare Tunnel that makes the server available over the Internet
(Optional) A Cloudflare Access policy that defines who can connect
Refer to the
Terraform installation guide for your operating system. ↗
2. Install the gcloud CLI
Install the gcloud CLI so that Terraform can interact with your GCP account. ↗
Authenticate with the CLI by running:
gcloud auth application-default login
3. Create a Cloudflare API token
Create an API token so that Terraform can interact with your Cloudflare account. At minimum, your token should include the following permissions:
Type Item Permission Account Cloudflare Tunnel Edit Account Access: Apps and Policies Edit Zone DNS Edit
4. Create a configuration directory
Terraform functions through a working directory that contains configuration files. You can store your configuration in multiple files or just one — Terraform will evaluate all of the configuration files in the directory as if they were in a single document.
Create a folder for your Terraform configuration:
Change into the directory:
5. Create Terraform configuration files
The following variables will be passed into your GCP and Cloudflare configuration.
In your configuration directory, create a
.tf file:
Open the file in a text editor and copy and paste the following:
variable "gcp_project_id" { description = "Google Cloud Platform (GCP) project ID" description = "Geographical zone for the GCP VM instance" variable "machine_type" { description = "Machine type for the GCP VM instance" variable "cloudflare_zone" { description = "Domain used to expose the GCP VM instance to the Internet" variable "cloudflare_zone_id" { description = "Zone ID for your domain" variable "cloudflare_account_id" { description = "Account ID for your Cloudflare account" variable "cloudflare_email" { description = "Email address for your Cloudflare account" variable "cloudflare_token" { description = "Cloudflare API token"
Assign values to the variables
In your configuration directory, create a
.tfvars file:
Terraform will automatically use these variables if the file is named
terraform.tfvars, otherwise the variable file will need to be manually passed in.
Add the following variables to
terraform.tfvars. Be sure to modify the example with your own values.
cloudflare_zone = "example.com" cloudflare_zone_id = "023e105f4ecef8ad9ca31a8372d0c353" cloudflare_account_id = "372e67954025e0ba6aaa6d586b9e0b59" cloudflare_email = "user@example.com" cloudflare_token = "y3AalHS_E7Vabk3c3lX950F90_Xl7YtjSlzyFn_X" gcp_project_id = "testvm-123" machine_type = "e2-medium"
Warning
To prevent accidentally exposing sensitive credentials, do not save
terraform.tfvars in your version control system. For example, if your version control is git, add
terraform.tfvars to your
.gitignore file.
Configure Terraform providers
You will need to declare the
providers used to provision the infrastructure. ↗
In your configuration directory, create a
.tf file:
Add the following providers to
providers.tf. The
random provider is used to generate a tunnel secret.
source = "cloudflare/cloudflare" source = "hashicorp/google" required_version = ">= 1.2" api_token = var . cloudflare_token project = var . gcp_project_id source = "cloudflare/cloudflare" version = ">= 4.40.0, < 5.0.0" source = "hashicorp/google" source = "hashicorp/random" required_version = ">= 1.2" api_token = var . cloudflare_token project = var . gcp_project_id
Configure Cloudflare resources
The following configuration will modify settings in your Cloudflare account.
In your configuration directory, create a
.tf file:
touch Cloudflare-config.tf
Add the following resources to
Cloudflare-config.tf:
# Creates a new remotely-managed tunnel for the GCP VM. resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" { account_id = var . cloudflare_account_id name = "Terraform GCP tunnel" config_src = "cloudflare" # Reads the token used to run the tunnel on the server. data "cloudflare_zero_trust_tunnel_cloudflared_token" "gcp_tunnel_token" { account_id = var . cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id # Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel. resource "cloudflare_dns_record" "http_app" { zone_id = var . cloudflare_zone_id content = " ${ cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id } .cfargotunnel.com" # Configures tunnel with a published application for clientless access. resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id account_id = var . cloudflare_account_id hostname = "http_app. ${ var . cloudflare_zone } " service = "http://httpbin:80" service = "http_status:404" # (Optional) Routes internal IP of GCP instance through the tunnel for private network access using WARP. resource "cloudflare_zero_trust_tunnel_cloudflared_route" "example_tunnel_route" { account_id = var . cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id network = google_compute_instance . http_server . network_interface . 0 . network_ip comment = "Example tunnel route" # Creates a reusable Access policy. resource "cloudflare_zero_trust_access_policy" "allow_emails" { account_id = var . cloudflare_account_id name = "Allow email addresses" email = var .cloudflare_email # Creates an Access application to control who can connect to the public hostname. resource "cloudflare_zero_trust_access_application" "http_app" { account_id = var . cloudflare_account_id name = "Access application for http_app. ${ var . cloudflare_zone } " domain = "http_app. ${ var . cloudflare_zone } " id = cloudflare_zero_trust_access_policy.allow_emails.id # Generates a 32-byte secret for the tunnel. resource "random_bytes" "tunnel_secret" { # Creates a new remotely-managed tunnel for the GCP VM. resource "cloudflare_zero_trust_tunnel_cloudflared" "gcp_tunnel" { account_id = var . cloudflare_account_id name = "Terraform GCP tunnel" secret = random_bytes . tunnel_secret . base64 # Creates the CNAME record that routes http_app.${var.cloudflare_zone} to the tunnel. resource "cloudflare_record" "http_app" { zone_id = var . cloudflare_zone_id content = " ${ cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . cname } " # Configures tunnel with a published application for clientless access. resource "cloudflare_zero_trust_tunnel_cloudflared_config" "gcp_tunnel_config" { tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id account_id = var . cloudflare_account_id hostname = " ${ cloudflare_record . http_app . hostname } " service = "http://httpbin:80" service = "http_status:404" # (Optional) Route internal IP of GCP instance through the tunnel for private network access using WARP. resource "cloudflare_zero_trust_tunnel_route" "example_tunnel_route" { account_id = var . cloudflare_account_id tunnel_id = cloudflare_zero_trust_tunnel_cloudflared . gcp_tunnel . id network = google_compute_instance . http_server . network_interface . 0 . network_ip comment = "Example tunnel route" # Creates an Access application to control who can connect to the public hostname. resource "cloudflare_zero_trust_access_application" "http_app" { account_id = var . cloudflare_account_id name = "Access application for http_app. ${ var . cloudflare_zone } " domain = "http_app. ${ var . cloudflare_zone } " # Creates a (legacy) Access policy for the Access application. resource "cloudflare_zero_trust_access_policy" "allow_emails" { application_id = cloudflare_zero_trust_access_application . http_app . id account_id = var . cloudflare_account_id name = "Example policy for http_app. ${ var . cloudflare_zone } " email = [ var . cloudflare_email ]
To learn more about these resources, refer to the
Cloudflare provider documentation. ↗
The following configuration defines the specifications for the GCP virtual machine and configures a startup script to run upon boot.
In your configuration directory, create a
.tf file:
Add the following content to
GCP-config.tf:
data "google_compute_image" "image" { family = "ubuntu-2204-lts" project = "ubuntu-os-cloud" resource "google_compute_instance" "http_server" { machine_type = var . machine_type image = data . google_compute_image . image . self_link // Optional config to make instance ephemeral automatic_restart = false // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup. metadata_startup_script = templatefile ( "./install-tunnel.tftpl" , tunnel_token = data .cloudflare_zero_trust_tunnel_cloudflared_token.gcp_tunnel_token.token data "google_compute_image" "image" { family = "ubuntu-2204-lts" project = "ubuntu-os-cloud" resource "google_compute_instance" "http_server" { machine_type = var . machine_type image = data . google_compute_image . image . self_link // Optional config to make instance ephemeral automatic_restart = false // Pass the tunnel token to the GCP server so that the server can install and run the tunnel upon startup. metadata_startup_script = templatefile ( "./install-tunnel.tftpl" , tunnel_token = cloudflare_zero_trust_tunnel_cloudflared.gcp_tunnel.tunnel_token
The following script will install
cloudflared and run the tunnel as a service. This example also installs a lightweight HTTP application that you can use to test connectivity.
In your configuration directory, create a Terraform template file:
touch install-tunnel.tftpl
Open the file in a text editor and copy and paste the following bash script:
# Script to install Cloudflare Tunnel and Docker resources sudo apt-get install software-properties-common # Retrieving the docker repository for this OS curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable" # The OS is updated and docker is installed sudo apt update -y && sudo apt upgrade -y sudo apt install docker docker-compose -y # Add the HTTPBin application and run it on localhost:8080. cat > /tmp/docker-compose.yml << "EOF" image: kennethreitz/httpbin image: cloudflare/cloudflared:latest container_name: cloudflared command: tunnel run --token ${tunnel_token} sudo docker-compose up -d
To deploy the configuration files:
Initialize your configuration directory:
Preview everything that will be created:
Apply the configuration:
It may take several minutes for the GCP instance and tunnel to come online. You can view your new tunnel in the
Cloudflare dashboard under ↗ Networking > Tunnels.
Remove Terraform resources
If you need to roll back the configuration, run
terraform destroy to delete everything created through Terraform. Both
terraform apply and
terraform destroy prompt for user input before applying the changes. To run without requiring user input, you can add the
-auto-approve flag to the command.
In the
Cloudflare dashboard, go to ↗ Networking > Tunnels and verify that your tunnel is Active.
(Optional) If you configured Access, go to
Security > Access > Applications and verify that your Cloudflare email is allowed by the Access policy.
From any device, open a browser and go to
http_app.<CLOUDFLARE_ZONE> (for example,
http_app.example.com).
If you configured Access, you will see the Access login page. Log in with your Cloudflare email.
You should see the HTTPBin homepage, confirming that your tunnel is routing traffic correctly.