We use Salt to manage our ever growing global fleet of machines. Salt is great for managing configurations and being the source of truth. We use it for remote command execution and for network automation tasks. It allows us to grow our infrastructure quickly with minimal human intervention.
CC-BY 2.0 image by Kevin Dooley
We got to thinking. Are DNS records not just a piece of the configuration? We concluded that they are and decided to manage our own records from Salt too.
We are strong believers in eating our own dog food, so we make our employees use the next version of our service before rolling it to everyone else. That way if there's a problem visiting one of the 5 million websites that use Cloudflare it'll get spotted quickly internally. This is also why we keep our own DNS records on Cloudflare itself.
Cloudflare has an API that allows you to manage your zones programmatically without ever logging into the dashboard. Until recently, we were using handcrafted scripts to manage our own DNS records via our API. These scripts were in exotic languages like PHP for historical reasons and had interesting behavior that not everybody enjoyed. While we were dogfooding our own APIs, these scripts were pushing the source of truth for DNS out of Salt.
When we decided to move some zones to Salt, we had a few key motivations:
Single source of truth
Peer-reviewed, audited and versioned changes
Making things that our customers would want to use
Points 1 and 2 were achieved by having DNS records in a Salt repo. The Salt configuration is itself in git, so we get peer reviews and audit trail for free. We think that we made progress on point 3 also.
After extensive internal testing and finding a few bugs in our API (that's what we wanted!), we are happy to announce the public availability of Cloudflare Salt module.
If you are familiar with Salt, it should be easy to see how to configure your records via Salt. All you need is the following:
Create the state cloudflare
to deploy your zones:
example.com:
cloudflare.manage_zone_records:
- zone: {{ pillar["cloudflare_zones"]["example.com"]|yaml }}
Add a pillar to configure your zone:
cloudflare_zones:
example.com:
auth_email: ivan@example.com
auth_key: auth key goes here
zone_id: 0101deadbeefdeadbeefdeadbeefdead
records:
- name: blog.example.com
content: 93.184.216.34
proxied: true
Here we configure zone example.com
to only have one record blog.example.com
pointing to 93.184.216.34
behind Cloudflare.
You can test your changes before you deploy:
salt-call state.apply cloudflare test=true
And then deploy if you are happy with the dry run:
salt-call state.apply cloudflare
After the initial setup, all you need is to change the records
array in pillar and re-deploy the state. See the README for more details.
DNS records are only one part of configuration you may want to change for your Cloudflare domain. We have plans to "saltify" other settings like WAF, caching, page rules and others too.
Come work with us if you want to help!