Trouble terraforming Cloudflare API Shield
Having inherited a clickops configuration of Cloudflare API Shield, I was trying to create proper Terraform code for it. Thankfully, Cloudflare has a utility called cf-terraforming that allows importing manually created resources into Terraform code.
dude@build:~/cf_shield$ cf-terraforming generate --resource-type cloudflare_api_shield_operation --zone ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ --token XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
resource "cloudflare_api_shield_operation" "terraform_managed_resource_ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" {
  endpoint = "/users"
  host = "apigw-dev.example.com"
  method = "GET"
  zone_id = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
}
resource "cloudflare_api_shield_operation" "terraform_managed_resource_ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ" {
  endpoint = "/users"
  host = "apigw-dev.example.com"
  method = "POST"
  zone_id = "ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ"
}
That looked OK-ish, but the resource IDs seem to be identical… Sure enough, Terraform was complaining about duplicate resource IDs when trying to import them. So I figured I would see what kind of information I could pull out using the Cloudflare API itself:
dude@build:~/cf_shield$ curl -X GET "https://api.cloudflare.com/client/v4/zones/ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/api_gateway/operations/" -H "Authorization: Bearer XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" -H "Content-Type:application/json"
{
  "result": [
    {
      "operation_id": "0a030d60-d0f8-4e0b-a0e1-1d7c9668fb02",
      "method": "GET",
      "host": "apigw-dev.example.com",
      "endpoint": "/users",
      "last_updated": "2025-04-28T09:50:37.697512Z"
    },
    {
      "operation_id": "28e90beb-d90f-4f1b-b95d-a319e30aeced",
      "method": "POST",
      "host": "apigw-dev.example.com",
      "endpoint": "/users",
      "last_updated": "2025-04-28T09:51:18.100454Z"
    },
    {
      "operation_id": "4e8854f0-3062-445a-8de6-0aa3b48c363a",
      "method": "POST",
      "host": "apigw-dev.example.com",
      "endpoint": "/users-2",
      "last_updated": "2025-04-28T09:53:10.305594Z"
    },
  ]
}
Cool, there is operation_id. So in the end each endpoint had to be imported using its operation_id like so:
dude@build:~/cf_shield$ terraform import cloudflare_api_shield_operation.example 'ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ/0a030d60d0f84e0ba0e11d7c9668fb02'
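As an added example (not part of the original post and not cf-terraforming's own code): a short Python script that turns the operations list returned by the API into uniquely named resource blocks and matching terraform import commands. The naming scheme, the function names and the fourth sample operation are assumptions made for illustration; the import ID format is the one used in the command above.

```python
import json
import re

ZONE = "Z" * 32  # placeholder zone ID, as redacted in the post

# First three operations are from the API output in the post; the fourth is
# constructed to show a name collision ("/users-2" vs "/users_2").
OPS = json.loads("""[
 {"operation_id":"0a030d60-d0f8-4e0b-a0e1-1d7c9668fb02","method":"GET","host":"apigw-dev.example.com","endpoint":"/users"},
 {"operation_id":"28e90beb-d90f-4f1b-b95d-a319e30aeced","method":"POST","host":"apigw-dev.example.com","endpoint":"/users"},
 {"operation_id":"4e8854f0-3062-445a-8de6-0aa3b48c363a","method":"POST","host":"apigw-dev.example.com","endpoint":"/users-2"},
 {"operation_id":"11111111-2222-4333-8444-555555555555","method":"POST","host":"apigw-dev.example.com","endpoint":"/users_2"}
]""")


def resource_name(op, taken):
    """Terraform-safe name from method + endpoint, made unique within `taken`."""
    slug = re.sub(r"[^a-z0-9]+", "_", f"{op['method']}_{op['endpoint']}".lower()).strip("_")
    if slug in taken:  # different endpoints can collapse to the same slug
        slug = f"{slug}_{op['operation_id'][:8]}"
    taken.add(slug)
    return slug


def render(zone_id, operations):
    """Return (hcl_text, import_commands) for a list of API Shield operations."""
    taken, blocks, imports = set(), [], []
    for op in sorted(operations, key=lambda o: (o["host"], o["endpoint"], o["method"])):
        name = resource_name(op, taken)
        # json.dumps quotes and escapes the values; fine for plain paths like these
        blocks.append(
            f'resource "cloudflare_api_shield_operation" "{name}" {{\n'
            f'  endpoint = {json.dumps(op["endpoint"])}\n'
            f'  host     = {json.dumps(op["host"])}\n'
            f'  method   = {json.dumps(op["method"])}\n'
            f'  zone_id  = {json.dumps(zone_id)}\n'
            "}\n"
        )
        # Import ID format taken from the post: zone_id/operation_id without hyphens
        op_id = op["operation_id"].replace("-", "")
        imports.append(
            f"terraform import cloudflare_api_shield_operation.{name} '{zone_id}/{op_id}'"
        )
    return "\n".join(blocks), imports


if __name__ == "__main__":
    hcl, cmds = render(ZONE, OPS)
    print(hcl)
    print("\n".join(cmds))
```

Sorting the operations before naming them keeps the generated names stable between runs, so a later re-export does not shuffle resource addresses in state.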