Handle ruleset and zone settings with Cloudflare API

modules/cloudflare/cloudflare_ruleset.sh

@@ -1,27 +1,19 @@
 #!/bin/bash
 
-# Cloudflare API endpoint
-API_ENDPOINT="https://api.cloudflare.com/client/v4/zones"
-
 # Function to update zone settings
-update_zone_settings() {
-    local response=$(curl -s -X PATCH "${API_ENDPOINT}/${ZONE_ID}/settings" \
-         -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
-         -H "Content-Type: application/json" \
-         --data "{
-             \"items\": [
-                 {\"id\": \"ssl\", \"value\": \"${SSL}\"},
-                 {\"id\": \"always_use_https\", \"value\": \"${ALWAYS_USE_HTTPS}\"}
-             ]
-         }")
-
-    if echo "$response" | grep -q '"success":true'; then
-        echo "Successfully updated settings for zone ${ZONE_ID}"
-    else
-        echo "Failed to update settings for zone ${ZONE_ID}"
-        echo "Response: $response"
-    fi
-}
+response=$(curl -s -X PATCH "https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/settings" \
+        -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+        -H "Content-Type: application/json" \
+        --data "{
+            \"items\": [
+                {\"id\": \"ssl\", \"value\": \"${SSL}\"},
+                {\"id\": \"always_use_https\", \"value\": \"${ALWAYS_USE_HTTPS}\"}
+            ]
+        }")
 
-# Main execution
-update_zone_settings
+if echo "$response" | grep -q '"success":true'; then
+    echo "Successfully updated settings for zone ${ZONE_ID}"
+else
+    echo "Failed to update settings for zone ${ZONE_ID}"
+    echo "Response: $response"
+fi

modules/cloudflare/cloudflare_zone_settings_override.sh

@@ -1,31 +1,54 @@
 #!/bin/bash
 
 # Cloudflare API endpoint
-API_ENDPOINT="https://api.cloudflare.com/client/v4/zones"
+API_ENDPOINT="https://api.cloudflare.com/client/v4/zones/${ZONE_ID}/rulesets"
 
-# Function to update zone settings
-update_zone_settings() {
-    local zone_id=$1
-    local response=$(curl -s -X PATCH "${API_ENDPOINT}/${zone_id}/settings" \
-         -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
-         -H "Content-Type: application/json" \
-         --data "{
-             \"items\": [
-                 {\"id\": \"ssl\", \"value\": \"${SSL}\"},
-                 {\"id\": \"always_use_https\", \"value\": ${ALWAYS_USE_HTTPS}}
-             ]
-         }")
+# Function to create or update ruleset
+method="POST"
+endpoint="${API_ENDPOINT}"
 
-    if echo "$response" | grep -q '"success":true'; then
-        echo "Successfully updated settings for zone ${zone_id}"
-    else
-        echo "Failed to update settings for zone ${zone_id}"
-        echo "Response: $response"
-    fi
-}
+# Check if ruleset already exists
+existing_ruleset=$(curl -s -X GET "${API_ENDPOINT}?phase=${PHASE}" \
+        -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+        -H "Content-Type: application/json")
 
-# Main execution
-IFS=',' read -ra ZONE_ID_ARRAY <<< "$ZONE_IDS"
-for zone_id in "${ZONE_ID_ARRAY[@]}"; do
-    update_zone_settings "$zone_id"
-done
+if echo "$existing_ruleset" | jq -e '.result[0]' > /dev/null; then
+    ruleset_id=$(echo "$existing_ruleset" | jq -r '.result[0].id')
+    method="PUT"
+    endpoint="${API_ENDPOINT}/${ruleset_id}"
+fi
+
+# Prepare the rules JSON
+rules_json=$(echo $RULESET_RULES | jq -c '
+    [.[] | {
+        action: .action,
+        action_parameters: (
+            if .action_parameters.ssl != null then
+                {ssl: .action_parameters.ssl}
+            else
+                {}
+            end
+        ),
+        expression: .expression,
+        description: .description
+    }]
+')
+
+# Send request to create or update ruleset
+response=$(curl -s -X $method "$endpoint" \
+        -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
+        -H "Content-Type: application/json" \
+        --data "{
+            \"name\": \"Dynamic Main Ruleset\",
+            \"description\": \"Dynamic ruleset for managing app settings\",
+            \"kind\": \"${KIND}\",
+            \"phase\": \"${PHASE}\",
+            \"rules\": ${rules_json}
+        }")
+
+if echo "$response" | grep -q '"success":true'; then
+    echo "Successfully managed ruleset for zone ${ZONE_ID}"
+else
+    echo "Failed to manage ruleset for zone ${ZONE_ID}"
+    echo "Response: $response"
+fi

modules/cloudflare/main.tf

@@ -54,8 +54,8 @@ resource "null_resource" "cloudflare_zone_settings_override" {
   triggers = {
     cloudflare_api_token = var.cloudflare_api_token
     zone_id              = data.cloudflare_zone.domain[each.key].id
-    ssl                  = "flexible"
-    always_use_https     = "off"
+    ssl                  = "full"
+    always_use_https     = "on"
   }
 
   provisioner "local-exec" {
@@ -96,23 +96,23 @@ resource "null_resource" "cloudflare_zone_settings_override" {
 #   }
 # }
 
-# resource "null_resource" "cloudflare_ruleset" {
-#   for_each = local.apps_grouped_by_root_domain
+resource "null_resource" "cloudflare_ruleset" {
+  for_each = local.apps_grouped_by_root_domain
 
-#   triggers = {
-#     zone_id       = data.cloudflare_zone.domain[each.key].id
-#     kind          = "zone"
-#     phase         = "http_config_settings"
-#     ruleset_rules = local.ruleset_rules
-#   }
+  triggers = {
+    zone_id       = data.cloudflare_zone.domain[each.key].id
+    kind          = "zone"
+    phase         = "http_config_settings"
+    ruleset_rules = local.ruleset_rules
+  }
 
-#   provisioner "local-exec" {
-#     command = "${path.module}/cloudflare_ruleset.sh"
-#     environment = {
-#       ZONE_ID       = self.triggers.zone_id
-#       KIND          = self.triggers.kind
-#       PHASE         = self.triggers.phase
-#       RULESET_RULES = self.triggers.ruleset_rules
-#     }
-#   }
-# }
+  provisioner "local-exec" {
+    command = "${path.module}/cloudflare_ruleset.sh"
+    environment = {
+      ZONE_ID       = self.triggers.zone_id
+      KIND          = self.triggers.kind
+      PHASE         = self.triggers.phase
+      RULESET_RULES = self.triggers.ruleset_rules
+    }
+  }
+}