// Mgmt // Copyright (C) James Shubin and the project contributors // Written by James Shubin and the project contributors // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU General Public License as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License // along with this program. If not, see . // // Additional permission under GNU GPL version 3 section 7 // // If you modify this program, or any covered work, by linking or combining it // with embedded mcl code and modules (and that the embedded mcl code and // modules which link with this program, contain a copy of their source code in // the authoritative form) containing parts covered by the terms of any other // license, the licensors of this program grant you additional permission to // convey the resulting work. Furthermore, the licensors of this program grant // the original author, James Shubin, additional permission to update this // additional permission if he deems it necessary to achieve the goals of this // additional permission. package resources import ( "context" "fmt" "github.com/purpleidea/mgmt/engine" "github.com/purpleidea/mgmt/engine/traits" "github.com/purpleidea/mgmt/util/errwrap" "github.com/cloudflare/cloudflare-go/v6" "github.com/cloudflare/cloudflare-go/v6/dns" "github.com/cloudflare/cloudflare-go/v6/option" "github.com/cloudflare/cloudflare-go/v6/zones" ) func init() { engine.RegisterResource("cloudflare:dns", func() engine.Res { return &CloudflareDNSRes{} }) } // CloudflareDNSRes is a resource for managing DNS records in Cloudflare zones. // This resource uses the Cloudflare API to create, update, and delete DNS // records in a specified zone. It supports various record types including A, // AAAA, CNAME, MX, TXT, NS, SRV, and PTR records. The resource requires polling // to detect changes, as the Cloudflare API does not provide an event stream. // The Purge functionality allows enforcing that only managed DNS records exist // in the zone, removing any unmanaged records. type CloudflareDNSRes struct { traits.Base traits.GraphQueryable init *engine.Init // APIToken is the Cloudflare API token used for authentication. This is // required and must have the necessary permissions to manage DNS records // in the specified zone. APIToken string `lang:"apitoken"` // Comment is an optional comment to attach to the DNS record. This is // stored in Cloudflare and can be used for documentation purposes. Comment string `lang:"comment"` // Content is the value for the DNS record. This is required when State // is "exists" unless Purge is true. The format depends on the record // Type (e.g., IP address for A records, hostname for CNAME records). Content string `lang:"content"` // Priority is the priority value for records that support it (e.g., MX // records). This is a pointer to distinguish between an unset value and // a zero value. Priority *int64 `lang:"priority"` // Proxied specifies whether the record should be proxied through // Cloudflare's CDN. This is a pointer to distinguish between an unset // value and false. Only applicable to certain record types. Proxied *bool `lang:"proxied"` // Purge specifies whether to delete all DNS records in the zone that are // not defined in the mgmt graph. When true, this resource will query the // graph for other cloudflare:dns resources in the same zone and delete // any records not managed by those resources. Purge bool `lang:"purge"` // RecordName is the name of the DNS record (e.g., "www.example.com" or // "@" for the zone apex). This is required. RecordName string `lang:"record_name"` // State determines whether the DNS record should exist or be absent. // Valid values are "exists" (default) or "absent". When set to "absent", // the record will be deleted if it exists. State string `lang:"state"` // TTL is the time-to-live value for the DNS record in seconds. Must be // between 60 and 86400, or set to 1 for automatic TTL. Default is 1. TTL int64 `lang:"ttl"` // Type is the DNS record type (e.g., "A", "AAAA", "CNAME", "MX", "TXT", // "NS", "SRV", "PTR"). This is required. Type string `lang:"type"` // Zone is the name of the Cloudflare zone (domain) where the DNS record // should be managed (e.g., "example.com"). This is required. Zone string `lang:"zone"` client *cloudflare.Client zoneID string } // Default returns some sensible defaults for this resource. func (obj *CloudflareDNSRes) Default() engine.Res { return &CloudflareDNSRes{ State: "exists", TTL: 1, // this sets TTL to automatic } } // Validate checks if the resource data structure was populated correctly. func (obj *CloudflareDNSRes) Validate() error { if obj.RecordName == "" { return fmt.Errorf("record name is required") } if obj.APIToken == "" { return fmt.Errorf("API token is required") } if obj.Type == "" { return fmt.Errorf("record type is required") } if (obj.TTL < 60 || obj.TTL > 86400) && obj.TTL != 1 { // API requirement return fmt.Errorf("TTL must be between 60s and 86400s, or set to 1") } if obj.Zone == "" { return fmt.Errorf("zone name is required") } if obj.State != "exists" && obj.State != "absent" && obj.State != "" { return fmt.Errorf("state must be either 'exists', 'absent', or empty") } if obj.State == "exists" && obj.Content == "" && !obj.Purge { return fmt.Errorf("content is required when state is 'exists'") } if obj.MetaParams().Poll == 0 || obj.MetaParams().Poll < 1 { // CF accepts ~4req/s so this is good enough return fmt.Errorf("cloudflare:dns requires polling, set Meta:poll param (e.g., 60 seconds), min. 1s") } return nil } // Init runs some startup code for this resource. It initializes the Cloudflare // API client and validates that the specified zone exists. func (obj *CloudflareDNSRes) Init(init *engine.Init) error { obj.init = init obj.client = cloudflare.NewClient( option.WithAPIToken(obj.APIToken), ) //TODO: does it make more sense to check it here or in CheckApply()? zoneListParams := zones.ZoneListParams{ Name: cloudflare.F(obj.Zone), } zoneList, err := obj.client.Zones.List(context.Background(), zoneListParams) if err != nil { return errwrap.Wrapf(err, "failed to list zones") } if len(zoneList.Result) == 0 { return fmt.Errorf("zone %s not found", obj.Zone) } obj.zoneID = zoneList.Result[0].ID return nil } // Cleanup is run by the engine to clean up after the resource is done. It // clears sensitive data and releases the API client connection. func (obj *CloudflareDNSRes) Cleanup() error { obj.APIToken = "" obj.client = nil obj.zoneID = "" return nil } // Watch isn't implemented for this resource, since the Cloudflare API does not // provide any event stream. Instead, always use polling. func (obj *CloudflareDNSRes) Watch(context.Context) error { return fmt.Errorf("invalid Watch call: requires poll metaparam") } // CheckApply is the main convergence function for this resource. It checks the // current state of the DNS record against the desired state and applies changes // if necessary. If apply is false, it only checks if changes are needed. If // Purge is enabled, it will first delete any unmanaged records in the zone. func (obj *CloudflareDNSRes) CheckApply(ctx context.Context, apply bool) (bool, error) { zone, err := obj.client.Zones.List(ctx, zones.ZoneListParams{ Name: cloudflare.F(obj.Zone), }) if err != nil { return false, err } if len(zone.Result) == 0 { return false, fmt.Errorf("there's no zone registered with name %s", obj.Zone) } if len(zone.Result) > 1 { return false, fmt.Errorf("there's more than one zone with name %s", obj.Zone) } // We start by checking the need for purging if obj.Purge { checkOK, err := obj.purgeCheckApply(ctx, apply) if err != nil { return false, err } if !checkOK { return false, nil } } // List existing records listParams := dns.RecordListParams{ ZoneID: cloudflare.F(obj.zoneID), Name: cloudflare.F(dns.RecordListParamsName{ Contains: cloudflare.F(obj.RecordName), }), Type: cloudflare.F(dns.RecordListParamsType(obj.Type)), } recordList, err := obj.client.DNS.Records.List(ctx, listParams) if err != nil { return false, errwrap.Wrapf(err, "failed to list DNS records") } recordExists := len(recordList.Result) > 0 var record dns.RecordResponse if recordExists { record = recordList.Result[0] } switch obj.State { case "exists", "": if !recordExists { if !apply { return false, nil } if err := obj.createRecord(ctx); err != nil { return false, err } return true, nil } if obj.needsUpdate(record) { if !apply { return false, nil } if err := obj.updateRecord(ctx, record.ID); err != nil { return false, err } return true, nil } case "absent": if recordExists { if !apply { return false, nil } deleteParams := dns.RecordDeleteParams{ ZoneID: cloudflare.F(obj.zoneID), } _, err := obj.client.DNS.Records.Delete(ctx, record.ID, deleteParams) if err != nil { return false, errwrap.Wrapf(err, "failed to delete DNS record") } return true, nil } } return true, nil } // Cmp compares two resources and returns an error if they differ. This is used // to determine if two resources are equivalent for graph operations. func (obj *CloudflareDNSRes) Cmp(r engine.Res) error { if obj == nil && r == nil { return nil } if (obj == nil) != (r == nil) { return fmt.Errorf("one resource is empty") } res, ok := r.(*CloudflareDNSRes) if !ok { return fmt.Errorf("not a %s", obj.Kind()) } if obj.APIToken != res.APIToken { return fmt.Errorf("apitoken differs") } if (obj.Proxied == nil) != (res.Proxied == nil) { return fmt.Errorf("proxied values differ") } if obj.Proxied != nil && *obj.Proxied != *res.Proxied { return fmt.Errorf("proxied values differ") } if obj.RecordName != res.RecordName { return fmt.Errorf("record name differs") } if obj.Purge != res.Purge { return fmt.Errorf("purge value differs") } if obj.State != res.State { return fmt.Errorf("state differs") } if obj.TTL != res.TTL { return fmt.Errorf("ttl differs") } if obj.Type != res.Type { return fmt.Errorf("record type differs") } if obj.Zone != res.Zone { return fmt.Errorf("zone differs") } if obj.zoneID != res.zoneID { return fmt.Errorf("zoneid differs") } if obj.Content != res.Content { return fmt.Errorf("content param differs") } if obj.Priority != res.Priority { return fmt.Errorf("the priority param differs") } return nil } // buildRecordParam creates the appropriate record parameter structure based on // the record type. This is a helper function used by buildNewRecordParam and // buildEditRecordParam. // TODO: double check the fields for each record, might have missed some func (obj *CloudflareDNSRes) buildRecordParam() (any, error) { ttl := dns.TTL(obj.TTL) switch obj.Type { case "A": param := dns.ARecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.ARecordTypeA), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "AAAA": param := dns.AAAARecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.AAAARecordTypeAAAA), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "CNAME": param := dns.CNAMERecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.CNAMERecordTypeCNAME), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "MX": param := dns.MXRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.MXRecordTypeMX), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Priority != nil { // required for MX record param.Priority = cloudflare.F(float64(*obj.Priority)) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "TXT": param := dns.TXTRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.TXTRecordTypeTXT), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "NS": param := dns.NSRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.NSRecordTypeNS), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "SRV": param := dns.SRVRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.SRVRecordTypeSRV), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil case "PTR": param := dns.PTRRecordParam{ Name: cloudflare.F(obj.RecordName), Type: cloudflare.F(dns.PTRRecordTypePTR), Content: cloudflare.F(obj.Content), TTL: cloudflare.F(ttl), } if obj.Proxied != nil { param.Proxied = cloudflare.F(*obj.Proxied) } if obj.Comment != "" { param.Comment = cloudflare.F(obj.Comment) } return param, nil default: return nil, fmt.Errorf("record type %s is not supported", obj.Type) } } // buildNewRecordParam creates the appropriate record parameter for creating new // records. func (obj *CloudflareDNSRes) buildNewRecordParam() (dns.RecordNewParamsBodyUnion, error) { result, err := obj.buildRecordParam() if err != nil { return nil, err } return result.(dns.RecordNewParamsBodyUnion), nil } // buildEditRecordParam creates the appropriate record parameter for editing // records. func (obj *CloudflareDNSRes) buildEditRecordParam() (dns.RecordEditParamsBodyUnion, error) { result, err := obj.buildRecordParam() if err != nil { return nil, err } return result.(dns.RecordEditParamsBodyUnion), nil } // createRecord creates a new DNS record in Cloudflare using the resource's // parameters. func (obj *CloudflareDNSRes) createRecord(ctx context.Context) error { recordParams, err := obj.buildNewRecordParam() if err != nil { return err } createParams := dns.RecordNewParams{ ZoneID: cloudflare.F(obj.zoneID), Body: recordParams, } _, err = obj.client.DNS.Records.New(ctx, createParams) if err != nil { return errwrap.Wrapf(err, "failed to create dns record") } return nil } // updateRecord updates an existing DNS record in Cloudflare with the resource's // parameters. func (obj *CloudflareDNSRes) updateRecord(ctx context.Context, recordID string) error { recordParams, err := obj.buildEditRecordParam() if err != nil { return err } editParams := dns.RecordEditParams{ ZoneID: cloudflare.F(obj.zoneID), Body: recordParams, } _, err = obj.client.DNS.Records.Edit(ctx, recordID, editParams) if err != nil { return errwrap.Wrapf(err, "failed to update dns record") } return nil } // needsUpdate compares the current DNS record with the desired state and // returns true if an update is needed. func (obj *CloudflareDNSRes) needsUpdate(record dns.RecordResponse) bool { if obj.Content != record.Content { return true } if obj.TTL != int64(record.TTL) { return true } if obj.Proxied != nil { if *obj.Proxied != record.Proxied { return true } } if obj.Priority != nil { if float64(*obj.Priority) != record.Priority { return true } } if obj.Comment != record.Comment { return true } // TODO add more checks? return false } // purgeCheckApply deletes all DNS records in the zone that are not defined in // the mgmt graph. It queries the graph for other cloudflare:dns resources in // the same zone and builds an exclusion list. If apply is false, it only checks // if purge is needed. func (obj *CloudflareDNSRes) purgeCheckApply(ctx context.Context, apply bool) (bool, error) { listParams := dns.RecordListParams{ ZoneID: cloudflare.F(obj.zoneID), } iter := obj.client.DNS.Records.ListAutoPaging(ctx, listParams) allRecords := []dns.RecordResponse{} for iter.Next() { allRecords = append(allRecords, iter.Current()) } if err := iter.Err(); err != nil { return false, errwrap.Wrapf(err, "failed to list dns records for purge") } excludes := make(map[string]bool) graph, err := obj.init.FilteredGraph() if err != nil { return false, errwrap.Wrapf(err, "can't read the filtered graph") } for _, vertex := range graph.Vertices() { res, ok := vertex.(engine.Res) if !ok { return false, fmt.Errorf("not a resource") } if res.Kind() != "cloudflare:dns" { continue // we only want cloudflare dns resources } if res.Name() == obj.Name() { continue // skip self } cfRes, ok := res.(*CloudflareDNSRes) if !ok { return false, fmt.Errorf("wrong resource type") } if cfRes.Zone == obj.Zone { recordKey := fmt.Sprintf("%s:%s", cfRes.RecordName, cfRes.Type) excludes[recordKey] = true } } checkOK := true for _, record := range allRecords { recordKey := fmt.Sprintf("%s:%s", record.Name, record.Type) if excludes[recordKey] { continue } if apply { deleteParams := dns.RecordDeleteParams{ ZoneID: cloudflare.F(obj.zoneID), } _, err := obj.client.DNS.Records.Delete(ctx, record.ID, deleteParams) if err != nil { return false, errwrap.Wrapf(err, "failed to purge %s", recordKey) } } else { checkOK = false } } return checkOK, nil } // GraphQueryAllowed returns nil if you're allowed to query the graph. This // function accepts information about the requesting resource so we can // determine the access with some form of fine-grained control. func (obj *CloudflareDNSRes) GraphQueryAllowed(opts ...engine.GraphQueryableOption) error { options := &engine.GraphQueryableOptions{} // default options options.Apply(opts...) // apply the options if options.Kind != "cloudflare:dns" { return fmt.Errorf("only other cloudflare dns resources can access this info") } return nil }