Feature: cloudflare_tunnel_config support for origin_request in ingress #2072

Closed
christidis opened this issue Dec 2, 2022 · 4 comments · Fixed by #2477
Labels
kind/enhancement Categorizes issue or PR as related to improving an existing feature. service/tunnel Categorizes issue or PR as related to the Tunnel service. workflow/pending-public-documentation Indicates an issue or PR requires changes to public documentation confirming suitability for use.
Comments

christidis commented Dec 2, 2022

Current Terraform and Cloudflare provider version

latest as of writing this issue (v3.29.0).

Description

Once the Cloudflare API is updated to allow configuring origin_requests for the ingresses, the cloudflare_tunnel_config module should also be updated to support this functionality.

Use cases

Once this is available we should be able to apply such configurations via Terraform (e.g. for localhost:8002).

tunnel: 6ff42ae2-765d-4adf-8112-31c55c1551ef
credentials-file: /root/.cloudflared/6ff42ae2-765d-4adf-8112-31c55c1551ef.json
originRequest: # Top-level configuration
  connectTimeout: 30s

ingress:
  # The localhost:8000 service inherits all root-level configuration.
  # In other words, it will use a connectTimeout of 30 seconds.
  - hostname: example.com
    service: localhost:8000
  - hostname: example2.com
    service: localhost:8001
  # The localhost:8002 service overrides some root-level config.
  - service: localhost:8002
    originRequest:
      connectTimeout: 10s
      disableChunkedEncoding: true
  # Some built-in services such as `http_status` do not use any configuration.
  # The service below will simply respond with HTTP 404.
  - service: http_status:404

Potential Terraform configuration

resource "cloudflare_argo_tunnel" "example_tunnel" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  name       = "example_tunnel"
  secret     = "<32 character secret>"
}

resource "cloudflare_tunnel_config" "example_config" {
  account_id = "f037e56e89293a057740de681ac9abbe"
  tunnel_id  = cloudflare_argo_tunnel.example_tunnel.id

  config {
    warp_routing {
      enabled = true
    }
    origin_request {
      connect_timeout          = "1m0s"
      tls_timeout              = "1m0s"
      tcp_keep_alive           = "1m0s"
      no_happy_eyeballs        = false
      keep_alive_connections   = 1024
      keep_alive_timeout       = "1m0s"
      http_host_header         = "baz"
      origin_server_name       = "foobar"
      ca_pool                  = "/path/to/unsigned/ca/pool"
      no_tls_verify            = false
      disable_chunked_encoding = false
      bastion_mode             = false
      proxy_address            = "10.0.0.1"
      proxy_port               = "8123"
      proxy_type               = "socks"
      ip_rules {
        prefix = "/web"
        ports  = [80, 443]
        allow  = false
      }
    }
    ingress_rule {
      hostname = "foo"
      path     = "/bar"
      service  = "http://10.0.0.2:8080"
    }
    ingress_rule {
      origin_request {
        http_host_header         = "xyz-int"
        disable_chunked_encoding = false
      }
      hostname = "xyz"
      path     = "/xyz"
      service  = "http://10.0.0.2:8080"
    }
    ingress_rule {
      service = "https://10.0.0.3:8081"
    }
  }
}

References

@christidis christidis added kind/enhancement Categorizes issue or PR as related to improving an existing feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 2, 2022
@joshuarubin

It doesn't seem to be documented, but it is supported in the public API. You can see this by using the dashboard and editing a tunnel's "public hostname" values.

Here's an example of what it sends:
PUT https://api.teams.cloudflare.com/api/v4/accounts/<account_id>/cfd_tunnel/<tunnel_id>/configurations

{
  "config": {
    "ingress": [
      {
        "hostname": "<hostname>",
        "service": "ssh://localhost:22",
        "originRequest": {
          "noHappyEyeballs": false
        }
      },
      {
        "service": "tcp://localhost:2022",
        "hostname": "<hostname>",
        "originRequest": {
          "noHappyEyeballs": false
        }
      },
      {
        "service": "http_status:404"
      }
    ]
  }
}

It is critical that this be enabled in the provider and a default be provided, or else Cloudflare doesn't see any "origin configurations" and Zero Trust can't route to it. I had to manually modify a connection setting (like the no happy eyeballs one), save, and then reset it and save again for the tunnel to start working properly.
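Added example, not code from the issue, cloudflared or the Terraform provider: a small Python helper that assembles the configurations PUT body quoted in this comment, applying the inheritance shown by the cloudflared YAML in the issue description (the top-level originRequest is inherited by every ingress rule, per-rule keys override it) and emitting an originRequest on every non-built-in rule, which is the default this comment asks for. The DEFAULT_ORIGIN_REQUEST fallback, the validation rules and the sample data are assumptions.

```python
# Added example (mine, not from the issue, cloudflared or the Terraform provider):
# build the tunnel configurations PUT body and apply the inheritance the
# cloudflared YAML describes (top-level originRequest, overridden per rule).
import json

# Fallback drawn from the dashboard payload quoted in the thread; assumption:
# any non-empty originRequest is enough for routing to see an origin config.
DEFAULT_ORIGIN_REQUEST = {"noHappyEyeballs": False}

def merge_origin_request(top_level, rule_level):
    """default < top-level < per-rule; later layers override earlier ones."""
    merged = dict(DEFAULT_ORIGIN_REQUEST)
    merged.update(top_level or {})
    merged.update(rule_level or {})
    return merged

def build_tunnel_config(ingress, origin_request=None):
    """Return the {"config": {"ingress": [...]}} body; ValueError if invalid."""
    if not ingress:
        raise ValueError("ingress must contain at least one rule")
    # cloudflared requires the last rule to be a catch-all (no hostname/path).
    if "hostname" in ingress[-1] or "path" in ingress[-1]:
        raise ValueError("last ingress rule must be a catch-all")
    rules = []
    for rule in ingress:
        service = rule.get("service")
        if not service:
            raise ValueError("every ingress rule needs a service")
        out = {k: v for k, v in rule.items() if k != "originRequest"}
        # Built-in services such as http_status:404 take no origin settings.
        if not service.startswith("http_status:"):
            out["originRequest"] = merge_origin_request(origin_request, rule.get("originRequest"))
        rules.append(out)
    return {"config": {"ingress": rules}}

# Constructed sample mirroring the YAML in the issue description.
SAMPLE_ORIGIN_REQUEST = {"connectTimeout": "30s"}
SAMPLE_INGRESS = [
    {"hostname": "example.com", "service": "localhost:8000"},
    {"hostname": "example2.com", "service": "localhost:8001"},
    {"service": "localhost:8002",
     "originRequest": {"connectTimeout": "10s", "disableChunkedEncoding": True}},
    {"service": "http_status:404"},
]

if __name__ == "__main__":
    print(json.dumps(build_tunnel_config(SAMPLE_INGRESS, SAMPLE_ORIGIN_REQUEST), indent=2))
```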

@jacobbednarz jacobbednarz added workflow/pending-public-documentation Indicates an issue or PR requires changes to public documentation confirming suitability for use. service/tunnel Categorizes issue or PR as related to the Tunnel service. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Dec 18, 2022
asychev commented Feb 20, 2023

Any updates on this? In many cases the absence of this feature is a hard blocker.

ruimarinho commented May 17, 2023

This is even more problematic considering the terraform PUT replaces any previously-configured UI setting. Any chance of getting this fixed anytime soon? Hard blocker for me as well.

Edit: This seems to be supported by the SDK https://github.com/cloudflare/cloudflared/blob/master/config/configuration.go#L177-L182.

@github-actions

This functionality has been released in v4.7.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 31, 2023