Creation of CAA records #821

Closed
stack72 opened this issue Oct 12, 2020 · 7 comments

@stack72

stack72 commented Oct 12, 2020

Hi,

I am investigating the creation of CAA records with this Terraform Provider. It was suggested this was added in #97 where I could specify this as follows:

resource "cloudflare_record" "caa" {
  domain  = "mydomain.com"
  name    = "mydomain.com"
  data    = {
    flags = "0"
    tag   = "issue"
    value = "letsencrypt.org"
  }
  type    = "CAA"
  ttl     = 1
}

I cannot seem to find where the value parameter as part of the data map was added. Without this value parameter, no details can be passed as part of the record.

I tried to set both the data and value blocks together, but both are conflicting:

if valueOk == dataOk {
	return fmt.Errorf(
		"either 'value' (present: %t) or 'data' (present: %t) must be provided",
		valueOk, dataOk)
}

Please can you help with an example implementation here?

Paul

@jacobbednarz
Member

Using the following setup, I'm unable to reproduce the issue.

variable "cloudflare_email" {}
variable "cloudflare_api_key" {}
variable "cloudflare_zone_id" {}
variable "cloudflare_domain" {}

provider "cloudflare" {
  email      = var.cloudflare_email
  api_key    = var.cloudflare_api_key
}

resource "cloudflare_record" "caa" {
  zone_id = var.cloudflare_zone_id
  name    = "caa-test.${var.cloudflare_domain}"
  data    = {
    flags = "0"
    tag   = "issue"
    value = "letsencrypt.org"
  }
  type    = "CAA"
  ttl     = 600
}

$ dig caa-test.terraform.cfapi.net -t caa +short
0 issue "letsencrypt.org"

You shouldn't be using the domain attribute, as it is deprecated in favour of zone_id, and the ttl cannot be 1 for a non-proxied record.

@stack72
Author

stack72 commented Oct 12, 2020

Hi @jacobbednarz

Thanks for confirming here - just a follow-up question on this - how does this even work when value isn't a parameter available on the data struct?

Paul

@jacobbednarz
Member

It's kind of two part. The first is that nested or complex types in Terraform sometimes allow weird behaviour like not catching unexpected attributes (the case here) and the fact the provider iterates over the d.GetOk("data") to build the request.

When the d.GetOk("data") is run here, the following line dumps the struct where you can see all the values present (again, despite one not having a place in the schema).

[DEBUG] Data found in config: map[string]interface {}{"flags":"0", "tag":"issue", "value":"letsencrypt.org"}

After that, the key/value pairs of the type are enumerated and the request is built which ends up marshaling into the JSON payload for creating the record.

To safeguard future changes, we should probably add the field to the schema to prevent it from randomly stopping working.
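
What the pass-through described in this thread means in practice, as an added example that is not part of the thread or the provider's code: the first builder forwards any key found in the data map, the second checks the keys against a declared set. The function names, the allow-list and the simplified request body are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// caaFields mirrors the keys used in the thread's `data` block. This allow-list
// is an assumption for illustration, not the provider's actual schema.
var caaFields = map[string]bool{"flags": true, "tag": true, "value": true}

// buildPassthrough copies every key of the data map into the request body,
// which is the behaviour described above: nothing checks the key names.
func buildPassthrough(data map[string]interface{}) ([]byte, error) {
	return json.Marshal(map[string]interface{}{"type": "CAA", "data": data})
}

// buildValidated rejects keys outside the declared set and requires all of
// them, so a misspelled key fails before any request body is built.
func buildValidated(data map[string]interface{}) ([]byte, error) {
	var unknown, missing []string
	for k := range data {
		if !caaFields[k] {
			unknown = append(unknown, k)
		}
	}
	for k := range caaFields {
		if _, ok := data[k]; !ok {
			missing = append(missing, k)
		}
	}
	if len(unknown)+len(missing) > 0 {
		sort.Strings(unknown)
		sort.Strings(missing)
		return nil, fmt.Errorf("CAA data: unknown keys %v, missing keys %v", unknown, missing)
	}
	return buildPassthrough(data)
}

func main() {
	// Constructed input: "vaule" is a deliberate typo of "value".
	typo := map[string]interface{}{"flags": "0", "tag": "issue", "vaule": "letsencrypt.org"}
	body, _ := buildPassthrough(typo)
	fmt.Println("passthrough:", string(body))
	_, err := buildValidated(typo)
	fmt.Println("validated:  ", err)
}
```

With the pass-through builder, the misspelled key is serialized as-is and the CAA record's issuer value never reaches the request under the expected name.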

@stack72
Author

stack72 commented Oct 12, 2020

Ah so it's kinda exposing the Map feature in the schema

Got it - I'll happily send a PR that adds the specific fields if you want me to?

@jacobbednarz
Member

👍 happy to review a PR for it

@stephanepham-sib

Hello here!
I'm trying to use for_each with a module, but it doesn't work because I can't set the data block to null in the case where my DNS record is not a CAA. The other way around, if my record is a CAA type, I want to use the data block and set value to null; otherwise I'll get the error message below.
"either 'value' (present: %t) or 'data' (present: %t) must be provided",
Do you have any solution for this issue?
Thanks a lot

@stack72
Author

stack72 commented Nov 10, 2020

Hi @jacobbednarz

Sorry it took so long to get back to you on this, I just opened #866

Paul
