
Cloudflare

Comprehensive Cloudflare control plane — accounts, zones, zone settings, DNS, page rules, rulesets, firewall, rate limits, managed headers, WAF, Workers (scripts / routes / cron / secrets), SSL (certificate packs, origin CA), Access (Zero Trust), Tunnels, Load Balancing, R2, Pages, Stream, notifications, Logpush.

Namespace: weave cloudflare
Env: CLOUDFLARE_API_TOKEN
Commands: 61 · State kinds: 22 · Category: Networking · API docs: 1

Setup

Configure credentials via environment variables. We recommend sourcing them through 1Password or your secrets manager rather than committing them to the shell rc.

Official API reference

weave commands for this module are checked against the vendor's published API.

Variable               Description                                                                  Status
CLOUDFLARE_API_TOKEN   Required for authentication.                                                 required
CLOUDFLARE_ACCOUNT_ID  Default account ID for account-scoped commands when --account is omitted.    optional

Sanity-check the wiring:

weave secrets check
weave cloudflare --help
weave doctor   # reports CLOUDFLARE_API_TOKEN status
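As an added preflight (not part of weave, and not what weave doctor itself runs), the following Python check reports whether the two variables above are set without ever printing their values, and flags a token that has been written as a literal into a shell rc file, which is the pattern the setup note advises against. The list of rc files scanned is an assumption; adjust it for your shell.

```python
"""Credential-hygiene preflight for the weave cloudflare module.

Added example, not part of weave. It mirrors what the setup notes ask for:
the token must be present in the environment (it is never printed), and it
should be sourced from a secrets manager rather than written as a literal
into a shell rc file.
"""
import os
import re
from pathlib import Path
from typing import Iterable, Mapping, Optional

REQUIRED = ("CLOUDFLARE_API_TOKEN",)
OPTIONAL = ("CLOUDFLARE_ACCOUNT_ID",)

# Files to scan for a hard-coded token; an assumption, adjust for your shell.
DEFAULT_RC_FILES = ("~/.bashrc", "~/.zshrc", "~/.profile", "~/.bash_profile")

# Matches a literal assignment such as `export CLOUDFLARE_API_TOKEN=v1.0-abc...`.
# An indirection like `CLOUDFLARE_API_TOKEN="$(op read op://...)"` or `=$CF_TOKEN`
# starts with `$` and is deliberately not matched.
_LITERAL = re.compile(
    r"""^\s*(?:export\s+)?CLOUDFLARE_API_TOKEN\s*=\s*(?P<q>["']?)(?!\$)[A-Za-z0-9_.\-]{8,}(?P=q)\s*(?:#.*)?$"""
)


def env_status(env: Mapping[str, str]) -> dict:
    """Report each known variable as 'set', 'blank' or 'missing' without exposing values."""
    status = {}
    for name in REQUIRED + OPTIONAL:
        if name not in env:
            status[name] = "missing"
        elif env[name].strip() == "":
            status[name] = "blank"
        else:
            status[name] = "set"
    return status


def literal_token_lines(text: str) -> list:
    """Return 1-based line numbers in `text` that assign the token as a literal."""
    return [i for i, line in enumerate(text.splitlines(), start=1) if _LITERAL.match(line)]


def find_literal_tokens(paths: Iterable[str]) -> list:
    """Scan rc files; return (path, line_number) pairs for hard-coded tokens."""
    hits = []
    for raw in paths:
        path = Path(raw).expanduser()
        if not path.is_file():
            continue
        for line_no in literal_token_lines(path.read_text(errors="replace")):
            hits.append((str(path), line_no))
    return hits


def preflight(env: Optional[Mapping[str, str]] = None,
              rc_files: Iterable[str] = DEFAULT_RC_FILES) -> list:
    """Return a list of findings; an empty list means the wiring looks sane."""
    env = os.environ if env is None else env
    findings = []
    status = env_status(env)
    for name in REQUIRED:
        if status[name] != "set":
            findings.append(f"{name} is {status[name]}; weave cloudflare cannot authenticate")
    for name in OPTIONAL:
        if status[name] == "blank":
            findings.append(f"{name} is set but blank; --account will be required on every call")
    for path, line_no in find_literal_tokens(rc_files):
        findings.append(f"{path}:{line_no} hard-codes CLOUDFLARE_API_TOKEN; move it to a secrets manager")
    return findings


if __name__ == "__main__":
    problems = preflight()
    for p in problems:
        print("FAIL", p)
    if not problems:
        print("OK: credentials present, no hard-coded token in rc files")
    raise SystemExit(1 if problems else 0)
```

Run it before `weave secrets check` in CI or a pre-commit hook; a non-zero exit means either the token is absent or it is sitting in a file that will eventually end up in a backup or a dotfiles repo.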

Capabilities

What this module can do, by entity and verb. A check mark means a working CLI surface; · means not (yet) wired.

Entity  find  list  show  do  snapshot  diff  apply
access-app·
access-group···
access-identity-provider···
access-policy······
access-service-token······
account·····
account-member···
analytics······
api-token···
certificate-pack····
dns····
dns-record····
email-routing-rule···
firewall-rule·
load-balancer··
load-balancer-monitor···
load-balancer-pool···
logpush-job···
managed-header···
notification-policies····
notification-policy······
origin-cert······
page-rule··
pages-project····
r2-bucket····
rate-limit···
ruleset······
security-event·······
stream-video······
tunnel··
waf-override······
waf-package······
worker····
worker-cron-trigger······
worker-route···
worker-script······
worker-secret······
zone···
zone-setting··

Commands

Every registered CLI command, grouped by verb. Each example uses placeholder arguments — substitute real values for your environment.

find (8)

find access-app

read

Find an Access (Zero Trust) application by name.

weave cloudflare find access-app <name>

find account

read

Find an account by id or display name.

weave cloudflare find account <identifier>

find dns-record

read

Find a DNS record by name on a zone.

weave cloudflare find dns-record <name>

find firewall-rule

read

Find a firewall rule on a zone by description.

weave cloudflare find firewall-rule <description>

find load-balancer

read

Find a load balancer by name on a zone.

weave cloudflare find load-balancer <name>

find page-rule

read

Find a page rule by target URL substring.

weave cloudflare find page-rule <target>

find worker

read

Find a Workers script by name on an account.

weave cloudflare find worker <name>

find zone

read

Find a zone by name (domain).

weave cloudflare find zone <name>

list (35)

list access-apps

read

List Access (Zero Trust) applications on an account.

weave cloudflare list access-apps <arg>

list access-groups

read

List Access groups on an account.

weave cloudflare list access-groups <arg>

list access-identity-providers

read

List Access identity providers (IdPs).

weave cloudflare list access-identity-providers <arg>

list access-policies

read

List Access policies for one application.

weave cloudflare list access-policies <app>

list access-service-tokens

read

List Access service tokens (values not exposed).

weave cloudflare list access-service-tokens <arg>

list account-members

read

List members on an account.

weave cloudflare list account-members <arg>

list accounts

read

List accounts the API token can access.

weave cloudflare list accounts <arg>

list analytics

read

Aggregate zone analytics (HTTP requests, bandwidth) for a window.

weave cloudflare list analytics <arg>

list api-tokens

read

List API tokens on the current user.

weave cloudflare list api-tokens <arg>

list certificate-packs

read

List SSL certificate packs on a zone.

weave cloudflare list certificate-packs <arg>

list dns

read

List DNS records on a zone.

weave cloudflare list dns <zone>

list email-routing-rules

read

List Email Routing rules on a zone.

weave cloudflare list email-routing-rules <arg>

list firewall-rules

read

List firewall rules on a zone.

weave cloudflare list firewall-rules <arg>

list load-balancer-monitors

read

List load-balancer monitors on an account.

weave cloudflare list load-balancer-monitors <arg>

list load-balancer-pools

read

List load-balancer pools on an account.

weave cloudflare list load-balancer-pools <arg>

list load-balancers

read

List load balancers on a zone.

weave cloudflare list load-balancers <arg>

list logpush-jobs

read

List Logpush jobs on a zone or account.

weave cloudflare list logpush-jobs <arg>

list managed-headers

read

List managed HTTP headers on a zone (request + response).

weave cloudflare list managed-headers <arg>

list notification-policies

read

List notification policies on an account.

weave cloudflare list notification-policies <arg>

list origin-certs

read

List Origin CA certificates on an account.

weave cloudflare list origin-certs <arg>

list page-rules

read

List page rules on a zone.

weave cloudflare list page-rules <arg>

list pages-projects

read

List Cloudflare Pages projects on an account.

weave cloudflare list pages-projects <arg>

list r2-buckets

read

List R2 buckets on an account.

weave cloudflare list r2-buckets <arg>

list rate-limits

read

List rate-limit rules on a zone.

weave cloudflare list rate-limits <arg>

list rulesets

read

List rulesets on a zone or account.

weave cloudflare list rulesets <arg>

list stream-videos

read

List Stream videos on an account (read-only).

weave cloudflare list stream-videos <arg>

list tunnels

read

List Cloudflare Tunnels (cloudflared / Argo) on an account.

weave cloudflare list tunnels <arg>

list waf-overrides

read

List WAF (legacy) overrides on a zone.

weave cloudflare list waf-overrides <arg>

list waf-packages

read

List WAF packages on a zone (read-only).

weave cloudflare list waf-packages <arg>

list worker-cron-triggers

read

List Worker cron triggers on a script.

weave cloudflare list worker-cron-triggers <script>

list worker-routes

read

List Worker routes on a zone.

weave cloudflare list worker-routes <arg>

list worker-secrets

read

List Worker secret names on a script (values never exposed).

weave cloudflare list worker-secrets <script>

list workers

read

List Workers scripts on an account.

weave cloudflare list workers <arg>

list zone-settings

read

List configuration settings for one zone.

weave cloudflare list zone-settings <arg>

list zones

read

List zones (domains) on this account.

weave cloudflare list zones <arg>

show (5)

show access-app

read

Show one Access application in detail.

weave cloudflare show access-app <app-id>

show tunnel

read

Show one tunnel in detail.

weave cloudflare show tunnel <tunnel-id>

show worker-script

read

Show Worker script metadata (source is intentionally truncated).

weave cloudflare show worker-script <script>

show zone

read

Show full detail for one zone.

weave cloudflare show zone <zone>

show zone-settings

read

Show all zone settings as one object.

weave cloudflare show zone-settings <zone>

do (12)

do create-api-token

write

Create an API token (value displayed once with --show-secret).

weave cloudflare do create-api-token <name>

do delete-dns-record

write

Delete a DNS record by name + type on a zone.

weave cloudflare do delete-dns-record <name>

do delete-tunnel

write

Delete a Cloudflare Tunnel by id.

weave cloudflare do delete-tunnel <tunnel-id>

do delete-worker

write

Delete a Worker script by name.

weave cloudflare do delete-worker <script>

do deploy-worker

write

Upload (or replace) a Worker script from a JS file.

weave cloudflare do deploy-worker <script>

do disable-dnssec

write

Disable DNSSEC on a zone.

weave cloudflare do disable-dnssec <zone>

do disable-firewall-rule

write

Pause a firewall rule by id.

weave cloudflare do disable-firewall-rule <rule-id>

do enable-dnssec

write

Enable DNSSEC on a zone.

weave cloudflare do enable-dnssec <zone>

do enable-firewall-rule

write

Un-pause (re-enable) a firewall rule by id.

weave cloudflare do enable-firewall-rule <rule-id>

do purge-cache

write

Purge cached content for a zone.

weave cloudflare do purge-cache <zone>

do revoke-api-token

write

Revoke (delete) an API token by id.

weave cloudflare do revoke-api-token <token-id>

do rotate-tunnel-token

write

Rotate the auth token for a tunnel (value shown once).

weave cloudflare do rotate-tunnel-token <tunnel-id>

watch (1)

watch security-events

write

Poll the security event firehose on a zone.

weave cloudflare watch security-events <arg>

snapshot / diff / apply are generated automatically from the State Kinds declared on this module — see the State kinds section below for per-kind details. Workflow: snapshot → edit YAML → diff → apply --yes (or confirm interactively; apply --dry-run previews the same diff).

State kinds

Resources this module can snapshot and diff; apply where the kind supports live writes (see Round-trip per kind). Always run diff before apply; use --yes in automation after review. Files live under .weave-state/cloudflare/.

dns

snapshot diff apply

All DNS records on a zone (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: dns
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

zone-settings

snapshot diff apply

Editable zone-level toggles (cache, security, SSL, etc.) — singleton apply.

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: zone-settings
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

email-routing-rules

snapshot diff apply

Email Routing rules (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: email-routing-rules
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

page-rules

snapshot diff apply

Page rules on a zone (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: page-rules
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

firewall-rules

snapshot diff apply

Zone firewall rules (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: firewall-rules
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

rate-limits

snapshot diff apply

Zone rate-limit rules (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: rate-limits
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

managed-headers

snapshot diff apply

Managed HTTP headers (request + response) — per-id enabled toggles.

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: managed-headers
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

certificate-packs

snapshot diff apply

SSL certificate packs (snapshot + diff only — renewal is automatic).

Scope
zone
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: cloudflare
kind: certificate-packs
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

worker-routes

snapshot diff apply

Worker route patterns -> script bindings on a zone (full apply).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: worker-routes
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

load-balancers

snapshot diff apply

Zone-scoped load balancers (full apply: create / update / delete).

Scope
zone
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: load-balancers
zone: <value>
items:
  - # <fields specific to this kind — see snapshot output>

load-balancer-pools

snapshot diff apply

Account-scoped LB origin pools (full apply: create / update / delete).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: load-balancer-pools
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

load-balancer-monitors

snapshot diff apply

Account-scoped LB health monitors (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: load-balancer-monitors
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

access-apps

snapshot diff apply

Zero Trust Access applications (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: access-apps
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

access-groups

snapshot diff apply

Zero Trust Access groups (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: access-groups
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

access-identity-providers

snapshot diff apply

Zero Trust IdPs (full apply; client secrets are redacted on snapshot).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: access-identity-providers
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

r2-buckets

snapshot diff apply

R2 buckets (snapshot + diff only — bucket lifecycle is destructive).

Scope
account
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: cloudflare
kind: r2-buckets
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

pages-projects

snapshot diff apply

Cloudflare Pages projects (snapshot + diff only — edit via wrangler).

Scope
account
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: cloudflare
kind: pages-projects
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

account-members

snapshot diff apply

Account members + their role assignments (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: account-members
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

api-tokens

snapshot diff apply

API token metadata (snapshot + diff only — values are write-once).

Scope
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: cloudflare
kind: api-tokens
items:
  - # <fields specific to this kind — see snapshot output>

tunnels

snapshot diff apply

Cloudflare Tunnels (snapshot + diff only — tokens are write-once).

Scope
account
Round-trip
Snapshot + diff (apply not wired).

State file skeleton

module: cloudflare
kind: tunnels
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

notification-policies

snapshot diff apply

Account notification (alerting) policies (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: notification-policies
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>

logpush-jobs

snapshot diff apply

Logpush jobs on an account (full apply).

Scope
account
Round-trip
Full round-trip — snapshot, diff, apply.

State file skeleton

module: cloudflare
kind: logpush-jobs
account: <value>
items:
  - # <fields specific to this kind — see snapshot output>
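As an added illustration (not weave's own diff engine) of what the snapshot → edit YAML → diff → apply loop computes for a full-apply kind, and of two guard rails implied by the kinds above: kinds marked "apply not wired" are refused, and a field the snapshot redacts, such as the IdP client_secret, is never pushed back to the live API as its placeholder. The item fields, the identity keys per kind and the `<redacted>` marker are constructed for this example; the real field names come from snapshot output.

```python
"""Plan a state apply from a live snapshot and an edited state file.

Added example, not weave's own diff engine. A "full apply" kind is
reconciled as create / update / delete keyed on a stable identity. Two
guard rails are built in: kinds this page lists as "apply not wired" are
refused, and values the snapshot redacts are scrubbed from the desired
state so the placeholder is never written to the live API.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Kinds this page lists as "Snapshot + diff (apply not wired)".
READ_ONLY_KINDS = {"certificate-packs", "r2-buckets", "pages-projects", "api-tokens", "tunnels"}

# Fields that identify an item, assumed per kind (dns follows the page's
# "delete by name + type" convention); adjust to your snapshot output.
IDENTITY = {
    "dns": ("name", "type"),
    "firewall-rules": ("description",),
    "access-identity-providers": ("name",),
}

# Fields the snapshot redacts; a redacted placeholder must never be applied.
REDACTED_FIELDS = {"access-identity-providers": {"client_secret"}}
REDACTED_MARKER = "<redacted>"   # constructed placeholder for this example

# Constructed sample data (documentation addresses, fake IdP name).
SAMPLE_LIVE_DNS = [
    {"name": "www.example.com", "type": "A", "content": "192.0.2.10", "proxied": True},
    {"name": "old.example.com", "type": "CNAME", "content": "www.example.com"},
]
SAMPLE_DESIRED_DNS = [
    {"name": "www.example.com", "type": "A", "content": "192.0.2.11", "proxied": True},
    {"name": "api.example.com", "type": "A", "content": "192.0.2.20"},
]
SAMPLE_LIVE_IDP = [
    {"name": "okta", "type": "oidc", "client_id": "abc", "client_secret": REDACTED_MARKER},
]
SAMPLE_DESIRED_IDP = [
    {"name": "okta", "type": "oidc", "client_id": "abc-rotated", "client_secret": REDACTED_MARKER},
]


@dataclass
class Plan:
    create: List[dict] = field(default_factory=list)
    update: List[Tuple[dict, dict]] = field(default_factory=list)   # (live, desired)
    delete: List[dict] = field(default_factory=list)

    def is_empty(self) -> bool:
        return not (self.create or self.update or self.delete)


def key_of(kind: str, item: dict) -> tuple:
    return tuple(item.get(f) for f in IDENTITY[kind])


def index(kind: str, items: List[dict]) -> Dict[tuple, dict]:
    """Index items by identity; two items sharing an identity is a state-file error."""
    out: Dict[tuple, dict] = {}
    for item in items:
        k = key_of(kind, item)
        if k in out:
            raise ValueError(f"{kind}: duplicate identity {k} in state file")
        out[k] = item
    return out


def scrub_redacted(kind: str, item: dict) -> dict:
    """Drop redacted placeholders so they are never written to the live API."""
    redacted = REDACTED_FIELDS.get(kind, set())
    return {k: v for k, v in item.items() if not (k in redacted and v == REDACTED_MARKER)}


def diff(kind: str, live: List[dict], desired: List[dict]) -> Plan:
    """Compute create / update / delete between live state and the edited state file."""
    live_by = index(kind, live)
    desired_by = {k: scrub_redacted(kind, v) for k, v in index(kind, desired).items()}
    plan = Plan()
    for k, want in desired_by.items():
        have = live_by.get(k)
        if have is None:
            plan.create.append(want)
        # Only fields present in the desired item are compared, so a scrubbed
        # secret is neither reported as drift nor overwritten.
        elif any(have.get(f) != v for f, v in want.items()):
            plan.update.append((have, want))
    for k, have in live_by.items():
        if k not in desired_by:
            plan.delete.append(have)
    return plan


def apply_allowed(kind: str, plan: Plan, confirmed: bool) -> Tuple[bool, str]:
    """Gate the apply step the way the per-kind Round-trip notes describe."""
    if kind in READ_ONLY_KINDS:
        return False, f"{kind}: snapshot + diff only, apply is not wired"
    if plan.is_empty():
        return False, f"{kind}: no drift, nothing to apply"
    if not confirmed:
        return False, f"{kind}: pass --yes or confirm interactively"
    return True, f"{kind}: {len(plan.create)} create, {len(plan.update)} update, {len(plan.delete)} delete"


if __name__ == "__main__":
    plan = diff("dns", SAMPLE_LIVE_DNS, SAMPLE_DESIRED_DNS)
    print(apply_allowed("dns", plan, confirmed=False)[1])
    print(apply_allowed("dns", plan, confirmed=True)[1])
    print(apply_allowed("tunnels", plan, confirmed=True)[1])
```

The scrub step is the part worth copying into any home-grown tooling around these state files: once a snapshot redacts a secret, an edited copy of that file still carries the placeholder, and a naive "push every field" apply would overwrite the real credential with the string `<redacted>`.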

Workflows

End-to-end recipes from operators who already run this module in production. Copy, adapt, and put under change-control.

Bulk DNS edit — review in a PR before applying

Snapshot zone DNS into git, propose edits in a branch, diff, then apply.

weave cloudflare snapshot dns --zone=example.com
git checkout -b dns-cleanup && git add .weave-state/cloudflare && git commit -m 'snapshot dns'
$EDITOR .weave-state/cloudflare/example-com/dns.yaml
weave cloudflare diff dns --zone=example.com    # preview
weave cloudflare apply dns --zone=example.com --yes

Purge cached content after a deploy

Purge a small set of URLs first; fall back to everything only if needed.

weave cloudflare do purge-cache example.com --files https://example.com/index.html --files https://example.com/app.js --yes
weave cloudflare watch security-events --zone=example.com --iterations=4   # confirm no new WAF noise

Quarterly firewall + WAF audit

Snapshot firewall + rate-limit + zone settings, commit, diff next quarter.

weave cloudflare snapshot firewall-rules --zone=example.com
weave cloudflare snapshot rate-limits --zone=example.com
weave cloudflare snapshot zone-settings --zone=example.com
git add .weave-state/cloudflare && git commit -m 'security audit Q1'
# … next quarter …
weave cloudflare diff firewall-rules --zone=example.com   # any drift?

Zero Trust app + policy review

Audit Access apps, groups, and IdPs across the account.

weave cloudflare snapshot access-apps --account=Acme
weave cloudflare snapshot access-groups --account=Acme
weave cloudflare snapshot access-identity-providers --account=Acme   # secrets redacted
weave cloudflare list access-policies <app-id> --account=Acme         # per-app drilldown

Rotate an API token without committing the value

create-api-token + --show-secret prints the value once; never put it in YAML.

weave cloudflare do create-api-token ci-deploy --policies='[{...}]' --show-secret --yes
# copy the printed value into your secrets manager
weave cloudflare list api-tokens   # confirm new token appears
weave cloudflare do revoke-api-token <old-token-id> --yes

Terraform parity

For each Terraform resource in the canonical provider, here's the equivalent live-API verb in weave. Use this as a migration cheat-sheet, not a 1:1 contract — weave deliberately stays in the live-state lane, not the desired-state lane.

Terraform resource → weave equivalent

cloudflare_account → weave cloudflare list/find account
  Read-only — account creation requires the Cloudflare API enterprise tooling.
cloudflare_zone → weave cloudflare list/find/show zone
cloudflare_zone_settings_override → weave cloudflare list/show zone-settings / snapshot zone-settings
cloudflare_zone_dnssec → weave cloudflare do enable-dnssec / disable-dnssec
cloudflare_record → weave cloudflare list/find dns-record / snapshot dns / do delete-dns-record
cloudflare_email_routing_rule → weave cloudflare list email-routing-rules / snapshot email-routing-rules
cloudflare_page_rule → weave cloudflare list/find page-rule / snapshot page-rules
cloudflare_ruleset → weave cloudflare list rulesets
  Rulesets are read-listed; per-ruleset edits go via the API directly today.
cloudflare_firewall_rule + cloudflare_filter → weave cloudflare list/find firewall-rule / snapshot firewall-rules / do enable/disable-firewall-rule
cloudflare_rate_limit → weave cloudflare list rate-limits / snapshot rate-limits
cloudflare_managed_headers → weave cloudflare list managed-headers / snapshot managed-headers
cloudflare_waf_override → weave cloudflare list waf-overrides
  Read-only listing; legacy WAF (rule-set based) is being migrated to rulesets.
cloudflare_workers_script → weave cloudflare list/find/show worker / do deploy-worker / do delete-worker
cloudflare_workers_route → weave cloudflare list worker-routes / snapshot worker-routes
cloudflare_worker_cron_trigger → weave cloudflare list worker-cron-triggers <script>
cloudflare_workers_secret → weave cloudflare list worker-secrets <script>
  Names only; values never round-tripped through state.
cloudflare_certificate_pack → weave cloudflare list certificate-packs / snapshot certificate-packs
  Snapshot + diff only; renewal is automatic.
cloudflare_origin_ca_certificate → weave cloudflare list origin-certs
cloudflare_access_application → weave cloudflare list/find access-app / snapshot access-apps
cloudflare_access_policy → weave cloudflare list access-policies <app>
cloudflare_access_group → weave cloudflare list access-groups / snapshot access-groups
cloudflare_access_identity_provider → weave cloudflare list access-identity-providers / snapshot access-identity-providers
  client_secret is redacted on snapshot; rotate via dashboard.
cloudflare_access_service_token → weave cloudflare list access-service-tokens
  Listing only; client_secret can only be retrieved once at creation.
cloudflare_tunnel → weave cloudflare list/show tunnel / snapshot tunnels / do delete-tunnel / do rotate-tunnel-token
cloudflare_load_balancer → weave cloudflare list/find load-balancer / snapshot load-balancers
cloudflare_load_balancer_pool → weave cloudflare list load-balancer-pools / snapshot load-balancer-pools
cloudflare_load_balancer_monitor → weave cloudflare list load-balancer-monitors / snapshot load-balancer-monitors
cloudflare_r2_bucket → weave cloudflare list r2-buckets / snapshot r2-buckets
  Snapshot + diff only — bucket create/delete is destructive of object data.
cloudflare_pages_project → weave cloudflare list pages-projects / snapshot pages-projects
  Snapshot + diff only — edit via wrangler / dashboard.
cloudflare_account_member → weave cloudflare list account-members / snapshot account-members
cloudflare_api_token → weave cloudflare list api-tokens / snapshot api-tokens / do create-api-token / do revoke-api-token
  Values shown ONCE on create (--show-secret); never round-tripped.
cloudflare_notification_policy → weave cloudflare list notification-policies / snapshot notification-policies
cloudflare_logpush_job → weave cloudflare list logpush-jobs / snapshot logpush-jobs
cloudflare_argo / cloudflare_byo_ip_* / cloudflare_workers_for_platforms_* → (skipped)
  Paid-tier / network-engineering / multi-tenant Workers — low operator traffic.
(security event tail / analytics dashboard) → weave cloudflare watch security-events / list analytics
  Operational verbs unique to weave — no Terraform equivalent.

Troubleshooting & source

Missing credentials

Run weave doctor — it reports which env vars (including CLOUDFLARE_API_TOKEN) are set and which are blank.

Unexpected behaviour from a state apply

Re-run weave cloudflare diff <kind> to confirm the controller's current state, then re-snapshot before the next apply. The driver always re-snapshots before diffing.