fix(cloudflare): prefer DNS scoped token

This commit is contained in:
Haitao Pan 2026-06-27 13:48:19 +08:00
parent 19a3c9f72a
commit a2ce5b9d05
2 changed files with 7 additions and 7 deletions


@ -6,10 +6,10 @@ Reusable Ansible role for creating and updating Cloudflare DNS records in the `s
- Zone lookup by name, or direct `cloudflare_dns_zone_id`
- Create/update/delete of managed DNS records
- Token resolution from Ansible extra vars:
- Token resolution from Ansible extra vars, with the DNS-scoped token preferred:
- `-e CLOUDFLARE_DNS_API_TOKEN=...`
- `-e CLOUDFLARE_API_TOKEN=...`
- Environment-backed token resolution as fallback:
- Environment-backed token resolution as fallback, with the DNS-scoped token preferred:
- `CLOUDFLARE_DNS_API_TOKEN`
- `CLOUDFLARE_API_TOKEN`


@ -11,8 +11,8 @@
ansible.builtin.set_fact:
cloudflare_dns_api_token: >-
{{
vars.get('CLOUDFLARE_API_TOKEN', '')
| default(vars.get('CLOUDFLARE_DNS_API_TOKEN', ''), true)
vars.get('CLOUDFLARE_DNS_API_TOKEN', '')
| default(vars.get('CLOUDFLARE_API_TOKEN', ''), true)
}}
when: cloudflare_dns_api_token | default('', true) | length == 0
@ -20,8 +20,8 @@
ansible.builtin.set_fact:
cloudflare_dns_api_token: >-
{{
lookup('ansible.builtin.env', 'CLOUDFLARE_API_TOKEN')
| default(lookup('ansible.builtin.env', 'CLOUDFLARE_DNS_API_TOKEN'), true)
lookup('ansible.builtin.env', 'CLOUDFLARE_DNS_API_TOKEN')
| default(lookup('ansible.builtin.env', 'CLOUDFLARE_API_TOKEN'), true)
}}
when: cloudflare_dns_api_token | default('', true) | length == 0
@ -78,7 +78,7 @@
- "'#zone:read' in (cloudflare_dns_zone_lookup.json.result[0].permissions | default([]))"
- "'#dns_records:edit' in (cloudflare_dns_zone_lookup.json.result[0].permissions | default([]))"
fail_msg: >-
CLOUDFLARE_API_TOKEN is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.
CLOUDFLARE_DNS_API_TOKEN is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.
Current permissions: {{ cloudflare_dns_zone_lookup.json.result[0].permissions | default([]) }}.
Required: Zone read + DNS edit on the svc.plus zone.
when:
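Review bot: The rewritten `fail_msg` in the last hunk names `CLOUDFLARE_DNS_API_TOKEN` unconditionally, but the two resolution tasks earlier in this file still fall back to `CLOUDFLARE_API_TOKEN` whenever the DNS-scoped value is empty, so the message blames the wrong variable exactly in the case where an operator supplied only the broader token. A neutral wording avoids that, e.g. `The Cloudflare token resolved from CLOUDFLARE_DNS_API_TOKEN (or the CLOUDFLARE_API_TOKEN fallback) is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.`; alternatively the resolution tasks could record which variable supplied the token in a separate fact and the message could interpolate that. Because the fallback silently widens from a DNS-scoped token to whatever scope `CLOUDFLARE_API_TOKEN` carries, it is also worth surfacing the chosen source (never the value) in a debug or warning message so a missing least-privilege token is noticed rather than masked. The `when:` conditions of this assert task continue outside the hunk, as does the task header of each `set_fact` above, so whether `no_log` is set on those tasks cannot be confirmed from this view.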