From a2ce5b9d05fcf46db7c5cdb314af2f47b3c4703a Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sat, 27 Jun 2026 13:48:19 +0800
Subject: [PATCH] fix(cloudflare): prefer DNS scoped token
---
 roles/cloudflare_dns/README.md | 4 ++--
 roles/cloudflare_dns/tasks/main.yml | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/roles/cloudflare_dns/README.md b/roles/cloudflare_dns/README.md
index 09640dc..9edd6b4 100644
--- a/roles/cloudflare_dns/README.md
+++ b/roles/cloudflare_dns/README.md
@@ -6,10 +6,10 @@ Reusable Ansible role for creating and updating Cloudflare DNS records in the `s
 - Zone lookup by name, or direct `cloudflare_dns_zone_id`
 - Create/update/delete of managed DNS records
-- Token resolution from Ansible extra vars:
+- Token resolution from Ansible extra vars, with the DNS-scoped token preferred:
 - `-e CLOUDFLARE_DNS_API_TOKEN=...`
 - `-e CLOUDFLARE_API_TOKEN=...`
-- Environment-backed token resolution as fallback:
+- Environment-backed token resolution as fallback, with the DNS-scoped token preferred:
 - `CLOUDFLARE_DNS_API_TOKEN`
 - `CLOUDFLARE_API_TOKEN`
diff --git a/roles/cloudflare_dns/tasks/main.yml b/roles/cloudflare_dns/tasks/main.yml
index f5fa007..eb1936a 100644
--- a/roles/cloudflare_dns/tasks/main.yml
+++ b/roles/cloudflare_dns/tasks/main.yml
@@ -11,8 +11,8 @@
 ansible.builtin.set_fact:
 cloudflare_dns_api_token: >-
 {{
- vars.get('CLOUDFLARE_API_TOKEN', '')
- | default(vars.get('CLOUDFLARE_DNS_API_TOKEN', ''), true)
+ vars.get('CLOUDFLARE_DNS_API_TOKEN', '')
+ | default(vars.get('CLOUDFLARE_API_TOKEN', ''), true)
 }}
 when: cloudflare_dns_api_token | default('', true) | length == 0
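Review bot: The token resolved here is stored with `set_fact` and nothing in this hunk, nor in the matching `@@ -20,8 +20,8 @@` hunk, shows `no_log: true`; the task header sits above the hunk, so if it is not set there a verbose run will print `cloudflare_dns_api_token` in the task result. Add `no_log: true` to both tasks, or, if it is already on the header, a comment such as `# no_log stays on: this fact holds a Cloudflare API token` so it is not dropped later. A smaller point: `vars.get(...)` appears to read the full variable namespace rather than only extra vars, so a play or inventory variable of the same name would also be picked up, which is worth stating above the task if intended. The enclosing task starts outside the hunk.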
@@ -20,8 +20,8 @@
 ansible.builtin.set_fact:
 cloudflare_dns_api_token: >-
 {{
- lookup('ansible.builtin.env', 'CLOUDFLARE_API_TOKEN')
- | default(lookup('ansible.builtin.env', 'CLOUDFLARE_DNS_API_TOKEN'), true)
+ lookup('ansible.builtin.env', 'CLOUDFLARE_DNS_API_TOKEN')
+ | default(lookup('ansible.builtin.env', 'CLOUDFLARE_API_TOKEN'), true)
 }}
 when: cloudflare_dns_api_token | default('', true) | length == 0
@@ -78,7 +78,7 @@
 - "'#zone:read' in (cloudflare_dns_zone_lookup.json.result[0].permissions | default([]))"
 - "'#dns_records:edit' in (cloudflare_dns_zone_lookup.json.result[0].permissions | default([]))"
 fail_msg: >-
- CLOUDFLARE_API_TOKEN is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.
+ CLOUDFLARE_DNS_API_TOKEN is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.
 Current permissions: {{ cloudflare_dns_zone_lookup.json.result[0].permissions | default([]) }}.
 Required: Zone read + DNS edit on the svc.plus zone.
 when:
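Review bot: The new `fail_msg` in the `@@ -78,7 +78,7 @@` hunk names CLOUDFLARE_DNS_API_TOKEN, but after the resolution changes above that variable is only the preferred source; when the role fell back to CLOUDFLARE_API_TOKEN the message blames a variable that was never used and sends the operator to fix the wrong token. Either word it source-neutrally, `The resolved Cloudflare token (CLOUDFLARE_DNS_API_TOKEN, else CLOUDFLARE_API_TOKEN) is valid but lacks DNS edit permission for {{ cloudflare_dns_zone_name }}.`, or record which source was chosen in a second fact next to the token and interpolate it here. The `assert` task this message belongs to starts above the hunk and its `when:` continues below it.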