Resources for managing R2 #1664

Closed
andyli opened this issue Jun 1, 2022 · 14 comments · Fixed by #2378
Labels
kind/enhancement Categorizes issue or PR as related to improving an existing feature. service/r2 Categorizes issue or PR as related to the R2 service. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Comments

@andyli

andyli commented Jun 1, 2022

Current Terraform and Cloudflare provider version

N/A

Description

Would be nice to have resources for managing R2 buckets.

Use cases

To manage everything in Terraform.

Potential Terraform configuration

Something similar to the aws_s3_bucket and the related resources.

References

No response

@andyli andyli added kind/enhancement Categorizes issue or PR as related to improving an existing feature. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 1, 2022
@jacobbednarz jacobbednarz added workflow/pending-upstream-library Indicates an issue or PR requires changes from an upstream library. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jun 2, 2022
@pkoch

pkoch commented Jun 12, 2022

@jacobbednarz can you elaborate what upstream movement we're jammed on? I can programmatically manipulate buckets with wrangler r2 bucket OPERATION.

@jacobbednarz
Member

the upstream library that Terraform uses to make the API calls - cloudflare-go.

@ghuntley

Disappointed to see there's no support for buckets w/terraform.

@yonran
Copy link
Contributor

yonran commented Aug 4, 2022

If you just want to create buckets, you can use the terraform-provider-aws with the S3 Compatibility API and an S3 Auth token, and using a custom service endpoint and skipping sanity checks within the aws provider. Example of creating an R2 bucket:

variable "account_id" {
  type = string
  sensitive = true
}
variable "cloudflare_r2_access_key_id" {
  type = string
}
variable "cloudflare_r2_secret_access_key" {
  type = string
  sensitive = true
}
provider "aws" {
  access_key = var.cloudflare_r2_access_key_id
  secret_key = var.cloudflare_r2_secret_access_key
  # https://developers.cloudflare.com/r2/platform/s3-compatibility/api/#bucket-region
  region = "auto"
  # fix error validating provider credentials: error calling sts:GetCallerIdentity
  # … lookup sts.auto.amazonaws.com on …: no such host
  skip_credentials_validation = true
  # fix Error: Invalid AWS Region: auto
  skip_region_validation = true
  # fix error retrieving account details: AWS account ID not previously found
  # and failed retrieving via all available methods.
  # caused by iam:ListRoles to iam.amazonaws.com
  # and sts:GetCallerIdentity to sts.auto.amazonaws.com
  skip_requesting_account_id = true
  # skip loading instance profile credentials from 169.254.169.254
  skip_metadata_api_check = true
  # skip ec2/DescribeAccountAttributes to ec2.auto.amazonaws.com
  skip_get_ec2_platforms = true
  endpoints {
    # https://developers.cloudflare.com/r2/platform/s3-compatibility/api/
    s3 = "https://${var.account_id}.r2.cloudflarestorage.com"
  }
  # optional: use an alias so you can also use the real aws provider
  alias = "cloudflare_r2"
}

resource "aws_s3_bucket" "terraform" {
  provider = aws.cloudflare_r2
  bucket = "my-bucket"
}

However, it seems that it is still not possible to bind a bucket to a cloudflare_worker_script from terraform, which is pretty important.

Edit: it seems that it is not possible to create a cloudflare object using terraform-provider-aws 4.x aws_s3_object (aka aws_s3_bucket_object), since that resource tries to read the tags using GetObjectTagging (GET /key?tagging=), but R2 does not recognize ?tagging and just returns the object itself.

yonran added a commit to yonran/terraform-provider-r2-s3-compatibility that referenced this issue Aug 8, 2022
I am using this provider solely to create Cloudflare buckets and objects, since terraform-provider-cloudflare does not have support yet (cloudflare/terraform-provider-cloudflare#1664). But since the CloudFlare provider does not support the ?tagging api, this commit removes that functionality from aws_s3_object.
@alex8bitw

alex8bitw commented Sep 21, 2022

the upstream library that Terraform uses to make the API calls - cloudflare-go.

@jacobbednarz @andyli
Looks like support was already added cloudflare/cloudflare-go#1028

https://pkg.go.dev/github.com/cloudflare/cloudflare-go#API.CreateR2Bucket

Example here:
https://github.com/cloudflare/terraform-provider-cloudflare/blob/3d0674f8c32e3a1b060233ef85bd5c0d3774ebf7/internal/provider/resource_cloudflare_worker_script_test.go
Looks like it's already being used? Just not exposed yet.

@jacobbednarz jacobbednarz added triage/accepted Indicates an issue or PR is ready to be actively worked on. service/r2 Categorizes issue or PR as related to the R2 service. and removed workflow/pending-upstream-library Indicates an issue or PR requires changes from an upstream library. labels Sep 21, 2022
@Elycin

Elycin commented Oct 9, 2022

Looking forward to this. +1

@fredsig

fredsig commented Oct 9, 2022

Looking forward as well now that R2 is GA.

@Cyb3r-Jak3
Contributor

FYI, this still isn't possible as there is no publicly documented API end to get a bucket which terraform needs to check to see if a resource exists.

@jpalomaki

When this does get implemented, having CORS support baked-in would be great: https://kian.org.uk/configuring-cors-on-cloudflare-r2/

@knpwrs

knpwrs commented Jan 21, 2023

@jpalomaki that may be possible using the AWS provider to configure the R2 bucket (I haven't tried yet but I plan on it): https://developers.cloudflare.com/r2/examples/terraform/

@laurencegill

I have found the following aws resources seem to work fine:

aws_s3_bucket
aws_s3_bucket_acl
aws_s3_bucket_lifecycle_configuration
aws_s3_bucket_public_access_block
aws_s3_bucket_server_side_encryption_configuration
aws_s3_bucket_versioning

aws_s3_bucket_public_access_block doesn't work, and nor can you bind a CF domain using TF, which is quite annoying.

@knpwrs

knpwrs commented Mar 8, 2023

@jpalomaki I recently got configuring CORS with terraform working:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.57.1"
    }
  }
}

provider "aws" {
  alias                       = "cloudflare"
  region                      = "us-east-1"
  access_key                  = var.cloudflare_r2_access_key
  secret_key                  = var.cloudflare_r2_secret_key
  skip_credentials_validation = true
  skip_region_validation      = true
  skip_requesting_account_id  = true

  endpoints {
    s3 = var.cloudflare_r2_endpoint
  }
}

resource "aws_s3_bucket" "public_bucket" {
  provider = aws.cloudflare
  bucket   = var.cloudflare_r2_public_bucket
}

resource "aws_s3_bucket_cors_configuration" "public_bucket_cors" {
  provider = aws.cloudflare
  bucket   = aws_s3_bucket.public_bucket.id

  cors_rule {
    allowed_methods = ["GET"]
    allowed_origins = ["*"]
  }
}

@heyhippari

Would be great to be able to configure Domain Access as well, since it currently doesn't seem to be possible to set some required metadata with cloudflare_record, like which R2 bucket the DNS record points to (Even though importing R2 records works just fine).

@Cyb3r-Jak3 Cyb3r-Jak3 mentioned this issue Apr 15, 2023
@github-actions github-actions bot added this to the v4.7.0 milestone May 24, 2023
@github-actions
Contributor

This functionality has been released in v4.7.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
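
Added example, not posted by any participant in this thread and not taken from the provider's documentation: the native `cloudflare_r2_bucket` resource owns the bucket, while the aliased AWS provider workaround from the comments above applies CORS, scoped here to a single origin instead of `*`. The variable names, bucket name and origin are placeholders, and the Cloudflare provider is assumed to read its API token from the `CLOUDFLARE_API_TOKEN` environment variable.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = ">= 4.7.0" # release announced in this thread
    }
    aws = {
      source  = "hashicorp/aws"
      version = "4.57.1" # version reported working for CORS in this thread
    }
  }
}

# Placeholder variable names (assumptions, not from the thread).
variable "account_id" { type = string }
variable "r2_access_key_id" { type = string }
variable "r2_secret_access_key" {
  type      = string
  sensitive = true
}

# AWS provider pointed at the R2 S3-compatible endpoint, as in the comments above.
provider "aws" {
  alias                       = "r2"
  region                      = "us-east-1"
  access_key                  = var.r2_access_key_id
  secret_key                  = var.r2_secret_access_key
  skip_credentials_validation = true
  skip_region_validation      = true
  skip_requesting_account_id  = true
  endpoints {
    s3 = "https://${var.account_id}.r2.cloudflarestorage.com"
  }
}

# Bucket lifecycle is owned by the native Cloudflare resource.
resource "cloudflare_r2_bucket" "assets" {
  account_id = var.account_id
  name       = "example-assets" # placeholder bucket name
}

# CORS is set through the S3 API; only one named origin may read cross-origin.
resource "aws_s3_bucket_cors_configuration" "assets" {
  provider = aws.r2
  bucket   = cloudflare_r2_bucket.assets.name
  cors_rule {
    allowed_methods = ["GET", "HEAD"]
    allowed_origins = ["https://app.example.com"] # placeholder origin
  }
}
```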

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 31, 2023