This Driver generates a new subdomain for a domain that is managed in a Cloudflare Zone.

Property Description
Resource type dns
Account type cloudflare



Name Type Description
zone_id string The ID of the Cloudflare zone the record is in.
domain string The domain under which to specify the subdomain. For example,
proxied boolean [Optional] A boolean value specifying whether Cloudflare proxies this subdomain. Defaults to false.
ttl integer [Optional] An integer number of seconds that the DNS name should live for. Defaults to 1 which means “Default” in Cloudflare.




This Driver adds records to a Cloudflare Zonefile pointing at the Load Balancer for the relevant cluster. The Driver will generate new unique subdomains.

This Driver can be used with environments running on different clusters.

Zone Identifier

Cloudflare organizes resources into “Zones”. You can find the Zone Identifier on the main dash page for the domain. It is at the bottom right under the heading Zone ID.

API Token

The Driver uses a Cloudflare API Token to add, update and remove DNS records. The token must have Zone.DNS edit permissions on the zone the subdomain should be set up in.

The token should be added as an account of type cloudflare.


Use the humanitec/dns-cloudflare Driver to provision a new subdomain under for an app called cloudflare-dns-example-app.

First, the Cloud Account containing the Cloudflare API Token must be created:

curl \
  -X POST \
  -H "Authorization: Bearer ${HUMANITEC_TOKEN}" \
  -H "Content-Type: application/json" \
  --data-binary '{
    "id": "cloudflare-example-account",
    "name": "Cloudflare Example Account",
    "type": "cloudflare",
    "credentials": {
      "token": "kji2b0masdlkfjbaslf-b28n"

Then the following dynamic Resource Definition should be added. Apply the following modifications as needed:

  • Adjust the criteria to the Matching Criteria to fit your setup.
  • Decide whether you need to co-provision an ingress resource as shown, and remove the provision section if not. See Routes for a discussion on how the networking Resource Types work together.

cat <<EOF > dynamic-dns-cloudflare.yaml
kind: Definition
  id: dynamic-dns-cloudflare
  driver_account: cloudflare-example-account
  driver_type: humanitec/dns-cloudflare
  name: "Dynamic DNS via Cloudflare"
  type: dns
      zone_id: 1ef520391d97ed73c38bc35dd8b570d0
      ttl: 1
      proxied: false
    - app_id: cloudflare-dns-example-app
      is_dependent: false

humctl create -f dynamic-dns-cloudflare.yaml

curl \
  -X POST \
  -H "Authorization: Bearer ${HUMANITEC_TOKEN}" \
  -H "Content-Type: application/json" \
  --data-binary '{
  "id": "dynamic-dns-cloudflare",
  "name": "Dynamic DNS via Cloudflare",
  "type": "dns",
  "driver_account": "cloudflare-example-account",
  "driver_type": "humanitec/dns-cloudflare",
  "driver_inputs": {
    "values": {
      "zone_id": "1ef520391d97ed73c38bc35dd8b570d0",
      "domain": "",
      "ttl": 1,
      "proxied": false
  "criteria": [
      "app_id": "cloudflare-dns-example-app"
  "provision": {
    "ingress": {
      "is_dependent": false

Use this Resource Definition for the Humanitec Terraform Provider:

resource "humanitec_resource_definition" "dns-cloudflare" {
  id             = "dynamic-dns-cloudflare"
  name           = "Dynamic DNS via Cloudflare"
  type           = "dns"
  driver_account = "cloudflare-example-account"
  driver_type    = "humanitec/dns-cloudflare"

  driver_inputs = {
    values_string = jsonencode({
      "zone_id" = "1ef520391d97ed73c38bc35dd8b570d0"
      "domain"  = ""
      "ttl"     = 1
      "proxied" = false

  provision = {
    ingress = {
      is_dependent = false

resource "humanitec_resource_definition_criteria" "dns-cloudflare" {
  resource_definition_id =
  app_id                 = "cloudflare-dns-example-app"