# -*- coding: utf-8 -*- ''' Manage Cloudflare zone records ============================== This state allows to manage records of a particulare Cloudflare zone. It adds missing records, removes extra records and updates existing records. Updates are grouped by domain name and executed in the order that minimizes the risk of downtime. Changes are also cheched for sanity before applying. Remove comes first for scenarios where you change A to CNAME and similar. .. code-block:: yaml example.com: cloudflare.manage_zone_records: - zone: {{ pillar["cloudflare_zones"]["example.com"]|yaml }} Don't forget to use `yaml` filter, otherwise things get escaped twice. Zone data will look like this: .. code-block:: yaml cloudflare_zones: example.com: auth_email: ivan@example.com auth_key: | -----BEGIN PGP MESSAGE----- Comment: GPGTools - https://gpgtools.org PGP encrypted auth_key goes here. -----END PGP MESSAGE----- zone_id: 0101deadbeefdeadbeefdeadbeefdead records: - name: ivan.example.com content: 93.184.216.34 proxied: true Each record can have the following fields: * `name` - domain name (including zone) * `content` - value of the record * `type` - type of the record: A, AAAA, SRV, etc (A by default) * `proxied` - whether zone should be proxied (false by default) * `ttl` - TTL of the record, 1 means auto" (1 by default) * `salt_managed` - Whether Salt should manage the record, or skip it (True by default) * `priority` - The priority of the record. Only valid (and required) for MX records Reference: https://api.cloudflare.com/#dns-records-for-a-zone-properties In addition to `records`, it's also possible to provide `exclude` key with the list of regular expressions that will mark records that are managed externally. This state supports test mode. It makes sense to run it only on one node. ''' from collections import namedtuple import re import json import yaml import requests import logging import salt.exceptions logger = logging.getLogger(__name__) def manage_zone_records(name, zone): managed = Zone(name, zone) try: managed.sanity_check() except salt.exceptions.SaltInvocationError as err: return { "name": name, "changes": {}, "result": False, "comment": "{0}".format(err) } diff = managed.diff() result = {"name": name, "changes": _changes(diff), "result": None} if len(diff) == 0: result["comment"] = "The state of {0} ({1}) is up to date.".format( name, zone["zone_id"] ) result["changes"] = {} result["result"] = None if __opts__["test"] == True else True return result if __opts__["test"] == True: result[ "comment" ] = "The state of {0} ({1}) will be changed ({2} changes).".format( name, zone["zone_id"], len(diff) ) result["pchanges"] = result["changes"] return result managed.apply(diff) result["comment"] = "The state of {0} ({1}) was changed ({2} changes).".format( name, zone["zone_id"], len(diff) ) result["result"] = True return result def _changes(diff): changes = {} actions = map(lambda op: "{0} {1}".format(op["action"], str(op["record"])), diff) if actions: changes['diff'] = "\n".join(actions) return changes def validate_record(record): if "name" not in record: raise salt.exceptions.SaltInvocationError("'name' is required") if "content" not in record: raise salt.exceptions.SaltInvocationError("Required field 'content' is missing for entry <{0}>".format(record["name"])) if "type" in record and record["type"] == "MX" and "priority" not in record: raise salt.exceptions.SaltInvocationError("Required field 'priority' is missing for MX entry <{0}>".format(record["name"])) def record_from_dict(record): record.setdefault("type", "A") record.setdefault("proxied", False) record.setdefault("id", None) record.setdefault("ttl", 1) record.setdefault("salt_managed", True) priority = record["priority"] if record["type"] == "MX" else None return Record( record["id"], record["type"], record["name"], record["content"], priority, record["proxied"], record["ttl"], record["salt_managed"], ) class Record( namedtuple( "Record", ("id", "type", "name", "content", "priority", "proxied", "ttl", "salt_managed") ) ): def pure(self): return Record( None, self.type, self.name, self.content, self.priority, self.proxied, self.ttl, self.salt_managed, ) """ Cloudflare API expects `data` attribute when you add SRV records instead of `content`. This method synthesizes `data` from `content`. """ def data(self): if self.type == "SRV": service, proto, name = self.name.split(".", 2) parts = self.content.split("\t") if len(parts) == 3: # record should look like this: "priority weight port target" # cloudflare returns: "weight port target" priority = 10 weight, port, target = parts else: priority, weight, port, target = parts return { "service": service, "proto": proto, "name": name, "priority": int(priority), "weight": int(weight), "port": int(port), "target": target, } if self.type == "CAA": parts = self.content.split("\t") flags, tag, value = parts return { "name": self.name, "flags": int(flags), "tag": tag, "value": value[1:-1], } def __str__(self): ttl_str = 'auto' if self.ttl == 1 else '{0}s'.format(self.ttl) priority_string = 'priority: {0}, '.format(self.priority) if self.type == "MX" else '' return "{0} {1} -> '{2}' (proxied: {3}, ttl: {4})".format( self.type, self.name, self.content, priority_string, str(self.proxied).lower(), ttl_str ) def json(self): dict = { "type": self.type, "name": self.name, "content": self.content, "proxied": self.proxied, "data": self.data(), "ttl": self.ttl, } if self.type == "MX": dict["priority"] = self.priority return dict class Zone(object): ZONES_URI_TEMPLATE = "https://api.cloudflare.com/client/v4/zones/{zone_id}" RECORDS_URI_TEMPLATE = "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records?page={page}&per_page=50" ADD_RECORD_URI_TEMPLATE = ( "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records" ) REMOVE_RECORD_URI_TEMPLATE = ( "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}" ) UPDATE_RECORD_URI_TEMPLATE = ( "https://api.cloudflare.com/client/v4/zones/{zone_id}/dns_records/{record_id}" ) ACTION_ADD = "add" ACTION_REMOVE = "remove" ACTION_UPDATE = "update" SPECIAL_APPLY_ORDER = {ACTION_REMOVE: 0, ACTION_ADD: 1, ACTION_UPDATE: 2} REGULAR_APPLY_ORDER = {ACTION_ADD: 0, ACTION_UPDATE: 1, ACTION_REMOVE: 2} def __init__(self, name, zone): self.name = name self.api_token = zone.get("api_token", None) self.auth_email = zone.get("auth_email", None) self.auth_key = zone.get("auth_key", None) self.zone_id = zone["zone_id"] self.records = zone["records"] self.exclude = zone.get('exclude', []) if not self.api_token and not (self.auth_email and self.auth_key): raise Exception("Either api_token or auth_email and auth_key must be provided") def _request(self, uri, method="GET", json=None): if self.api_token: headers = {"Authorization": "Bearer {0}".format(self.api_token)} else: headers = {"X-Auth-Email": self.auth_email, "X-Auth-Key": self.auth_key} logger.info("Sending request: {0} {1} data: {2}".format(method, uri, json)) if method == "GET": resp = requests.get(uri, headers=headers) elif method == "POST": resp = requests.post(uri, headers=headers, json=json) elif method == "PUT": resp = requests.put(uri, headers=headers, json=json) elif method == "DELETE": resp = requests.delete(uri, headers=headers) else: raise Exception("Unknown request method: {0}".format(method)) if not resp.ok: raise Exception( "Got HTTP code {0}: {1}".format(resp.status_code, resp.text) ) return resp.json() def _add_record(self, record): self._request( self.ADD_RECORD_URI_TEMPLATE.format(zone_id=self.zone_id), method="POST", json=record.json(), ) def _remove_record(self, record): self._request( self.REMOVE_RECORD_URI_TEMPLATE.format( zone_id=self.zone_id, record_id=record.id ), method="DELETE", ) def _update_record(self, record): self._request( self.UPDATE_RECORD_URI_TEMPLATE.format( zone_id=self.zone_id, record_id=record.id ), method="PUT", json=record.json(), ) def sanity_check(self): found = self._request(self.ZONES_URI_TEMPLATE.format(zone_id=self.zone_id)) if self.name != found["result"]["name"]: raise Exception( "Zone name does not match: {0} != {1}".format( self.name, found["result"]["name"] ) ) As = set() CNAMEs = set() for record in self.desired(): if ( not record.name.endswith("." + self.name) and not record.name == self.name ): raise Exception( "Record {0} does not belong to zone {1}".format( record.name, self.name ) ) if record.ttl != 1 and record.ttl < 120: raise Exception( "Record {0} has invalid TTL: {1}".format(record.name, record.ttl) ) if record.ttl != 1 and record.proxied: raise Exception( "Record {0} has TTL set, but TTL for proxied records is managed by Cloudflare".format( record.name ) ) try: record.data() except Exception as e: raise Exception( "Record {0} cannot synthesize data from content: {1}".format( str(record), e ) ) if record.type in ("A", "AAAA"): As.add(record.name) if record.name in CNAMEs: raise Exception( "Record {0} has both A/AAAA and CNAME records".format( record.name ) ) if record.type in ("CNAME",): if record.name in CNAMEs: raise Exception( "Record {0} has serveral CNAME records".format(record.name) ) CNAMEs.add(record.name) if record.name in As: raise Exception( "Record {0} has both A/AAAA and CNAME records".format( record.name ) ) def existing(self): records = {} page = 1 while True: found = self._request( self.RECORDS_URI_TEMPLATE.format(zone_id=self.zone_id, page=page) ) for record_dict in found["result"]: record = record_from_dict(record_dict) excluded = False for pattern in self.exclude: if re.match(pattern, record.name): excluded = True break if not excluded: records[record_dict["id"]] = record current_page = found["result_info"]["page"] total_pages = found["result_info"]["total_pages"] if current_page == total_pages or total_pages == 0: break page += 1 return records.values() def desired(self): for record in self.records: validate_record(record) return map(lambda record: record_from_dict(record.copy()), self.records) def diff(self): existing_tuples = { (record.type, record.name, record.content, record.salt_managed): record for record in self.existing() } desired_tuples = { (record.type, record.name, record.content, record.salt_managed): record for record in self.desired() } desired_salt_managed = { record.name: record.salt_managed for record in self.desired() } changes = [] for key in set(desired_tuples).difference(existing_tuples): if not desired_tuples[key].salt_managed: continue changes.append({"action": self.ACTION_ADD, "record": desired_tuples[key]}) for key in set(existing_tuples).difference(desired_tuples): if key[1] in desired_salt_managed and desired_salt_managed[key[1]] == False: continue changes.append( {"action": self.ACTION_REMOVE, "record": existing_tuples[key]} ) for key in set(existing_tuples).intersection(desired_tuples): if ( existing_tuples[key].pure() == desired_tuples[key] or not desired_tuples[key].salt_managed ): continue changes.append( { "action": self.ACTION_UPDATE, "record": Record( existing_tuples[key].id, desired_tuples[key].type, desired_tuples[key].name, desired_tuples[key].content, priority=desired_tuples[key].priority, proxied=desired_tuples[key].proxied, ttl=desired_tuples[key].ttl, salt_managed=True, ), } ) return self._order(changes) def _order(self, diff): groups = {"primary": {}, "rest": {}} for op in diff: group = "rest" if op["record"].type in ("A", "AAAA", "CNAME"): group = "primary" if op["record"].name not in groups[group]: groups[group][op["record"].name] = [] groups[group][op["record"].name].append(op) result = [] def append_in_order(ops, order): for op in sorted(ops, key=lambda op: order[op["action"]]): result.append(op) for name, ops in groups["primary"].items(): if any(op["record"].type == "CNAME" for op in ops): # need to remove before adding append_in_order(ops, self.SPECIAL_APPLY_ORDER) else: # nothing special about these records append_in_order(ops, self.REGULAR_APPLY_ORDER) for name, ops in groups["rest"].items(): append_in_order(ops, self.REGULAR_APPLY_ORDER) return result def apply(self, diff): for op in diff: if op["action"] == self.ACTION_ADD: self._add_record(op["record"]) elif op["action"] == self.ACTION_REMOVE: self._remove_record(op["record"]) elif op["action"] == self.ACTION_UPDATE: self._update_record(op["record"]) else: raise Exception( "Unknown action {0} for record {1}", op["action"], str(op["record"]) )