Cloudflare Tunnel
Repo: iac-api-gateway
File: gateway/tunnel.tf
One centralized tunnel per environment: `eigenoid-gateway-{env}`.
Key design choices
- `config_src = "cloudflare"` — tunnel ingress config lives in Cloudflare's API, not on the VM. `cloudflared` fetches its config at startup and receives live updates when ingress rules change. Changing only `tunnel.tf` ingress rules does not require a VM restart.
- All ingress rules map to `http://localhost:8080` (cf-proxy). cf-proxy is responsible for routing to the correct Cloud Run service based on the `Host` header.
- A catch-all rule returns `http_status:404` for unmatched hostnames.
Current ingress rules (dev)
| Hostname | Service |
|---|---|
| api-admin-internal-dev.eigenoid.services | http://localhost:8080 |
| api-public-internal-dev.eigenoid.services | http://localhost:8080 |
| (catch-all) | http_status:404 |
DNS
Both `api-*-internal-{env}.eigenoid.services` records are CNAME → `{tunnel-id}.cfargotunnel.com` (proxied). Managed in `gateway/dns.tf`.
Note on `enable_dns_switch`: `dns.tf` gates these records behind `var.enable_dns_switch`. During initial rollout the switch is `false` to allow verification before live traffic is affected. Once flipped, the old CNAME records in `iac-access` must be removed to prevent Terraform drift.
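As an added illustration (not the repository's own `tunnel.tf` or `dns.tf`), the design choices and the DNS switch described above expressed in Terraform: remote-managed tunnel config, every hostname routed to cf-proxy, the catch-all as the last rule, and the CNAME records created only when `var.enable_dns_switch` is true. It assumes the Cloudflare provider v4 resource names (`cloudflare_tunnel`, `cloudflare_tunnel_config`, `cloudflare_record`) and that `var.env`, `var.account_id`, `var.zone_id`, `var.tunnel_secret` and `var.enable_dns_switch` are declared elsewhere.

```hcl
# Example only; resource names follow the Cloudflare provider v4 schema.
locals {
  api_hostnames = [
    "api-admin-internal-${var.env}.eigenoid.services",
    "api-public-internal-${var.env}.eigenoid.services",
  ]
}

resource "cloudflare_tunnel" "gateway" {
  account_id = var.account_id
  name       = "eigenoid-gateway-${var.env}"
  secret     = var.tunnel_secret # base64, >= 32 bytes, sourced from a secret store
  config_src = "cloudflare"      # ingress config is remote; cloudflared pulls it
}

resource "cloudflare_tunnel_config" "gateway" {
  account_id = var.account_id
  tunnel_id  = cloudflare_tunnel.gateway.id

  config {
    # Every named hostname goes to cf-proxy, which routes on the Host header.
    dynamic "ingress_rule" {
      for_each = local.api_hostnames
      content {
        hostname = ingress_rule.value
        service  = "http://localhost:8080"
      }
    }

    # cloudflared rejects the config unless the last rule has no hostname;
    # unmatched hostnames get a 404 instead of being forwarded anywhere.
    ingress_rule {
      service = "http_status:404"
    }
  }
}

# DNS records exist only once the switch is flipped, so the tunnel can be
# verified before live traffic is affected.
resource "cloudflare_record" "api" {
  for_each = var.enable_dns_switch ? toset(local.api_hostnames) : toset([])
  zone_id  = var.zone_id
  name     = each.key
  type     = "CNAME"
  value    = "${cloudflare_tunnel.gateway.id}.cfargotunnel.com"
  proxied  = true
}
```

Editing `local.api_hostnames` changes only the remote tunnel config and the records, so `terraform apply` updates ingress without touching the VM.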
Related pages
- Gateway VM — the VM that runs `cloudflared` and receives tunnel traffic
- Adding a new API — how to add a new ingress rule
- Networking — firewall rules for tunnel egress