A GitHub Action that exports Cloudflare zone configuration (DNS, rulesets, settings) to versioned JSON files in your repository.
Useful for backing up, tracking changes, and simplifying Cloudflare config management.
- Fetches and stores rulesets, settings, and DNS records from Cloudflare
- Redacts dynamic fields such as export timestamps and SOA serial numbers
- Saves JSON files to a configurable directory
- Automatically commits, pushes, and creates a pull request
- Can be run manually or scheduled
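Why the redaction matters for review: without it, every scheduled run would open a pull request that changes only the timestamp and serial. The sketch below is an added example, not the action's own code; it assumes a BIND-style zone text export, and the function names and sample records are constructed for illustration.

```python
import difflib
import re

REDACTED = "[redacted]"

# ";; Exported:   2025-01-06 10:00:03" -> keep the label, drop the timestamp.
EXPORTED_RE = re.compile(r"^(;;[ \t]*Exported:[ \t]*).*$", re.MULTILINE)

# Single-line SOA: owner [ttl] [class] SOA mname rname serial refresh retry expire minimum
SOA_RE = re.compile(
    r"^(?P<head>\S+[ \t]+(?:\d+[ \t]+)?(?:IN[ \t]+)?SOA[ \t]+\S+[ \t]+\S+[ \t]+)"
    r"(?P<serial>\d+)(?P<tail>(?:[ \t]+\d+){4}[ \t]*)$",
    re.MULTILINE,
)


def redact_zone_export(text: str) -> str:
    """Replace values that change on every export with a fixed placeholder."""
    text = EXPORTED_RE.sub(lambda m: m.group(1) + REDACTED, text)
    return SOA_RE.sub(lambda m: m.group("head") + REDACTED + m.group("tail"), text)


def review_diff(old: str, new: str) -> list[str]:
    """Added/removed lines between two exports once volatile fields are redacted."""
    delta = difflib.ndiff(
        redact_zone_export(old).splitlines(),
        redact_zone_export(new).splitlines(),
    )
    return [line for line in delta if line.startswith(("+ ", "- "))]


# Constructed sample exports (not real zone data); 192.0.2.0/24 is documentation space.
TEMPLATE = """;; Domain:     example.com.
;; Exported:   {ts}
example.com.\t3600\tIN\tSOA\tns1.example.com. dns.example.com. {serial} 10000 2400 604800 3600
www.example.com.\t1\tIN\tA\t{ip}
"""
MONDAY = TEMPLATE.format(ts="2025-01-06 10:00:03", serial=2048000001, ip="192.0.2.10")
TUESDAY = TEMPLATE.format(ts="2025-01-07 10:00:02", serial=2048000002, ip="192.0.2.10")
WEDNESDAY = TEMPLATE.format(ts="2025-01-08 10:00:04", serial=2048000003, ip="192.0.2.99")

if __name__ == "__main__":
    print(review_diff(MONDAY, TUESDAY))     # nothing left to review
    print(review_diff(TUESDAY, WEDNESDAY))  # only the A record change
```

Only the serial is replaced; the SOA refresh, retry, expire and minimum values stay in the file, so a change to them still shows up in the pull request.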
Create a file like .github/workflows/save-cloudflare-config.yml:

```yaml
name: Save Cloudflare configuration

on:
  # Daily at 10:00 UTC, plus manual runs from the Actions tab
  schedule:
    - cron: '0 10 * * *'
  workflow_dispatch:

jobs:
  save:
    runs-on: ubuntu-latest
    # The job commits the export, pushes it and opens a pull request
    permissions:
      contents: write
      id-token: write
      pull-requests: write
    steps:
      - name: Save Cloudflare config
        # @main follows the branch; pinning to a full commit SHA fixes
        # which code receives the Cloudflare token
        uses: pronamic/github-action-cloudflare-config-export@main
        env:
          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
        with:
          api_token: ${{ secrets.CLOUDFLARE_API_TOKEN }}
          zone_id: ${{ vars.CLOUDFLARE_ZONE_ID }}
```
Name | Description | Required | Default |
---|---|---|---|
api_token | Cloudflare API token | ✅ | |
zone_id | Cloudflare zone ID | ✅ | |
target_directory | Where to store the exported config | ❌ | cloudflare-config |
Store your Cloudflare API Token in GitHub Secrets (CLOUDFLARE_API_TOKEN). The token should have read access to rulesets and settings:
Resources | Permissions | Permissions levels |
---|---|---|
Zone | Config Rules | Read |
Zone | Cache Rules | Read |
Zone | Transform Rules | Read |
Zone | Zone WAF | Read |
Zone | Zone Settings | Read |
Zone | DNS | Read |
Zone | Firewall Services | Read |
Contributions welcome! Please open an issue or submit a PR.
We have used Cloudflare's Terraform provider to manage settings like firewall rules, WAF, and page rules. While powerful, it comes with practical downsides, especially when managing many websites for different clients.
Terraform is not user-friendly for non-developers. The syntax and workflow are too technical for support staff or clients.
Terraform requires a central, secure state file. Sharing and maintaining this file across teams or CI systems is hard to manage. This gets more complicated when working with hundreds of zones or clients.
When Terraform applies changes, existing rulesets are often removed and replaced. This resets Cloudflare statistics, which is problematic when fine-tuning configurations.
This GitHub Action fetches the current Cloudflare config and saves it to your Git repository. You can review changes via pull requests. No state file. No destructive updates. Just a versioned, readable history of your live Cloudflare setup.
- https://developers.cloudflare.com/api/
- https://developers.cloudflare.com/terraform/
- https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs
- https://github.com/cloudflare/terraform-provider-cloudflare
- https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions
- https://docs.github.com/en/actions/security-for-github-actions/security-guides/about-secrets