Originally published on kuryzhev.cloud
One misconfigured proxied flag in a terraform cloudflare dns config can silently take down staging SSH or VPN access — nobody notices until someone tries to connect and gets a timeout instead of a connection refused. We hit exactly this last quarter: a staging record got flipped to proxied = true during a "quick fix" in the console, Cloudflare started intercepting non-HTTP(S) traffic on port 22, and it took us forty minutes to figure out why our bastion host was unreachable. That incident is the reason this checklist exists.
Why this checklist
Managing DNS through the Cloudflare dashboard feels fast right up until you have three environments and two people editing records independently. Someone adds a TXT record for a verification step in prod, forgets to mirror it in Terraform, and six months later a terraform apply deletes it because it's not in state and someone ran an aggressive cleanup. That's drift, and it's the single biggest source of "why did DNS break" incidents I've debugged.
The other reason this needs to be a checklist and not a one-time setup doc: Cloudflare's API has real constraints that bite you as you scale past a handful of records. Rate limits sit around 1200 requests per 5 minutes per token — fine for 20 records, painful for a for_each loop managing 150 of them during a bulk apply. Zone-level permissions also matter more than people expect; a token scoped too broadly in CI is a liability, and one scoped too narrowly breaks silently with a 403 that doesn't explain itself well.






