DEV Community

Yaroslav Yarmoshyk


How to migrate DNS records from CloudFlare to AWS Route53 with Terraform&Terragrunt

Possible reasons

There are multiple reasons for such a migration. The most common are the following:

  1. You'd like to use the external-dns controller in your EKS cluster to manage DNS records automatically, but its CloudFlare support is still in beta and you don't want to use it for production workloads.
  2. You want to take advantage of the AWS Web Application Firewall (WAF) instead of the CloudFlare WAF.

There might be other reasons, but I faced these two in my most recent project.

You'll need to put either a CloudFront distribution or an Application Load Balancer (ALB) in front of your web application to use AWS WAF, because it provides application-level protection and therefore cannot be enabled for a Network Load Balancer (NLB).

Migration flow

  1. Read all the records from the existing CloudFlare DNS zone. You can re-use the Python script I've prepared. The automation is available in The readme file describes how to use it.
  2. Create the DNS zone in AWS. You don't need to invest much effort into this. Feel free to re-use the existing terraform-aws-route53 community module.
  3. Create the DNS records in AWS. The script above produces JSON output that can be used as an input for the terraform-aws-route53/records Terraform module:
    "name": "",
    "type": "A",
    "ttl": 300,
    "records": [

The output should be saved to a file. Its contents can then be read with Terraform/Terragrunt and passed as inputs to the terraform-aws-route53/records Terraform module:

    records_jsonencoded = jsondecode(file("dns_records.json"))
  4. Update the name server configuration at your current DNS registrar. For this you'll need to refer to the documentation of the provider where your domain is registered.
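
The conversion behind steps 1 and 3, as an added example (this is not the author's script): it groups Cloudflare records into one record set per name and type, using the `name`/`type`/`ttl`/`records` keys shown above, and lists names that were proxied by Cloudflare so they can be reviewed before the name server switch. Assumptions: the input uses the Cloudflare API record fields `name`, `type`, `content`, `ttl`, `proxied` and `priority`; `name` in the output is relative to the zone with `""` for the apex; the zone, the sample records and `DEFAULT_TTL` are constructed.

```python
import json

# Constructed sample shaped like Cloudflare API DNS records; not real data.
SAMPLE_ZONE = "example.com"
SAMPLE_CF_RECORDS = [
    {"name": "example.com", "type": "A", "content": "192.0.2.10", "ttl": 1, "proxied": True},
    {"name": "example.com", "type": "A", "content": "192.0.2.11", "ttl": 1, "proxied": True},
    {"name": "www.example.com", "type": "CNAME", "content": "example.com", "ttl": 300, "proxied": False},
    {"name": "example.com", "type": "MX", "content": "mail.example.com", "ttl": 3600,
     "priority": 10, "proxied": False},
    {"name": "example.com", "type": "NS", "content": "ns1.example.net", "ttl": 86400, "proxied": False},
]
DEFAULT_TTL = 300  # assumption: replaces Cloudflare's ttl=1 ("automatic")


def convert(cf_records, zone):
    """Return (record_sets, proxied_names) for the Route53 records input."""
    sets, proxied = {}, []
    for rec in cf_records:
        fqdn = rec["name"].rstrip(".").lower()
        if fqdn == zone:
            rel = ""  # zone apex
        elif fqdn.endswith("." + zone):
            rel = fqdn[: -len(zone) - 1]
        else:
            raise ValueError(f"{fqdn} is outside zone {zone}")
        # Route53 creates its own apex NS and SOA records; do not copy them.
        if rel == "" and rec["type"] in ("NS", "SOA"):
            continue
        value = rec["content"]
        if rec["type"] == "MX":
            value = f'{rec["priority"]} {value}'  # Route53 wants "priority host"
        ttl = DEFAULT_TTL if rec["ttl"] == 1 else rec["ttl"]
        # One record set per (name, type): merge values instead of duplicating.
        entry = sets.setdefault(
            (rel, rec["type"]),
            {"name": rel, "type": rec["type"], "ttl": ttl, "records": []})
        entry["records"].append(value)
        entry["ttl"] = min(entry["ttl"], ttl)
        # Proxied names sat behind Cloudflare; "content" is the origin address.
        if rec.get("proxied") and fqdn not in proxied:
            proxied.append(fqdn)
    return list(sets.values()), proxied


if __name__ == "__main__":
    record_sets, proxied_names = convert(SAMPLE_CF_RECORDS, SAMPLE_ZONE)
    print(json.dumps(record_sets, indent=2))  # save as dns_records.json
    for name in proxied_names:
        print(f"review before cutover: {name} was proxied by Cloudflare")
```

Names reported as proxied will resolve straight to their origin once Route53 is authoritative, so they are the ones to place behind CloudFront or an ALB with AWS WAF before step 4.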

I will not cover the terragrunt apply procedure here. There is plenty of documentation about it on the internet.

Closing words

You'll spend most of the time creating the API token in CloudFlare and integrating the Route53 provisioning into your existing IaC structure.
Basically, we extract the data from CloudFlare, convert it into the proper format, and then create all the records with Terragrunt or Terraform.
