Cloudflare Workers Platform

cloudflare-workers-platform

Worker with KV/R2/D1 bindings, routes, custom domain, and secrets — a full edge app scaffold in one module call. Creates the Worker script plus the KV namespaces, R2 buckets, and D1 databases it binds to, wires every binding by name, and exposes the app on routes and/or custom domains. Built against the auto-generated provider v5 schema. Works with Terraform and OpenTofu (>= 1.6), Cloudflare provider >= 5.0, < 6.0.

Opinionated defaults:

• Observability (invocation logs) on, full head-sampling.
• ES-module Worker syntax by default; pinned compatibility_date.
• Secrets are bound as secret_text (encrypted at Cloudflare) and marked sensitive in state; plain config goes in plain_text_vars.
• Storage resources are named <script_name>-<binding> unless overridden.

Usage

module "edge_app" {
  source      = "./cloudflare-workers-platform"
  account_id  = "023e105f4ecef8ad9ca31a8372d0c353"
  script_name = "edge-app"

  script_content = file("${path.module}/dist/worker.js")

  kv_namespaces = { CACHE = {} }
  r2_buckets    = { ASSETS = {} }
  d1_databases  = { DB = {} }

  plain_text_vars = { APP_ENV = "production" }
  secrets         = { API_KEY = var.api_key }

  zone_id        = "0da42c8d2132a9ddaf714f9e7c920711"
  custom_domains = ["app.example.com"]
}

In the Worker, bindings arrive on env under the map keys: env.CACHE (KV), env.ASSETS (R2), env.DB (D1), env.APP_ENV, env.API_KEY.

Inputs

Name	Type	Default	Description
account_id	string	—	Cloudflare account ID (32-hex, required)
script_name	string	—	Worker name; prefix for default resource names (required)
script_content	string	—	Worker source code, uploaded inline (required)
module_syntax	bool	true	ES-module syntax; false = service-worker syntax
compatibility_date	string	"2025-01-01"	Workers runtime compatibility date
compatibility_flags	list(string)	[]	Runtime flags, e.g. ["nodejs_compat"]
logpush	bool	false	Enable Logpush for trace events
observability_enabled	bool	true	Workers observability logs
observability_head_sampling_rate	number	1	Sampling rate (0..1]
kv_namespaces	map(object)	{}	KV namespaces keyed by binding name; optional title
r2_buckets	map(object)	{}	R2 buckets keyed by binding name; optional name, location, storage_class
d1_databases	map(object)	{}	D1 databases keyed by binding name; optional name, location_hint
plain_text_vars	map(string)	{}	Non-secret env vars
secrets	map(string)	{}	Secret env vars (sensitive)
zone_id	string	null	Zone for routes/custom domains (required when those are set)
routes	list(object)	[]	Route patterns (pattern, optional per-route zone_id)
custom_domains	list(string)	[]	Hostnames attached as Worker custom domains

Outputs

Name	Description
script_name	Deployed Worker name
kv_namespace_ids	Binding name => KV namespace ID
r2_bucket_names	Binding name => R2 bucket name
d1_database_ids	Binding name => D1 database UUID
route_ids	Route pattern => route ID
custom_domain_hostnames	Custom domain hostnames

Requirements & notes

• Terraform or OpenTofu >= 1.6; cloudflare/cloudflare >= 5.0, < 6.0.
• API token needs: Workers Scripts:Edit, Workers KV Storage:Edit, Workers R2 Storage:Edit, D1:Edit, and (for routes/domains) Zone Workers Routes:Edit + Zone DNS:Edit.
• Binding names must be unique across kv_namespaces, r2_buckets, d1_databases, plain_text_vars, and secrets — the module concatenates them into one binding list.
• Custom domains must be hostnames inside zone_id; Cloudflare creates the DNS record and certificate automatically.
• script_content is uploaded inline and stored in state; for large bundled workers, build first (esbuild/wrangler) and pass via file(...).

Verification

Static-validated (fmt, validate, tflint). Live apply/destroy testing pending cloud sandbox availability — see catalog status.

License

Commercial — IaC Bazaar EULA. © IaC Bazaar. Original work (not derived from a third-party module).