Terraform Configuration Reference

This page provides a complete reference for all Terraform variables and outputs used in Pixelflare's infrastructure configuration.

Overview

Pixelflare's Terraform configuration deploys a complete image CDN on Cloudflare's infrastructure. The configuration is modular, allowing you to enable or disable features based on your requirements.

Using This Reference

Required variables must be provided for deployment
Optional variables have sensible defaults and can be customized
Outputs provide important values needed for configuration and deployment
All secrets are auto-generated if not provided

Quick Start

Minimum required variables for deployment:

hcl

cloudflare_account_id = "your-account-id"
cloudflare_api_token  = "your-api-token"
domain                = "example.com"

For a complete deployment example, see the Manual Deployment Guide.

Requirements

Name	Version
terraform	>= 1.5.0
cloudflare	~> 4.49
random	~> 3.6

Providers

Name	Version
cloudflare	4.52.5
random	3.7.2

Modules

Name	Source	Version
access	./modules/access	n/a
dns	./modules/dns	n/a
gateway	./modules/gateway	n/a
pages	./modules/pages	n/a
redirects	./modules/redirects	n/a
security	./modules/security	n/a
storage	./modules/storage	n/a
workers	./modules/workers	n/a

Resources

Name	Type
random_password.api_hash_secret	resource
random_password.backup_encryption_key	resource
random_password.encryption_root_key	resource
random_password.upload_token_secret	resource
cloudflare_zone.main	data source

Inputs

Name	Description	Type	Default	Required
cloudflare_account_id	Cloudflare account ID	`string`	n/a	yes
cloudflare_api_token	Cloudflare API token with appropriate permissions	`string`	n/a	yes
domain	Base domain for the application (e.g., pixelflare.cc)	`string`	n/a	yes
access_team_domain	Cloudflare Access team domain (e.g., 'as93' for as93.cloudflareaccess.com)	`string`	`""`	no
ai_batch_size	Number of images to process per AI queue batch	`number`	`5`	no
ai_image_downscale_width	Width to downscale images to before AI processing	`number`	`384`	no
ai_max_labels	Maximum number of labels to store per image	`number`	`10`	no
ai_min_classification_score	Minimum confidence score for AI classification labels (0.0-1.0)	`number`	`0.3`	no
ai_processing_timeout_ms	Timeout for AI processing in milliseconds	`number`	`30000`	no
allowed_email_domains	List of email domains allowed to access the application	`list(string)`	`[]`	no
allowed_emails	List of email addresses allowed to access the application (optional, in addition to GitHub)	`list(string)`	`[]`	no
allowed_variants	JSON array of allowed variant presets	`string`	`"[\"w128\",\"w256\",\"w512\",\"w1024\",\"w1536\",\"w2048\",\"thumb\",\"og-image\"]"`	no
analytics_aggregation_cron	Cron schedule for analytics aggregation job (format: 'minute hour day month weekday')	`string`	`"0 2 * * *"`	no
analytics_batch_enabled	Enable daily batch aggregation from Analytics Engine to D1 (recommended for production). Requires CLOUDFLARE_ACCOUNT_ID and CLOUDFLARE_API_TOKEN secrets.	`bool`	`true`	no
analytics_dataset_name	Name for the Analytics Engine dataset	`string`	`"pixflare_cdn_metrics"`	no
analytics_realtime_enabled	Enable real-time D1 writes for immediate dashboard availability (higher D1 usage). If false, only batch aggregation is used.	`bool`	`true`	no
analytics_retention_days	Number of days to retain analytics data in D1	`number`	`90`	no
api_hash_secret	Secret for hashing API keys (auto-generated if not provided)	`string`	`""`	no
audit_log_enabled	Enable audit logging for all resource changes	`bool`	`true`	no
auth_mode	Authentication mode: 'cloudflare' (Cloudflare Access), 'authjs' (Auth.js), or 'none' (dev only)	`string`	`"cloudflare"`	no
auth_secret	Auth.js secret for JWT encryption (required when auth_mode is 'authjs'). Set via TF_VAR_auth_secret or AUTH_SECRET	`string`	`""`	no
backup_encryption_key	Encryption key for S3 backup credentials (auto-generated if not provided)	`string`	`""`	no
backup_sync_cron	Cron schedule for S3 backup sync job	`string`	`"0 3 * * *"`	no
cleanup_cron	Cron schedule for cleanup job (delete old soft-deleted images)	`string`	`"0 1 * * *"`	no
cloudflare_api_token_for_custom_domains	Cloudflare API token for custom domain management (with SSL and Certificates Edit permission)	`string`	`""`	no
cloudflare_zone_id_for_custom_domains	Cloudflare Zone ID for custom domain management (optional, can also use main zone)	`string`	`""`	no
custom_domain_fallback_subdomain	Subdomain for custom domain fallback origin (e.g., 'fallback' for domains.pixelflare.cc)	`string`	`"fallback"`	no
d1_database_name	Name for the D1 database (will be prefixed with project and environment)	`string`	`"db"`	no
default_variant	Default variant preset for image URLs	`string`	`"w1024"`	no
docs_pages_host	Docs Cloudflare Pages hostname (e.g., pixflare-docs.pages.dev)	`string`	`""`	no
enable_access	Enable Cloudflare Access authentication	`bool`	`true`	no
enable_ai_classification	Enable AI-powered image classification and tagging (requires Workers AI)	`bool`	`false`	no
enable_ai_nsfw_detection	Enable AI-powered NSFW content detection (requires Workers AI)	`bool`	`false`	no
enable_analytics	Enable Analytics Engine for tracking CDN usage metrics (bandwidth, requests). Free tier: 10M writes/month, 1M queries/month.	`bool`	`true`	no
enable_custom_domains	Enable Cloudflare for SaaS custom domain feature (allows users to serve images from their own domains)	`bool`	`false`	no
enable_gateway	Enable gateway worker for single-domain routing (pixelflare.cc/* instead of subdomains)	`bool`	`true`	no
enable_queues	Enable Cloudflare Queues for async variant generation (requires Workers Paid plan). When disabled, requested variants will serve original images instead.	`bool`	`true`	no
enable_r2_protection	Enable WAF rule to block direct R2 bucket access (only allows Worker/Image Resizing)	`bool`	`true`	no
enable_subdomain_redirects	Enable 301 redirects from old subdomains to new path-based URLs (only applies if enable_gateway is true)	`bool`	`true`	no
enable_vectorize	Enable Cloudflare Vectorize for AI image embeddings and semantic search (requires Workers Paid plan with AI)	`bool`	`false`	no
enable_worker_routes	Configure custom domain routes for Workers (api.domain.com, cdn.domain.com)	`bool`	`true`	no
encryption_root_key	Root encryption key for wrapping TMKs (auto-generated if not provided)	`string`	`""`	no
environment	Environment name (dev, staging, production)	`string`	`"production"`	no
frontend_pages_host	Frontend Cloudflare Pages hostname (e.g., pixflare-frontend.pages.dev)	`string`	`""`	no
github_oauth_client_id	GitHub OAuth Client ID for Auth.js (optional). Set via TF_VAR_github_oauth_client_id or GITHUB_OAUTH_CLIENT_ID	`string`	`""`	no
github_oauth_client_secret	GitHub OAuth Client Secret for Better Auth. Set via .env file	`string`	`""`	no
github_sponsors_check_enabled	Enable GitHub Sponsors integration for automatic pro plan upgrades	`bool`	`false`	no
google_oauth_client_id	Google OAuth Client ID for Auth.js (optional). Set via TF_VAR_google_oauth_client_id or GOOGLE_OAUTH_CLIENT_ID	`string`	`""`	no
google_oauth_client_secret	Google OAuth Client Secret for Better Auth. Set via .env file	`string`	`""`	no
kv_namespace_name	Name for the KV namespace (will be prefixed with project and environment)	`string`	`"cache"`	no
max_upload_bytes	Maximum upload size in bytes	`number`	`104857600`	no
microsoft_oauth_client_id	Microsoft Entra ID OAuth Client ID for Auth.js (optional). Set via TF_VAR_microsoft_oauth_client_id or MICROSOFT_OAUTH_CLIENT_ID	`string`	`""`	no
microsoft_oauth_client_secret	Microsoft Entra ID OAuth Client Secret for Auth.js. Set via .env file	`string`	`""`	no
project_name	Project name used for resource naming	`string`	`"pixflare"`	no
r2_bucket_name	Name for the R2 bucket (will be prefixed with project and environment)	`string`	`"images"`	no
r2_subdomain	Subdomain for R2 custom domain (e.g., 'r2' for r2.example.com). Required for image resizing. Must be DIFFERENT from cdn subdomain.	`string`	`"r2"`	no
session_duration	Access session duration	`string`	`"24h"`	no
soft_delete_retention_days	Number of days to retain soft-deleted images before permanent deletion	`number`	`30`	no
stripe_enabled	Enable Stripe billing and subscriptions	`bool`	`false`	no
stripe_publishable_key	Stripe publishable key (safe to expose publicly)	`string`	`""`	no
stripe_secret_key	Stripe secret API key for backend operations	`string`	`""`	no
stripe_webhook_secret	Stripe webhook signing secret for verifying webhook events	`string`	`""`	no
subdomains	Subdomain configuration	object({ app = string api = string cdn = string })	{ "api": "api", "app": "app", "cdn": "cdn" }	no
tags	Tags to apply to resources (where supported)	`map(string)`	`{}`	no
turnstile_secret_key	Cloudflare Turnstile secret key	`string`	`""`	no
turnstile_site_key	Cloudflare Turnstile site key	`string`	`""`	no
upload_token_secret	Secret for HMAC signing of upload tokens (auto-generated if not provided)	`string`	`""`	no
usage_limits_enabled	Enable per-user upload quotas and usage limits	`bool`	`false`	no
worker_script_name	Name for the Worker script	`string`	`"api"`	no

Outputs

Name	Description
access_enabled	Whether Cloudflare Access is enabled
api_hash_secret	API hash secret (for secure storage)
api_url	API URL
app_url	Frontend application URL
backup_encryption_key	Backup encryption key for S3 credentials (for secure storage)
backup_queue_name	Name of the backup sync queue
cdn_url	CDN URL
cf_access_aud	Cloudflare Access audience tag (for wrangler.toml)
cf_access_certs_url	Cloudflare Access certificates URL (for wrangler.toml)
custom_domain_queue_name	Name of the custom domain verification queue
d1_database_id	ID of the D1 database
d1_database_name	Name of the D1 database
encryption_root_key	Root encryption key for wrapping TMKs (for secure storage)
gateway_enabled	Whether the gateway worker is enabled
gateway_worker_name	Name of the gateway worker
github_callback_url	GitHub OAuth callback URL (configure in GitHub OAuth App)
github_oauth_client_secret	GitHub OAuth client secret (for secure storage)
google_oauth_client_secret	Google OAuth client secret (for secure storage)
kv_namespace_id	ID of the KV namespace
pages_custom_domain	Custom domain for the Pages project
pages_deploy_command	Command to deploy the frontend
pages_project_name	Cloudflare Pages project name
pages_subdomain	Cloudflare Pages default subdomain
r2_bucket_name	Name of the R2 bucket
r2_custom_domain	R2 custom domain for image resizing
r2_custom_domain_instructions	Manual instructions for setting up R2 custom domain (if applicable)
turnstile_secret_key	Cloudflare Turnstile secret key (for secure storage)
upload_token_secret	Upload token secret for HMAC signing (for secure storage)
variant_queue_name	Name of the variant processing queue
vectorize_index_name	Name of the Vectorize index for AI embeddings (if enabled)
vectorize_setup_instructions	Manual instructions for creating Vectorize index (if applicable)
webhook_queue_name	Name of the webhook delivery queue
worker_custom_domains	Custom domains for the Worker
worker_script_name	Name of the Worker script
wrangler_config	Configuration values for wrangler.toml

Notes

This documentation is automatically generated from the Terraform configuration using terraform-docs
Sensitive outputs are marked but actual values are never exposed in documentation
For module-specific documentation, see the individual module directories in terraform/modules/
For deployment examples, see Manual Deployment Guide

Terraform Configuration Reference ​

Overview ​

Using This Reference ​

Quick Start ​

Requirements ​

Providers ​

Modules ​

Resources ​

Inputs ​

Outputs ​

Notes ​