Infrastructure as Code for managing MCP Cloudflare DNS records using Pulumi.
DNS records are defined in src/config/records.ts, keyed by domain name.
Note: Production deployment is automatically handled by GitHub Actions. All merges to the main branch trigger an automatic deployment via the configured GitHub Actions workflow.
Pre-requisites:
- Pulumi CLI installed
- Google Cloud SDK installed
- Access to GCP project and GCS bucket
- Required credentials and secrets
- Authenticate with GCP:
gcloud auth application-default login
- Get the passphrase file passphrase.prod.txt from the maintainers
- Preview changes:
make preview
- Deploy changes:
make up
If setting up this infrastructure for the first time:
gcloud projects create mcp-dns-prod
gcloud config set project mcp-dns-prod
gcloud services enable storage.googleapis.com
# Create service account for CI/CD
gcloud iam service-accounts create pulumi-svc \
  --display-name="Pulumi Service Account"
gcloud projects add-iam-policy-binding mcp-dns-prod \
  --member="serviceAccount:pulumi-svc@mcp-dns-prod.iam.gserviceaccount.com" \
  --role="roles/storage.admin"
gcloud iam service-accounts keys create sa-key.json \
  --iam-account=pulumi-svc@mcp-dns-prod.iam.gserviceaccount.com
# Create bucket
gsutil mb gs://mcp-dns-prod-pulumi-state
- Go to Cloudflare API Tokens
- Create a token with Zone:DNS:Edit permission for the zones you want to manage
- Note the token value
# Login to Pulumi backend
pulumi login gs://mcp-dns-prod-pulumi-state
# Create production stack
export PULUMI_CONFIG_PASSPHRASE_FILE=passphrase.prod.txt
pulumi stack init prod
# Configure application secrets in Pulumi
pulumi config set --secret cloudflare:apiToken "your-api-token"
pulumi config set cloudflare:accountId "your-account-id"
You can find your Cloudflare Account ID in the Cloudflare dashboard URL or in the right sidebar of any zone's overview page.
Add the CI/CD secrets to GitHub Actions (repository settings → Secrets and variables → Actions):
- GCP_PROD_SERVICE_ACCOUNT_KEY: Content of sa-key.json
- PULUMI_PROD_PASSPHRASE: The passphrase you set above
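The setup above leaves two secret files, sa-key.json and passphrase.prod.txt, in the working directory. The following is an added example, not part of this repository: a local check that each file is readable by its owner only and is neither tracked by git nor missing from .gitignore. The function names and the assumption that both files sit in the directory passed in are illustrative.

```shell
#!/bin/sh
# Added example (not the project's own code): hygiene check for the secret
# files created or received during setup.
# Assumption: both files live in the directory given as the first argument.

SECRET_FILES="sa-key.json passphrase.prod.txt"

# file_mode FILE -> octal permission bits (GNU stat first, BSD stat second)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_secret_files DIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_secret_files() {
    dir=$1
    rc=0
    for f in $SECRET_FILES; do
        path="$dir/$f"
        [ -e "$path" ] || continue      # absent is fine, e.g. on a CI runner
        mode=$(file_mode "$path")
        # Any group/other bit lets other local users read the secret.
        case "$mode" in
            ?00) ;;
            *) echo "PERM $f mode=$mode (want 600)"; rc=1 ;;
        esac
        # The git checks only apply inside a work tree.
        if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
            if git -C "$dir" ls-files --error-unmatch -- "$f" >/dev/null 2>&1; then
                echo "TRACKED $f is committed to git"; rc=1
            elif ! git -C "$dir" check-ignore -q -- "$f"; then
                echo "UNIGNORED $f is not covered by .gitignore"; rc=1
            fi
        fi
    done
    return $rc
}
```

Call it as `check_secret_files .` from the repository root; a non-zero return means at least one finding was printed.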