Support cloudflare API Tokens. (#62043)

API Tokens provide a new way to authenticate with the Cloudflare API.
They allow for scoped and permissioned access to resources.

1 files changed, 38 insertions, 9 deletions

diff --git a/lib/ansible/modules/net_tools/cloudflare_dns.py b/lib/ansible/modules/net_tools/cloudflare_dns.py
index 7dd9008bff..94be19a411 100644
--- a/lib/ansible/modules/net_tools/cloudflare_dns.py
+++ b/lib/ansible/modules/net_tools/cloudflare_dns.py
@@ -23,17 +23,26 @@ short_description: Manage Cloudflare DNS records
 description:
    - "Manages dns records via the Cloudflare API, see the docs: U(https://api.cloudflare.com/)"
 options:
+  api_token:
+    description:
+    - API token.
+    - Required for api token authentication.
+    - "You can obtain your API token from the bottom of the Cloudflare 'My Account' page, found here: U(https://dash.cloudflare.com/)"
+    type: str
+    required: false
+    version_added: '2.10'
   account_api_token:
     description:
-    - Account API token.
+    - Account API key.
+    - Required for api keys authentication.
     - "You can obtain your API key from the bottom of the Cloudflare 'My Account' page, found here: U(https://dash.cloudflare.com/)"
     type: str
-    required: true
+    required: false
   account_email:
     description:
-    - Account email.
+    - Account email. Required for api keys authentication.
     type: str
-    required: true
+    required: false
   algorithm:
     description:
     - Algorithm number.
@@ -162,6 +171,14 @@ EXAMPLES = r'''
     account_api_token: dummyapitoken
   register: record
 
+- name: Create a record using api token
+  cloudflare_dns:
+    zone: my.com
+    record: test
+    type: A
+    value: 127.0.0.1
+    api_token: dummyapitoken
+
 - name: Create a my.com CNAME record to example.com
   cloudflare_dns:
     zone: my.com
@@ -367,6 +384,7 @@ class CloudflareAPI(object):
 
     def __init__(self, module):
         self.module = module
+        self.api_token = module.params['api_token']
         self.account_api_token = module.params['account_api_token']
         self.account_email = module.params['account_email']
         self.algorithm = module.params['algorithm']
@@ -418,9 +436,17 @@ class CloudflareAPI(object):
                 self.module.fail_json(msg="DS records only apply to subdomains.")
 
     def _cf_simple_api_call(self, api_call, method='GET', payload=None):
-        headers = {'X-Auth-Email': self.account_email,
-                   'X-Auth-Key': self.account_api_token,
-                   'Content-Type': 'application/json'}
+        if self.api_token:
+            headers = {
+                'Authorization': 'Bearer ' + self.api_token,
+                'Content-Type': 'application/json',
+            }
+        else:
+            headers = {
+                'X-Auth-Email': self.account_email,
+                'X-Auth-Key': self.account_api_token,
+                'Content-Type': 'application/json',
+            }
         data = None
         if payload:
             try:
@@ -766,8 +792,9 @@ class CloudflareAPI(object):
 def main():
     module = AnsibleModule(
         argument_spec=dict(
-            account_api_token=dict(type='str', required=True, no_log=True),
-            account_email=dict(type='str', required=True),
+            api_token=dict(type='str', required=False, no_log=True),
+            account_api_token=dict(type='str', required=False, no_log=True),
+            account_email=dict(type='str', required=False),
             algorithm=dict(type='int'),
             cert_usage=dict(type='int', choices=[0, 1, 2, 3]),
             hash_type=dict(type='int', choices=[1, 2]),
@@ -797,6 +824,8 @@ def main():
         ],
     )
 
+    if not module.params['api_token'] and not (module.params['account_api_token'] and module.params['account_email']):
+        module.fail_json(msg="Either api_token or account_api_token and account_email params are required.")
     if module.params['type'] == 'SRV':
         if not ((module.params['weight'] is not None and module.params['port'] is not None
                  and not (module.params['value'] is None or module.params['value'] == ''))