Update dependencies and a small refactor

This required a refactor of the Cloudflare API, which is now much nicer.

Author: RealOrangeOne

.github/workflows/main.yml

@@ -15,12 +15,12 @@ jobs:
       - name: Set up Python
         uses: actions/setup-python@v2
         with:
-          python-version: "3.11"
+          python-version: "3.13"
 
       - uses: actions/cache@v2
         with:
           path: ~/.cache/pip
-          key: pip-3.11-${{ hashFiles('dev-requirements.txt') }}-${{ hashFiles('requirements.txt') }}
+          key: pip-3.13-${{ hashFiles('dev-requirements.txt') }}-${{ hashFiles('requirements.txt') }}
 
       - name: Install Dependencies
         run: pip install -r dev-requirements.txt

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.11-slim
+FROM python:3.13-slim
 
 RUN apt-get update && apt-get install -y webhook && apt-get clean
 

README.md

@@ -17,15 +17,17 @@ Install the dependencies listed in `requirements.txt`, ideally into a virtual en
 
 Set some environment variables:
 
-- `CF_API_KEY`: A Cloudflare API key, with access to the zone you wish to edit. "DNS Edit" is required for those zones.
+- `CLOUDFLARE_API_TOKEN`: A Cloudflare API token, with access to the zone you wish to edit. "DNS Edit" is required for those zones.
 - `HEROKU_API_KEY`: API key from Heroku
-- `CF_ZONE_ID`: The Cloudflare zone id of the domain to automatically create
+- `CLOUDFLARE_ZONE_ID`: The Cloudflare zone id of the domain to automatically create
 
 Optionally:
 
 - `APP_NAME`: A regex of app names to act on. Any not matching this will be skipped.
 - `HEROKU_TEAMS`: A comma separated list of Heroku teams to operate on. By default will use all apps the account has access to.
 - `ALLOWED_CNAME_TARGETS`: A comma-separated list of regexes which match CNAMEs. If these CNAMEs are found in place of the correct Heroku CNAME, they won't be overridden.
+- `LOG_LEVEL`: Log level to use (default "WARNING").
+- `DRY_RUN`: Whether to perform actions, or just say they happened (Either `true` or `false` (default)).
 
 These can also be set in a `.env` file.
 

dev-requirements.txt

@@ -1,5 +1,3 @@
 -r requirements.txt
 
-black
-isort
-flake8
+ruff==0.9.2

main.py

@@ -5,14 +5,20 @@
 import re
 import socket
 import time
-from itertools import count
 
-import CloudFlare
 import heroku3
 import sentry_sdk
+from cloudflare import Cloudflare
 from dotenv import load_dotenv
 from heroku3.models.app import App
 
+logger = logging.getLogger("heroku-cloudflare-app-domain")
+logging_handler = logging.StreamHandler()
+logging_handler.setFormatter(
+    logging.Formatter("[%(asctime)s] %(levelname)s: %(message)s")
+)
+logger.addHandler(logging_handler)
+
 SUCCESS_ACM_STATUS = {
     "cert issued",
     "pending",  # Assume this is ok. It'll be picked up on next iteration if it's not
@@ -23,25 +29,18 @@
 ]
 
 
-def get_cloudflare_list(api, *args, params=None):
+class FakeDomain:
     """
-    Hack around Cloudflare's API to get all results in a nice way
+    A fake Domain object to stand in for Heroku's domain.
     """
 
-    for page_num in count(start=1):
-        raw_results = api.get(
-            *args, params={"page": page_num, "per_page": 50, **(params or {})}
-        )
-
-        yield from raw_results["result"]
+    acm_status = True
 
-        total_pages = raw_results["result_info"]["total_pages"]
-        if page_num == total_pages:
-            break
+    def __init__(self, hostname):
+        self.domain = self.hostname = hostname
 
 
 def enable_acm(app):
-    logging.info("Enabling ACM for %s", app.name)
     app._h._http_resource(
         method="POST", resource=("apps", app.id, "acm")
     ).raise_for_status()
@@ -76,7 +75,9 @@ def main():
     if sentry_dsn := os.environ.get("SENTRY_DSN"):
         sentry_sdk.init(sentry_dsn)
 
-    cf = CloudFlare.CloudFlare(raw=True)
+    logger.setLevel(getattr(logging, os.getenv("LOG_LEVEL", "INFO")))
+
+    cf = Cloudflare()
 
     heroku = heroku3.from_key(os.getenv("HEROKU_API_KEY"))
 
@@ -86,22 +87,22 @@ def main():
         os.getenv("HEROKU_TEAMS").split(",") if "HEROKU_TEAMS" in os.environ else None
     )
 
+    dry_run = os.getenv("DRY_RUN", "false").lower() == "true"
+
     if interval:
         while True:
-            do_create(cf, heroku, matcher, heroku_teams)
+            do_create(cf, heroku, matcher, heroku_teams, dry_run)
             time.sleep(interval)
     else:
-        do_create(cf, heroku, matcher, heroku_teams)
+        do_create(cf, heroku, matcher, heroku_teams, dry_run)
 
 
-def do_create(cf, heroku, matcher, heroku_teams):
-    cf_zone = cf.zones.get(os.environ["CF_ZONE_ID"])["result"]
+def do_create(cf: Cloudflare, heroku, matcher, heroku_teams, dry_run):
+    cf_zone = cf.zones.get(zone_id=os.environ["CLOUDFLARE_ZONE_ID"])
 
     all_records = {
-        record["name"]: record
-        for record in get_cloudflare_list(
-            cf.zones.dns_records, cf_zone["id"], params={"type": "CNAME"}
-        )
+        record.name: record
+        for record in cf.dns.records.list(zone_id=cf_zone.id, type="CNAME")
     }
 
     heroku_apps = list(
@@ -110,24 +111,31 @@ def do_create(cf, heroku, matcher, heroku_teams):
         else get_apps_for_teams(heroku, heroku_teams)
     )
 
+    known_records = set()
+
+    logger.info("Checking %d apps", len(heroku_apps))
+
     for app in heroku_apps:
         if matcher.match(app.name) is None:
             continue
 
-        app_domain = f"{app.name}.{cf_zone['name']}"
+        app_domain = f"{app.name}.{cf_zone.name}"
         app_domains = {domain.hostname: domain for domain in app.domains()}
 
         existing_record = all_records.get(app_domain)
 
         # Add the domain to Heroku if it doesn't know about it
         if app_domain not in app_domains:
-            logging.info("%s: domain not set in Heroku", app.name)
-            new_heroku_domain = app.add_domain(app_domain, sni_endpoint=None)
-            app_domains[new_heroku_domain.hostname] = new_heroku_domain
+            logger.info("%s: domain not set in Heroku", app.name)
+            if dry_run:
+                app_domains[app_domain] = FakeDomain("example.herokudns.com")
+            else:
+                new_heroku_domain = app.add_domain(app_domain, sni_endpoint=None)
+                app_domains[new_heroku_domain.hostname] = new_heroku_domain
 
         # This saves refreshing for the whole app, which can be noisy
-        if app_domains[app_domain].acm_status not in SUCCESS_ACM_STATUS:
-            logging.debug("%s: cycling domain to refresh ACM", app.name)
+        if not dry_run and app_domains[app_domain].acm_status not in SUCCESS_ACM_STATUS:
+            logger.debug("%s: cycling domain to refresh ACM", app.name)
             app.remove_domain(app_domain)
             new_heroku_domain = app.add_domain(app_domain, sni_endpoint=None)
             app_domains[new_heroku_domain.hostname] = new_heroku_domain
@@ -140,31 +148,45 @@ def do_create(cf, heroku, matcher, heroku_teams):
         }
 
         if existing_record is None:
-            logging.info("%s: domain not set", app.name)
-            cf.zones.dns_records.post(cf_zone["id"], data=cf_record_data)
-        elif existing_record["content"] != cname:
-            if is_allowed_cname_target(existing_record["content"]):
-                logging.info("%s: record is different, but an allowed value", app.name)
-            else:
-                logging.warning("%s: incorrect record value", app.name)
-                cf.zones.dns_records.patch(
-                    cf_zone["id"], existing_record["id"], data=cf_record_data
+            logger.info("%s: domain not set", app.name)
+            if not dry_run:
+                cf.dns.records.create(zone_id=cf_zone.id, **cf_record_data)
+        elif existing_record.content != cname:
+            if is_allowed_cname_target(existing_record.content):
+                logger.warning(
+                    "%s: record is different, but an allowed value", app.name
                 )
+            else:
+                logger.warning("%s: incorrect record value", app.name)
+                if not dry_run:
+                    cf.dns.records.edit(
+                        zone_id=cf_zone.id,
+                        dns_record_id=existing_record.id,
+                        **cf_record_data,
+                    )
+        else:
+            logger.debug("%s: No action needed", app.name)
 
         # Enable ACM if not already, so certs can be issued
         has_acm = any(d.acm_status for d in app_domains.values())
         if not has_acm:
-            enable_acm(app)
+            logger.info("Enabling ACM for %s", app.name)
+            if not dry_run:
+                enable_acm(app)
+
+        known_records.add(app_domain)
 
     # Delete heroku records which don't exist anymore
     # This intentionally doesn't contain records we just created, so the records propagate
     for existing_record in all_records.values():
-        existing_value = existing_record["content"]
-        if existing_value.endswith("herokudns.com") and not record_exists(
-            existing_value
+        existing_value = existing_record.content
+        if (
+            existing_record.name not in known_records
+            and existing_value.endswith("herokudns.com")
+            and not record_exists(existing_value)
         ):
-            logging.warning("%s: stale heroku domain", existing_value)
-            cf.zones.dns_records.delete(cf_zone["id"], existing_record["id"])
+            logger.warning("%s: stale heroku domain", existing_value)
+            cf.dns.records.delete(existing_record.id, zone_id=cf_zone.id)
 
 
 if __name__ == "__main__":

pyproject.toml

@@ -0,0 +1,8 @@
+[project]
+name = "heroku-cloudflare-app-domain"
+version = "0.0.0"
+requires-python = "~=3.13"
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "W", "N", "B", "A", "C4", "T20"]
+ignore = ["E501", "DJ008"]

requirements.txt

@@ -1,4 +1,4 @@
-cloudflare==2.14.3
-python-dotenv==1.0.0
+cloudflare==4.0.0
+python-dotenv==1.0.1
 heroku3==5.2.1
-sentry-sdk==1.39.1
+sentry-sdk==2.20.0