Best practice for Terraform and routing internal IP

We were following the best practices for using Terraform to set up Argo Tunnels listed in this blog post. We were hoping to automatically provision an Argo Tunnel as well as add internal routes, all through Terraform.

When running the cloudflared tunnel route ip command in our metadata startup script, we noticed that it was expecting a user-level certificate as we’re getting the following error:

```
# cloudflared tunnel route ip list
2022-01-24T04:54:39Z INF Cannot determine default origin certificate path. No file cert.pem in [~/.cloudflared ~/.cloudflare-warp ~/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared] originCertPath=
2022-01-24T04:54:39Z ERR You need to specify the origin certificate path with --origincert option, or set TUNNEL_ORIGIN_CERT environment variable. See https://developers.cloudflare.com/argo-tunnel/reference/arguments/ for more information. originCertPath=
error while creating backend client: Error locating origin cert: client didn't specify origincert path when running from terminal
```

Is there a best practice for creating an IP route inline in an automatic provisioning process?

Thanks!

1 Like

The issue you are seeing there is because cloudflared is not logged in yet. My best guess for automating is you would manually have to log in as a user, then generate the certificate and copy it with Terraform.

I have not used Terraform recently, so I don't know how secrets work with it.

1 Like
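A preflight for the startup script, as an added example that is not part of any post in this thread or of cloudflared itself: it resolves the origin certificate from the search path shown in the error log, refuses a cert.pem that group or others can access (the file is a login credential), and exports TUNNEL_ORIGIN_CERT. The function names are hypothetical, and it assumes cert.pem was generated once by a manual login and delivered to the host by whatever secret mechanism the provisioning uses.

```shell
# Directories cloudflared searched for cert.pem, copied from the log in the question.
CERT_DIRS="$HOME/.cloudflared $HOME/.cloudflare-warp $HOME/cloudflare-warp /etc/cloudflared /usr/local/etc/cloudflared"

# Print the origin certificate path, or return non-zero if none is usable.
# An explicit TUNNEL_ORIGIN_CERT wins; otherwise the first non-empty cert.pem
# in the search directories (optional $1 overrides the directory list).
find_origin_cert() {
  local dirs="${1:-$CERT_DIRS}" d
  if [ -n "${TUNNEL_ORIGIN_CERT:-}" ]; then
    [ -s "$TUNNEL_ORIGIN_CERT" ] || return 1
    printf '%s\n' "$TUNNEL_ORIGIN_CERT"
    return 0
  fi
  for d in $dirs; do
    if [ -s "$d/cert.pem" ]; then
      printf '%s\n' "$d/cert.pem"
      return 0
    fi
  done
  return 1
}

# Succeed only if the file grants no permissions to group or others (e.g. 600, 400).
cert_is_private() {
  local mode
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
  case "$mode" in
    *00|0) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 and exports TUNNEL_ORIGIN_CERT, 1 if no cert was found, 2 if it is too permissive.
preflight_origin_cert() {
  local cert
  cert=$(find_origin_cert "$@") || {
    echo "no origin cert found: log in once and provision cert.pem as a secret" >&2
    return 1
  }
  cert_is_private "$cert" || {
    echo "refusing $cert: accessible by group or others (chmod 600)" >&2
    return 2
  }
  export TUNNEL_ORIGIN_CERT="$cert"
}

# Usage in the startup script (CIDR and tunnel name are constructed placeholders):
# preflight_origin_cert && cloudflared tunnel route ip add 10.0.0.0/8 example-tunnel
```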

@user20542 I am facing exactly the same use case. Did you find a better way to do that?