Delete Cloudflare tunnels with active connections

brucet.cisco · January 28, 2023, 1:32am

I tried to delete a Cloudflare tunnel with active connections using the Cloudflare API - https://api.cloudflare.com/#cloudflare-tunnel-delete-a-cloudflare-tunnel

When I try to delete the tunnel, I get the following error response:
Cannot delete tunnel because it has active connections. Close any cloudflareds running the tunnel, or run cloudflared tunnel cleanup to delete stale connections, then try to delete it again.

I found the following article that describes how to using cloudflared to delete a tunnel with active connections using the -f option:
https://developers.cloudflare.com/cloudflare-one/connections/connect-apps/install-and-setup/tunnel-guide/local/tunnel-useful-commands/

I assume there must be a similar “force” option for the Cloudflare delete tunnel API but it does not seem to be documented. Does anyone have any information about this feature?

Chaika · January 28, 2023, 1:45am

Cloudflared is open source.

github.com

cloudflare/cloudflared/blob/19106cd60933deb609ebddd3a11f37eac70e8a62/cmd/cloudflared/tunnel/subcommand_context.go#L247


      
          		tunnel, err := client.GetTunnel(id)
          		if err != nil {
          			return errors.Wrapf(err, "Can't get tunnel information. Please check tunnel id: %s", id)
          		}
          
          
		// Check if tunnel DeletedAt field has already been set
          		if !tunnel.DeletedAt.IsZero() {
          			return fmt.Errorf("Tunnel %s has already been deleted", tunnel.ID)
          		}
          		if forceFlagSet {
          			if err := client.CleanupConnections(tunnel.ID, cfapi.NewCleanupParams()); err != nil {
          				return errors.Wrapf(err, "Error cleaning up connections for tunnel %s", tunnel.ID)
          			}
          		}
          
          
		if err := client.DeleteTunnel(tunnel.ID); err != nil {
          			return errors.Wrapf(err, "Error deleting tunnel %s", tunnel.ID)
          		}
          
          
		credFinder := sc.credentialFinder(id)
          		if tunnelCredentialsPath, err := credFinder.Path(); err == nil {

It looks like all it does is call Clean up Connections

github.com

cloudflare/cloudflared/blob/19106cd60933deb609ebddd3a11f37eac70e8a62/cfapi/tunnel.go#L192


      
          
          
	return nil, r.statusCodeToError("list connection details", resp)
          }
          
          
func parseConnectionsDetails(reader io.Reader) ([]*ActiveClient, error) {
          	var clients []*ActiveClient
          	err := parseResponse(reader, &clients)
          	return clients, err
          }
          
          
func (r *RESTClient) CleanupConnections(tunnelID uuid.UUID, params *CleanupParams) error {
          	endpoint := r.baseEndpoints.accountLevel
          	endpoint.RawQuery = params.encode()
          	endpoint.Path = path.Join(endpoint.Path, fmt.Sprintf("%v/connections", tunnelID))
          	resp, err := r.sendRequest("DELETE", endpoint, nil)
          	if err != nil {
          		return errors.Wrap(err, "REST request failed")
          	}
          	defer resp.Body.Close()
          
          
	return r.statusCodeToError("cleanup connections", resp)

Which is just the same clean up Cloudflare Tunnel connections you can find the API Docs

The Usage on the flag itself says the same, that it just cleans up stale connections

github.com

cloudflare/cloudflared/blob/ded9dec4f083cb5c303f251545685c842e0181e6/cmd/cloudflared/tunnel/subcommands.go#L105


      
          	})
          	credentialsFileFlag = altsrc.NewStringFlag(&cli.StringFlag{
          		Name:    CredFileFlag,
          		Aliases: []string{CredFileFlagAlias},
          		Usage:   "Filepath at which to read/write the tunnel credentials",
          		EnvVars: []string{"TUNNEL_CRED_FILE"},
          	})
          	forceDeleteFlag = &cli.BoolFlag{
          		Name:    "force",
          		Aliases: []string{"f"},
          		Usage: "Cleans up any stale connections before the tunnel is deleted. cloudflared will not " +
          			"delete a tunnel with connections without this flag.",
          		EnvVars: []string{"TUNNEL_RUN_FORCE_OVERWRITE"},
          	}
          	selectProtocolFlag = altsrc.NewStringFlag(&cli.StringFlag{
          		Name:    "protocol",
          		Value:   "h2mux",
          		Aliases: []string{"p"},
          		Usage:   fmt.Sprintf("Protocol implementation to connect with Cloudflare's edge network. %s", connection.AvailableProtocolFlagMessage),
          		EnvVars: []string{"TUNNEL_TRANSPORT_PROTOCOL"},
          		Hidden:  true,

So it looks like there’s no way to delete a tunnel with active connections and the description on the -f option is a bit misleading, sadly.

brucet.cisco · January 28, 2023, 4:14am

Thanks for the timely response and info.

I think there must be a way to delete tunnels with active connections since it works from the Cloudflare web UI. Unfortunately, it looks like the actual process is not documented.

Chaika · January 28, 2023, 4:26am

Ahhhh interesting, didn’t realize the dashboard could do it.

I looked at what the Zero Trust dashboard does, and it looks like it’s a magical query parameter, cascade=true

i.e DELETE https://api.cloudflare.com/client/v4/accounts/account-id/tunnels/tunnel-id?cascade=true

brucet.cisco · January 28, 2023, 4:34am

I just tried the sequence you provided from your inspection of cloudflared. I did “clean up tunnel connections” followed by “delete tunnel” using the API and it worked!!!

So I think your original answer based on cloudflared source code was correct.

Chaika · January 28, 2023, 4:54am

I see. I’m happy that worked for you.

Just in case someone sees this thread in the future:

According to the API Docs, cfd_tunnel is the new API Path for tunnels, i.e https://developers.cloudflare.com/api/operations/cloudflare-tunnel-clean-up-cloudflare-tunnel-connections

I had linked older Cloudflare Tunnel API Documentations/paths earlier, which I see now is marked as deprecated. It’s the same functionality and endpoints, just on cfd_tunnel instead of tunnels

https://developers.cloudflare.com/api/operations/cloudflare-tunnel-clean-up-cloudflare-tunnel-connections

The Clean Up Tunnel Connections API Call, api.cloudflare.com/client/v4/accounts/account_identifier/cfd_tunnel/tunnel_id/connections, despite the documentation saying it will only remove connections that are disconnected or in a pending reconnect state, kills all connections, even alive/working ones. Calling the list tunnel connections endpoint after shows no connections.

You can then call the normal tunnel delete without issues.

The Zero Trust Dash goes about this in a different way, using an undocumented query parameter, cascade=true
https://api.cloudflare.com/client/v4/accounts/{account_identifier}/cfd_tunnel/{tunnel_id}?cascade=true

Cascade true seems to have the same effect, and calling the list connections endpoint after shows no connections.

So either way will work, although both don’t align with documentation, as far as I can see.

system · January 31, 2023, 4:55am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.