HostnameAssociation

Source: src/Cloudflare/CertificateAuthorities/HostnameAssociation.ts

The set of hostnames in a Cloudflare zone that enforce mTLS, optionally keyed by an uploaded mTLS CA certificate.

Cloudflare models this as a settings singleton per (zone, mtls_certificate_id) pair — a pure GET/PUT API over /zones/{zone_id}/certificate_authorities/hostname_associations. With no mtlsCertificateId, the hostnames are associated with the zone’s active Cloudflare Managed CA; with one, they are associated with that uploaded CA certificate. Destroying the resource clears the association (PUT of an empty hostname list).

Safety: when there is no prior state but the keyed association already has hostnames, read reports the existing list as Unowned. The engine refuses to take it over, because doing so would clobber a hand-managed list, unless --adopt or adopt(true) is set.

Note: an mTLS CA certificate cannot be deleted while hostname associations still reference it. Pass the certificate id through cert.mtlsCertificateId so the engine destroys the association before the certificate.

yield* Cloudflare.HostnameAssociation("MtlsHosts", {
  zoneId: zone.zoneId,
  hostnames: ["api.example.com"],
});

const ca = yield* Cloudflare.MtlsCertificate("ClientCa", {
  ca: true,
  certificates: caPem,
});
yield* Cloudflare.HostnameAssociation("ClientCaHosts", {
  zoneId: zone.zoneId,
  mtlsCertificateId: ca.mtlsCertificateId,
  hostnames: ["api.example.com", "admin.example.com"],
});
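
The ownership check and full-list PUT described above, modelled as an added example; it is not the engine's or Cloudflare's code. `planAssociation`, `PlanInput` and `Plan` are hypothetical names, and the `hostnames` body field is assumed from Cloudflare's public API. The `dropped` list shows which hostnames would lose mTLS enforcement if an existing list were taken over.

```typescript
// Added example: a model of the ownership check, not the engine's implementation.
type HostnameState = { hostnames: string[] };
type PutBody = { hostnames: string[]; mtls_certificate_id?: string };

type Plan =
  | { kind: "refuse"; unowned: string[] }
  | { kind: "noop" }
  | { kind: "put"; path: string; body: PutBody; dropped: string[] };

interface PlanInput {
  zoneId: string;
  desired: string[];          // hostnames declared in code; [] models destroy
  remote: HostnameState;      // what GET returned for this (zone, cert) key
  prior?: HostnameState;      // engine state; undefined on first deploy
  mtlsCertificateId?: string; // omitted => zone's Cloudflare Managed CA
  adopt?: boolean;            // models --adopt / adopt(true)
}

// DNS names are case-insensitive, so compare on a lowercased, sorted copy.
const norm = (hosts: string[]): string[] =>
  hosts.map((h) => h.toLowerCase()).sort();

function planAssociation(input: PlanInput): Plan {
  const desired = norm(input.desired);
  const remote = norm(input.remote.hostnames);

  // No prior state but a non-empty remote list: it is managed elsewhere.
  if (input.prior === undefined && remote.length > 0 && !input.adopt) {
    return { kind: "refuse", unowned: remote };
  }
  if (desired.join(",") === remote.join(",")) return { kind: "noop" };

  // PUT replaces the whole list: anything not re-declared loses mTLS enforcement.
  const dropped = remote.filter((h) => desired.indexOf(h) === -1);
  const body: PutBody = { hostnames: desired };
  if (input.mtlsCertificateId !== undefined) {
    body.mtls_certificate_id = input.mtlsCertificateId;
  }
  return {
    kind: "put",
    path: `/zones/${input.zoneId}/certificate_authorities/hostname_associations`,
    body,
    dropped,
  };
}
```
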