Weekly Cloudflare DNS drift report in Slack
Every Monday morning, compare your live Cloudflare DNS against an approved list in Google Sheets and post a clean drift report to Slack.
Build me an agent workflow that runs every Monday at 8am in my timezone (cron trigger) and reconciles our production Cloudflare DNS against an approved list we maintain in Google Sheets, then posts a drift report to Slack.
On each run, the agent should: (1) call Cloudflare's List Zones to enumerate every zone the API token can see, and for each zone call Cloudflare's List DNS Records to pull the current production DNS state (handle pagination so we get every record, not just the first page); (2) in parallel, call Google Sheets' Get Values on the tab named "Approved DNS records" in the spreadsheet I'll provide, which has the header row: zone, name, type, content, proxied, owner, ticket.
Then diff the two sets, matching on (zone, name, type). Reason about each delta and group findings into four buckets: UNAUTHORIZED (present in Cloudflare, missing from the sheet), MISSING (in the sheet but not in Cloudflare), CONTENT DRIFT (matching record exists in both but the content value differs, for example an A record's IP changed or a CNAME target changed), and PROXY DRIFT (the proxied flag in Cloudflare does not match what the sheet says). For any delta that matches a row in the sheet, attach the owner and ticket columns to the finding.
Write a concise drift report grouped by severity in this order: UNAUTHORIZED first, then CONTENT DRIFT, then PROXY DRIFT, then MISSING. Each item should be one short line: zone, record name, type, what changed, and the owner if known. If there is no drift, say so explicitly with a short "all clear" line so the team can see the check actually ran.
Post the report to the #platform-ops Slack channel using Slack's Send a Message operation. Then call Google Sheets' Append Values on a tab named "Drift history" in the same spreadsheet to append one row per finding with columns: timestamp (UTC, ISO 8601), severity, zone, record name, type, change description, owner, ticket. This is the audit trail, so always append even when there is no drift (append a single "all clear" marker row in that case).
Make the spreadsheet ID, the approved-records tab name, the drift-history tab name, and the Slack channel configurable at the top of the instructions so I can swap them without editing the agent body. The agent should fail loudly (post an error to the Slack channel) if the spreadsheet or either tab is unreachable, rather than silently skipping the run.
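The reconciliation step described above (match on zone, name and type; sort deltas into the four buckets; attach owner and ticket from the sheet; render the report in severity order with an explicit all-clear line; build the Drift history rows) is shown below as an added example in Python. It is not code from this page or from the Geni product. The Cloudflare and Google Sheets calls themselves are left out: the live records are assumed to be dicts with zone, name, type, content and proxied fields, and the sheet rows are assumed to be lists of strings in the header order given above. All sample records are constructed and do not describe real DNS.

```python
"""Diff live Cloudflare DNS against an approved sheet (added example, assumed input shapes)."""
from datetime import datetime, timezone

# Report order from the page: UNAUTHORIZED, CONTENT DRIFT, PROXY DRIFT, MISSING.
SEVERITY_ORDER = ["UNAUTHORIZED", "CONTENT DRIFT", "PROXY DRIFT", "MISSING"]

def _key(zone, name, rtype):
    # Match key (zone, name, type); hostnames are case-insensitive in DNS.
    return (zone.strip().lower(), name.strip().lower(), rtype.strip().upper())

def _as_bool(value):
    # Sheet cells arrive as strings ("TRUE", "yes", "1"); API values are real bools.
    return value if isinstance(value, bool) else str(value).strip().lower() in ("true", "yes", "1", "y")

def sheet_rows_to_approved(rows):
    """Header row plus data rows (Get Values shape, assumed) -> dict keyed on (zone, name, type)."""
    header = [h.strip().lower() for h in rows[0]]
    approved = {}
    for row in rows[1:]:
        if not any(cell.strip() for cell in row):
            continue  # blank line in the sheet
        row = row + [""] * (len(header) - len(row))  # pad rows with trailing empty cells
        rec = dict(zip(header, (c.strip() for c in row)))
        approved[_key(rec["zone"], rec["name"], rec["type"])] = rec
    return approved

def diff_dns(live_records, approved):
    """Return findings sorted by severity; each has zone, name, type, change, owner, ticket."""
    findings, seen = [], set()
    for rec in live_records:
        k = _key(rec["zone"], rec["name"], rec["type"])
        seen.add(k)
        want = approved.get(k)
        base = {"zone": rec["zone"], "name": rec["name"], "type": rec["type"]}
        if want is None:  # in Cloudflare, not in the sheet
            findings.append({**base, "severity": "UNAUTHORIZED", "owner": "", "ticket": "",
                             "change": f"not in approved list (content={rec['content']})"})
            continue
        owned = {"owner": want.get("owner", ""), "ticket": want.get("ticket", "")}
        if rec["content"].strip() != want["content"]:
            findings.append({**base, **owned, "severity": "CONTENT DRIFT",
                             "change": f"content {want['content']} -> {rec['content']}"})
        exp, got = _as_bool(want.get("proxied", "")), _as_bool(rec.get("proxied", False))
        if exp != got:
            findings.append({**base, **owned, "severity": "PROXY DRIFT",
                             "change": f"proxied expected {exp}, found {got}"})
    for k, want in approved.items():
        if k not in seen:  # in the sheet, not in Cloudflare
            findings.append({"zone": want["zone"], "name": want["name"], "type": want["type"],
                             "severity": "MISSING", "change": f"expected content {want['content']}",
                             "owner": want.get("owner", ""), "ticket": want.get("ticket", "")})
    findings.sort(key=lambda f: (SEVERITY_ORDER.index(f["severity"]), f["zone"], f["name"]))
    return findings

def render_report(findings):
    """One short line per finding, grouped by severity; explicit all-clear when empty."""
    if not findings:
        return "DNS drift check: all clear, no drift found."
    lines = ["DNS drift report"]
    for sev in SEVERITY_ORDER:
        group = [f for f in findings if f["severity"] == sev]
        if group:
            lines.append(f"{sev} ({len(group)})")
        for f in group:
            owner = f" owner={f['owner']}" if f["owner"] else ""
            lines.append(f"- {f['zone']} {f['name']} {f['type']}: {f['change']}{owner}")
    return "\n".join(lines)

def audit_rows(findings, now=None):
    """Rows for the Drift history tab; a single marker row when there is no drift."""
    ts = (now or datetime.now(timezone.utc)).isoformat()
    if not findings:
        return [[ts, "ALL CLEAR", "", "", "", "no drift found", "", ""]]
    return [[ts, f["severity"], f["zone"], f["name"], f["type"], f["change"], f["owner"], f["ticket"]]
            for f in findings]

# Constructed sample input (not real DNS): four live records, four approved rows.
LIVE = [
    {"zone": "example.com", "name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"zone": "example.com", "name": "api.example.com", "type": "CNAME", "content": "api-v2.internal.example.net", "proxied": False},
    {"zone": "example.com", "name": "ftp.example.com", "type": "A", "content": "203.0.113.99", "proxied": False},
    {"zone": "example.org", "name": "example.org", "type": "MX", "content": "mail.example.org", "proxied": False},
]
SHEET = [
    ["zone", "name", "type", "content", "proxied", "owner", "ticket"],
    ["example.com", "www.example.com", "A", "203.0.113.10", "TRUE", "web-team", "OPS-101"],
    ["example.com", "api.example.com", "CNAME", "api-v1.internal.example.net", "TRUE", "api-team", "OPS-102"],
    ["example.org", "example.org", "MX", "mail.example.org", "FALSE", "mail-team", "OPS-103"],
    ["example.org", "status.example.org", "CNAME", "status.example.net", "FALSE", "sre", "OPS-104"],
]

if __name__ == "__main__":
    found = diff_dns(LIVE, sheet_rows_to_approved(SHEET))
    print(render_report(found))
    for row in audit_rows(found):
        print(row)
```

With the sample data the run yields one finding per bucket: ftp.example.com is UNAUTHORIZED, api.example.com shows both CONTENT DRIFT and PROXY DRIFT with owner api-team and ticket OPS-102 attached, and status.example.org is MISSING. The "fail loudly" requirement belongs in the fetch layer around this code: if Get Values for either tab raises, post the error to the channel instead of treating an empty sheet as an empty approved list, otherwise every live record would be reported as UNAUTHORIZED.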
Additional information
What does this prompt do?
- Pulls every DNS record from every Cloudflare zone your token can see, so nothing hides in a forgotten domain.
- Reads an Approved DNS records tab in Google Sheets that your platform team maintains as the source of truth.
- Highlights unauthorized records, missing records, content drift, and changes to the proxied flag, grouped by severity with the listed owner attached.
- Posts a tidy weekly drift report to your platform channel in Slack and appends a timestamped audit row to a Drift history tab for the long-term trail.
What do I need to use this?
- A Cloudflare API token that can read zones and DNS records for the zones you want to audit.
- A Google account with edit access to the spreadsheet that holds your approved DNS list.
- A Slack workspace and a channel where the weekly report should be posted, such as a platform or infrastructure ops channel.
- An Approved DNS records tab with columns for zone, name, type, content, proxied, owner, and ticket, plus an empty Drift history tab for the audit trail.
How can I customize it?
- Change the schedule to a different day or time, or run it more often if your DNS changes are frequent.
- Swap the Slack channel, mention a specific group when severity is high, or split alerts across two channels for unauthorized versus expected changes.
- Adjust the column names in the approved list, ignore certain record types like TXT verification rows, or scope the report to a single zone.
Frequently asked questions
Do I need Terraform or any infrastructure as code setup to use this?
What kinds of drift will the report flag?
Will this change my DNS records?
Can I limit it to specific zones or domains?
How does the owner column help?
Stop discovering rogue DNS records the hard way.
Connect Cloudflare, Google Sheets, and Slack once, and Geni reconciles your DNS against the approved list every Monday morning.