-
Notifications
You must be signed in to change notification settings - Fork 626
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cloudflare - Requesting data source for Cloudflare IPs #6
Comments
Note that the IPs are accessible via API at https://api.cloudflare.com/#cloudflare-ips-properties - and thus provider integration against this endpoint should be reasonably straightforward. |
Hi @elithrar, This is publicly available by cloudflare as plaintext on a HTTP URL. Thus you can use the terraform HTTP data_source introduced in 0.9.5 to pull that information in. I've written a module you are welcome to use/copy that does exactly this: https://github.com/sysadmiral/sysadmiral_tf_aws_secgrouprule_cloudflare It pulls cloudflares public IP's and creates a secgroup_rule for them. You can then create a security group and associate the secgroup_rule with it. |
@sysadmiral I love you, thank you :-) I never noticed that HTTP data resource before, this is so much better than my static list. |
@fillup - no problemo! yeah the lookup method guarantees your app will work with cloudflare if they ever change their IP's and as long as they continue to publish their IP's publicly in the jolly nice way that they currently do! 🙂 |
I'd be happy to do this when my page rules PR is working and if its merged okay. (i.e. so that I know I'm doing the right sort of thing) 🙂 |
Is there an ETA on the corresponding release to this feature occurring? |
@liomthechef check out what @sysadmiral told me, the data url resource is key for this, here is a example: data "http" "cloudflare_ipv4" {
url = "https://www.cloudflare.com/ips-v4"
}
resource "aws_security_group" "cloudflare_https" {
name = "cloudflare-https"
description = "Allow HTTPS traffic from Cloudflare"
vpc_id = "${var.vpc_id}"
}
resource "aws_security_group_rule" "cloudflare_ipv4" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.cloudflare_https.id}"
cidr_blocks = ["${split("\n",trimspace(data.http.cloudflare_ipv4.body))}"]
} |
@fillup perfect, thats exactly what I needed, much appreciated. |
…le-resolve_override fix typo and go fmt
Given the relatively simple data http block that can be used to do this, I believe we can close this @patryk |
We already have a proper data source for IPs: https://www.terraform.io/docs/providers/cloudflare/d/ip_ranges.html. No need for 'http' hack. |
This issue was originally opened by @fillup as hashicorp/terraform#12166. It was migrated here as part of the provider split. The original body of the issue is below.
We use Cloudflare in front of our web apps and configure our AWS ELBs to limit access to Cloudflare's IP addresses. Right now we maintain a list manually based on https://www.cloudflare.com/ips/, but it would be great to be able to dynamically pull these lists for use in security groups and other things.
The text was updated successfully, but these errors were encountered: