Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cloudflare - Requesting data source for Cloudflare IPs #6

Closed
hashibot opened this issue Jun 13, 2017 · 10 comments
Closed

Cloudflare - Requesting data source for Cloudflare IPs #6

hashibot opened this issue Jun 13, 2017 · 10 comments
Labels
kind/enhancement Categorizes issue or PR as related to improving an existing feature.

Comments

@hashibot
Copy link

This issue was originally opened by @fillup as hashicorp/terraform#12166. It was migrated here as part of the provider split. The original body of the issue is below.


We use Cloudflare in front of our web apps and configure our AWS ELBs to limit access to Cloudflare's IP addresses. Right now we maintain a list manually based on https://www.cloudflare.com/ips/, but it would be great to be able to dynamically pull these lists for use in security groups and other things.

@hashibot hashibot added the kind/enhancement Categorizes issue or PR as related to improving an existing feature. label Jun 13, 2017
@elithrar
Copy link

elithrar commented Jul 5, 2017

Note that the IPs are accessible via API at https://api.cloudflare.com/#cloudflare-ips-properties - and thus provider integration against this endpoint should be reasonably straightforward.

@sysadmiral
Copy link

sysadmiral commented Jul 6, 2017

Hi @elithrar,

This is publicly available by cloudflare as plaintext on a HTTP URL. Thus you can use the terraform HTTP data_source introduced in 0.9.5 to pull that information in.

I've written a module you are welcome to use/copy that does exactly this: https://github.com/sysadmiral/sysadmiral_tf_aws_secgrouprule_cloudflare

It pulls cloudflares public IP's and creates a secgroup_rule for them. You can then create a security group and associate the secgroup_rule with it.

@fillup
Copy link

fillup commented Jul 6, 2017

@sysadmiral I love you, thank you :-) I never noticed that HTTP data resource before, this is so much better than my static list.

@sysadmiral
Copy link

@fillup - no problemo! yeah the lookup method guarantees your app will work with cloudflare if they ever change their IP's and as long as they continue to publish their IP's publicly in the jolly nice way that they currently do! 🙂

@OJFord
Copy link
Contributor

OJFord commented Jul 7, 2017

I'd be happy to do this when my page rules PR is working and if its merged okay. (i.e. so that I know I'm doing the right sort of thing) 🙂

@liomthechef
Copy link

Is there an ETA on the corresponding release to this feature occurring?
Would prevent me writing a hack to get this working in my current workflows.

@fillup
Copy link

fillup commented Mar 13, 2018

@liomthechef check out what @sysadmiral told me, the data url resource is key for this, here is a example:

data "http" "cloudflare_ipv4" {
  url = "https://www.cloudflare.com/ips-v4"
}

resource "aws_security_group" "cloudflare_https" {
  name        = "cloudflare-https"
  description = "Allow HTTPS traffic from Cloudflare"
  vpc_id      = "${var.vpc_id}"
}

resource "aws_security_group_rule" "cloudflare_ipv4" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = "${aws_security_group.cloudflare_https.id}"
  cidr_blocks       = ["${split("\n",trimspace(data.http.cloudflare_ipv4.body))}"]
}

@liomthechef
Copy link

liomthechef commented Mar 14, 2018

@fillup perfect, thats exactly what I needed, much appreciated.
I should have read prior comments more fully :(

simpsora pushed a commit to simpsora/terraform-provider-cloudflare that referenced this issue Jun 20, 2018
@garrettgalow
Copy link
Contributor

Given the relatively simple data http block that can be used to do this, I believe we can close this @patryk

@patryk
Copy link
Contributor

patryk commented Jul 12, 2018

We already have a proper data source for IPs: https://www.terraform.io/docs/providers/cloudflare/d/ip_ranges.html. No need for 'http' hack.

@patryk patryk closed this as completed Jul 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/enhancement Categorizes issue or PR as related to improving an existing feature.
Projects
None yet
Development

No branches or pull requests

8 participants