Cloudflare - Requesting data source for Cloudflare IPs #6
Comments
hashibot
added
the
kind/enhancement
|
Note that the IPs are accessible via API at https://api.cloudflare.com/#cloudflare-ips-properties - and thus provider integration against this endpoint should be reasonably straightforward. |
|
Hi @elithrar, This is publicly available by cloudflare as plaintext on a HTTP URL. Thus you can use the terraform HTTP data_source introduced in 0.9.5 to pull that information in. I've written a module you are welcome to use/copy that does exactly this: https://github.com/sysadmiral/sysadmiral_tf_aws_secgrouprule_cloudflare It pulls cloudflares public IP's and creates a secgroup_rule for them. You can then create a security group and associate the secgroup_rule with it. |
|
@sysadmiral I love you, thank you :-) I never noticed that HTTP data resource before, this is so much better than my static list. |
|
@fillup - no problemo! yeah the lookup method guarantees your app will work with cloudflare if they ever change their IP's and as long as they continue to publish their IP's publicly in the jolly nice way that they currently do! 🙂 |
|
I'd be happy to do this when my page rules PR is working and if its merged okay. (i.e. so that I know I'm doing the right sort of thing) 🙂 |
|
Is there an ETA on the corresponding release to this feature occurring? |
|
@liomthechef check out what @sysadmiral told me, the data url resource is key for this, here is a example: data "http" "cloudflare_ipv4" {
url = "https://www.cloudflare.com/ips-v4"
}
resource "aws_security_group" "cloudflare_https" {
name = "cloudflare-https"
description = "Allow HTTPS traffic from Cloudflare"
vpc_id = "${var.vpc_id}"
}
resource "aws_security_group_rule" "cloudflare_ipv4" {
type = "ingress"
from_port = 443
to_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.cloudflare_https.id}"
cidr_blocks = ["${split("\n",trimspace(data.http.cloudflare_ipv4.body))}"]
} |
|
@fillup perfect, thats exactly what I needed, much appreciated. |
…le-resolve_override fix typo and go fmt
|
Given the relatively simple data http block that can be used to do this, I believe we can close this @patryk |
|
We already have a proper data source for IPs: https://www.terraform.io/docs/providers/cloudflare/d/ip_ranges.html. No need for 'http' hack. |
This issue was originally opened by @fillup as hashicorp/terraform#12166. It was migrated here as part of the provider split. The original body of the issue is below.
We use Cloudflare in front of our web apps and configure our AWS ELBs to limit access to Cloudflare's IP addresses. Right now we maintain a list manually based on https://www.cloudflare.com/ips/, but it would be great to be able to dynamically pull these lists for use in security groups and other things.
The text was updated successfully, but these errors were encountered: