
@pew
Created December 24, 2021 13:03
Terraform Allow List Cloudflare IP Ranges Without Auth/API Token
provider "http" {}

# Cloudflare publishes its edge IP ranges at this unauthenticated endpoint,
# so no API token is needed to build the allow list.
data "http" "cloudflare_ips" {
  url = "https://api.cloudflare.com/client/v4/ips"
  request_headers = {
    Accept = "application/json"
  }
}

locals {
  cloudflare_ip_ranges    = jsondecode(data.http.cloudflare_ips.body)
  cloudflare_ipv4_cidrs   = local.cloudflare_ip_ranges.result.ipv4_cidrs
  cloudflare_ipv6_cidrs   = local.cloudflare_ip_ranges.result.ipv6_cidrs
  cloudflare_ips_combined = concat(local.cloudflare_ipv4_cidrs, local.cloudflare_ipv6_cidrs)
}
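The locals above are only as trustworthy as the response they decode: a failed or partial API reply would silently yield an empty or incomplete allow list. The following added example (not part of the gist) mirrors the same decode/split/concat steps in Python, validates each entry as a strict CIDR, refuses a failed or empty response, and adds a membership check a defender can run over origin access logs to spot connections that did not arrive through Cloudflare. The embedded response is a constructed sample in the shape the endpoint returns; the ranges in it are illustrative, not the live list.

```python
import ipaddress
import json

# Constructed sample in the shape returned by https://api.cloudflare.com/client/v4/ips
# (illustrative ranges only; the published list changes over time).
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "ipv4_cidrs": ["173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13"],
        "ipv6_cidrs": ["2400:cb00::/32", "2606:4700::/32"],
        "etag": "example-etag",
    },
    "success": True,
    "errors": [],
    "messages": [],
})


def parse_cloudflare_ips(body):
    """Decode the JSON like the Terraform locals do, but fail loudly on bad input.

    Raises ValueError if the API reports failure, a list is empty, or an entry is
    not a valid strict CIDR, so a broken response never becomes an empty allow list.
    """
    data = json.loads(body)
    if not data.get("success"):
        raise ValueError(f"Cloudflare API reported failure: {data.get('errors')}")
    result = data["result"]
    ipv4 = [ipaddress.IPv4Network(c) for c in result["ipv4_cidrs"]]  # strict=True by default
    ipv6 = [ipaddress.IPv6Network(c) for c in result["ipv6_cidrs"]]
    if not ipv4 or not ipv6:
        raise ValueError("empty CIDR list; refusing to build an allow list from it")
    return ipv4, ipv6


def combined_cidrs(body):
    """Equivalent of local.cloudflare_ips_combined: IPv4 ranges followed by IPv6, as strings."""
    ipv4, ipv6 = parse_cloudflare_ips(body)
    return [str(n) for n in ipv4 + ipv6]


def is_cloudflare_source(addr, body):
    """True if addr lies in a published range, i.e. the connection came via Cloudflare's edge."""
    ip = ipaddress.ip_address(addr)
    ipv4, ipv6 = parse_cloudflare_ips(body)
    nets = ipv4 if ip.version == 4 else ipv6
    return any(ip in n for n in nets)
```

Running is_cloudflare_source over the source addresses in the origin's access logs flags requests that reached the origin directly, which is exactly what a firewall built from these ranges is meant to prevent.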
pew commented Dec 24, 2021

hetzner:

resource "hcloud_firewall" "cloudflare-only" {
  name = "cloudflare-in"
  rule {
    direction = "in"
    protocol  = "icmp"
    source_ips = [
      "0.0.0.0/0",
      "::/0"
    ]
  }

  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
    source_ips = local.cloudflare_ips_combined
  }
}

linode:

resource "linode_firewall" "cloudflare_only" {
  label = "cloudflare-in"

  inbound {
    label    = "https"
    action   = "ACCEPT"
    protocol = "TCP"
    ports    = "443"
    ipv4     = local.cloudflare_ipv4_cidrs
    ipv6     = local.cloudflare_ipv6_cidrs
  }

  inbound {
    label    = "icmp"
    action   = "ACCEPT"
    protocol = "ICMP"
    ipv4     = ["0.0.0.0/0"]
    ipv6     = ["::/0"]
  }

  inbound_policy  = "DROP"
  outbound_policy = "ACCEPT"

  linodes = [1234]
}
