{"id":15715411,"url":"https://github.com/cloudflare/zt-hostname-ip-list-sync","last_synced_at":"2025-10-03T23:26:34.869Z","repository":{"id":240271011,"uuid":"802148227","full_name":"cloudflare/zt-hostname-ip-list-sync","owner":"cloudflare","description":"Synchronize DNS with Zero Trust IP Lists","archived":false,"fork":false,"pushed_at":"2024-10-01T14:50:00.000Z","size":12052,"stargazers_count":2,"open_issues_count":1,"forks_count":3,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-02T11:04:34.504Z","etag":null,"topics":["cloudflare","terraform","zerotrust"],"latest_commit_sha":null,"homepage":"https://developers.cloudflare.com/cloudflare-one","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cloudflare.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-05-17T15:59:12.000Z","updated_at":"2025-03-15T09:38:55.000Z","dependencies_parsed_at":"2024-05-29T05:24:54.403Z","dependency_job_id":"ba47952b-cfa9-40a0-835a-9f1b444fa4f8","html_url":"https://github.com/cloudflare/zt-hostname-ip-list-sync","commit_stats":null,"previous_names":["cloudflare/zt-hostname-ip-list-sync"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/cloudflare/zt-hostname-ip-list-sync","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fzt-hostname-ip-list-sync","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fzt-hostname-ip-list-sync/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/c
loudflare%2Fzt-hostname-ip-list-sync/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fzt-hostname-ip-list-sync/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cloudflare","download_url":"https://codeload.github.com/cloudflare/zt-hostname-ip-list-sync/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cloudflare%2Fzt-hostname-ip-list-sync/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278242448,"owners_count":25954624,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-03T02:00:06.070Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloudflare","terraform","zerotrust"],"created_at":"2024-10-03T21:41:27.781Z","updated_at":"2025-10-03T23:26:34.819Z","avatar_url":"https://github.com/cloudflare.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Zero Trust - Hostname IP List Synchronization\n\nThis Terraform module configures Cloudflare Workers to synchronize DNS hostnames with Zero Trust IP lists. This enables writing Gateway Network policies based on Destination IP address for services using changing or dynamic IP addresses.\n\n## Prerequisites\n\n- You have a Cloudflare Zero Trust account. 
See https://developers.cloudflare.com/cloudflare-one/.\n- Terraform is installed on your device. See https://developer.hashicorp.com/terraform/install.\n\n## Installation\n\n### Generate API Tokens\n\nThis script requires two Cloudflare API tokens. See [Developer Docs](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) for guidance on provisioning API tokens. Available API permissions are documented [here](https://developers.cloudflare.com/fundamentals/api/reference/permissions/).\n\n#### WORKER_ZEROTRUST_LISTS_TOKEN\n\nThis API token is used by the Worker script to read and write Zero Trust Lists. This requires the following permissions:\n\n- Zero Trust Read\n- Zero Trust Edit\n\n#### CF_TOKEN\n\nThis API token is used by Terraform to provision the environment. This API token requires the following permissions:\n\n- Zero Trust Read\n- Zero Trust Edit\n- Worker Scripts Read\n- Worker Scripts Edit\n\n## Deployment\n\n- Copy `terraform.tfvars.example` to `terraform.tfvars`\n- Define values in `terraform.tfvars`:\n\t- CF_ACCOUNT_TAG: This is your Account ID. See [Find zone and account IDs](https://developers.cloudflare.com/fundamentals/setup/find-account-and-zone-ids/).\n\t- WORKER_ZEROTRUST_LISTS_TOKEN: Generated above.\n\t- CF_TOKEN: Generated above.\n- `terraform init`\n- `terraform apply`\n\n### Optional Parameters\n\n#### CRON_SCHEDULE\n\nDefault: `* * * * *`\n\nBy default, this script will run every minute. It can be run less frequently by defining a [cron schedule](https://developers.cloudflare.com/workers/configuration/cron-triggers/#supported-cron-expressions).\n\n## Usage\n\n### Adding hostnames to Zero Trust lists\n\nOnce deployed, you will have a new List available in the Zero Trust dashboard named: `Integration: Hostname IP Source List (Do Not Delete)`. The Worker cron uses this list to identify hostnames to synchronize with Zero Trust lists.\n\nYou can add hostnames to this list via API, CSV or manually. 
See [Developer Docs: Lists](https://developers.cloudflare.com/cloudflare-one/policies/gateway/lists/) for more information.\n\nOnce a hostname is added, a new list will be automatically generated the next time the Worker cron executes. This takes roughly a minute.\n\n### Using Hostname Lists in Firewall Policies\n\nHostname lists can be referenced using the *in list* operator. For example, to block traffic to example.com you can write a Firewall policy such as:\n\nSelector: `Destination IP`\nOperator: `in list`\nValue: `Destination IPs for example.com`\n\n### Support for Private DNS resolution\n\nThe Worker resolves DNS using a DoH Location configured in your Zero Trust dashboard. In order for the Worker to resolve and synchronize Private Hostnames to IP Lists, a Resolver Policy must be separately configured.\n\nSee [Developer Docs: Resolver policies](https://developers.cloudflare.com/cloudflare-one/policies/gateway/resolver-policies/) for more information.\n\n## Known limitations\n\n### Subrequest limits\n\nThis script is subject to Worker [subrequest limits](https://developers.cloudflare.com/workers/platform/limits/). The script performs the following requests:\n\n- One to request the list of hostnames.\n- Three per hostname:\n\t- One to perform DNS-over-HTTPS resolution.\n\t- One to fetch the hostname list.\n\t- One to patch the hostname list with added and removed IPs.\n\nAt the time of writing, this means this script is limited to:\n\n- 399 hostnames on Workers Unbound.\n- 16 hostnames on Workers Standard.\n\nPlease contact your account team if you require increased limits.\n\n### List limits\n\nBy default, Zero Trust limits accounts to [100 lists](https://developers.cloudflare.com/cloudflare-one/account-limits/). 
Please contact your account team if you require increased limits.\n\n### Geographic DNS\n\nThis script executes as a [Worker Cron Trigger](https://developers.cloudflare.com/workers/configuration/cron-triggers/) which runs on underutilized machines on Cloudflare's global network. Geographic DNS may lead to unexpected results as the script executes in different locations around the world and receives different DNS answers.\n\n## Roadmap\n\n- AAAA / IPv6 Records\n\n# FAQ\n\n## Can I rename the hostname list?\n\nYes. You can rename the title and description of this list. The Worker selects the list using the ID number defined in a Worker environment variable. \n\n## Can I modify an automatically generated hostname list?\n\nThe only property you may modify is the title. The script selects the hostname list based on the description which must not be modified. Manual IP changes will be overwritten on the next cron invocation.\n\n## Monitoring\n\nYou can monitor cron invocations and tail logs using the [Workers dashboard](https://developers.cloudflare.com/workers/configuration/cron-triggers/#view-past-events).","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fzt-hostname-ip-list-sync","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcloudflare%2Fzt-hostname-ip-list-sync","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcloudflare%2Fzt-hostname-ip-list-sync/lists"}