{"id":21828963,"url":"https://github.com/johnnymarquez/cloudflare-iac-dynamic-firewall","last_synced_at":"2025-03-21T12:41:19.461Z","repository":{"id":227961781,"uuid":"583911212","full_name":"johnnymarquez/cloudflare-iac-dynamic-firewall","owner":"johnnymarquez","description":"Cloudflare Infrastructure as Code Dynamical Allocation of Firewall Rules.","archived":false,"fork":false,"pushed_at":"2023-01-22T19:13:27.000Z","size":13,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-26T08:41:55.911Z","etag":null,"topics":["aws","cloudflare","infrastructure-as-code","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/johnnymarquez.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2022-12-31T12:27:54.000Z","updated_at":"2023-03-23T20:28:49.000Z","dependencies_parsed_at":"2024-03-22T09:30:15.284Z","dependency_job_id":null,"html_url":"https://github.com/johnnymarquez/cloudflare-iac-dynamic-firewall","commit_stats":null,"previous_names":["johnnymarquez/cloudflare-iac-dynamic-firewall"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnnymarquez%2Fcloudflare-iac-dynamic-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnnymarquez%2Fcloudflare-iac-dynamic-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnnymarquez%2Fcloudflare-iac-dynamic-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/johnnymarquez%2Fcloudflare-iac-dynamic-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/johnnymarquez","download_url":"https://codeload.github.com/johnnymarquez/cloudflare-iac-dynamic-firewall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244800339,"owners_count":20512447,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","cloudflare","infrastructure-as-code","terraform"],"created_at":"2024-11-27T18:19:27.139Z","updated_at":"2025-03-21T12:41:19.439Z","avatar_url":"https://github.com/johnnymarquez.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Cloudflare Infrastructure as Code Dynamical Allocation of Firewall Rules\n\nThe following repository contains sample infrastructure as code for managing Cloudflare resources. Relevant features\ninclude the dynamic provisioning of new rules and rulesets using Terraform's dynamic nested\nblocks. [Reference](https://developer.hashicorp.com/terraform/language/expressions/dynamic-blocks).\n\n## Export Api Key \u0026 Email as environment variables or secrets to maintain security\n\n        export TF_VAR_cf_apikey=''\n        export TF_VAR_cf_email=''\n        export TF_VAR_account_id=''\n\n## Fulfill zone settings\n\n        tfvars/environment.tfvars with zone information\n\n## Local workflow\n\n        terraform init\n        terraform workspace new sandbox\n        terraform plan --var-file=tfvars/sandbox.tfvars\n\n## Firewall Rules\n\nThe process to include a new rule is to add it into the sets of strings in the ```tfvars/env``` file, since this would\nallow\nto dynamically assign different rules to specific workspaces. A different approach would be to assign the rules with the\nsame format into the ```fw_rules``` resource inside ```variables.tf```\nExample:\n\n```\n{\n   action = \"allow\"\n   description = \"allow:amv/acceptlist-aws\"\n   expression = \"(ip.src in $amv_aws)\"\n   paused = false\n   products = []\n},\n```\n\nFor possible values on action, expression, and products, please refer to\n[Cloudflare Documentation](https://developers.cloudflare.com/firewall/).\nFor the description field, a personal preference is to include enough detail in the\nformat ```actions:brand/description```\n\n## Ruleset\n\nDynamic Ruleset resource has the capability to automatically create new resources by just listing them as a list of\nobjects into the ```tfvars/env``` file. With the given structure, the resource allows un unlimited number of rulesets\nwith unlimited number of nested headers inside whichever ruleset created.\nThe following is an example structure that can increase according to the needs of the project. However, as a good\npractice and to maintain a clear organization, the nested Rulesets should belong to the same purpose/project/subject.\nWhen your project requires a new kind of Releset, the generation of a new ```resource``` or ```terraform``` file would\nbe better suited.\n\n```\n  {\n    action      = \"rewrite\",\n    description = \"ClientHints\",\n    enabled     = true\n    expression  = \"(http.request.method eq \\\"GET\\\")\"\n    headers     = [\n      {\n        name      = \"accept-ch\"\n        operation = \"set\"\n        value     = \"sec-ch-ua-model,sec-ch-ua-platform-version\"\n      },\n      {\n        name      = \"permissions-policy\"\n        operation = \"set\"\n        value     = \"ch-ua-model=*,ch-ua-platform-version=*\"\n      },\n    ]\n  },\n  {\n    action      = \"rewrite\",\n    description = \"X-Frame-Options header prevents click-jacking attacks\",\n    enabled     = true\n    expression  = \"(not http.request.uri.path matches \\\"^/api/.*\\\")\"\n    headers     = [\n      {\n        name      = \"X-Frame-Options\"\n        operation = \"set\"\n        value     = \"DENY\"\n      },\n    ]\n  },\n```","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnnymarquez%2Fcloudflare-iac-dynamic-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjohnnymarquez%2Fcloudflare-iac-dynamic-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjohnnymarquez%2Fcloudflare-iac-dynamic-firewall/lists"}