Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/johnnymarquez/cloudflare-iac-dynamic-firewall
Cloudflare Infrastructure as Code Dynamical Allocation of Firewall Rules.
aws cloudflare infrastructure-as-code terraform
Last synced: 8 days ago
- Host: GitHub
- URL: https://github.com/johnnymarquez/cloudflare-iac-dynamic-firewall
- Owner: johnnymarquez
- Created: 2022-12-31T12:27:54.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-01-22T19:13:27.000Z (about 2 years ago)
- Last Synced: 2024-11-27T18:18:53.286Z (2 months ago)
- Topics: aws, cloudflare, infrastructure-as-code, terraform
- Language: HCL
- Homepage:
- Size: 12.7 KB
- Stars: 2
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Cloudflare Infrastructure as Code Dynamical Allocation of Firewall Rules
This repository contains sample infrastructure as code for managing Cloudflare resources. The relevant feature is the dynamic provisioning of new rules and rulesets using Terraform's dynamic nested blocks. [Reference](https://developer.hashicorp.com/terraform/language/expressions/dynamic-blocks).

## Export API key & email as environment variables or secrets to maintain security
```
export TF_VAR_cf_apikey=''
export TF_VAR_cf_email=''
export TF_VAR_account_id=''
```

Terraform reads any variable whose name is prefixed with `TF_VAR_` from the environment, so the credentials never have to be written into a tfvars file that could end up committed.

## Fulfill zone settings

Populate `tfvars/environment.tfvars` with the zone information for the target environment.
## Local workflow

```
terraform init
terraform workspace new sandbox
terraform plan --var-file=tfvars/sandbox.tfvars
```

## Firewall Rules
To add a new rule, append an object to the list of rules in the `tfvars/env` file; keeping the rules in the per-environment tfvars file lets each workspace carry its own set of rules. Alternatively, rules in the same format can be placed in the default of the `fw_rules` variable inside `variables.tf`.

Example:

```
{
action = "allow"
description = "allow:amv/acceptlist-aws"
expression = "(ip.src in $amv_aws)"
paused = false
products = []
},
```

For the possible values of action, expression, and products, please refer to the
[Cloudflare Documentation](https://developers.cloudflare.com/firewall/).
For the description field, a personal preference is to include enough detail in the
format `action:brand/description`, as in `allow:amv/acceptlist-aws` above.

## Ruleset
The dynamic ruleset resource creates new rules automatically from a list of objects in the `tfvars/env` file. With the given structure, the resource accepts an unlimited number of rulesets, each with an unlimited number of nested headers.

The following is an example structure that can grow according to the needs of the project. However, as a good practice and to keep the organization clear, the nested rulesets should serve the same purpose/project/subject. When your project requires a new kind of ruleset, generating a new `resource` or Terraform file is better suited.

```
{
action = "rewrite",
description = "ClientHints",
enabled = true
expression = "(http.request.method eq \"GET\")"
headers = [
{
name = "accept-ch"
operation = "set"
value = "sec-ch-ua-model,sec-ch-ua-platform-version"
},
{
name = "permissions-policy"
operation = "set"
value = "ch-ua-model=*,ch-ua-platform-version=*"
},
]
},
{
action = "rewrite",
description = "X-Frame-Options header prevents click-jacking attacks",
enabled = true
expression = "(not http.request.uri.path matches \"^/api/.*\")"
headers = [
{
name = "X-Frame-Options"
operation = "set"
value = "DENY"
},
]
},
```
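As an added example (this is not code from the repository), the root-module wiring that turns the objects shown in the Firewall Rules and Ruleset sections into Cloudflare resources: the `fw_rules` list is materialised with `for_each` over a map keyed by description, and the header-rewrite objects become nested `dynamic` blocks of a single `cloudflare_ruleset`. It assumes Cloudflare provider 3.x (the `cloudflare_filter`/`cloudflare_firewall_rule` pair is deprecated in later major versions in favour of a `cloudflare_ruleset` in the `http_request_firewall_custom` phase); the variable names `zone_id` and `rulesets`, the resource names and the ruleset `name` are assumptions, not names taken from the repository.

```hcl
# Added example, not the repository's own code. Assumes Cloudflare provider 3.x;
# every name other than fw_rules (zone_id, rulesets, resource names) is assumed.
# Credentials arrive from TF_VAR_cf_email / TF_VAR_cf_apikey (see the export
# step above); sensitive = true keeps the key out of plan output and CLI logs.
variable "cf_email" { type = string }
variable "cf_apikey" {
  type      = string
  sensitive = true
}
variable "zone_id" { type = string } # from tfvars/environment.tfvars
provider "cloudflare" {
  email   = var.cf_email
  api_key = var.cf_apikey
}

# Firewall rules in the README's object format. The validation makes a mistyped
# action fail at plan time instead of as an API error during apply.
variable "fw_rules" {
  type = list(object({
    action      = string
    description = string
    expression  = string
    paused      = bool
    products    = list(string)
  }))
  default = []
  validation {
    condition     = alltrue([for r in var.fw_rules : contains(["allow", "block", "challenge", "js_challenge", "managed_challenge", "log", "bypass"], r.action)])
    error_message = "Each fw_rules action must be a Cloudflare firewall rule action."
  }
}

locals {
  # Key rules by description so each rule keeps a stable state address when the
  # list is reordered; count-based indexing would recreate every later rule.
  fw_rules = { for r in var.fw_rules : r.description => r }
}

resource "cloudflare_filter" "this" {
  for_each    = local.fw_rules
  zone_id     = var.zone_id
  description = each.value.description
  expression  = each.value.expression
}

resource "cloudflare_firewall_rule" "this" {
  for_each    = local.fw_rules
  zone_id     = var.zone_id
  description = each.value.description
  filter_id   = cloudflare_filter.this[each.key].id
  action      = each.value.action
  paused      = each.value.paused
  products    = each.value.products
}

# Header-rewrite rules in the README's Ruleset format.
variable "rulesets" {
  type = list(object({
    action      = string
    description = string
    enabled     = bool
    expression  = string
    headers = list(object({
      name      = string
      operation = string
      value     = string
    }))
  }))
  default = []
}

resource "cloudflare_ruleset" "response_headers" {
  zone_id = var.zone_id
  name    = "Response header transforms"
  kind    = "zone"
  phase   = "http_response_headers_transform"
  # One rules block per object in var.rulesets ...
  dynamic "rules" {
    for_each = var.rulesets
    content {
      action      = rules.value.action
      description = rules.value.description
      enabled     = rules.value.enabled
      expression  = rules.value.expression
      action_parameters {
        # ... and one headers block per entry in that object's headers list.
        dynamic "headers" {
          for_each = rules.value.headers
          content {
            name      = headers.value.name
            operation = headers.value.operation
            value     = headers.value.value
          }
        }
      }
    }
  }
}
```

With this in place, the local workflow above (`terraform workspace new sandbox`, then `terraform plan --var-file=tfvars/sandbox.tfvars`) plans one `cloudflare_filter` and one `cloudflare_firewall_rule` per object in `fw_rules`, addressed as `cloudflare_firewall_rule.this["allow:amv/acceptlist-aws"]`, and a single `cloudflare_ruleset` whose `rules` mirror the `rulesets` list; because the description is the map key, two rules with the same description are rejected at plan time rather than silently overwriting each other.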