feat! remove firewall rules (#43)
* refactor(firewall): implement new 'ruleset' resource

* fix(main): typo in argo_enabled

* fix: remove deprecated firewall resources

* example: update with deprecated firewall resources removed

* docs: update terraform.md and README

* feat(versions): bump cloudflare provider to >= 4.0

* example: update req provider and outputs
bcdady authored Jun 14, 2024
1 parent c0a704b commit 9141c9a
Showing 11 changed files with 31 additions and 142 deletions.
3 changes: 3 additions & 0 deletions .gitignore
@@ -1,6 +1,9 @@
# Local .terraform directories
**/.terraform/*

# Local .terraform lock file
**/.terraform.lock.hcl

# .tfstate files
*.tfstate
*.tfstate.*
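Review bot: adding `**/.terraform.lock.hcl` to .gitignore removes the one file that pins provider versions and their checksums for the root module under examples/complete, and it does so in the same commit whose Providers tables start listing exact versions (cloudflare 4.34.0, time 0.11.2) that can then no longer be reproduced from anything tracked in the repo. Ignoring the lock file is defensible for a reusable child module, but examples/complete is a root module that gets initialised and applied; consider keeping its lock file tracked (or narrowing the pattern so only the module root is ignored) so `terraform init` verifies the provider build that was actually tested.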
63 changes: 19 additions & 44 deletions README.md
@@ -8,9 +8,6 @@

<!--
** DO NOT EDIT THIS FILE
**
** This file was automatically generated by the `cloudposse/build-harness`.
@@ -21,29 +18,22 @@
** (We maintain HUNDREDS of open source projects. This is how we maintain our sanity.)
**
-->

Terraform module to provision a CloudFlare zone with: DNS records, Argo, Firewall filters and rules.


> [!TIP]
> #### 👽 Use Atmos with Terraform
>
> ### 👽 Use Atmos with Terraform
>
> Cloud Posse uses [`atmos`](https://atmos.tools) to easily orchestrate multiple environments using Terraform. <br/>
> Works with [Github Actions](https://atmos.tools/integrations/github-actions/), [Atlantis](https://atmos.tools/integrations/atlantis), or [Spacelift](https://atmos.tools/integrations/spacelift).
>
> <details>
> <summary><strong>Watch demo of using Atmos with Terraform</strong></summary>
> <img src="https://github.com/cloudposse/atmos/blob/master/docs/demo.gif?raw=true"/><br/>
> <i>Example of running <a href="https://atmos.tools"><code>atmos</code></a> to manage infrastructure from our <a href="https://atmos.tools/quick-start/">Quick Start</a> tutorial.</i>
> </detalis>



> </details>
## Usage

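Review bot: the module description `Terraform module to provision a CloudFlare zone with: DNS records, Argo, Firewall filters and rules.` is left as unchanged context in this hunk, yet the commit deletes firewall.tf, the `firewall_rules` input and the `cloudflare_filter`/`cloudflare_firewall_rule` resources; update the sentence to name what replaces them (the commit message says a ruleset resource) so the first line a user reads does not advertise a feature that no longer exists. The `</detalis>` to `</details>` fix in the same hunk is correct and should stay.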
@@ -95,20 +85,14 @@ module "zone" {
> you're using. This practice ensures the stability of your infrastructure. Additionally, we recommend implementing a systematic
> approach for updating versions to avoid unexpected changes.




## Examples

Here is an example of using this module:
- [`examples/complete`](examples/complete) - complete example of using this module



- [`examples/complete`](examples/complete) - complete example of using this module

<!-- markdownlint-disable -->
## Makefile Targets

```text
Available targets:
@@ -118,22 +102,21 @@ Available targets:
lint Lint terraform code
```
<!-- markdownlint-restore -->
<!-- markdownlint-disable -->

## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 3.23 |
| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 4.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.8 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | >= 3.23 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.8 |
| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | 4.34.0 |
| <a name="provider_time"></a> [time](#provider\_time) | 0.11.2 |

## Modules

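Review bot: the Requirements row moves to `>= 4.0` with no upper bound, so the next major release of the cloudflare provider would satisfy the constraint and could break consumers again the way 3.x to 4.x did here; since this commit is already marked breaking (`feat!`) and adopts the 4.x API, `~> 4.0` would keep users on the tested major series. Separately, the Providers rows change from constraint ranges (`>= 3.23`, `>= 0.8`) to the exact versions `4.34.0` and `0.11.2`, which is what terraform-docs emits when a lock file is present; with the lock file now gitignored these values will go stale on the next regeneration, so either track the lock file or keep the generated tables consistent with the Requirements constraints.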
@@ -146,8 +129,6 @@ Available targets:
| Name | Type |
|------|------|
| [cloudflare_argo.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/argo) | resource |
| [cloudflare_filter.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/filter) | resource |
| [cloudflare_firewall_rule.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/firewall_rule) | resource |
| [cloudflare_healthcheck.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/healthcheck) | resource |
| [cloudflare_page_rule.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/page_rule) | resource |
| [cloudflare_record.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/record) | resource |
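Review bot: this hunk removes the `cloudflare_filter.default` and `cloudflare_firewall_rule.default` rows but adds no row for the `cloudflare_ruleset` resource that the commit message (`refactor(firewall): implement new 'ruleset' resource`) says was introduced, and firewall.tf is deleted outright elsewhere in the diff. If the ruleset resource lives in a file that is not shown, confirm the generated Resources table includes it; if it does not exist yet, the commit title should not claim it, because a reader will assume the zone still has a managed WAF layer.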
@@ -170,7 +151,6 @@ Available targets:
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_firewall_rules"></a> [firewall\_rules](#input\_firewall\_rules) | paused:<br> Whether this filter is currently paused.<br>expression:<br> The filter expression to be used.<br>description:<br> A note that you can use to describe the purpose of the filter and rule.<br>ref:<br> Short reference tag to quickly select related rules.<br>action:<br> The action to apply to a matched request.<br> Possible values: `block`, `challenge`, `allow`, `js_challenge`, `bypass`.<br>priority:<br> The priority of the rule to allow control of processing order.<br> A lower number indicates high priority.<br> If not provided, any rules with a priority will be sequenced before those without.<br>products:<br> List of products to bypass for a request when the bypass action is used.<br> Possible values: `zoneLockdown`, `uaBlock`, `bic`, `hot`, `securityLevel`, `rateLimit`, `waf`. | `list(any)` | `null` | no |
| <a name="input_healthchecks"></a> [healthchecks](#input\_healthchecks) | A list of maps of Health Checks rules.<br>The values of map is fully compliant with `cloudflare_healthcheck` resource.<br>To get more info see https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/healthcheck | `list(any)` | `null` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <a name="input_jump_start"></a> [jump\_start](#input\_jump\_start) | Whether to scan for DNS records on creation. | `bool` | `false` | no |
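Review bot: dropping the `firewall_rules` input with no replacement row in this hunk means any caller that still sets `firewall_rules` fails at plan time with an unsupported-argument error, which is the intended effect of a `feat!` commit but needs a migration note. Add a short section to the README naming the new input, and carry over the semantics this row documented (`action` values, `priority` ordering, `paused`) into the replacement's description so the change in behaviour is visible to someone reviewing a plan rather than discovered after apply.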
@@ -196,8 +176,6 @@ Available targets:

| Name | Description |
|------|-------------|
| <a name="output_filter_ids"></a> [filter\_ids](#output\_filter\_ids) | A list of filter IDs. |
| <a name="output_firewall_rule_ids"></a> [firewall\_rule\_ids](#output\_firewall\_rule\_ids) | A list of firewall rule IDs. |
| <a name="output_id"></a> [id](#output\_id) | The zone ID. |
| <a name="output_meta_phishing_detected"></a> [meta\_phishing\_detected](#output\_meta\_phishing\_detected) | Indicates if URLs on the zone have been identified as hosting phishing content. |
| <a name="output_meta_wildcard_proxiable"></a> [meta\_wildcard\_proxiable](#output\_meta\_wildcard\_proxiable) | Indicates whether wildcard DNS records can receive Cloudflare security and performance features. |
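Review bot: `filter_ids` and `firewall_rule_ids` are removed without a replacement output, so any root module that reads `module.zone.firewall_rule_ids` (as examples/complete/outputs.tf did before this commit) will no longer evaluate. If the new ruleset resource exposes an ID, export it here so the module's output contract shrinks deliberately rather than silently.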
@@ -210,25 +188,22 @@ Available targets:
| <a name="output_verification_key"></a> [verification\_key](#output\_verification\_key) | Contains the TXT record value to validate domain ownership. This is only populated for zones of type `partial`. |
<!-- markdownlint-restore -->


## Related Projects

Check out these related projects.

- [terraform-null-label](https://github.com/cloudposse/terraform-null-label) - Terraform Module to define a consistent naming convention by (namespace, stage, name, [attributes])
- [terraform-cloudflare-waf-rulesets](https://github.com/cloudposse/terraform-cloudflare-waf-rulesets) - Terraform module to manage CloudFlare WAF rulesetes


## References

For additional context, refer to some of these links.

- [terraform-provider-cloudflare](https://registry.terraform.io/providers/cloudflare/cloudflare/latest) - Cloudflare Terraform Provider



> [!TIP]
> #### Use Terraform Reference Architectures for AWS
>
> ### Use Terraform Reference Architectures for AWS
>
> Use Cloud Posse's ready-to-go [terraform architecture blueprints](https://cloudposse.com/reference-architecture/) for AWS to get up and running quickly.
>
@@ -246,7 +221,9 @@ For additional context, refer to some of these links.
> *Your team can operate like a pro today.*
>
> Ensure that your team succeeds by using Cloud Posse's proven process and turnkey blueprints. Plus, we stick around until you succeed.
> #### Day-0: Your Foundation for Success
>
> ### Day-0: Your Foundation for Success
>
> - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code.
> - **Deployment Strategy.** Adopt a proven deployment strategy with GitHub Actions, enabling automated, repeatable, and reliable software releases.
> - **Site Reliability Engineering.** Gain total visibility into your applications and services with Datadog, ensuring high availability and performance.
@@ -255,7 +232,8 @@ For additional context, refer to some of these links.
>
> <a href="https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-cloudflare-zone&utm_content=commercial_support"><img alt="Request Quote" src="https://img.shields.io/badge/request%20quote-success.svg?style=for-the-badge"/></a>
>
> #### Day-2: Your Operational Mastery
> ### Day-2: Your Operational Mastery
>
> - **Training.** Equip your team with the knowledge and skills to confidently manage the infrastructure, ensuring long-term success and self-sufficiency.
> - **Support.** Benefit from a seamless communication over Slack with our experts, ensuring you have the support you need, whenever you need it.
> - **Troubleshooting.** Access expert assistance to quickly resolve any operational challenges, minimizing downtime and maintaining business continuity.
@@ -271,8 +249,6 @@ For additional context, refer to some of these links.

This project is under active development, and we encourage contributions from our community.



Many thanks to our outstanding contributors:

<a href="https://github.com/cloudposse/terraform-cloudflare-zone/graphs/contributors">
@@ -282,6 +258,7 @@ Many thanks to our outstanding contributors:
For 🐛 bug reports & feature requests, please use the [issue tracker](https://github.com/cloudposse/terraform-cloudflare-zone/issues).

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

1. Review our [Code of Conduct](https://github.com/cloudposse/terraform-cloudflare-zone/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md).
2. **Fork** the repo on GitHub
3. **Clone** the project to your own machine
@@ -333,19 +310,17 @@ KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
```

</details>

## Trademarks

All other trademarks referenced herein are the property of their respective owners.


## Copyrights

Copyright © 2021-2024 [Cloud Posse, LLC](https://cloudposse.com)



<a href="https://cloudposse.com/readme/footer/link?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/terraform-cloudflare-zone&utm_content=readme_footer_link"><img alt="README footer" src="https://cloudposse.com/readme/footer/img"/></a>

<img alt="Beacon" width="0" src="https://ga-beacon.cloudposse.com/UA-76589703-4/cloudposse/terraform-cloudflare-zone?pixel&cs=github&cm=readme&an=terraform-cloudflare-zone"/>
11 changes: 3 additions & 8 deletions docs/terraform.md
@@ -4,15 +4,15 @@
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 3.23 |
| <a name="requirement_cloudflare"></a> [cloudflare](#requirement\_cloudflare) | >= 4.0 |
| <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.8 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | >= 3.23 |
| <a name="provider_time"></a> [time](#provider\_time) | >= 0.8 |
| <a name="provider_cloudflare"></a> [cloudflare](#provider\_cloudflare) | 4.34.0 |
| <a name="provider_time"></a> [time](#provider\_time) | 0.11.2 |

## Modules

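Review bot: docs/terraform.md carries the same generated Requirements and Providers tables as README.md, with the same unbounded `>= 4.0` constraint and the same exact provider versions `4.34.0` and `0.11.2`; whatever constraint and version source is settled on for the README should be regenerated into this file with terraform-docs rather than edited by hand, otherwise the two copies will diverge on the next build-harness run.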
@@ -25,8 +25,6 @@
| Name | Type |
|------|------|
| [cloudflare_argo.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/argo) | resource |
| [cloudflare_filter.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/filter) | resource |
| [cloudflare_firewall_rule.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/firewall_rule) | resource |
| [cloudflare_healthcheck.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/healthcheck) | resource |
| [cloudflare_page_rule.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/page_rule) | resource |
| [cloudflare_record.default](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/record) | resource |
@@ -49,7 +47,6 @@
| <a name="input_descriptor_formats"></a> [descriptor\_formats](#input\_descriptor\_formats) | Describe additional descriptors to be output in the `descriptors` output map.<br>Map of maps. Keys are names of descriptors. Values are maps of the form<br>`{<br> format = string<br> labels = list(string)<br>}`<br>(Type is `any` so the map values can later be enhanced to provide additional options.)<br>`format` is a Terraform format string to be passed to the `format()` function.<br>`labels` is a list of labels, in order, to pass to `format()` function.<br>Label values will be normalized before being passed to `format()` so they will be<br>identical to how they appear in `id`.<br>Default is `{}` (`descriptors` output will be empty). | `any` | `{}` | no |
| <a name="input_enabled"></a> [enabled](#input\_enabled) | Set to false to prevent the module from creating any resources | `bool` | `null` | no |
| <a name="input_environment"></a> [environment](#input\_environment) | ID element. Usually used for region e.g. 'uw2', 'us-west-2', OR role 'prod', 'staging', 'dev', 'UAT' | `string` | `null` | no |
| <a name="input_firewall_rules"></a> [firewall\_rules](#input\_firewall\_rules) | paused:<br> Whether this filter is currently paused.<br>expression:<br> The filter expression to be used.<br>description:<br> A note that you can use to describe the purpose of the filter and rule.<br>ref:<br> Short reference tag to quickly select related rules.<br>action:<br> The action to apply to a matched request.<br> Possible values: `block`, `challenge`, `allow`, `js_challenge`, `bypass`.<br>priority:<br> The priority of the rule to allow control of processing order.<br> A lower number indicates high priority.<br> If not provided, any rules with a priority will be sequenced before those without.<br>products:<br> List of products to bypass for a request when the bypass action is used.<br> Possible values: `zoneLockdown`, `uaBlock`, `bic`, `hot`, `securityLevel`, `rateLimit`, `waf`. | `list(any)` | `null` | no |
| <a name="input_healthchecks"></a> [healthchecks](#input\_healthchecks) | A list of maps of Health Checks rules.<br>The values of map is fully compliant with `cloudflare_healthcheck` resource.<br>To get more info see https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/healthcheck | `list(any)` | `null` | no |
| <a name="input_id_length_limit"></a> [id\_length\_limit](#input\_id\_length\_limit) | Limit `id` to this many characters (minimum 6).<br>Set to `0` for unlimited length.<br>Set to `null` for keep the existing setting, which defaults to `0`.<br>Does not affect `id_full`. | `number` | `null` | no |
| <a name="input_jump_start"></a> [jump\_start](#input\_jump\_start) | Whether to scan for DNS records on creation. | `bool` | `false` | no |
@@ -75,8 +72,6 @@

| Name | Description |
|------|-------------|
| <a name="output_filter_ids"></a> [filter\_ids](#output\_filter\_ids) | A list of filter IDs. |
| <a name="output_firewall_rule_ids"></a> [firewall\_rule\_ids](#output\_firewall\_rule\_ids) | A list of firewall rule IDs. |
| <a name="output_id"></a> [id](#output\_id) | The zone ID. |
| <a name="output_meta_phishing_detected"></a> [meta\_phishing\_detected](#output\_meta\_phishing\_detected) | Indicates if URLs on the zone have been identified as hosting phishing content. |
| <a name="output_meta_wildcard_proxiable"></a> [meta\_wildcard\_proxiable](#output\_meta\_wildcard\_proxiable) | Indicates whether wildcard DNS records can receive Cloudflare security and performance features. |
8 changes: 0 additions & 8 deletions examples/complete/main.tf
@@ -35,14 +35,6 @@ module "zone" {
}
]

firewall_rules = [
{
expression = "(ip.src eq 192.168.0.1)"
description = "Block access from 192.168.0.1"
action = "block"
}
]

healthchecks = [
{
address = format("bastion-%s.%s", join("", var.attributes), var.zone)
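Review bot: the deleted block was the complete example's only demonstration of a blocking rule (`expression = "(ip.src eq 192.168.0.1)"` with `action = "block"`), and nothing in this hunk shows the ruleset-based equivalent, so after this commit the example exercises DNS records and health checks but no longer applies any request-filtering control. Replace the block with the new input expressed against the ruleset resource the commit title says was implemented; an example that only removes the security control gives users no migration path and will not catch regressions in the new code.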
10 changes: 0 additions & 10 deletions examples/complete/outputs.tf
@@ -8,16 +8,6 @@ output "zone_record_hostnames_to_ids" {
value = module.zone.record_hostnames_to_ids
}

output "zone_filter_ids" {
description = "A list of filter IDs."
value = module.zone.filter_ids
}

output "zone_firewall_rule_ids" {
description = "A list of firewall rule IDs."
value = module.zone.firewall_rule_ids
}

output "zone_page_rule_targets_to_ids" {
description = "A map of the page rule targets to IDs."
value = module.zone.page_rule_targets_to_ids
2 changes: 1 addition & 1 deletion examples/complete/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
cloudflare = {
source = "cloudflare/cloudflare"
version = ">= 3.23"
version = ">= 4.0"
}
time = {
source = "hashicorp/time"
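Review bot: `version = ">= 4.0"` has no upper bound, and because this commit also gitignores `.terraform.lock.hcl`, the example now has neither a major-version ceiling nor a checksum pin, so a fresh `terraform init` resolves to whatever the newest cloudflare release is at that moment. `version = "~> 4.0"` keeps the example on the 4.x series this commit was written against, and a tracked lock file restores the provider hash verification; both together are what a reproducible example needs.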
31 changes: 0 additions & 31 deletions firewall.tf

This file was deleted.

8 changes: 4 additions & 4 deletions main.tf
@@ -1,7 +1,7 @@
locals {
tiered_caching = local.argo_enabed && var.argo_tiered_caching_enabled ? "on" : "off"
smart_routing = local.argo_enabed && var.argo_smart_routing_enabled ? "on" : "off"
argo_enabed = module.this.enabled && var.argo_enabled
tiered_caching = local.argo_enabled && var.argo_tiered_caching_enabled ? "on" : "off"
smart_routing = local.argo_enabled && var.argo_smart_routing_enabled ? "on" : "off"
argo_enabled = module.this.enabled && var.argo_enabled
zone_enabled = module.this.enabled && var.zone_enabled
zone_exists = module.this.enabled && !var.zone_enabled
records_enabled = module.this.enabled && length(var.records) > 0
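Review bot: the rename from `argo_enabed` to `argo_enabled` is correct and all three references in this locals block are updated consistently, as is the `count` on `cloudflare_argo.default` further down. Since the old misspelled name was a working local, grep the files not shown in this diff (outputs.tf, variables.tf) for any remaining `argo_enabed` reference before merging; a stale one would fail validation with an undefined-local error rather than a typo warning.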
@@ -44,7 +44,7 @@ resource "cloudflare_record" "default" {
}

resource "cloudflare_argo" "default" {
count = local.argo_enabed ? 1 : 0
count = local.argo_enabled ? 1 : 0

zone_id = local.zone_id
tiered_caching = local.tiered_caching