AWS CloudFlare security group Terraform module

Terraform module that populates a security group with cloudflare ip ranges and keeps it updated daily.

The following resources are created:

• A lambda function that keeps your security group's ingress rules updated with published cloudflare ip ranges.
• A cloudwatch event rule with a schedule to trigger the lambda daily

Usage

module "cloudflare-ips" {
  source = "github.com/orzarchi/terraform-aws-cloudflare-security-group"

  security_group_id = "${aws_security_group.cloudflare.id}"
  enabled= "${var.use_cloudflare}"
}

Requirements

No requirements.

Providers

Name	Version
archive	n/a
aws	n/a

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_event_rule.cloudflare-update-schedule	resource
aws_cloudwatch_event_target.cloudflare-update-schedule	resource
aws_cloudwatch_log_group.lambda-log-group	resource
aws_iam_policy.policy	resource
aws_iam_role.iam_for_lambda	resource
aws_iam_role_policy_attachment.policy	resource
aws_lambda_function.update-ips	resource
aws_lambda_permission.allow_cloudwatch	resource
aws_security_group_rule.egress_http	resource
aws_security_group_rule.egress_https	resource
archive_file.lambda_zip	data source

Inputs

Name	Description	Type	Default	Required
enabled	Whether to do anything at all, useful if cloudflare is not needed on all environments. Accepts the string 'true' or 'false'.	string	"true"	no
schedule_expression	The cloudwatch schedule expression used to run the updater lambda.	string	"cron(0 20 * * ? *)"	no
security_group_id	An existing security group to populate with cloudflare ips as ingress rules.	any	n/a	yes

Outputs

No outputs.

Variables

• security_group_id: An existing security group to populate with cloudflare ips as ingress rules.
• schedule_expression: The cloudwatch schedule expression used to run the updater lambda. Defaults to every day at 20:00.
• enabled (Optional) - whether to do anything at all, useful if cloudflare is not needed on all environments. Accepts the string "true" or "false". Defaults to "true"