This Terraform module manages Cloudflare Firewall rules to their full extent (including for Enterprise customers).
When Cloudflare firewall rules are deleted and recreated with the same expression, Terraform is faster than the Cloudflare API and fails with an error stating that the rule already exists.

To work around this limitation, all rules in this module are indexed by their firewall expression (see locals.tf). Firewall expressions must be unique in Cloudflare anyway, so the index can never contain duplicates. This also means that whenever an expression changes, the corresponding rule is recreated; changes to any other value do not trigger a recreation.
This module omits the `priority` key for rulesets and auto-calculates it from the order in which the rules appear in the `rules` list.
Example `terraform.tfvars`:

```hcl
domain = "domain.tld"
rules = [
  {
    description = "Test (WAF Bypass)"
    paused      = false
    action      = "bypass"
    expression  = "(http.user_agent contains \"UA-TEST/\" and ip.src eq 1.2.3.4 and http.request.uri.path eq \"/api/endpoint\")"
    products    = ["waf"]
  },
  {
    description = "Test"
    paused      = false
    action      = "allow"
    expression  = "(http.user_agent contains \"UA-TEST1\" and ip.src eq 1.2.3.4 and http.request.uri.path eq \"/api/endpoint\")"
    products    = []
  },
]
```
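The following is an added illustration of the indexing and priority scheme described above; it is not the module's own locals.tf. It assumes a `data "cloudflare_zone"` lookup by `var.domain`, the `cloudflare_filter` and `cloudflare_firewall_rule` resources of the 4.x provider, and the `rules` object type declared below (which uses `enabled`, mapped here onto the provider's `paused` attribute):

```hcl
# Added illustration, not the module's code. Assumes var.domain and var.rules.
data "cloudflare_zone" "this" {
  name = var.domain
}

locals {
  # Key every rule by its expression. Cloudflare requires expressions to be
  # unique per zone, so keys cannot collide, and changing an expression
  # forces a destroy/create of that one rule only. Priority is derived from
  # list position, so reordering the list changes priorities in place.
  rules = {
    for idx, rule in var.rules :
    rule.expression => merge(rule, { priority = idx + 1 })
  }
}

# The filter holds the expression; the rule holds the action applied to it.
resource "cloudflare_filter" "this" {
  for_each    = local.rules
  zone_id     = data.cloudflare_zone.this.id
  description = each.value.description
  expression  = each.key
  paused      = !each.value.enabled
}

resource "cloudflare_firewall_rule" "this" {
  for_each    = local.rules
  zone_id     = data.cloudflare_zone.this.id
  description = each.value.description
  filter_id   = cloudflare_filter.this[each.key].id
  action      = each.value.action
  priority    = each.value.priority
  paused      = !each.value.enabled
  products    = each.value.products
}
```

Because `for_each` is keyed by expression rather than by list index, inserting a rule in the middle of the list only updates `priority` on the rules that follow it instead of recreating them.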
Providers used by this module:

| Name | Version |
|---|---|
| cloudflare | ~> 4.29 |

Version requirements:

| Name | Version |
|---|---|
| terraform | >= 1.5 |
| cloudflare | ~> 4.29 |
The following input variables are required:

- Cloudflare API token. Type: `string`
- `domain`: Cloudflare domain to apply rules for. Type: `string`

The following input variables are optional (have default values):

- `rules`: List of Cloudflare firewall rule objects. Default: `[]`. Type:

```hcl
list(object({
  description = string
  enabled     = bool
  action      = string
  expression  = string
  products    = list(string)
}))
```
Outputs:

| Name | Description |
|---|---|
| domain | Current zone information. |
| rules | Created Cloudflare rules for the current zone. |
Copyright (c) 2021 flaconi