# terraform-cloudflare-tailscale-blocklist

Terraform module for deploying a Cloudflare blocklist on Tailscale exit nodes.

> **Warning**
>
> Cloudflare Zero Trust (CZT) expects a default location to exist at all times. Manually create an empty CZT default location before working with this module.

## Usage

### Single IP

```hcl
terraform {
  required_version = "~> 1.0"
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.0"
    }
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.0"
    }
  }
}

provider "cloudflare" {}

provider "tailscale" {}

module "blocklist" {
  source = "github.com/bendwyer/terraform-cloudflare-tailscale-blocklist"

  cloudflare_account_id = "abcdefgh123456"
  public_ip_address     = "123.456.789"
}
```

### Multiple IPs

```hcl
terraform {
  required_version = "~> 1.0"
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.0"
    }
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.0"
    }
  }
}

provider "cloudflare" {}

provider "tailscale" {}

locals {
  public_ip_address = [
    "123.456.789",
    "12.345.67"
  ]
}

module "blocklist" {
  source = "github.com/bendwyer/terraform-cloudflare-tailscale-blocklist"

  cloudflare_account_id = "abcdefgh123456"
  public_ip_address     = local.public_ip_address
}
```

### Tailscale exit nodes

```hcl
terraform {
  required_version = "~> 1.0"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
    http = {
      source  = "hashicorp/http"
      version = "~> 3.0"
    }
    tailscale = {
      source  = "tailscale/tailscale"
      version = "~> 0.0"
    }
    time = {
      source  = "hashicorp/time"
      version = "~> 0.0"
    }
  }
}

provider "aws" {
  region = "eu-central-1"
}

provider "aws" {
  alias  = "jp"
  region = "ap-northeast-1"
}

provider "aws" {
  alias  = "us"
  region = "us-east-1"
}

provider "cloudflare" {}

provider "tailscale" {}

locals {
  public_ip_address = [
    module.de_exit_node.public_ip_address,
    module.jp_exit_node.public_ip_address,
    module.us_exit_node.public_ip_address
  ]
}

resource "tailscale_acl" "this" {
  acl = templatefile("${path.root}/acl.json.tftpl", {
    tailscale_exit_node_tag_name = "exit"
  })
}

module "de_exit_node" {
  source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"
}

module "jp_exit_node" {
  source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"

  providers = {
    aws = aws.jp
  }
  lightsail_region = "ap-northeast-1"
}

module "us_exit_node" {
  source = "github.com/bendwyer/terraform-aws-lightsail-tailscale-exit-node"

  providers = {
    aws = aws.us
  }
  lightsail_region = "us-east-1"
}

module "blocklist" {
  source = "github.com/bendwyer/terraform-cloudflare-tailscale-blocklist"

  cloudflare_account_id = "abcdefgh123456"
  public_ip_address     = local.public_ip_address
}
```

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1.0 |
| cloudflare | >= 4.25.0 |
| http | >= 3.4.1 |
| tailscale | >= 0.13.13 |

## Providers

| Name | Version |
|------|---------|
| cloudflare | >= 4.25.0 |
| http | >= 3.4.1 |
| tailscale | >= 0.13.13 |

## Resources

| Name | Type |
|------|------|
| cloudflare_teams_list.blocklist | resource |
| cloudflare_teams_location.this | resource |
| cloudflare_teams_rule.blocklist_policy | resource |
| cloudflare_teams_rule.security_policy | resource |
| tailscale_dns_nameservers.this | resource |
| http_http.blocklist_url | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| cloudflare_account_id | Cloudflare account ID. | `string` | n/a | yes |
| public_ip_address | A set of public IP address(es) where Cloudflare Gateway will be enabled. | `set(string)` | n/a | yes |
| cloudflare_dns_resolvers_ipv4 | For queries over IPv4, the default DNS resolver IP addresses are anycast IP addresses, and they are shared across every Cloudflare Zero Trust account. See https://developers.cloudflare.com/cloudflare-one/connections/connect-devices/agentless/dns/locations/dns-resolver-ips/#ipv4-address for more information. | `list(string)` | `["172.64.36.1", "172.64.36.2"]` | no |
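Cloudflare Gateway applies the blocklist only to DNS queries arriving from the source addresses in `public_ip_address`, so a private or Tailscale-internal address in that set never matches, and an exit node whose egress IP is missing from it resolves DNS unfiltered. The following pre-flight check is an added example, not part of this module; the configured set and the observed exit-node egress IPs are constructed sample data, and the `preflight` function name is hypothetical.

```python
"""Pre-flight check for the module's public_ip_address input (added example)."""
import ipaddress

# Ranges that can never be a Tailscale exit node's public egress address. Cloudflare
# Gateway matches DNS queries on the source IP it sees, so an entry from one of these
# ranges would silently match nothing. Tailscale's own node addresses are in 100.64.0.0/10,
# a common mix-up when a tailnet IP is passed instead of the public one.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # CGNAT / Tailscale node range
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]


def check_address(raw):
    """Return None if raw is a usable public IP, otherwise a reason string."""
    try:
        ip = ipaddress.ip_address(raw.strip())
    except ValueError:
        return "not a valid IP address"
    if ip.is_multicast:
        return "multicast address"
    for net in NON_ROUTABLE:
        if ip.version == net.version and ip in net:
            return f"not publicly routable ({net})"
    return None


def preflight(configured, observed):
    """Compare the configured set with the egress IPs the exit nodes have right now.
    observed maps an exit-node name to its current public IP. Returns a sorted list
    of (item, problem) tuples; an empty list means the blocklist covers every node."""
    problems, seen = [], set()
    for raw in configured:
        reason = check_address(raw)
        if reason:
            problems.append((raw, reason))
        elif raw in seen:
            problems.append((raw, "duplicate entry"))
        seen.add(raw)
    valid = {ip for ip in seen if check_address(ip) is None}
    for node, ip in observed.items():            # node egress missing from the set
        if ip not in valid:
            problems.append((node, f"egress {ip} not in public_ip_address; DNS bypasses the blocklist"))
    for ip in valid - set(observed.values()):    # entry no node uses any more
        problems.append((ip, "configured but no exit node uses it (stale entry)"))
    return sorted(problems)


# Constructed sample data (documentation-range addresses, not real nodes).
CONFIGURED = ["203.0.113.10", "198.51.100.7", "100.101.102.103", "123.456.789"]
OBSERVED = {"de_exit_node": "203.0.113.10", "jp_exit_node": "198.51.100.8", "us_exit_node": "192.0.2.20"}

if __name__ == "__main__":
    for item, problem in preflight(CONFIGURED, OBSERVED):
        print(f"{item}: {problem}")
```

Running it against the sample data reports the malformed placeholder, the Tailscale-range entry, the stale entry, and the two exit nodes whose traffic the blocklist would not cover.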
