silent failure in cloudflare-sg module #116

Open
briskt opened this issue Oct 31, 2024 · 0 comments

Comments

@briskt (Contributor)

briskt commented Oct 31, 2024

If the Cloudflare API used by the cloudflare-sg module does not return a correct response, the data will be invalid, but the Terraform plan will not necessarily fail. This is because the http provider no longer checks the return status but leaves it up to the consumer to check the new status_code attribute.

Recommendation:

Instead of using this module, use these resources directly in your module:

# Security group that only Cloudflare's published edge ranges may reach on 443.
resource "aws_security_group" "cloudflare" {
  name        = "cloudflare"
  description = "Allow HTTPS traffic from Cloudflare"
  vpc_id      = module.vpc.id
  tags = {
    Name = "my-app-name-and-environment-cloudflare"
  }
}

# One ingress rule per address family; the CIDR lists come from the external
# script below, which exits non-zero (and so fails the plan) on a bad response.
resource "aws_security_group_rule" "cloudflare" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.cloudflare.id
  cidr_blocks       = split(",", data.external.cloudflare_ips.result.ipv4_cidrs)
  ipv6_cidr_blocks  = split(",", data.external.cloudflare_ips.result.ipv6_cidrs)
}

# The external provider requires the program to print a flat JSON object of
# strings, hence the comma-joined lists that are split() again above.
data "external" "cloudflare_ips" {
  program = ["${path.module}/cloudflare-ips.sh"]
}

cloudflare-ips.sh

#!/usr/bin/env bash

# Fail loudly: -e aborts on any error, -u on unset variables, and pipefail
# makes a curl failure propagate through the pipe instead of being masked
# by jq's exit status.
set -euo pipefail

# --fail turns any HTTP 4xx/5xx into a non-zero exit, so the plan stops
# instead of building rules from an error body. jq then flattens the two
# CIDR lists into comma-joined strings, as the external provider requires;
# if the result object is missing, join fails on null and exits non-zero.
curl --silent --show-error --fail 'https://api.cloudflare.com/client/v4/ips' | jq '{
  ipv4_cidrs: (.result.ipv4_cidrs | join(",")),
  ipv6_cidrs: (.result.ipv6_cidrs | join(","))
}'
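If you would rather keep using the hashicorp/http data source than shell out to curl, the failure mode described in the issue can be closed off from Terraform itself. The following is an added example, not code from the issue or from the cloudflare-sg module: it fetches the same endpoint with the http provider and uses lifecycle postconditions to fail the plan on a non-200 status or on a body that lacks the documented success/result envelope. The aws_security_group.cloudflare reference is assumed to exist as defined in the issue; the Cloudflare response shape (success flag, result.ipv4_cidrs and result.ipv6_cidrs) is what the /client/v4/ips endpoint documents today.

```hcl
terraform {
  required_providers {
    # status_code and response_body require the 3.x line of the http provider.
    http = {
      source  = "hashicorp/http"
      version = ">= 3.0.0"
    }
    aws = {
      source = "hashicorp/aws"
    }
  }
}

data "http" "cloudflare_ips" {
  url = "https://api.cloudflare.com/client/v4/ips"

  request_headers = {
    Accept = "application/json"
  }

  lifecycle {
    # The provider no longer rejects non-2xx responses; do it explicitly so a
    # rate-limit or outage page cannot become an empty or wrong CIDR list.
    postcondition {
      condition     = self.status_code == 200
      error_message = "Cloudflare /client/v4/ips did not return HTTP 200; refusing to derive security group rules from it."
    }

    # A 200 with an unexpected body (or success=false) must also stop the plan.
    postcondition {
      condition = (
        try(jsondecode(self.response_body).success, false) == true &&
        can(jsondecode(self.response_body).result.ipv4_cidrs) &&
        can(jsondecode(self.response_body).result.ipv6_cidrs)
      )
      error_message = "Cloudflare /client/v4/ips response did not contain success=true with result.ipv4_cidrs and result.ipv6_cidrs."
    }
  }
}

locals {
  # Only reached when both postconditions hold, so these are real lists.
  cloudflare_ips = jsondecode(data.http.cloudflare_ips.response_body).result
}

# Assumed to exist as in the issue's aws_security_group.cloudflare resource.
resource "aws_security_group_rule" "cloudflare_https" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  security_group_id = aws_security_group.cloudflare.id
  cidr_blocks       = local.cloudflare_ips.ipv4_cidrs
  ipv6_cidr_blocks  = local.cloudflare_ips.ipv6_cidrs
}
```

Postconditions are evaluated during plan for data sources, so a broken response surfaces as a plan error pointing at the condition that failed rather than as a diff that quietly removes every Cloudflare range from the group. The second check matters independently of the first: an upstream proxy or captive page can return 200 with an HTML body, and without it jsondecode would fail with a less specific error (or, for a JSON body with a different shape, produce an empty rule set).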