Maintainable Terraform CIDR lists

Problem

Your Terraform configuration has to manage many CIDRs that control firewall ingress rules. You have been storing them in a single comma-separated string:

variable "client_cidrs" {
  default = "50.1.1.1/32,44.2.1.0/32"
}

which is split back into a list and fed to an aws_security_group somewhere in the configuration.

The CIDRs change frequently, and maintaining this variable is difficult because there is no record of where each individual CIDR came from. Entries nobody can account for tend never to be removed, so the ingress allowlist only ever grows.

Solution

Use an HCL list variable. Because each entry sits on its own line, it can carry a trailing comment recording what the CIDR corresponds to (Terraform 0.12+ syntax; in 0.11 the type was written type = "list"):

variable "client_cidrs" {
  type = list(string)
  default = [
    "1.1.1.1/32", # London office
    "2.2.2.2/32", # Sydney office
  ]
}

If you need to pass these values around as a CSV string (for example, to a module that still expects one), use a local to join the list entries (Terraform 0.12+ syntax; 0.11 needed the "${...}" interpolation wrapper):

locals {
  ingress_cidrs = join(",", var.client_cidrs)
}

but prefer to pass the list itself. The aws_security_group ingress cidr_blocks argument already takes a list, so the join and the matching split are unnecessary, and every round trip through a string is one more place for an entry to be mangled.
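Putting it together, as an added example that is not from the original post: the list is validated at plan time and passed straight into the security group, so a typo or a stray 0.0.0.0/0 is rejected by terraform validate before any rule is created. The validation blocks need Terraform 0.13 or later; the vpc_id variable, the resource name and the port are assumptions for illustration.

```hcl
# Added example, not from the original post. Requires Terraform 0.13+.
variable "client_cidrs" {
  description = "Client networks allowed to reach the service: one entry per line, each with a comment saying where it came from"
  type        = list(string)
  default = [
    "1.1.1.1/32", # London office
    "2.2.2.2/32", # Sydney office
  ]

  # Reject malformed entries before they reach the provider. cidrnetmask()
  # errors on anything that is not an IPv4 prefix, which matches what the
  # cidr_blocks argument below accepts.
  validation {
    condition     = alltrue([for c in var.client_cidrs : can(cidrnetmask(c))])
    error_message = "Every entry in client_cidrs must be an IPv4 CIDR such as 203.0.113.10/32."
  }

  # An allowlist entry that admits the whole internet is almost always a
  # mistake; force it into a separate, explicitly reviewed rule instead.
  validation {
    condition     = !contains(var.client_cidrs, "0.0.0.0/0")
    error_message = "The wildcard 0.0.0.0/0 is not allowed in client_cidrs."
  }
}

variable "vpc_id" {
  type = string # assumed to be supplied by the caller
}

resource "aws_security_group" "app" {
  name   = "app-ingress" # assumed name
  vpc_id = var.vpc_id

  ingress {
    description = "HTTPS from known client networks"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.client_cidrs # a list: no join() here and no split() anywhere
  }
}
```

With one CIDR per line, terraform plan shows each address added or removed as its own diff line, and git blame on that line recovers who added it and why, which is the record the CSV string never had.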

——————

Tagged with: terraform
Filed in: tips

Copyright © 2005-2023 David Winterbottom
Content licensed under CC BY-NC-SA 4.0.