Creating security group ingress rules from an API with IP lists

GitHub publishes a list of IPs at this endpoint: https://api.github.com/meta.

I want to create a security group that only allows the IPs specified in this endpoint. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group

Is it reasonable to simply use the http provider and jsondecode to dynamically create these ingress rules from the CIDR ranges?

If not, what is a better approach, i.e. pull the IPs into a tfvars or HCL file periodically?
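As an added illustration (my own, not part of the original question or of any reply in this thread), this is what the http-provider route looks like when written out. It assumes that the `hooks` list from api.github.com/meta is the one you want to allow (that is the list GitHub uses for webhook deliveries), HTTPS on port 443, a `vpc_id` variable, and the AWS provider's `aws_vpc_security_group_ingress_rule` resource. The postconditions are the check a practitioner wants here: if the endpoint is unreachable or the JSON changes shape, the plan fails instead of quietly converging on a security group with no rules.

```hcl
terraform {
  required_version = ">= 1.2" # postcondition blocks
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 5.0" }
    http = { source = "hashicorp/http", version = ">= 3.0" } # response_body attribute
  }
}

variable "vpc_id" {
  type = string
}

# Read GitHub's published ranges at plan time. The http data source does not
# fail on its own for a bad response, so assert on it explicitly.
data "http" "github_meta" {
  url = "https://api.github.com/meta"
  request_headers = {
    Accept = "application/vnd.github+json"
  }

  lifecycle {
    postcondition {
      condition     = self.status_code == 200
      error_message = "api.github.com/meta returned HTTP ${self.status_code}"
    }
    postcondition {
      # try() turns "not JSON" or "no hooks key" into 0 rather than an eval error
      condition     = try(length(jsondecode(self.response_body).hooks), 0) > 0
      error_message = "api.github.com/meta did not return a non-empty hooks list"
    }
  }
}

locals {
  # Assumption: the "hooks" list is the one this security group is for.
  github_hook_cidrs = toset(jsondecode(data.http.github_meta.response_body).hooks)

  # The list mixes IPv4 and IPv6 CIDRs, and the rule resource takes them in
  # different attributes, so split on the presence of a colon.
  github_hook_ipv4 = [for c in local.github_hook_cidrs : c if !can(regex(":", c))]
  github_hook_ipv6 = [for c in local.github_hook_cidrs : c if can(regex(":", c))]
}

resource "aws_security_group" "github_hooks" {
  name        = "github-hooks-ingress"
  description = "HTTPS from GitHub webhook ranges only"
  vpc_id      = var.vpc_id
}

# One rule per CIDR, keyed by the CIDR itself: when GitHub adds or removes a
# range, the plan shows exactly that one rule being created or destroyed,
# instead of a whole inline ingress block being rewritten.
resource "aws_vpc_security_group_ingress_rule" "github_hooks_ipv4" {
  for_each          = toset(local.github_hook_ipv4)
  security_group_id = aws_security_group.github_hooks.id
  description       = "GitHub hooks"
  cidr_ipv4         = each.value
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

resource "aws_vpc_security_group_ingress_rule" "github_hooks_ipv6" {
  for_each          = toset(local.github_hook_ipv6)
  security_group_id = aws_security_group.github_hooks.id
  description       = "GitHub hooks"
  cidr_ipv6         = each.value
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}
```

Two caveats before copying this. Every `terraform plan` refetches the list, so whoever can change what your runner sees at that URL (GitHub itself, or anything in the TLS path from your CI to it) can change your firewall; that is the trade-off the replies below are weighing. And it only works for the short lists: the `actions` list in the same document runs to thousands of CIDRs, far past the default quota of 60 inbound rules per security group, so that one needs a managed prefix list or a different control altogether.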

Hi @gridcellcoder

Welcome to Terraform forums.

If you know how to build the list of IPs, you can use an external data source.

See an example for getting your public Internet IP and using it in a firewall rule in AWS:

Hi @javierruizjimenez

Thanks for the reply. Would you consider getting this data programmatically bad practice, or against the declarative nature of Terraform?

Shouldn't we be getting these IPs manually/programmatically outside of Terraform and using them as variables?

Many thanks for your input.

Hi @gridcellcoder

Thanks for the reply. Would you consider getting this data programmatically bad practice, or against the declarative nature of Terraform?

Yes, I try to avoid getting external data. It has serious security implications, and it slows the process. The example that I shared about getting the public IP is for testing; a proper infrastructure will have a fixed IP range and will probably use a VPN to connect with AWS.

If GitHub doesn't change the IPs often, I would hard-code the values as Terraform variables, monitor api.github.com/meta for changes, and trigger a human alert (if it happens rarely it doesn't need to be fully automated).

If GitHub changes IPs often, Terraform will not know by itself; you will need to apply the changes manually (terraform apply), so I would try a different solution, maybe:

  • Monitoring the API for changes and then running a hook (adapt this AWS Lambda) that modifies the rule (Terraform will probably see a change later on, but the end result will be the same).

  • Don't use AWS security group rules for that; maybe use an NGINX firewall module or another software firewall that can use FQDNs as sources, but make sure you trust your DNS server! (Haven't tried, don't know if it's possible.)

Let's ask the expert: @apparentlymart, what do you think?
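The pinned-variables route recommended above, written out as an added example (mine, not from anyone in this thread). The CIDRs live in a tfvars file that a person reviews and updates, so the firewall never changes on its own; a Terraform 1.5 `check` block re-reads api.github.com/meta on every plan and raises a warning, not an error, when the pinned list has drifted. That warning is the "human alert" from the reply, surfaced in the plan output or in whatever runs your plans. Assumptions: the `hooks` list is the relevant one, HTTPS on 443, a `vpc_id` variable, and the file name `github_hooks.auto.tfvars.json`; the two CIDRs in the comment are constructed placeholders, not a claim about the current list.

```hcl
terraform {
  required_version = ">= 1.5" # check blocks with scoped data sources
  required_providers {
    aws  = { source = "hashicorp/aws", version = ">= 5.0" }
    http = { source = "hashicorp/http", version = ">= 3.0" }
  }
}

variable "vpc_id" {
  type = string
}

# Pinned copy of the "hooks" list from api.github.com/meta. Populated from a
# tfvars file (assumed name: github_hooks.auto.tfvars.json) maintained by a
# human, for example:
#   { "github_hook_cidrs": ["192.30.252.0/22", "2a0a:a440::/29"] }
# (constructed placeholder values)
variable "github_hook_cidrs" {
  type = list(string)

  validation {
    # cidrhost() accepts IPv4 and IPv6 prefixes and errors on anything that is
    # not a valid CIDR, so a typo in the tfvars file fails at plan time rather
    # than at the AWS API, and an empty list cannot silently open nothing.
    condition     = length(var.github_hook_cidrs) > 0 && alltrue([for c in var.github_hook_cidrs : can(cidrhost(c, 0))])
    error_message = "github_hook_cidrs must be a non-empty list of valid IPv4/IPv6 CIDR blocks."
  }
}

locals {
  github_hook_ipv4 = [for c in var.github_hook_cidrs : c if !can(regex(":", c))]
  github_hook_ipv6 = [for c in var.github_hook_cidrs : c if can(regex(":", c))]
}

resource "aws_security_group" "github_hooks" {
  name        = "github-hooks-ingress"
  description = "HTTPS from pinned GitHub webhook ranges"
  vpc_id      = var.vpc_id

  # Inline rule style; one block can carry both address families.
  ingress {
    description      = "GitHub hooks"
    from_port        = 443
    to_port          = 443
    protocol         = "tcp"
    cidr_blocks      = local.github_hook_ipv4
    ipv6_cidr_blocks = local.github_hook_ipv6
  }

  # No egress block on purpose: with inline rules the AWS provider removes the
  # default allow-all egress, so outbound access has to be granted explicitly.
}

# Drift alarm: compare the pinned list with the live endpoint on every plan.
# A failed assert inside a check block is a warning, so the run still succeeds
# and the firewall changes only when someone updates the tfvars file.
check "github_meta_drift" {
  data "http" "github_meta" {
    url = "https://api.github.com/meta"
    request_headers = {
      Accept = "application/vnd.github+json"
    }
  }

  assert {
    # If the endpoint cannot be read or the body is not the expected JSON, the
    # sentinel guarantees a mismatch, so that case also produces a warning.
    condition     = toset(try(jsondecode(data.http.github_meta.response_body).hooks, ["unavailable"])) == toset(var.github_hook_cidrs)
    error_message = "Pinned github_hook_cidrs no longer match the hooks list at api.github.com/meta; review and update github_hooks.auto.tfvars.json."
  }
}
```

Because the check's data source is scoped to the block, the fetched list is never wired into a resource: a bad or hijacked response can make the plan noisy, but it cannot change a rule. That is the property the reply above is asking for when it says to keep external data out of the declared state.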