Thanks for the reply, would you consider getting this data programmatically bad practice or against the declarative nature of Terraform?
Yes, I try to avoid getting external data. It has serious security implications, and it slows the process. The example that I shared about getting the public IP is for testing, a proper infrastructure will have a fixed IP range and will probably use a VPN to connect with AWS.
If GitHub doesn’t change the IPs often, I would hard-code the values as Terraform variables, monitor api.github.com/meta for changes, and trigger a human alert (if it happens rarely, it doesn’t need to be fully automated).
If GitHub changes IPs often, Terraform will not know by itself; you will need to apply the changes manually (terraform apply), so I will try a different solution, maybe:
- Monitoring the API for changes and then running a hook (adapt this AWS Lambda) that modifies the rule (Terraform will probably see a change later on, but the end result will be the same).
- Don’t use AWS security rules for that; maybe use an NGINX firewall module or another software firewall that can use FQDNs as sources. Make sure you trust your DNS server! (Haven’t tried, don’t know if possible.)
Let’s ask the expert, @apparentlymart what do you think?
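The first option above (pin the GitHub ranges as Terraform variables, watch api.github.com/meta, and page a human when they drift) is easy to sketch. The script below is an added example for this thread, not code from either poster: it takes a meta document and the list of CIDRs currently pinned in a tfvars file, validates every entry with the standard library's ipaddress module, reports what was added or removed, and renders the new list as a tfvars assignment for the human to review. The meta JSON and the "current" list are constructed sample data (RFC 5737/3849 documentation ranges, not real GitHub addresses), the variable name github_hook_cidrs is an assumption, and the HTTP fetch is deliberately left out so the check runs offline; in a real job the fetch would replace SAMPLE_META_JSON.

```python
"""Offline drift check: GitHub's published IP ranges vs. the CIDRs pinned
in a Terraform variable.

Constructed example for illustration. SAMPLE_META_JSON stands in for the
body of https://api.github.com/meta and CURRENT_TFVARS_CIDRS for the list
in terraform.tfvars; neither is real GitHub data or anyone's real config.
"""
import ipaddress
import json

# Constructed stand-in for the meta document. Real responses have many
# more keys and addresses; only the shape matters here.
SAMPLE_META_JSON = json.dumps({
    "hooks": ["192.0.2.0/24", "198.51.100.0/26", "2001:db8:1::/48"],
    "web": ["203.0.113.0/24"],
})

# Constructed stand-in for what is currently hard-coded in terraform.tfvars.
CURRENT_TFVARS_CIDRS = ["192.0.2.0/24", "198.51.100.0/25"]


def parse_meta_ranges(meta_json: str, key: str = "hooks") -> set:
    """Return the normalised set of CIDRs listed under one key of the
    meta document.

    Every entry goes through ipaddress.ip_network(strict=True), so a
    malformed value, a host address with a prefix, or an unexpected type
    raises instead of being quietly written into a security-group rule.
    """
    data = json.loads(meta_json)
    ranges = data.get(key)
    if not isinstance(ranges, list):
        raise ValueError(f"meta document has no list under {key!r}")
    normalised = set()
    for cidr in ranges:
        if not isinstance(cidr, str):
            raise ValueError(f"non-string entry under {key!r}: {cidr!r}")
        net = ipaddress.ip_network(cidr, strict=True)
        normalised.add(net.with_prefixlen)
    return normalised


def diff_ranges(current, published):
    """Compare pinned CIDRs with the published set.

    Returns (added, removed) as sorted lists of CIDR strings.
    """
    current_set = {ipaddress.ip_network(c, strict=True).with_prefixlen
                   for c in current}
    return sorted(published - current_set), sorted(current_set - published)


def render_tfvars(var_name, cidrs):
    """Render a CIDR set as a terraform.tfvars list assignment, so the
    person handling the alert can paste it in and run terraform plan."""
    body = ",\n".join(f'  "{c}"' for c in sorted(cidrs))
    return f"{var_name} = [\n{body}\n]\n"


def check(meta_json=SAMPLE_META_JSON, current=CURRENT_TFVARS_CIDRS,
          key="hooks", var_name="github_hook_cidrs"):
    """Run the drift check and return a dict the alerting step can use."""
    published = parse_meta_ranges(meta_json, key)
    added, removed = diff_ranges(current, published)
    return {
        "changed": bool(added or removed),
        "added": added,
        "removed": removed,
        "tfvars": render_tfvars(var_name, published),
    }


if __name__ == "__main__":
    result = check()
    if result["changed"]:
        # This is the point where a real job would notify a human.
        print("GitHub ranges drifted from the pinned tfvars.")
        print("added:  ", result["added"])
        print("removed:", result["removed"])
        print("proposed terraform.tfvars entry:\n" + result["tfvars"])
    else:
        print("pinned ranges match api.github.com/meta")
```

Because the check only proposes a tfvars change and never applies it, the plan/apply step stays in the hands of a reviewer, which is the property the thread is after.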