Is there a list of source ip addresses/networks for Terraform Cloud runs?

Hello all,

I wanted to follow up and confirm the answer. Currently, Terraform Cloud does not run on a predefined range of IP addresses. I understand that the ability to whitelist is important, and there is a possibility we may have a solution for this in the future. At this time, the runners are fairly dynamic.


Too bad. This is kind of a dealbreaker for using Terraform Cloud. I was in touch with HashiCorp support, and the suggestion is to move to Terraform Enterprise.

Half-way through migrating to Terraform Cloud I realised this is a total dealbreaker. Disappointing :frowning:

Shouldn’t be too hard to route the runners’ traffic through a bunch of NAT gateways with publicly known IP addresses should it?

Same here, trying to manage Azure KeyVault, any update so far?

Encountered this issue while trying to manage a Kubernetes cluster with a public API endpoint. Any update on this would be appreciated.

Hi, just going to jump in here. :slight_smile:

Wasn’t this one of the selling features of the Business Tier, announced back near the end of the summer? It’s only for certain Terraform Cloud features, though; maybe that’s the bit I’m missing.

Hello, everyone!

@jlj7 is correct that the IPs for Terraform Cloud are obtained with the API from this page.

Note that those IP ranges are for Version Control Systems, Sentinel, and Notifications only. The HashiCorp Terraform Cloud Business Tier solves the remainder of this scenario by providing the ability to use Terraform Cloud Agents, which allow Terraform Cloud to communicate with isolated, private, or on-premises infrastructure.

Please let us know if that answers your questions, and if you have any other concerns!


Hello everyone!

@onlydole, could you please tell me which IP addresses I should whitelist for Terraform Cloud runs that connect to the public Vultr API using the official Vultr provider?

I tried all the addresses that I could find here https://app.terraform.io/api/meta/ip-ranges, but I get an error {"error":"Unauthorized IP address.","status":401}. I'm sure I use the correct access token; I also contacted Vultr support and they said there were no problems on their side.

Howdy, @alex-feel :wave:

Do you know if you’re getting a 401 response from the Vultr provider or when trying to authenticate with Terraform Cloud?

I’m happy to jump on a call with you if you’d like to troubleshoot.

@onlydole, I was getting the response from Vultr and saw it in a Terraform Cloud run frontend, here it is:

And after I whitelisted all IPv4 addresses in my Vultr account everything worked:

It turns out that the IP addresses highlighted in red are wrong, I took them here https://app.terraform.io/api/meta/ip-ranges

Could you please tell me where I can get the correct IP addresses which are used by Terraform Cloud runs?


Hey, @alex-feel,

Thank you for providing those screenshots and additional information! It makes a lot more sense to me now what was going on.

Your screenshots helped show that the issue is occurring due to the runner IP not having access to Vultr.

  • The IPs you’re listing are correct, BUT those IPs are for the Terraform Cloud API, and for Terraform Cloud Notifications. There are IPs for Sentinel and VCS, though those won’t fix this issue.
  • The IPs for the runners are not shared publicly at this time as a means to protect users of Terraform Cloud and allow for optimizations that we can make for hosting runners on the SaaS platform.
  • You are able to guarantee IPs for runners if you utilize the Terraform Cloud for Business tier, which allows you to self-host Terraform Cloud Agents. This would be my recommendation for more control over your IP space utilization and network access control.

Please let me know if there’s anything more I can clarify to that end, and I hope that helps shed more light on why those issues arose when working with the Vultr provider and Terraform Cloud runs!


@onlydole, now it’s clear, I just got confused by this message and thought there are now IPs for runners. Thanks for the clarification!


Is there a plan in place to document the list of IPs used by TFC runners/workers?

Having to manage and run our own self hosted agents is not an option for us.

@onlydole, is any improvement available now, since your last comment on this thread? I need to figure out the best option right now, at the end of 2021.

Howdy, everyone!

The latest information for Terraform Cloud IP Ranges can be found here: IP Ranges - Terraform Cloud and Terraform Enterprise - Terraform by HashiCorp

Not the best option, but you could modify the firewall rules on the fly using something like this, adapted to your needs, and create a dependency so the rule is changed before access is needed.

How to programmatically use your public Internet IP address in Terraform?
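The workaround described in the post above, written out as an added example (this is not code from the linked thread or from HashiCorp): the run asks an external echo service for its own egress address and puts that address into the network ACL of the resource it is about to talk to, so the rule is in place before the data-plane call is made. Azure Key Vault is used because it came up earlier in this thread; the echo URL, the vault and resource group names, the region and the variable names are all assumptions chosen for the illustration.

```hcl
terraform {
  required_providers {
    http    = { source = "hashicorp/http", version = ">= 3.0" }
    azurerm = { source = "hashicorp/azurerm", version = ">= 3.0" }
  }
}

provider "azurerm" {
  features {}
}

variable "secret_value" {
  type      = string
  sensitive = true
}

# Step 1: learn the public address this particular run egresses from.
# The URL is an assumption; any service you trust that returns the
# caller's IP as plain text will do. The address changes between runs,
# which is exactly why it has to be looked up every time.
data "http" "runner_ip" {
  url = "https://checkip.amazonaws.com"
}

locals {
  # The echo service answers with a trailing newline; strip it.
  runner_ip = chomp(data.http.runner_ip.response_body)
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "rg-tfc-runner-example" # assumed name
  location = "westeurope"            # assumed region
}

# Step 2: control-plane update. The vault's network ACL denies everything
# except the address found in step 1. ARM itself is not IP-restricted, so
# this update succeeds no matter where the run comes from.
resource "azurerm_key_vault" "example" {
  name                = "kv-tfc-runner-example" # assumed; must be globally unique
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "standard"

  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
    ip_rules       = [local.runner_ip]
  }

  # Grant the identity running Terraform the secret permissions the
  # data-plane call below needs.
  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    secret_permissions = ["Get", "List", "Set", "Delete", "Purge", "Recover"]
  }
}

# Step 3: data-plane call, the one a network ACL actually blocks.
# Referencing azurerm_key_vault.example.id creates the dependency the
# post talks about: the ACL is written before this resource is touched.
resource "azurerm_key_vault_secret" "example" {
  name         = "example-secret"
  value        = var.secret_value
  key_vault_id = azurerm_key_vault.example.id
}
```

Two practical notes. Each run rewrites `ip_rules` to whatever address it happens to get, so the ACL always names the last runner to touch the vault and nothing else; if an ACL change is not yet effective when the data-plane call fires, inserting a `time_sleep` resource from the hashicorp/time provider between the two resources is the usual workaround. And, as the reply further down this thread points out, the address you are allowlisting belongs to shared Terraform Cloud infrastructure that any organization's runs can use, so this buys you very little over leaving the ACL open; it is a convenience for getting runs through, not a security boundary.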

Any update here?
It's been almost two years and it seems HashiCorp still has not addressed it.

The way to ensure predictable source IP addresses is to run your own agents on IP addresses of your own. That will then ensure that you can restrict to exactly the IP addresses your agents are using, rather than permitting access to your system from any Terraform Cloud workspace run by any organization.

Keeping in mind that anyone can run any Terraform configuration they wish on the hosted cloud agents, which can therefore make arbitrary network requests to any destination, restricting to only accept connections from those would be little better than allowing connections from anywhere on the internet.

The hosted agents for Terraform Cloud are suitable for working with systems that rely on credentials rather than network addresses for access control, but if you need to filter by source network address (either exclusively or in combination with credentials) then hosting your own agents is the appropriate solution.
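The self-hosted approach recommended above, as an added example (not code from the post or from HashiCorp): an agent pool is created with the hashicorp/tfe provider, a workspace is pinned to it, and the resulting token is handed to a `tfc-agent` process running on a host whose outbound traffic leaves through an address you control. That address, and only that address, is what goes into the Vultr, Key Vault or Kubernetes allowlist. The organization name, pool and workspace names, and the NAT address 203.0.113.10 (a documentation-range address) are assumptions.

```hcl
terraform {
  required_providers {
    tfe = { source = "hashicorp/tfe", version = ">= 0.40" }
  }
}

variable "organization" {
  type        = string
  description = "Terraform Cloud organization name (assumed to exist already)"
}

# Credentials come from the usual places for this provider: the TFE_TOKEN
# environment variable or a credentials block in the CLI config file.
provider "tfe" {}

# An agent pool is just a named group; what makes its egress predictable
# is where you run the agents, not anything in Terraform Cloud itself.
resource "tfe_agent_pool" "fixed_egress" {
  name         = "fixed-egress-pool" # assumed name
  organization = var.organization
}

resource "tfe_agent_token" "fixed_egress" {
  agent_pool_id = tfe_agent_pool.fixed_egress.id
  description   = "agents behind NAT gateway 203.0.113.10" # assumed address
}

# Runs for this workspace now execute only on agents that registered with
# the token above, never on the shared hosted runners.
resource "tfe_workspace" "vultr" {
  name           = "vultr-infra" # assumed name
  organization   = var.organization
  execution_mode = "agent"
  agent_pool_id  = tfe_agent_pool.fixed_egress.id
}

# The token is sensitive: it is all an agent needs to start receiving your
# runs, which carry your provider credentials.
output "agent_token" {
  value     = tfe_agent_token.fixed_egress.token
  sensitive = true
}

# On the host that egresses via 203.0.113.10, start an agent with the token.
# The agent only makes outbound HTTPS connections to Terraform Cloud; no
# inbound ports need to be opened. Shown as a comment since it is not HCL:
#
#   docker run -d --restart unless-stopped \
#     -e TFC_AGENT_TOKEN="$(terraform output -raw agent_token)" \
#     -e TFC_AGENT_NAME="nat-203-0-113-10" \
#     hashicorp/tfc-agent:latest
```

Everything the run does (provider API calls, Kubernetes API access, Key Vault data-plane calls) now originates from the agent host, so a single `203.0.113.10/32` rule on the target is both sufficient and meaningful: no other Terraform Cloud tenant can appear from that address. Keep the agent host itself locked down, since whoever controls it sees every credential that flows through those runs.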

Makes sense from a security point of view; thank you.