タダです.
CloudFront からのネットワークアクセスを制御する方法として Managed Prefix を使って ALB のセキュリティグループでコントロールするのを Terraform でやってみたのでまとめます.
Managed Prefix List を扱う Terraform のコード
CloudFront からの Managed Prefix List は aws_ec2_managed_prefix_list データソースで扱えます.
# Look up the AWS-owned managed prefix list that holds CloudFront's
# origin-facing IP ranges (owner_id = "AWS" in the resolved object below),
# so the CIDRs never have to be hard-coded in this configuration.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

# Expose the whole data-source object (id, arn, entries, ...) so the resolved
# prefix list can be inspected via `terraform plan` / `terraform output`.
output "aws_ec2_managed_prefix_list_attribute" {
  value = data.aws_ec2_managed_prefix_list.cloudfront
}
出力してみると以下のように CloudFront の IP リストが返ってきます.pl-58a04531 にて管理されるようですね.
Changes to Outputs: + aws_ec2_managed_prefix_list_attribute = { + address_family = "IPv4" + arn = "arn:aws:ec2:ap-northeast-1:aws:prefix-list/pl-58a04531" + entries = [ + { + cidr = "13.124.199.0/24" + description = "" }, + { + cidr = "130.176.0.0/18" + description = "" }, + { + cidr = "130.176.128.0/21" + description = "" }, + { + cidr = "130.176.136.0/23" + description = "" }, + { + cidr = "130.176.140.0/22" + description = "" }, + { + cidr = "130.176.144.0/20" + description = "" }, + { + cidr = "130.176.160.0/19" + description = "" }, + { + cidr = "130.176.192.0/19" + description = "" }, + { + cidr = "130.176.64.0/21" + description = "" }, + { + cidr = "130.176.72.0/22" + description = "" }, + { + cidr = "130.176.76.0/24" + description = "" }, + { + cidr = "130.176.78.0/23" + description = "" }, + { + cidr = "130.176.80.0/22" + description = "" }, + { + cidr = "130.176.86.0/23" + description = "" }, + { + cidr = "130.176.88.0/21" + description = "" }, + { + cidr = "130.176.96.0/19" + description = "" }, + { + cidr = "15.158.0.0/16" + description = "" }, + { + cidr = "18.68.0.0/16" + description = "" }, + { + cidr = "204.246.166.0/24" + description = "" }, + { + cidr = "205.251.218.0/24" + description = "" }, + { + cidr = "3.172.0.0/18" + description = "" }, + { + cidr = "52.46.0.0/22" + description = "" }, + { + cidr = "52.46.16.0/20" + description = "" }, + { + cidr = "52.46.32.0/19" + description = "" }, + { + cidr = "52.46.4.0/23" + description = "" }, + { + cidr = "52.82.128.0/23" + description = "" }, + { + cidr = "52.82.134.0/23" + description = "" }, + { + cidr = "54.182.128.0/20" + description = "" }, + { + cidr = "54.182.144.0/21" + description = "" }, + { + cidr = "54.182.154.0/23" + description = "" }, + { + cidr = "54.182.156.0/22" + description = "" }, + { + cidr = "54.182.160.0/21" + description = "" }, + { + cidr = "54.182.172.0/22" + description = "" }, + { + cidr = "54.182.176.0/21" + description = "" }, + { + cidr = "54.182.184.0/22" + 
description = "" }, + { + cidr = "54.182.188.0/23" + description = "" }, + { + cidr = "54.182.224.0/21" + description = "" }, + { + cidr = "54.182.240.0/21" + description = "" }, + { + cidr = "54.182.248.0/22" + description = "" }, + { + cidr = "54.239.134.0/23" + description = "" }, + { + cidr = "54.239.170.0/23" + description = "" }, + { + cidr = "54.239.204.0/22" + description = "" }, + { + cidr = "54.239.208.0/21" + description = "" }, + { + cidr = "64.252.128.0/18" + description = "" }, + { + cidr = "64.252.64.0/18" + description = "" }, + { + cidr = "70.132.0.0/18" + description = "" }, ] + filter = null + id = "pl-58a04531" + max_entries = 0 + name = "com.amazonaws.global.cloudfront.origin-facing" + owner_id = "AWS" + tags = {} + timeouts = null + version = 0 }
Managed Prefix List を ALB のセキュリティグループで制御する
そして本題です.Managed Prefix List を使って ALB のセキュリティグループを定義します.つまり,Inbound Rule として 443 番ポートへのアクセスを Managed Prefix List から許可するように設定します.
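# Security group for the ALB. All rules live in standalone
# aws_security_group_rule resources rather than inline ingress/egress blocks:
# the AWS provider documents that mixing inline rules with
# aws_security_group_rule on the same group conflicts and can overwrite rules.
# The resulting AWS state (allow-all egress + 443 ingress from CloudFront)
# is the same as with the former inline egress block.
resource "aws_security_group" "hoge_alb" {
  name   = "hoge-alb"
  vpc_id = aws_vpc.tf_vpc.id

  tags = {
    Name = "hoge-alb"
  }
}

# Allow all outbound traffic (equivalent to the previous inline egress block).
# Least-privilege option: narrow this to the target group's security group
# and port once the backend is known.
resource "aws_security_group_rule" "egress_all" {
  type              = "egress"
  description       = "All outbound traffic"
  from_port         = 0
  to_port           = 0
  protocol          = "-1"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.hoge_alb.id
}

# Allow HTTPS (443) only from CloudFront's origin-facing IP ranges via the
# AWS-managed prefix list.
# Caveat: the prefix list covers every CloudFront distribution, not only this
# account's. If the origin must accept only its own distribution, pair this
# rule with an origin check at the ALB (e.g. a custom header set by CloudFront
# and matched by a listener rule).
# Caveat: a managed prefix list is weighted against the security-group rule
# quota as more than one rule; check the quota before applying.
resource "aws_security_group_rule" "ingress_from_cloudfront_sg_rule" {
  type              = "ingress"
  description       = "HTTPS from CloudFront origin-facing IPs"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  security_group_id = aws_security_group.hoge_alb.id
}

# AWS-owned prefix list of CloudFront origin-facing IP ranges; AWS maintains
# the entries, so no CIDRs are hard-coded here.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}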
実行計画を走らせると以下のような結果になります.
# aws_security_group.hoge_alb will be created + resource "aws_security_group" "hoge_alb" { + arn = (known after apply) + description = "Managed by Terraform" + egress = [ + { + cidr_blocks = [ + "0.0.0.0/0", ] + description = "" + from_port = 0 + ipv6_cidr_blocks = [] + prefix_list_ids = [] + protocol = "-1" + security_groups = [] + self = false + to_port = 0 }, ] + id = (known after apply) + ingress = (known after apply) + name = "hoge-alb" + name_prefix = (known after apply) + owner_id = (known after apply) + revoke_rules_on_delete = false + tags = { + "Name" = "hoge-alb" } + tags_all = { + "Name" = "hoge-alb" } + vpc_id = "vpc-xxx" } # aws_security_group_rule.ingress_from_cloudfront_sg_rule will be created + resource "aws_security_group_rule" "ingress_from_cloudfront_sg_rule" { + from_port = 443 + id = (known after apply) + prefix_list_ids = [ + "pl-58a04531", ] + protocol = "tcp" + security_group_id = (known after apply) + security_group_rule_id = (known after apply) + self = false + source_security_group_id = (known after apply) + to_port = 443 + type = "ingress" } Plan: 2 to add, 0 to change, 0 to destroy.
適用後は下記の画像にあるように Inbound Rule の 443 番ポートへのアクセス元が pl-58a04531 になっています.
まとめ
Terraform を使って CloudFront の Managed Prefix List を使って ALB アクセスを定義してみました.