Retrieving the CloudFront Managed Prefix List with Terraform
Hello, this is Shun Tokuyama from the AWS Business Division.
The other day, CloudFront's IP address ranges became available as a Managed Prefix List.
It was a long-awaited update, so it is probably still fresh in many people's minds.
I ran into a snag when using this CloudFront Managed Prefix List from Terraform, so here is how I dealt with it.
Conclusion first
When referencing the CloudFront Managed Prefix List from Terraform, use the aws_ec2_managed_prefix_list data source, not aws_prefix_list!
Where I got stuck
Until now, when referencing the S3 or DynamoDB Managed Prefix Lists from Terraform, I used the name attribute of the aws_prefix_list data source.
When I tried the same for CloudFront, however, I got the following error.
```hcl
data "aws_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

output "aws_prefix_list_cloudfront" {
  value = data.aws_prefix_list.cloudfront
}
```
```text
╷
│ Error: no matching prefix list found; the prefix list ID or name may be invalid or not exist in the current region
│
│   with data.aws_prefix_list.cloudfront,
│   on aws_prefix_list_cloudfront.tf line 1, in data "aws_prefix_list" "cloudfront":
│    1: data "aws_prefix_list" "cloudfront" {
│
```
It seems that the CloudFront prefix list name, com.amazonaws.global.cloudfront.origin-facing, is not among the values that the name attribute of aws_prefix_list can match.
The prefix_list_id attribute, on the other hand, does recognise pl-58a04531, the ID of the CloudFront prefix list in the Tokyo region, and specifying the ID as below let me read the data source without trouble.
```hcl
data "aws_prefix_list" "cloudfront" {
  prefix_list_id = "pl-58a04531"
}

output "aws_prefix_list_cloudfront" {
  value = data.aws_prefix_list.cloudfront
}
```
The retrieved Managed Prefix List:

```text
data.aws_prefix_list.cloudfront: Read complete after 0s [id=pl-58a04531]

Changes to Outputs:
  + aws_prefix_list_cloudfront = {
      + cidr_blocks    = [
          + "54.182.172.0/22",
          + "54.182.144.0/21",
          + "130.176.88.0/21",
          + "204.246.166.0/24",
          + "130.176.140.0/22",
          + "130.176.86.0/23",
          + "52.46.32.0/19",
          + "54.182.160.0/21",
          + "54.239.204.0/22",
          + "15.158.0.0/16",
          + "54.182.156.0/22",
          + "52.82.134.0/23",
          + "54.182.248.0/22",
          + "52.46.4.0/23",
          + "54.182.128.0/20",
          + "205.251.218.0/24",
          + "54.239.134.0/23",
          + "52.82.128.0/23",
          + "64.252.128.0/18",
          + "54.182.240.0/21",
          + "52.46.0.0/22",
          + "64.252.64.0/18",
          + "70.132.0.0/18",
          + "130.176.160.0/19",
          + "130.176.76.0/24",
          + "54.182.176.0/21",
          + "130.176.78.0/23",
          + "54.239.170.0/23",
          + "54.182.184.0/22",
          + "130.176.72.0/22",
          + "130.176.136.0/23",
          + "130.176.192.0/19",
          + "54.182.224.0/21",
          + "130.176.80.0/22",
          + "54.239.208.0/21",
          + "130.176.64.0/21",
          + "52.46.16.0/20",
          + "54.182.188.0/23",
          + "130.176.96.0/19",
          + "130.176.128.0/21",
          + "130.176.0.0/18",
          + "13.124.199.0/24",
          + "54.182.154.0/23",
          + "130.176.144.0/20",
        ]
      + filter         = null
      + id             = "pl-58a04531"
      + name           = "com.amazonaws.global.cloudfront.origin-facing"
      + prefix_list_id = "pl-58a04531"
    }
```
However, the prefix list ID differs from region to region, so reusing this code in another region means rewriting the ID for each region, which is a bit of a hassle.
Workaround
So I tried the aws_ec2_managed_prefix_list data source instead, and it let me look the list up by the name attribute, as shown below. (aws_ec2_managed_prefix_list is backed by the newer EC2 DescribeManagedPrefixLists API, which is the one that knows about AWS-managed lists such as CloudFront's; aws_prefix_list is the older data source built on DescribePrefixLists.)
```hcl
data "aws_ec2_managed_prefix_list" "attribute" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

output "aws_ec2_managed_prefix_list_attribute" {
  value = data.aws_ec2_managed_prefix_list.attribute
}
```
The retrieved Managed Prefix List:

```text
data.aws_ec2_managed_prefix_list.attribute: Read complete after 0s [id=pl-58a04531]

Changes to Outputs:
  + aws_ec2_managed_prefix_list_attribute = {
      + address_family = "IPv4"
      + arn            = "arn:aws:ec2:ap-northeast-1:aws:prefix-list/pl-58a04531"
      + entries        = [
          + {
              + cidr        = "13.124.199.0/24"
              + description = ""
            },
          + {
              + cidr        = "130.176.0.0/18"
              + description = ""
            },
          + {
              + cidr        = "130.176.128.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.136.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.140.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.144.0/20"
              + description = ""
            },
          + {
              + cidr        = "130.176.160.0/19"
              + description = ""
            },
          + {
              + cidr        = "130.176.192.0/19"
              + description = ""
            },
          + {
              + cidr        = "130.176.64.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.72.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.76.0/24"
              + description = ""
            },
          + {
              + cidr        = "130.176.78.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.80.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.86.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.88.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.96.0/19"
              + description = ""
            },
          + {
              + cidr        = "15.158.0.0/16"
              + description = ""
            },
          + {
              + cidr        = "204.246.166.0/24"
              + description = ""
            },
          + {
              + cidr        = "205.251.218.0/24"
              + description = ""
            },
          + {
              + cidr        = "52.46.0.0/22"
              + description = ""
            },
          + {
              + cidr        = "52.46.16.0/20"
              + description = ""
            },
          + {
              + cidr        = "52.46.32.0/19"
              + description = ""
            },
          + {
              + cidr        = "52.46.4.0/23"
              + description = ""
            },
          + {
              + cidr        = "52.82.128.0/23"
              + description = ""
            },
          + {
              + cidr        = "52.82.134.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.128.0/20"
              + description = ""
            },
          + {
              + cidr        = "54.182.144.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.154.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.156.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.160.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.172.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.176.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.184.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.188.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.224.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.240.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.248.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.239.134.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.239.170.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.239.204.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.239.208.0/21"
              + description = ""
            },
          + {
              + cidr        = "64.252.128.0/18"
              + description = ""
            },
          + {
              + cidr        = "64.252.64.0/18"
              + description = ""
            },
          + {
              + cidr        = "70.132.0.0/18"
              + description = ""
            },
        ]
      + filter         = null
      + id             = "pl-58a04531"
      + max_entries    = 0
      + name           = "com.amazonaws.global.cloudfront.origin-facing"
      + owner_id       = "AWS"
      + tags           = {}
      + version        = 0
    }
```
With this code, running in another region picks up the value appropriate to that region.
Here is the result with the provider region switched to us-east-1.
```hcl
# Aliased provider for us-east-1 (added here so the snippet runs on its own;
# the original snippet assumed the alias was already declared elsewhere)
provider "aws" {
  alias  = "us-east-1"
  region = "us-east-1"
}

data "aws_ec2_managed_prefix_list" "attribute" {
  provider = aws.us-east-1
  name     = "com.amazonaws.global.cloudfront.origin-facing"
}

output "aws_ec2_managed_prefix_list_attribute" {
  value = data.aws_ec2_managed_prefix_list.attribute
}
```
The retrieved Managed Prefix List:

```text
data.aws_ec2_managed_prefix_list.attribute: Read complete after 1s [id=pl-3b927c52]

Changes to Outputs:
  + aws_ec2_managed_prefix_list_attribute = {
      + address_family = "IPv4"
      + arn            = "arn:aws:ec2:us-east-1:aws:prefix-list/pl-3b927c52"
      + entries        = [
          + {
              + cidr        = "13.124.199.0/24"
              + description = ""
            },
          + {
              + cidr        = "130.176.0.0/18"
              + description = ""
            },
          + {
              + cidr        = "130.176.128.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.136.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.140.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.144.0/20"
              + description = ""
            },
          + {
              + cidr        = "130.176.160.0/19"
              + description = ""
            },
          + {
              + cidr        = "130.176.192.0/19"
              + description = ""
            },
          + {
              + cidr        = "130.176.64.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.72.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.76.0/24"
              + description = ""
            },
          + {
              + cidr        = "130.176.78.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.80.0/22"
              + description = ""
            },
          + {
              + cidr        = "130.176.86.0/23"
              + description = ""
            },
          + {
              + cidr        = "130.176.88.0/21"
              + description = ""
            },
          + {
              + cidr        = "130.176.96.0/19"
              + description = ""
            },
          + {
              + cidr        = "15.158.0.0/16"
              + description = ""
            },
          + {
              + cidr        = "204.246.166.0/24"
              + description = ""
            },
          + {
              + cidr        = "205.251.218.0/24"
              + description = ""
            },
          + {
              + cidr        = "52.46.0.0/22"
              + description = ""
            },
          + {
              + cidr        = "52.46.16.0/20"
              + description = ""
            },
          + {
              + cidr        = "52.46.32.0/19"
              + description = ""
            },
          + {
              + cidr        = "52.46.4.0/23"
              + description = ""
            },
          + {
              + cidr        = "52.82.128.0/23"
              + description = ""
            },
          + {
              + cidr        = "52.82.134.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.128.0/20"
              + description = ""
            },
          + {
              + cidr        = "54.182.144.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.154.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.156.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.160.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.172.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.176.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.184.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.182.188.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.182.224.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.240.0/21"
              + description = ""
            },
          + {
              + cidr        = "54.182.248.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.239.134.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.239.170.0/23"
              + description = ""
            },
          + {
              + cidr        = "54.239.204.0/22"
              + description = ""
            },
          + {
              + cidr        = "54.239.208.0/21"
              + description = ""
            },
          + {
              + cidr        = "64.252.128.0/18"
              + description = ""
            },
          + {
              + cidr        = "64.252.64.0/18"
              + description = ""
            },
          + {
              + cidr        = "70.132.0.0/18"
              + description = ""
            },
        ]
      + filter         = null
      + id             = "pl-3b927c52"
      + max_entries    = 0
      + name           = "com.amazonaws.global.cloudfront.origin-facing"
      + owner_id       = "AWS"
      + tags           = {}
      + version        = 0
    }
```
Switching regions changes the referenced ID to pl-3b927c52 (and the ARN with it). The entries themselves are identical to the Tokyo result above: the origin-facing list is one global set of CloudFront IP ranges, and only the prefix list ID is region-specific, which is exactly why looking it up by name is the portable approach.
Creating a security group rule that uses the CloudFront Managed Prefix List
Here is Terraform code for a security group rule that allows inbound port 443 only from the CloudFront Managed Prefix List. When building a CloudFront-to-ALB setup, it is handy as the rule attached to the ALB's security group. Keep in mind that this prefix list covers the origin-facing addresses of every CloudFront distribution, not only your own, so it restricts the source network rather than the caller; pairing it with a custom origin header that the ALB checks is the usual complement.
```hcl
resource "aws_security_group" "alb_sg" {
  name   = "alb-sg"
  vpc_id = "vpc-06e4ab6c6cEXAMPLE"

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "alb-sg"
  }
}

# Inbound HTTPS only from CloudFront's origin-facing ranges: the rule references
# the managed prefix list by ID and deliberately carries no cidr_blocks
resource "aws_security_group_rule" "ingress_from_cloudfront_sg_rule" {
  type              = "ingress"
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  prefix_list_ids   = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  security_group_id = aws_security_group.alb_sg.id
}

# Looked up by name, so the same code resolves the correct ID in any region
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}
```
Note that a rule referencing the CloudFront Managed Prefix List has a weight of 55.
The default quota is 60 inbound rules and 60 outbound rules per security group, and a prefix-list rule counts its weight against that quota in its direction, so after this ingress rule only 5 more inbound rules fit; keep that in mind.
The limit of 60 can be raised through a quota increase, so consider that if you need it (the product of rules per security group and security groups per network interface still has to stay at or below 1,000).
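As an added example (not code from the original post), here is a small pre-apply check in Python that a practitioner might run in CI over `terraform show -json` output for the configuration above. It covers both points of the last two sections: it refuses any ALB ingress rule that is not tcp/443 from the CloudFront origin-facing prefix list (a stray 0.0.0.0/0 is the usual way this design gets undone), and it adds up the rule weight per direction, counting the CloudFront rule as 55 against the default quota of 60. The plan JSON embedded in the script is constructed for the example; the prefix list ID pl-58a04531 is the Tokyo-region ID from this post, and the script name check_alb_sg.py is hypothetical. Rules are not grouped by security group, because a rule's security_group_id is normally unknown at plan time, so the check assumes the plan holds a single ALB security group.

```python
"""Pre-apply check for an ALB security group fed by the CloudFront managed prefix list.

Reads `terraform show -json tfplan` output and checks two things:
  1. every ingress rule is tcp/443 from the CloudFront origin-facing prefix list only
     (no CIDR blocks, so no stray 0.0.0.0/0);
  2. the per-direction rule weight stays within the default quota of 60, counting
     the CloudFront prefix-list rule as 55 and each plain CIDR as 1.
Assumes the plan contains a single ALB security group.
"""
import json
import sys

CLOUDFRONT_PREFIX_LIST_ID = "pl-58a04531"  # Tokyo-region ID; the ID differs per region
CLOUDFRONT_RULE_WEIGHT = 55                # weight of a CloudFront prefix-list rule
DEFAULT_RULES_PER_SG = 60                  # default quota, per direction

# Constructed sample of `terraform show -json` output, trimmed to the fields used here.
# The third resource is a "temporary" debug rule of the kind this check is meant to catch.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "aws_security_group.alb_sg", "type": "aws_security_group",
     "change": {"actions": ["create"], "after": {
         "name": "alb-sg", "ingress": [],
         "egress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                     "cidr_blocks": ["0.0.0.0/0"], "prefix_list_ids": []}]}}},
    {"address": "aws_security_group_rule.ingress_from_cloudfront_sg_rule",
     "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {
         "type": "ingress", "from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": [], "prefix_list_ids": [CLOUDFRONT_PREFIX_LIST_ID]}}},
    {"address": "aws_security_group_rule.debug_ingress",
     "type": "aws_security_group_rule",
     "change": {"actions": ["create"], "after": {
         "type": "ingress", "from_port": 443, "to_port": 443, "protocol": "tcp",
         "cidr_blocks": ["0.0.0.0/0"], "prefix_list_ids": []}}},
]})


def collect_rules(plan_text):
    """Flatten inline ingress/egress blocks and standalone aws_security_group_rule
    resources into one list of rule dicts, each tagged with its direction."""
    rules = []
    for rc in json.loads(plan_text).get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}
        if rc["type"] == "aws_security_group":
            for direction in ("ingress", "egress"):
                for block in after.get(direction) or []:
                    rules.append({"address": rc["address"], "direction": direction, **block})
        elif rc["type"] == "aws_security_group_rule":
            rules.append({"address": rc["address"], "direction": after.get("type"), **after})
    return rules


def rule_weight(rule, prefix_list_weights=None):
    """Quota consumed by one rule: 1 per CIDR, plus each referenced prefix list's weight.
    A prefix list with no known weight raises instead of being silently counted as 1."""
    weights = prefix_list_weights or {CLOUDFRONT_PREFIX_LIST_ID: CLOUDFRONT_RULE_WEIGHT}
    total = len(rule.get("cidr_blocks") or []) + len(rule.get("ipv6_cidr_blocks") or [])
    for pl in rule.get("prefix_list_ids") or []:
        if pl not in weights:
            raise ValueError(f"no known weight for prefix list {pl}")
        total += weights[pl]
    return total


def weight_by_direction(rules):
    """Sum of rule weights for ingress and egress."""
    totals = {"ingress": 0, "egress": 0}
    for rule in rules:
        totals[rule["direction"]] += rule_weight(rule)
    return totals


def alb_ingress_findings(rules, allowed_port=443):
    """Every ingress rule must be exactly tcp/allowed_port from the CloudFront list."""
    findings = []
    for r in (r for r in rules if r["direction"] == "ingress"):
        cidrs = (r.get("cidr_blocks") or []) + (r.get("ipv6_cidr_blocks") or [])
        if cidrs:
            findings.append(f"{r['address']}: ingress from {cidrs} bypasses the CloudFront prefix list")
        other = [pl for pl in r.get("prefix_list_ids") or [] if pl != CLOUDFRONT_PREFIX_LIST_ID]
        if other:
            findings.append(f"{r['address']}: references non-CloudFront prefix list(s) {other}")
        if (r.get("protocol"), r.get("from_port"), r.get("to_port")) != ("tcp", allowed_port, allowed_port):
            findings.append(f"{r['address']}: opens {r.get('protocol')} {r.get('from_port')}-{r.get('to_port')}, expected tcp/{allowed_port}")
    return findings


def run_checks(plan_text):
    """Return findings plus the weight used and the headroom per direction."""
    rules = collect_rules(plan_text)
    findings = alb_ingress_findings(rules)
    used = weight_by_direction(rules)
    for direction, weight in used.items():
        if weight > DEFAULT_RULES_PER_SG:
            findings.append(f"{direction}: weight {weight} exceeds the default quota of {DEFAULT_RULES_PER_SG}")
    return {"ok": not findings, "findings": findings, "weight": used,
            "headroom": {d: DEFAULT_RULES_PER_SG - w for d, w in used.items()}}


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_alb_sg.py   (no stdin: runs the sample)
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    result = run_checks(text or SAMPLE_PLAN)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

On the constructed sample the script exits non-zero with one finding for the debug rule, and reports ingress weight 56 (55 for the CloudFront rule plus 1 for the CIDR), leaving headroom of 4; remove the debug rule and the headroom is the 5 rules mentioned above. Customer-managed prefix lists count as their max_entries rather than a fixed weight, which is why rule_weight takes an explicit weight table and fails on anything it does not know.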
Spice curry, my hobby
This is out of the blue, but my hobby is making spice curry.
I have started wanting more people to see the curry I make, so although it has nothing to do with the main topic, I am going to share it on the blog.
- Chicken keema with awase-dashi
- Coconut chicken curry
- Lentil dal
I made a Sri Lankan-style aigake plate, with the curries served side by side over rice.
The umami of the bonito-and-kombu awase-dashi really hit the spot; it was delicious.
Finally
The CloudFront Managed Prefix List is a very handy feature.
It can be referenced from Terraform too, so please make use of it.
I hope this post helps someone. See you next time.