If you are controlling, with IP addresses, what API calls can be made from your networks, this change affects your ability to use Terraform.
The Terraform Registry’s CDN will change on Jan 18th, 2023. If you have the Registry’s IP addresses on an allowlist in order to access it, please add these IP addresses to your allowlist. It is advised that you remove the old allowed IP addresses after ensuring access with the new IPs.
This change will affect anyone that calls the Terraform Registry from behind a locked-down network. Many organizations have the IP addresses for the Registry (defined by the Registry's CDN) on an allowlist that lets their network access the Registry to call things like providers and modules.
Changeover date: Wednesday, January 18, 2023
Frequently Asked Questions
Q: Why is this happening?
A: The Terraform Registry is switching CDN providers. This means that the IP addresses for the Registry will change.
Q: Why does it matter if we can't access the Terraform Registry?
A: The Registry houses all Terraform providers and modules. Your system must access the Registry every time it runs Terraform with a provider or calls a module.
Q: What are the existing and new IP addresses?
A:
- Existing IP addresses (Fastly)
- New IP addresses (CloudFront)
Q: Does this affect registry.terraform.io only, or other domains as well?
A: Only registry.terraform.io will be affected by this change.
Q: My company whitelists domain names that we are allowed to access. Will this change affect the Registry domain name?
A: No, the Registry domain name will remain the same (registry.terraform.io).
Q: Will this new CDN have endpoints in China?
A: Yes. The new CDN provider, CloudFront, has some availability in China.
Q: Can we have a testing endpoint, so that we can test and validate this functionality works prior to the cutover date?
A: The most effective and straightforward way that you can validate functionality is by testing now whether your networks can route to CloudFront IPs (the new IP addresses).
Q: Does this affect us if we’re running TFC Agents?
A: Yes, it could. Any time that you run terraform on a network with strict firewall rules, they are likely to need to reach registry.terraform.io. If the firewalls around the networks that host TFC agents restrict egress to only certain IP ranges, then those TFC agents would be impacted.
TLDR: It is dependent on whether the network firewall restricts outgoing traffic by IP address. Not all networks do that, but if they do, and if Terraform is run in that network, there will be an impact.
Q: I’m a network administrator. What next steps would you recommend?
A:
- Before Jan 18th, 2023, add the new IP addresses to your allowlist.
- Before Jan 18th, 2023, conduct tests with your networks/firewall to ensure your networks can route to the new IP addresses.
- Leave the old IP addresses in place.
- After Jan 18th, 2023, double-check that your API calls are accessing the Registry with the new IP addresses.
- Remove the old IP addresses from the allowlist.
Q: Will there be a dual running period?
A: No, it is a clear cutover. But you can check right now to see if your networks can route to the new IPs (CloudFront IPs).
You should add the new IPs to your networks’ allowlist before January 18. Once the cutover occurs, ensure that your networks are accessing the Registry via the new IP addresses before removing the old IPs (Fastly IPs).
It is important to confirm that your networks are accessing the Registry via the new IP addresses because DNS records get cached in many places across networks. What this means is that when we cutover, a network may not immediately see the IP address change - it takes some time for a network to realize it should get a new version of the DNS record.
Q: What happens if we don't add the new IPs?
A: If you’re operating from behind a locked-down network and you don’t add the new IP addresses to your allowlist, you will not be able to access the Registry after the changeover. You won’t be able to call things that live in the Registry like Terraform providers and modules.
Q: If my company doesn’t use IP addresses to restrict network traffic, do we need to do anything?
A: No, the CDN switch should be unnoticeable.