Introduction
On January 18, 2023, the Content Delivery Network (CDN) provider for the Terraform Registry changed. This change affects your ability to use Terraform if you control API call access from your networks using IP address allowlists.
If your organization maintains an IP allowlist to access the Terraform Registry, you must add the new CloudFront IP addresses to your configuration. After you confirm access with the new IP addresses, you should remove the old IP addresses.
This change impacts any user or system that calls the Terraform Registry from a network with IP-based firewall rules. Many organizations add the Registry's CDN IP addresses to an allowlist to access providers and modules.
Frequently Asked Questions
Why is this happening?
The Terraform Registry switched CDN providers. This means that the IP addresses for the Registry changed.
Why does it matter if we cannot access the Terraform Registry?
The Registry houses all public Terraform providers and modules. Your system must access the Registry every time it runs Terraform with a provider or calls a module from the public registry.
What are the existing and new IP addresses?
- Existing IP addresses (Fastly): https://api.fastly.com/public-ip-list
- New IP addresses (CloudFront): https://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips
Does this affect registry.terraform.io only, or other domains as well?
Only registry.terraform.io is affected by this change.
My company whitelists domain names. Will this change affect the Registry domain name?
No, the Registry domain name remains registry.terraform.io.
Will this new CDN have endpoints in China?
Yes. The new CDN provider, CloudFront, has some availability in China.
How can we test this functionality?
The most effective way to validate functionality is to test whether your networks can route to the new CloudFront IP addresses.
Does this affect us if we are running HCP Terraform agents?
Yes, it could. Any time you run Terraform on a network with strict firewall rules, it will likely need to reach registry.terraform.io. If the firewalls for the networks that host HCP Terraform agents restrict egress to only certain IP ranges, then those agents would be impacted.
In summary, the impact depends on whether the network firewall restricts outgoing traffic by IP address. Not all networks do that, but if they do, and if Terraform runs in that network, there will be an impact.
As a network administrator, what are the recommended next steps?
- Before January 18, 2023, add the new IP addresses to your allowlist.
- Before January 18, 2023, conduct tests with your networks and firewall to ensure you can route to the new IP addresses.
- Leave the old IP addresses in place through the transition.
- After January 18, 2023, verify that your API calls are accessing the Registry with the new IP addresses.
- Remove the old IP addresses from the allowlist once you have confirmed a successful transition.
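The steps above, and the earlier question about how to test, come down to one check: resolve registry.terraform.io through your own network's DNS and confirm that every address it returns falls inside the new CloudFront ranges rather than the old Fastly ranges. The script below is an added example written for this page, not HashiCorp's or either CDN's tooling. It assumes the top-level JSON keys of the two IP-list documents linked above ("addresses"/"ipv6_addresses" for Fastly, "CLOUDFRONT_GLOBAL_IP_LIST"/"CLOUDFRONT_REGIONAL_EDGE_IP_LIST" for CloudFront); the embedded lists are constructed samples using documentation prefixes, not real CDN ranges, so replace them with the downloaded documents before relying on the result.

```python
import ipaddress
import json
import socket

# Constructed sample responses in the shape of the two IP-list documents linked on the page.
# The key names are assumptions about those documents' JSON format; the prefixes are
# RFC 5737/3849 documentation ranges used as placeholders, not real Fastly or CloudFront ranges.
OLD_FASTLY_JSON = """{"addresses": ["203.0.113.0/24", "198.51.100.0/25"],
                     "ipv6_addresses": ["2001:db8:1::/48"]}"""
NEW_CLOUDFRONT_JSON = """{"CLOUDFRONT_GLOBAL_IP_LIST": ["192.0.2.0/24", "198.51.100.128/25"],
                         "CLOUDFRONT_REGIONAL_EDGE_IP_LIST": ["2001:db8:2::/48"]}"""


def parse_ip_list(text, keys):
    """Return the CIDR prefixes found under the given top-level keys of a JSON IP list."""
    doc = json.loads(text)
    nets = []
    for key in keys:
        for prefix in doc.get(key, []):
            nets.append(ipaddress.ip_network(prefix, strict=False))
    return nets


def load_old_ranges(text=OLD_FASTLY_JSON):
    return parse_ip_list(text, ["addresses", "ipv6_addresses"])


def load_new_ranges(text=NEW_CLOUDFRONT_JSON):
    return parse_ip_list(text, ["CLOUDFRONT_GLOBAL_IP_LIST", "CLOUDFRONT_REGIONAL_EDGE_IP_LIST"])


def classify(ip, old_nets, new_nets):
    """Label one address as 'new' (CloudFront), 'old' (Fastly) or 'unknown' (in neither list)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in new_nets):
        return "new"
    if any(addr in net for net in old_nets):
        return "old"
    return "unknown"


def resolve(host="registry.terraform.io"):
    """Resolve the Registry hostname through this network's DNS (needs network access)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_transition(resolved_ips, old_nets, new_nets):
    """Map each resolved address to its classification."""
    return {ip: classify(ip, old_nets, new_nets) for ip in resolved_ips}


def transition_complete(report):
    """True only when every address this network resolves is in the new CloudFront ranges.
    An 'old' entry means a cached DNS record still points at Fastly; an 'unknown' entry means
    the list used for comparison is stale or the address belongs to neither CDN."""
    return bool(report) and all(label == "new" for label in report.values())


def allowlist_delta(old_nets, new_nets):
    """Prefixes to add before the cutover and prefixes safe to remove after it is confirmed."""
    old, new = set(old_nets), set(new_nets)
    to_add = sorted(str(n) for n in new - old)
    to_remove = sorted(str(n) for n in old - new)
    return to_add, to_remove


if __name__ == "__main__":
    old_nets, new_nets = load_old_ranges(), load_new_ranges()
    add, remove = allowlist_delta(old_nets, new_nets)
    print("add to allowlist before cutover:", add)
    try:
        ips = resolve()
    except socket.gaierror as exc:
        print("DNS lookup failed (offline?):", exc)
        ips = []
    report = check_transition(ips, old_nets, new_nets)
    for ip, label in report.items():
        print(f"{ip}: {label}")
    print("safe to remove old ranges:", transition_complete(report), remove)
```

Run it from inside the restricted network, not from an admin workstation on a different path, since the point is to observe what that network's resolvers and firewall actually see; keep the old ranges in the allowlist until the report shows only "new" entries.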
Was there a dual-running period?
No, it was a direct cutover. You should add the new IP addresses to your networks’ allowlist before the transition date. Once the cutover occurs, ensure that your networks are accessing the Registry via the new IP addresses before removing the old IPs (Fastly IPs).
It is important to confirm access via the new IP addresses because DNS records get cached in many places across networks. When the cutover occurs, a network may not immediately see the IP address change. It can take some time for a network to retrieve the updated DNS record.
What happens if we do not add the new IPs?
If you are operating from behind a network with an IP-based allowlist and you do not add the new IP addresses, you will not be able to access the Registry after the changeover. You will not be able to download assets that live in the Registry, such as Terraform providers and modules.
If my company does not use IP addresses to restrict network traffic, do we need to do anything?
No, the CDN switch should be unnoticeable.