Introduction
Terraform Cloud Agents allow Terraform Cloud and Terraform Enterprise to communicate with isolated, private, or on-premise infrastructure. This is useful for on-premise infrastructure that you might have in a protected enclave.
There may be situations where you will need to add the Terraform Cloud IP Ranges to your networks' allow list.
Expected Outcome
Running the curl command below will provide you with the most up-to-date list of IP addresses when using the IP Ranges API.
Procedure
- On any workstation with access to a command line, run:
$ curl --request GET https://app.terraform.io/api/meta/ip-ranges | jq '.'
{
  "api": [
    "75.2.98.97/32",
    "99.83.150.238/32"
  ],
  "notifications": [
    "52.86.200.106/32",
    "52.86.201.227/32",
    "52.70.186.109/32",
    "44.236.246.186/32",
    "54.185.161.84/32",
    "44.238.78.236/32"
  ],
  "sentinel": [
    "52.86.200.106/32",
    "52.86.201.227/32",
    "52.70.186.109/32",
    "44.236.246.186/32",
    "54.185.161.84/32",
    "44.238.78.236/32"
  ],
  "vcs": [
    "52.86.200.106/32",
    "52.86.201.227/32",
    "52.70.186.109/32",
    "44.236.246.186/32",
    "54.185.161.84/32",
    "44.238.78.236/32"
  ]
}
jq is not required, but if used it will present the output in a formatted manner. (Alternatively, if Python is present, you can pipe the output to it for formatting, e.g. | python -m json.tool)
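An added example (not HashiCorp's code) of turning that response into a reviewable allow-list change: it validates each entry as an IPv4 CIDR, de-duplicates ranges shared between services, and diffs the result against what is currently allowed. The sample response is trimmed from the output above; CURRENT_ALLOW_LIST, MIN_PREFIX_LEN and the function names are assumptions made for illustration.

```python
import ipaddress
import json

# Response body trimmed from the sample output on this page (api + vcs only).
SAMPLE_RESPONSE = """{
  "api": ["75.2.98.97/32", "99.83.150.238/32"],
  "vcs": ["52.86.200.106/32", "52.86.201.227/32", "52.70.186.109/32"]
}"""

# Constructed example of what a firewall currently allows (hypothetical state).
CURRENT_ALLOW_LIST = {"75.2.98.97/32", "52.86.200.106/32", "198.51.100.7/32"}

MIN_PREFIX_LEN = 24  # assumption: anything broader than /24 needs human review


def parse_ranges(body, services):
    """Return validated, de-duplicated IPv4 CIDRs for the requested services."""
    data = json.loads(body)
    cidrs = set()
    for service in services:
        for entry in data.get(service, []):
            # Raises ValueError on anything that is not a clean IPv4 CIDR,
            # so a malformed response never reaches the firewall config.
            net = ipaddress.IPv4Network(entry, strict=True)
            if net.prefixlen < MIN_PREFIX_LEN:
                raise ValueError(f"{entry} in '{service}' is broader than /{MIN_PREFIX_LEN}")
            cidrs.add(str(net))
    return cidrs


def diff_allow_list(published, current):
    """Compare the published ranges with what is currently deployed."""
    return {
        "add": sorted(published - current),
        "remove": sorted(current - published),
    }


if __name__ == "__main__":
    published = parse_ranges(SAMPLE_RESPONSE, ["api", "vcs"])
    changes = diff_allow_list(published, CURRENT_ALLOW_LIST)
    for cidr in changes["add"]:
        print(f"ADD    {cidr}")
    for cidr in changes["remove"]:
        print(f"REMOVE {cidr}")
```

Entries listed under "remove" are allowed today but no longer published, so they are candidates for review rather than automatic deletion if the allow list also carries non-Terraform sources.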
Additional Information
- The IP addresses on the ephemeral GAP agent containers used for the Terraform Cloud plans and applies are not exposed on these API endpoints for security reasons. The API call returns the VCS, Sentinel, notifications and our incoming API IP ranges.
- In secure environments that require strict IP address limitations, or when using resources that need to communicate back to the GAP agent, it would be advantageous to add the IP address of the host that has the Terraform Cloud agents installed to the allow list so that the desired workloads can complete.
- If you experience issues using the methods described in this article, please contact HashiCorp Support to request further assistance.