Skip to content

elasticscale/terraform-aws-cloudflare-tunnel-fargate

Repository files navigation

Description

This is a very easy way to get cheap access to all resources in your VPC.

The exact costs depend on if you use Fargate Spot (default option) and the number of instances (and their size).

  • For 1 spot instance of the smallest type: 2.66 USD per month
  • For 3 spot instances of the smallest type: 8.00 USD per month

You can use spot instances just fine if the desired_count > 1.

The steps you need to take:

  1. Create a Cloudflare account (a free account will do)
  2. Setup a cloudflare domain and connect the nameservers and wait until it is verified. After deploying you can click on the domain and find the Account ID.
  3. Create a Zero Trust team account (the free account will do)
  4. Create a custom API token, with these permissions:
    • Account/Cloudflare Tunnel/Edit
    • Account/Zero Trust/Edit
    • Zone/Zone/Read
  5. Deploy this module

These are one time steps and only need to be executed one time in a Zero Trust account:

  1. Go to Zero Trust settings > WARP client > Device enrollment permissions and add a rule, for instance you can auth to Warp if your email ends at elasticscale.com
  2. Go to Zero Trust settings > WARP Client > Edit the default profile, go the Split Tunnels section and click Manage, remove the CIDR block 10.0.0.0/8 (or if your VPC has another CIDR block that overlaps with one here, remove that one)
  3. Install the WARP client, then go to preferences, Account and click Login to Cloudflare Zero trust

After you connect to the WARP agent and whitelist the security group of this module to the instances you want to connect to, you should be able to connect to the instances via their private IPs.

You can also use this module to give Zero Trust access to internal load balancers or other services. You need to then set the ingress rules and add a CNAME to the Cloudflare domain.

For more debugging steps check out the elasticscale blog.

About ElasticScale

Discover ES Foundation, the smart digital infrastructure for SaaS companies that want to grow and thrive.

Check out our website for more information.

ElasticScale banner

Requirements

Name Version
aws >=5.0.0
cloudflare >=4.0.0

Providers

Name Version
aws >=5.0.0
cloudflare >=4.0.0
random n/a

Modules

No modules.

Resources

Name Type
aws_cloudwatch_log_group.logs resource
aws_ecs_cluster.main resource
aws_ecs_cluster_capacity_providers.main resource
aws_ecs_service.main resource
aws_ecs_task_definition.main resource
aws_iam_role.executionrole resource
aws_iam_role_policy_attachment.ecs_task_execution_role resource
aws_security_group.tunnel resource
aws_ssm_parameter.tunneltoken resource
cloudflare_tunnel.tunnel resource
cloudflare_tunnel_config.config resource
cloudflare_tunnel_route.route resource
random_password.tunnel_secret resource
random_string.suffix resource
aws_caller_identity.current data source
aws_region.current data source
aws_vpc.vpc data source
cloudflare_zone.zone data source

Inputs

Name Description Type Default Required
cloudflare_account_id Cloudflare account ID string n/a yes
cloudflare_version Cloudflare version to use, defaults to latest but best to pick a docker tag version to prevent issues string "latest" no
cloudflare_zone Domain name (NS must be connected and verified in Cloudflare) string n/a yes
cpu CPU units to allocate to each instance, defaults to 256, needs to be within Fargate configuration limits number 256 no
desired_count Number of instances to run initially, choose 3 or more for high availability across AZs number 3 no
fargate_type Use spot instances or regular instances (FARGATE_SPOT or FARGATE), SPOT is much cheaper and does not really affect availability in this case string "FARGATE_SPOT" no
ingress_rules List of ingress rules to allow traffic to (see cloudflare_tunnel_config docs, access_block not supported right now)
list(object({
hostname = optional(string)
path = optional(string)
service = string
}))
[
{
"service": "http_status:404"
}
]
no
memory Memory units to allocate to each instance, defaults to 512, needs to be within Fargate configuration limits number 512 no
prefix Prefix to add to all resources string "cf-tunnel" no
private_subnets List of private subnets to launch the Cloudflare instances in (must be same VPC under VPC ID) list(string) n/a yes
vpc_id VPC ID string n/a yes

Outputs

Name Description
security_group_id The ID of the security group
tunnel_cname The CNAME of the Cloudflare Tunnel (you can add this as a CNAME in the DNS settings to route traffic to the tunnel, which will be processed by the rules)
tunnel_id The ID of the Cloudflare Tunnel

About

A module that sets up a tunnel for private access via Cloudflare

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages