Show HN: Azure IP ranges Terraform module

A Terraform/OpenTofu module that provides all IP address ranges used by Azure services. The data is automatically updated nightly from Microsoft's official ServiceTags JSON.

  • Comprehensive IP ranges: Access all Azure service IP addresses (IPv4 and IPv6)
  • Service-specific filtering: Get IP ranges for specific Azure services by ID
  • IP version filtering: Filter by IPv4 only, IPv6 only, or both
  • Automatic updates: Data is updated nightly via GitHub Actions
  • No external dependencies: All data is pre-generated and stored as YAML files

    module "azure_ip_ranges" {
      # Use either main or a specific version tag which is updated by e.g. Renovate bot
      source = "git::https://github.com/aeimer/terraform-azure-ip-ranges.git?ref=main"
    }

    output "all_azure_ips" {
      value = module.azure_ip_ranges.all_prefixes
    }

    output "ipv4_only" {
      value = module.azure_ip_ranges.all_ipv4_prefixes
    }

    output "ipv6_only" {
      value = module.azure_ip_ranges.all_ipv6_prefixes
    }

Get IP Ranges for a Specific Service

    module "azure_ip_ranges" {
      # Use either main or a specific version tag which is updated by e.g. Renovate bot
      source = "git::https://github.com/aeimer/terraform-azure-ip-ranges.git?ref=main"
    }

    locals {
      azure_portal = module.azure_ip_ranges.services["AzurePortal"]
    }

    output "azure_portal_ipv4" {
      value = local.azure_portal.address_prefixes.ipv4
    }

    output "azure_portal_ipv6" {
      value = local.azure_portal.address_prefixes.ipv6
    }

Get Regional Service IP Ranges

    module "azure_ip_ranges" {
      # Use either main or a specific version tag which is updated by e.g. Renovate bot
      source = "git::https://github.com/aeimer/terraform-azure-ip-ranges.git?ref=main"
    }

    # Regional services use the format: ServiceName.RegionName
    locals {
      sweden_portal = module.azure_ip_ranges.services["AzurePortal.SwedenCentral"]
    }

    output "sweden_portal_ips" {
      value = local.sweden_portal.address_prefixes.all
    }

List All Available Services

    module "azure_ip_ranges" {
      # Use either main or a specific version tag which is updated by e.g. Renovate bot
      source = "git::https://github.com/aeimer/terraform-azure-ip-ranges.git?ref=main"
    }

    output "all_service_ids" {
      value = module.azure_ip_ranges.service_ids
    }

    output "azure_portal_services" {
      value = [
        for id in module.azure_ip_ranges.service_ids : id
        if length(regexall("^AzurePortal", id)) > 0
      ]
    }

Name               Description
metadata           Metadata about the ServiceTags data (change number, cloud, service count, generated date)
all_prefixes       All IP address prefixes from all Azure services (both IPv4 and IPv6)
all_ipv4_prefixes  All IPv4 address prefixes from all Azure services
all_ipv6_prefixes  All IPv6 address prefixes from all Azure services
services           Map of all services by ID with their metadata and address prefixes
service_ids        Sorted list of all available Azure service IDs
prefix_counts      Count of IP prefixes by type (total, ipv4, ipv6)

Each service in the services output has the following structure:

    {
      id   = "AzurePortal"
      name = "AzurePortal"
      metadata = {
        change_number        = 53
        region               = ""
        platform             = "Azure"
        system_service       = "AzurePortal"
        network_features     = ["API", "NSG", "UDR", "FW"]
        global_change_number = 373
        cloud                = "Public"
      }
      address_prefixes = {
        all  = ["4.145.74.52/30", "2603:1000:4::10c/126", ...]
        ipv4 = ["4.145.74.52/30", ...]
        ipv6 = ["2603:1000:4::10c/126", ...]
        counts = {
          total = 324
          ipv4  = 200
          ipv6  = 124
        }
      }
    }

See the examples directory for complete examples.

  1. Data Source: Microsoft publishes ServiceTags JSON at https://www.microsoft.com/en-us/download/details.aspx?id=56519
  2. Nightly Updates: A GitHub Action runs every night at 2:00 AM UTC
  3. YAML Generation: A Go script converts the JSON into individual YAML files per service
  4. Terraform Module: The module reads these YAML files and provides structured outputs

The module data is automatically updated through GitHub Actions:

  • Schedule: Runs nightly at 2:00 AM UTC
  • Process:
    1. Scrapes the Microsoft download page for the latest JSON URL
    2. Downloads and validates the new ServiceTags JSON
    3. Compares change numbers with the current version
    4. If changes detected, regenerates all YAML files
    5. Commits changes directly to the main branch
  • Manual Trigger: You can manually trigger the workflow from the Actions tab
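
The validate-and-compare steps of the update process, sketched as an added example (this is not the project's generator code). The helper name `checkUpdate`, the rejection rules (unparsable, `/0`, or empty prefix lists) and the sample document are assumptions made for illustration; the JSON field names follow Microsoft's ServiceTags layout.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
)

// serviceTags is the subset of the ServiceTags JSON layout this check reads.
type serviceTags struct {
	ChangeNumber int `json:"changeNumber"`
	Values       []struct {
		ID         string `json:"id"`
		Properties struct {
			AddressPrefixes []string `json:"addressPrefixes"`
		} `json:"properties"`
	} `json:"values"`
}

// sampleJSON is constructed sample input, not real published data.
const sampleJSON = `{"changeNumber":374,"values":[{"id":"AzurePortal","properties":{"addressPrefixes":["4.145.74.52/30","2603:1000:4::10c/126"]}}]}`

// checkUpdate (hypothetical helper) validates every prefix, counts them, and reports whether the document is newer.
func checkUpdate(raw []byte, currentChange int) (newer bool, v4, v6 int, err error) {
	var doc serviceTags
	if err = json.Unmarshal(raw, &doc); err != nil {
		return false, 0, 0, fmt.Errorf("malformed JSON: %w", err)
	}
	for _, svc := range doc.Values {
		for _, s := range svc.Properties.AddressPrefixes {
			p, perr := netip.ParsePrefix(s)
			if perr != nil || p.Bits() == 0 { // assumed rule: no unparsable or catch-all (/0) prefixes
				return false, 0, 0, fmt.Errorf("%s: rejected prefix %q", svc.ID, s)
			}
			if p.Addr().Is4() {
				v4++
			} else {
				v6++
			}
		}
	}
	if v4+v6 == 0 {
		return false, 0, 0, fmt.Errorf("document contains no prefixes")
	}
	return doc.ChangeNumber > currentChange, v4, v6, nil
}

func main() {
	fmt.Println(checkUpdate([]byte(sampleJSON), 373))
}
```

Failing closed on a bad prefix matters here because the generated lists typically end up in firewall and NSG allow rules, and the workflow commits straight to the main branch.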

    # Build the Go generator
    cd generate
    go build -o generator .

Contributions are welcome! Please open an issue or submit a pull request.

Alexander Eimer (@aeimer)
