cloudflare · jacobbednarz · Jan 27, 2021 · Jan 26, 2021 · Jan 26, 2021 · Jan 27, 2021
@@ -3,6 +3,7 @@ package cloudflare
 import (
 	"fmt"
 	"log"
+	"net"
 	"strings"
 
 	cloudflare "github.com/cloudflare/cloudflare-go"
@@ -41,6 +42,7 @@ func resourceCloudflareAccessRule() *schema.Resource {
 				Required:         true,
 				ForceNew:         true,
 				DiffSuppressFunc: configurationDiffSuppress,
+				ValidateFunc:     validateAccessRuleConfiguration,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"target": {
@@ -258,3 +260,47 @@ func configurationDiffSuppress(k, old, new string, d *schema.ResourceData) bool
 
 	return false
 }
+
+func validateAccessRuleConfiguration(v interface{}, k string) (warnings []string, errors []error) {
+	config := v.(map[string]interface{})
+
+	target := config["target"].(string)
+	value := config["value"].(string)
+
+	switch target {
+	case "ip_range":
+		return validateAccessRuleConfigurationIPRange(value)
+	default:
+	}
+
+	return warnings, errors
+}
+
+func validateAccessRuleConfigurationIPRange(v string) (warnings []string, errors []error) {
+	ip, ipNet, err := net.ParseCIDR(v)
+	if err != nil {
+		errors = append(errors, fmt.Errorf("failed to parse value as CIDR: %v", err))
+		return warnings, errors
+	}
+
+	if ipNet == nil {
+		errors = append(errors, fmt.Errorf("ip_range must hold a range"))
+		return warnings, errors
+	}
+
+	if ip.To4() != nil {
+		ones, _ := ipNet.Mask.Size()
+		if ones != 16 && ones != 24 {
+			errors = append(errors, fmt.Errorf("ip_range with ipv4 address must be a /16 or /24, got a /%d", ones))
+			return warnings, errors
+		}
+	} else {
+		ones, _ := ipNet.Mask.Size()
+		if ones != 32 && ones != 48 && ones != 64 {
+			errors = append(errors, fmt.Errorf("ip_range with ipv6 address must be in (/32, /48, /64), instead got a /%d", ones))
+			return warnings, errors
+		}
+	}
+
+	return warnings, errors
+}
@@ -2,6 +2,7 @@ package cloudflare
 
 import (
 	"fmt"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/resource"
@@ -27,6 +28,29 @@ func TestAccAccessRuleASN(t *testing.T) {
 	})
 }
 
+func TestAccAccessRuleIPRange(t *testing.T) {
+	name := "cloudflare_access_rule.test"
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:  func() { testAccPreCheck(t) },
+		Providers: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config:      testAccessRuleAccountConfig("challenge", "this is notes", "ip_range", "104.16.0.0/20"),
+				ExpectError: regexp.MustCompile("ip_range with ipv4 address must be a /16 or /24, got a /20"),
+			}, {
+				Config: testAccessRuleAccountConfig("challenge", "this is notes", "ip_range", "104.16.0.0/24"),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(name, "notes", "this is notes"),
+					resource.TestCheckResourceAttr(name, "mode", "challenge"),
+					resource.TestCheckResourceAttr(name, "configuration.target", "ip_range"),
+					resource.TestCheckResourceAttr(name, "configuration.value", "104.16.0.0/24"),
+				),
+			},
+		},
+	})
+}
+
 func testAccessRuleAccountConfig(mode, notes, target, value string) string {
 	return fmt.Sprintf(`
 resource "cloudflare_access_rule" "test" {
@@ -38,3 +62,29 @@ resource "cloudflare_access_rule" "test" {
   }
 }`, mode, notes, target, value)
 }
+
+func TestValidateAccessRuleConfigurationIPRange(t *testing.T) {
+	ipRangeValid := map[string]bool{
+		"192.168.0.1/32":           false,
+		"192.168.0.1/24":           true,
+		"192.168.0.1/64":           false,
+		"192.168.0.1/31":           false,
+		"192.168.0.1/16":           true,
+		"fd82:0f75:cf0d:d7b3::/64": true,
+		"fd82:0f75:cf0d:d7b3::/48": true,
+		"fd82:0f75:cf0d:d7b3::/32": true,
+		"fd82:0f75:cf0d:d7b3::/63": false,
+		"fd82:0f75:cf0d:d7b3::/16": false,
+	}
+
+	for ipRange, valid := range ipRangeValid {
+		warnings, errors := validateAccessRuleConfigurationIPRange(ipRange)
+		isValid := len(errors) == 0
+		if len(warnings) != 0 {
+			t.Fatalf("ipRange is either invalid or valid, no room for warnings")
+		}
+		if isValid != valid {
+			t.Fatalf("%s resulted in %v, expected %v", ipRange, isValid, valid)
+		}
+	}
+}