I am trying to create an expression that would create a network firewall rule in Cloudflare Gateway. I cannot find the expression builder in the dashboard as the documentation suggests, and hence I did a lot of trial and error but was unable to succeed.
Now I am using two lists: one that contains an IP CIDR range and another that contains user emails.
I am trying to build an expression that checks for the ip.dst in the IP range and also if the email is "not" in the user email list.
After multiple rounds of trial and error I have created the following expression:
expression = <<-EOT
ip.dst in {${join(", ", cloudflare_teams_list.cidr_list.items)}} and
not(
${join(" or ", [
for email in cloudflare_teams_list.user_list.items : "http.request.uri.query contains 'email=${email}'"
])}
)
EOT
This gives me the following expression when I run terraform plan:
expression = <<-EOT
ip.dst in {x.x.x.x/12} and
not(
http.request.uri.query contains '[email protected]' or http.request.uri.query contains '[email protected]' or http.request.uri.query contains '[email protected]'
)
EOT
This means that my variables all work, but when I run terraform apply and answer yes I get the following errors:
1. ip.dst is an unknown identifier
2. invalid digit found in string while parsing with radix 16 - for the email
I referred to the documentation here (Fields reference · Cloudflare Ruleset Engine docs), which says that ip.dst is not available in the standard fields.
Can anyone please help me build a correct expression, since I really don't want to manage the network firewall rules in Gateway manually?
Let me know if any other information is missing or required to help debug.
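Added example (not from the original post, and not Cloudflare's own code): a Gateway network policy written with the cloudflare_teams_rule resource, referencing the two lists from the question by id rather than interpolating their items into the expression. It assumes the lists exist as cloudflare_teams_list.cidr_list (type "IP") and cloudflare_teams_list.user_list (type "EMAIL"), that the account id is supplied through a hypothetical var.account_id, and that the Gateway network-policy selectors net.dst.ip and identity.email are used, which are Gateway's own selectors rather than the Ruleset Engine fields linked above.

```hcl
# Added example, not part of the original post. Assumes the two Gateway lists
# from the question exist as cloudflare_teams_list.cidr_list (type "IP") and
# cloudflare_teams_list.user_list (type "EMAIL"), and that var.account_id is
# defined (hypothetical variable name).

resource "cloudflare_teams_rule" "block_range_except_listed_users" {
  account_id  = var.account_id
  name        = "Block destination range except allowed users"
  description = "Deny L4 traffic to the listed CIDRs unless the user is on the email allow list"
  precedence  = 100
  enabled     = true
  action      = "block"
  filters     = ["l4"] # network policy, not an HTTP or DNS policy

  # Gateway network policies use the selector net.dst.ip for the destination
  # address; a Gateway list is referenced by its id with a leading "$".
  # format() keeps the "$" literal: "${" would start a Terraform interpolation
  # and "$${" is the escape that produces a literal "${" with no substitution.
  traffic = format("net.dst.ip in $%s", cloudflare_teams_list.cidr_list.id)

  # The user-email condition belongs in the identity argument, matched with the
  # identity.email selector instead of searching the request query string.
  identity = format("not(identity.email in $%s)", cloudflare_teams_list.user_list.id)
}
```

Running terraform plan shows both strings with the list UUIDs substituted after the "$". Keeping the email check in identity and the address check in traffic also means the rule evaluates the authenticated identity rather than a query-string value the client controls.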