A Terraform provider that exposes a single provider-defined function, cidrsubtract, which computes the minimal set of CIDR blocks covering a base range minus a list of excluded ranges.
Useful for security group rules, ALB listener conditions, or network ACLs where you need to allow traffic from a network range while excluding specific subnets.
- No configuration, no state, no API calls — just a pure function
- Deterministic, sorted output for stable Terraform plans
- Handles overlapping and duplicate excludes gracefully
- Requires Terraform >= 1.8 (provider-defined function support)
```hcl
terraform {
  required_version = ">= 1.8.0"
  required_providers {
    cidrsubtract = {
      source = "danifr/cidrsubtract"
    }
  }
}

provider "cidrsubtract" {}

locals {
  allowed_cidrs = provider::cidrsubtract::cidrsubtract(
    "10.0.0.0/16",
    [
      "10.0.10.0/24",
      "10.0.11.0/24",
    ]
  )
}
```

```
cidrsubtract(base string, excludes list(string)) list(string)
```
Arguments:

- `base` — Base CIDR block (e.g. `"10.0.0.0/16"`). Must be valid CIDR notation with no host bits set.
- `excludes` — List of CIDR blocks to exclude. Each must be valid CIDR notation, no host bits set, and fully contained within the base.

Returns: Minimal list of CIDR blocks covering the base minus the excludes, sorted by network address.
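To show how the function's contract (minimal covering set, sorted output, tolerant of overlapping and duplicate excludes) can be met, here is an added Go example that is not the provider's own code: it recursively splits the base until each half is either untouched by every exclude or fully covered by one. The function names and the input checks are my own; only `net/netip` from the standard library is used.

```go
package main

import (
	"fmt"
	"net/netip"
)

// subtract keeps p whole if no exclude touches it, drops it if an exclude covers
// it, and otherwise recurses into both halves; duplicate or overlapping excludes
// are just extra tests, and emitting lo before hi keeps the output sorted.
func subtract(p netip.Prefix, excludes []netip.Prefix) []netip.Prefix {
	touched := false
	for _, e := range excludes {
		if e.Bits() <= p.Bits() && e.Contains(p.Addr()) {
			return nil // e equals p or is a supernet of p
		}
		touched = touched || p.Contains(e.Addr()) // e lies strictly inside p
	}
	if !touched {
		return []netip.Prefix{p}
	}
	// Split p into lo (p's address) and hi (new bit set); AsSlice is 4 or 16 bytes.
	bits := p.Bits() + 1
	b := p.Addr().AsSlice()
	b[(bits-1)/8] |= 0x80 >> ((bits - 1) % 8)
	hi, _ := netip.AddrFromSlice(b)
	return append(subtract(netip.PrefixFrom(p.Addr(), bits), excludes),
		subtract(netip.PrefixFrom(hi, bits), excludes)...)
}

// CidrSubtract enforces the README's rules (valid CIDR, no host bits, every
// exclude inside the base) and returns the minimal covering set as strings.
func CidrSubtract(base string, excludes []string) ([]string, error) {
	var ps []netip.Prefix // ps[0] is the base, the rest are the excludes
	for _, s := range append([]string{base}, excludes...) {
		p, err := netip.ParsePrefix(s)
		if err != nil || p.Masked().Addr() != p.Addr() {
			return nil, fmt.Errorf("%s: invalid CIDR or host bits set", s)
		}
		if len(ps) > 0 && (p.Bits() < ps[0].Bits() || !ps[0].Contains(p.Addr())) {
			return nil, fmt.Errorf("exclude %s is not within base %s", s, base)
		}
		ps = append(ps, p)
	}
	out := []string{}
	for _, p := range subtract(ps[0], ps[1:]) {
		out = append(out, p.String())
	}
	return out, nil
}
```

The same recursion works unchanged for IPv6 prefixes, since the split only sets one more bit of the address bytes.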
```shell
go build -o terraform-provider-cidrsubtract
```

Add a dev override to `~/.terraformrc`:

```hcl
provider_installation {
  dev_overrides {
    "danifr/cidrsubtract" = "/path/to/terraform-provider-cidrsubtract"
  }
  direct {}
}
```

Then run `terraform plan` in any configuration that uses the provider — no `terraform init` needed.
MPL-2.0