Source Cloudflare IP ranges directly and automatically

manifests/haproxy/service.pp

@@ -212,28 +212,6 @@
 
   }
 
-  if $cloudflare_protected {
-    file { '/etc/haproxy/cloudflare-ipv4.txt':
-      content => @(EOT)
-        173.245.48.0/20
-        103.21.244.0/22
-        103.22.200.0/22
-        103.31.4.0/22
-        141.101.64.0/18
-        108.162.192.0/18
-        190.93.240.0/20
-        188.114.96.0/20
-        197.234.240.0/22
-        198.41.128.0/17
-        162.158.0.0/15
-        104.16.0.0/13
-        104.24.0.0/14
-        172.64.0.0/13
-        131.0.72.0/22
-      |EOT
-    }
-  }
-
   if $cert_source {
     file { "/etc/ssl/private/${service}":
       ensure  => 'directory',

manifests/profile/haproxy.pp

@@ -37,6 +37,10 @@
       content => $global_badrobots;
   }
 
+  file { '/etc/haproxy/cloudflare-ipv4.txt':
+    source => 'https://www.cloudflare.com/ips-v4',
+  }
+
   file { '/etc/ssl/private' :
     ensure => 'directory',
     mode   => '0700',

spec/classes/profile/haproxy_spec.rb

@@ -149,6 +149,13 @@
         end
       end
 
+      describe 'Cloudflare proxy IP ranges' do
+        it 'saves Cloudflare trusted ranges in /etc/haproxy' do
+          expect(subject).to contain_file('/etc/haproxy/cloudflare-ipv4.txt')
+            .with_source('https://www.cloudflare.com/ips-v4')
+        end
+      end
+
       describe 'global_badrobots.txt file' do
         it 'lists ips to block' do
           expect(subject).to contain_file('/etc/haproxy/global_badrobots.txt').with_content("1.2.3.0/24\n5.6.7.8\n")

spec/defines/haproxy_service_spec.rb

@@ -323,8 +323,6 @@
         context 'with the cloudflare_protected setting' do
           let(:params) { super().merge(cloudflare_protected: true) }
 
-          it { is_expected.to contain_file('/etc/haproxy/cloudflare-ipv4.txt') }
-
           it do
             expect(subject).to contain_concat_fragment('svc1-dc1-http frontend').with(
               target: service_config,