update

CHANGELOG.md

@@ -10,3 +10,7 @@
     - add default route table (main)
   - vpn
     - add bgp_asn to output
+
+* v1.0.2 -- 20210505
+  - add nacls, nacls-rules
+  - move variables into more common things and make links

common/defaults.tf

@@ -17,6 +17,31 @@ locals {
     "ses" = {
       "event_types" = ["bounce", "delivery", "complaint"]
     }
+    #---
+    #   description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
+    #   type        = map(tuple([number, number, bool, string, string, string]))
+    #---
+    "nacl_all_rules" = {
+      # basic outbounds
+      ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
+      all_outbound       = [0, 0, true, "all", "allow", "all-outbound"]
+
+      # basic inbounds
+      all_inbound   = [0, 0, false, "all", "allow", "all-inbound"]
+      http_inbound  = [80, 80, false, "tcp", "allow", "http-inbound"]
+      https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
+      ssh_inbound   = [22, 22, false, "tcp", "allow", "https-inbound"]
+    }
+    #---
+    # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
+    #---
+    "nacl_all_cidr_blocks" = {
+      "all"        = ["0.0.0.0/0"]
+      "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+      "vpc"        = []
+      "endpoints"  = []
+      "additional" = []
+      "peers"      = []
+    }
   }
 }
-

common/variables.common.availability_zones.tf

@@ -0,0 +1,5 @@
+variable "availability_zones" {
+  description = "AWS Availability Zones to use (by default will use all available)"
+  type        = list(string)
+  default     = []
+}

common/variables.common.subnets.tf

@@ -0,0 +1,21 @@
+variable "public_subnets_ids" {
+  description = "List of public subnet objects including: subnet, label, availability_zone, id"
+  type = list(object({
+    subnet            = string
+    label             = string
+    availability_zone = string
+    id                = string
+  }))
+  default = []
+}
+
+variable "private_subnets_ids" {
+  description = "List of private subnet objects including: subnet, label, availability_zone, id"
+  type = list(object({
+    subnet            = string
+    label             = string
+    availability_zone = string
+    id                = string
+  }))
+  default = []
+}

common/version.tf

@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.0.1"
+  _module_version = "1.0.2"
 }

nacl-rules/README.md

@@ -0,0 +1,79 @@
+# About aws-vpc-setup :: nacl-rules
+
+This submodule creates network access control lists rules (nacls).  The submodule nacls sets up the network
+acl and should be called first.
+
+# Usage
+
+```hcl
+module "nacl-rules" {
+  source            = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+  network_acl_id    = module.nacls.private_network_acl
+
+  rule_description  = "Enterprise plus VPC"
+  rule_definitions  = {}
+  named_cidr_blocks = [ "enterprise", "vpc", "other" ]
+  merge_cidr_blocks = {
+    "vpc" = var.vpc_cidr
+    "other" = []
+  }
+  rules             = [ "all_inbound", "all_outbound" ]
+  rule_number       = 1000
+  rule_increment    = 10
+
+  tags = {}         =
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | List of CIDR blocks for selected rules | `list(string)` | `[]` | no |
+| <a name="input_merge_cidr_blocks"></a> [merge\_cidr\_blocks](#input\_merge\_cidr\_blocks) | Map of names to list of CIDR blocks | `map(list(string))` | `{}` | no |
+| <a name="input_named_cidr_blocks"></a> [named\_cidr\_blocks](#input\_named\_cidr\_blocks) | List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...) | `list(string)` | `[]` | no |
+| <a name="input_network_acl_id"></a> [network\_acl\_id](#input\_network\_acl\_id) | Network ACL ID to which to apply the rules | `string` | n/a | yes |
+| <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| <a name="input_rule_definitions"></a> [rule\_definitions](#input\_rule\_definitions) | Map of rule port/proto definitions (default uses built-in all\_rules) | `map(tuple([number, number, bool, string, string, string]))` | `{}` | no |
+| <a name="input_rule_description"></a> [rule\_description](#input\_rule\_description) | Text describing purpose of rule set | `string` | `""` | no |
+| <a name="input_rule_increment"></a> [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `10` | no |
+| <a name="input_rule_number"></a> [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
+| <a name="input_rules"></a> [rules](#input\_rules) | Selected rule definitions from rule\_definitions or all\_rules (default: null) | `list(string)` | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `""` | no |
+| <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| <a name="input_vpc_full_name"></a> [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| <a name="input_vpc_index"></a> [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| <a name="input_vpc_name"></a> [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| <a name="input_vpc_short_name"></a> [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_nacl_rules_info"></a> [nacl\_rules\_info](#output\_nacl\_rules\_info) | Information about NACL Rules |