diff --git a/CHANGELOG.md b/CHANGELOG.md
index a53a270..2992886 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,3 +10,7 @@
- add default route table (main)
- vpn
- add bgp_asn to output
+
+* v1.0.2 -- 20210505
+ - add nacls, nacls-rules
+ - move variables into more common things and make links
diff --git a/common/defaults.tf b/common/defaults.tf
index 8d1ef16..9f6ec12 100644
--- a/common/defaults.tf
+++ b/common/defaults.tf
@@ -17,6 +17,31 @@ locals {
"ses" = {
"event_types" = ["bounce", "delivery", "complaint"]
}
+ #---
+ # description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
+ # type = map(tuple([number, number, bool, string, string, string]))
+ #---
+ "nacl_all_rules" = {
+ # basic outbounds
+ ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
+ all_outbound = [0, 0, true, "all", "allow", "all-outbound"]
+
+ # basic inbounds
+ all_inbound = [0, 0, false, "all", "allow", "all-inbound"]
+ http_inbound = [80, 80, false, "tcp", "allow", "http-inbound"]
+ https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
+ ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"]
+ }
+ #---
+ # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
+ #---
+ "nacl_all_cidr_blocks" = {
+ "all" = ["0.0.0.0/0"]
+ "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+ "vpc" = []
+ "endpoints" = []
+ "additional" = []
+ "peers" = []
+ }
}
}
-
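Review bot: The `ssh_inbound` entry's description field reads `"https-inbound"`, a copy-paste carry-over from the line above; the rule opens TCP/22, so the field should read `ssh_inbound = [22, 22, false, "tcp", "allow", "ssh-inbound"]`. A port-22 allow rule whose description says HTTPS is exactly the kind of mislabel that misleads a later audit of the NACL. The same text exists in the old commented copy being removed from nacl-rules/main.tf, so the fix is only needed here.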
diff --git a/common/variables.common.availability_zones.tf b/common/variables.common.availability_zones.tf
new file mode 100644
index 0000000..3e17e57
--- /dev/null
+++ b/common/variables.common.availability_zones.tf
@@ -0,0 +1,5 @@
+variable "availability_zones" {
+ description = "AWS Availability Zones to use (by default will use all available)"
+ type = list(string)
+ default = []
+}
diff --git a/common/variables.common.subnets.tf b/common/variables.common.subnets.tf
new file mode 100644
index 0000000..ab8544e
--- /dev/null
+++ b/common/variables.common.subnets.tf
@@ -0,0 +1,21 @@
+variable "public_subnets_ids" {
+ description = "List of public subnet objects including: subnet, label, availability_zone, id"
+ type = list(object({
+ subnet = string
+ label = string
+ availability_zone = string
+ id = string
+ }))
+ default = []
+}
+
+variable "private_subnets_ids" {
+ description = "List of private subnet objects including: subnet, label, availability_zone, id"
+ type = list(object({
+ subnet = string
+ label = string
+ availability_zone = string
+ id = string
+ }))
+ default = []
+}
diff --git a/security-groups/variables.tf b/common/variables.common.vpc_id.tf
similarity index 100%
rename from security-groups/variables.tf
rename to common/variables.common.vpc_id.tf
diff --git a/common/version.tf b/common/version.tf
index 374ba43..02c6357 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
locals {
- _module_version = "1.0.1"
+ _module_version = "1.0.2"
}
diff --git a/nacl-rules/README.md b/nacl-rules/README.md
new file mode 100644
index 0000000..1980a00
--- /dev/null
+++ b/nacl-rules/README.md
@@ -0,0 +1,79 @@
+# About aws-vpc-setup :: nacl-rules
+
+This submodule creates network access control lists rules (nacls). The submodule nacls sets up the network
+acl and should be called first.
+
+# Usage
+
+```hcl
+module "nacl-rules" {
+ source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+ network_acl_id = module.nacls.private_network_acl
+
+ rule_description = "Enterprise plus VPC"
+ rule_definitions = {}
+ named_cidr_blocks = [ "enterprise", "vpc", "other" ]
+ merge_cidr_blocks = {
+ "vpc" = var.vpc_cidr
+ "other" = []
+ }
+ rules = [ "all_inbound", "all_outbound" ]
+ rule_number = 1000
+ rule_increment = 10
+
+ tags = {} =
+}
+```
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
+| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
+| [cidr\_blocks](#input\_cidr\_blocks) | List of CIDR blocks for selected rules | `list(string)` | `[]` | no |
+| [merge\_cidr\_blocks](#input\_merge\_cidr\_blocks) | Map of names to list of CIDR blocks | `map(list(string))` | `{}` | no |
+| [named\_cidr\_blocks](#input\_named\_cidr\_blocks) | List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...) | `list(string)` | `[]` | no |
+| [network\_acl\_id](#input\_network\_acl\_id) | Network ACL ID to which to apply the rules | `string` | n/a | yes |
+| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
+| [rule\_definitions](#input\_rule\_definitions) | Map of rule port/proto definitions (default uses built-in all\_rules) | `map(tuple([number, number, bool, string, string, string]))` | `{}` | no |
+| [rule\_description](#input\_rule\_description) | Text describing purpose of rule set | `string` | `""` | no |
+| [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `10` | no |
+| [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
+| [rules](#input\_rules) | Selected rule definitions from rule\_definitions or all\_rules (default: null) | `list(string)` | `[]` | no |
+| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
+| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `""` | no |
+| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
+| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no |
+| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |
+| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no |
+| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no |
+| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [nacl\_rules\_info](#output\_nacl\_rules\_info) | Information about NACL Rules |
diff --git a/nacl-rules/main.tf b/nacl-rules/main.tf
index 3434655..dbccffb 100644
--- a/nacl-rules/main.tf
+++ b/nacl-rules/main.tf
@@ -8,15 +8,23 @@
*
* ```hcl
* module "nacl-rules" {
-* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
-* vpc_id = var.vpc_id
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+* network_acl_id = module.nacls.private_network_acl
*
-* vpc_name = var.vpc_name
-* vpc_short_name = var.vpc_short_name
-* vpc_full_name = var.vpc_full_name
-*
-* tags = {}
+* rule_description = "Enterprise plus VPC"
+* rule_definitions = {}
+* named_cidr_blocks = [ "enterprise", "vpc", "other" ]
+* merge_cidr_blocks = {
+* "vpc" = var.vpc_cidr
+* "other" = []
+* }
+* rules = [ "all_inbound", "all_outbound" ]
+* rule_number = 1000
+* rule_increment = 10
+*
+* tags = {} =
* }
+* ```
*/
locals {
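Review bot: The usage example carries a stray trailing `=` on `tags = {} =`, which does not parse if a reader pastes it; the line should be `tags = {}`. The same typo is in the nacl-rules/README.md added by this commit. The example also reads `module.nacls.private_network_acl`, while nacls/outputs.tf in this commit names that output `private_network_acl_id`; the two should agree.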
@@ -27,200 +35,65 @@ locals {
"boc:tf_module_version" = local._module_version
"boc:created_by" = "terraform"
}
-
- # availability_zones = length(var.availability_zones) != 0 ? var.availability_zones : data.aws_availability_zones.zones.names
- # az_count = length(local.availability_zones)
- # az_count_list = range(local.az_count)
- # az_list = toset(local.availability_zones)
- # empty = toset([])
}
-## locals {
-## private_all = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block)))
-## private_all_start = 1000
-## # endpoint = ["52.216.0.0/15", "54.231.0.0/17"]
-## endpoint = []
-## endpoint_start = 2000
-## public_nat = "0.0.0.0/0"
-## public_nat_start = 3000
-## public_nat_ports = [80, 443]
-## }
-##
-## # IN
-## resource "aws_network_acl_rule" "in_private_all" {
-## count = length(local.private_all)
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.private_all_start + count.index * 10
-## egress = false
-## protocol = "all"
-## rule_action = "allow"
-## from_port = 0
-## to_port = 0
-## cidr_block = local.private_all[count.index]
-## }
-##
-## resource "aws_network_acl_rule" "in_endpoint" {
-## count = length(local.endpoint)
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.endpoint_start + count.index * 10
-## egress = false
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = 1024
-## to_port = 65535
-## cidr_block = local.endpoint[count.index]
-## }
-##
-## resource "aws_network_acl_rule" "in_private_nat" {
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.public_nat_start
-## egress = false
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = 1024
-## to_port = 65535
-## cidr_block = local.public_nat
-## }
-##
-## # OUT
-## resource "aws_network_acl_rule" "out_private_all" {
-## count = length(local.private_all)
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.private_all_start + count.index * 10
-## egress = true
-## protocol = "all"
-## rule_action = "allow"
-## from_port = 0
-## to_port = 0
-## cidr_block = local.private_all[count.index]
-## }
-##
-## resource "aws_network_acl_rule" "out_endpoint" {
-## count = length(local.endpoint)
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.endpoint_start + count.index * 10
-## egress = true
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = 443
-## to_port = 443
-## cidr_block = local.endpoint[count.index]
-## }
-##
-## resource "aws_network_acl_rule" "out_private_nat" {
-## count = length(local.public_nat_ports)
-## network_acl_id = aws_network_acl.private.id
-## rule_number = local.public_nat_start + count.index * 10
-## egress = true
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = local.public_nat_ports[count.index]
-## to_port = local.public_nat_ports[count.index]
-## cidr_block = local.public_nat
-## }
-
-## resource "aws_network_acl_rule" "in_nat" {
-## network_acl_id = aws_network_acl.public.id
-## rule_number = local.public_nat_start
-## egress = false
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = 1024
-## to_port = 65535
-## cidr_block = local.public_nat
-## }
-##
-## resource "aws_network_acl_rule" "in_nat_vpc" {
-## count = length(local.public_nat_ports)
-## network_acl_id = aws_network_acl.public.id
-## rule_number = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10
-## egress = false
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = local.public_nat_ports[count.index]
-## to_port = local.public_nat_ports[count.index]
-## cidr_block = var.vpc_cidr_block
-## depends_on = [aws_network_acl_rule.in_nat]
-## }
-##
-## resource "aws_network_acl_rule" "out_nat" {
-## count = length(local.public_nat_ports)
-## network_acl_id = aws_network_acl.public.id
-## rule_number = local.public_nat_start + count.index * 10
-## egress = true
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = local.public_nat_ports[count.index]
-## to_port = local.public_nat_ports[count.index]
-## cidr_block = local.public_nat
-## }
-##
-## resource "aws_network_acl_rule" "out_nat_vpc" {
-## count = 1
-## network_acl_id = aws_network_acl.public.id
-## rule_number = local.public_nat_start + 100 + count.index * 10
-## egress = true
-## protocol = "tcp"
-## rule_action = "allow"
-## from_port = 1024
-## to_port = 65535
-## cidr_block = var.vpc_cidr_block
-## }
-##
-##
+# private nacl
+# private
+# cidr enterprise+vpc+others
+# in all
+# out all
+# 1000
+# endpoints
+# cidr endpoint
+# in ephemeral
+# out 443
+# start 4000
+# public/nat
+# cidr all
+# in ephemeral
+# out 80,443
+#
+# public nacl
+# private
+# cidr vpc
+# in 80,443
+# out ephemeral
+# public/nat
+# cidr all
+# in ephemeral
+# out 80,443
+locals {
+ cb1 = local._defaults["nacl_all_cidr_blocks"]
+ cb2 = { for k, v in var.merge_cidr_blocks : k => flatten(concat(lookup(local.cb1, k, []), v)) }
+ cb3 = merge(local.cb1, local.cb2)
-# # main.tf
-# module "clients-acl-rule" {
-# source = "modules/acl"
-#
-# network_acl_id = "${aws_network_acl.public-acl.id}"
-#
-# all_acl_rules = "${var.acl_rules}"
-# cidrs = "${var.cidr_blocks["clients"]}"
-# rules = ["http_inbound", "https_inbound", "ephemeral_outbound"]
-# rule_number = 20
-# }
-#
-# setproduct(var.cidrs,var.rules)
+ cidr_blocks = flatten([for c in var.named_cidr_blocks : lookup(local.cb3, c, [])])
-## variable "network_acl_id" {
-## variable "rule_definitions" {
-## variable "cidr_blocks" {
-## variable "rules" {
-## variable "rule_number" {
-## variable "rule_increment" {
+ rules = ["http_inbound", "https_inbound", "all_inbound"]
+ rule_definitions = local._defaults["nacl_all_rules"]
+ rule_number = 1000
+ rule_increment = var.rule_increment
-locals {
- r = setproduct(var.cidr_blocks, var.rules)
+ r1 = setproduct(local.cidr_blocks, local.rules)
+ r2 = [for p in local.r1 : {
+ label = format("%v%%%v", p[0], p[1])
+ cidr = p[0]
+ rule_label = p[1]
+ description = local.rule_definitions[p[1]][4]
+ from_port = local.rule_definitions[p[1]][0]
+ to_port = local.rule_definitions[p[1]][1]
+ egress = local.rule_definitions[p[1]][2]
+ protocol = local.rule_definitions[p[1]][3]
+ action = local.rule_definitions[p[1]][3]
+ rule_number = local.rule_number }
+ ]
+ r3 = [for i in range(length(local.r2)) :
+ merge(
+ local.r2[i],
+ tomap({ rule_number = local.r2[i].rule_number + i * local.rule_increment }),
+ )
+ ]
+ r4 = [for v in local.r3 : v.rule_number]
+ r5 = length(local.r4) > 0 ? max(local.r4...) : null
}
-
-
-## #---
-## # description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
-## # type = map(tuple([number, number, bool, string, string, string]))
-## #---
-## "nacl_all_rules" = {
-## # basic outbounds
-## ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
-## all_outbound = [0, 0, true, "all", "allow", "all-outbound"]
-##
-## # basic inbounds
-## all_inbound = [0, 0, false, "all", "allow", "all-inbound"]
-## http_inbound = [80, 80, false, "tcp", "allow", "http-inbound"]
-## https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
-## ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"]
-## }
-## #---
-## # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
-## #---
-## "nacl_all_cidr_blocks" = {
-## "all" = ["0.0.0.0/0"]
-## "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
-## "vpc" = []
-## "endpoints" = []
-## "additional" = []
-## "peers" = []
-## }
-## }
-## }
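Review bot: `r2` indexes the rule tuple one position short for two fields: with the `[from_port, to_port, egress, protocol, action, description]` layout declared in common/defaults.tf, `description` should be `local.rule_definitions[p[1]][5]` and `action` should be `local.rule_definitions[p[1]][4]`; as written, `action` receives the protocol string (`"tcp"`/`"all"`), which is not a valid NACL rule action, and `description` receives the action. Separately, `rules`, `rule_definitions` and `rule_number` are hard-coded in the new `locals` block while the module declares `var.rules`, `var.rule_definitions`, `var.rule_number` and `var.cidr_blocks` and the README documents them as inputs, so caller values are silently ignored; presumably this is leftover scaffolding, e.g. `rules = var.rules` and `rule_number = var.rule_number != null ? var.rule_number : 1000`. Nothing in this hunk creates `aws_network_acl_rule` resources from `r3`; if that lives in another file of the module it is not visible here.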
diff --git a/nacl-rules/outputs.tf b/nacl-rules/outputs.tf
index e69de29..b9f20f4 100644
--- a/nacl-rules/outputs.tf
+++ b/nacl-rules/outputs.tf
@@ -0,0 +1,12 @@
+output "nacl_rules_info" {
+ description = "Information about NACL Rules"
+ value = {
+ description = var.description
+ rule_count = length(local.r4)
+ last_rule_number = local.r5
+ first_rule_number = local.rule_number
+ rule_increment = local.rule_increment
+ cidrs = local.cidr_blocks
+ rules = local.rules
+ }
+}
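Review bot: `description = var.description` references a variable this commit does not declare; the input added to nacl-rules/variables.tf is `rule_description`, so this should be `description = var.rule_description`. The README's input table for this submodule lists no `description` variable either, so unless one exists in a file not shown, the module will fail at plan time.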
diff --git a/nacl-rules/variables.tf b/nacl-rules/variables.tf
index 139cdfe..52357fb 100644
--- a/nacl-rules/variables.tf
+++ b/nacl-rules/variables.tf
@@ -17,6 +17,18 @@ variable "network_acl_id" {
type = string
}
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block"
+ type = string
+ default = ""
+}
+
+variable "rule_description" {
+ description = "Text describing purpose of rule set"
+ type = string
+ default = ""
+}
+
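Review bot: `vpc_cidr_block` is declared here but nothing in the new nacl-rules locals consumes it; common/defaults.tf documents the `"vpc"` entry of `nacl_all_cidr_blocks` as "will be merged with the actual vpc CIDR", yet `cb2` in main.tf merges only `var.merge_cidr_blocks`, so a caller who sets `vpc_cidr_block` and names `"vpc"` gets no rules for it. Either seed the merge with `{ vpc = compact([var.vpc_cidr_block]) }` before applying `var.merge_cidr_blocks`, or state in this variable's description that the VPC CIDR must be supplied via `merge_cidr_blocks["vpc"]`.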
/*
* from_port = number (0 for all)
* to_port = number (0 for all)
@@ -39,6 +51,18 @@ variable "cidr_blocks" {
default = []
}
+variable "named_cidr_blocks" {
+ description = "List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...)"
+ type = list(string)
+ default = []
+}
+
+variable "merge_cidr_blocks" {
+ description = "Map of names to list of CIDR blocks"
+ type = map(list(string))
+ default = {}
+}
+
variable "rules" {
description = "Selected rule definitions from rule_definitions or all_rules (default: null)"
type = list(string)
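Review bot: `named_cidr_blocks` has no check that each name exists in `nacl_all_cidr_blocks` or `merge_cidr_blocks`; the consuming `lookup(local.cb3, c, [])` in main.tf falls back to an empty list, so a misspelled name silently produces no rules for that source instead of an error. That fails closed, which is the right direction for an allow rule, but it is invisible at plan time; indexing `local.cb3[c]` directly in main.tf would surface the missing key, or the description here could spell out the fall-through behaviour.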
diff --git a/nacls/data.tf b/nacls/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/nacls/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/nacls/defaults.tf b/nacls/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/nacls/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/nacls/main.tf b/nacls/main.tf
new file mode 100644
index 0000000..86223fb
--- /dev/null
+++ b/nacls/main.tf
@@ -0,0 +1,61 @@
+/*
+* # About aws-vpc-setup :: nacls
+*
+* This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for
+* each specific nacl. This creates both a public and a private NACL.
+*
+* # Usage
+*
+* ```hcl
+* module "nacls" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls"
+* vpc_id = var.vpc_id
+* public_subnets_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
+* private_subnets_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
+* vpc_full_name = var.vpc_full_name
+*
+* # optional
+* vpc_name = var.vpc_name
+* vpc_short_name = var.vpc_short_name
+*
+* tags = {}
+* }
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+#---
+# nacl: private
+#---
+resource "aws_network_acl" "private" {
+ vpc_id = var.vpc_id
+ subnet_ids = [for subnet in var.private_subnets_ids : subnet.id]
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "private")),
+ )
+}
+
+#---
+# nacl: public
+#---
+resource "aws_network_acl" "public" {
+ vpc_id = aws_vpc.vpc.id
+ subnet_ids = [for subnet in var.public_subnets_ids : subnet.id]
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "public")),
+ )
+}
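Review bot: `aws_network_acl.public` sets `vpc_id = aws_vpc.vpc.id`, but this submodule declares no `aws_vpc` resource in the files this commit adds, and the private ACL a few lines above uses `var.vpc_id`; the public one should too, `vpc_id = var.vpc_id`. The usage example in the header passes `[ for s in ... : s.id ]` (a list of strings) for `public_subnets_ids`/`private_subnets_ids`, while the variables are typed `list(object({...}))` and the resources read `subnet.id`, so the example as written would be rejected; pass `module.subnets.public_subnets_ids` directly. `map("Name", ...)` is a deprecated function form; `tomap({ Name = format(...) })` or a plain object literal inside `merge()` does the same. `local.account_id` and `local.account_environment` are computed but unused in this file.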
diff --git a/nacls/outputs.tf b/nacls/outputs.tf
new file mode 100644
index 0000000..d9411fd
--- /dev/null
+++ b/nacls/outputs.tf
@@ -0,0 +1,10 @@
+output "public_network_acl_id" {
+ description = "public network ACL ID"
+ value = aws_network_acl.public.id
+}
+
+output "private_network_acl_id" {
+ description = "private network ACL ID"
+ value = aws_network_acl.private.id
+}
+
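Review bot: The outputs here are named `public_network_acl_id`/`private_network_acl_id`, while the nacl-rules usage examples in this commit (nacl-rules/main.tf and README.md) reference `module.nacls.private_network_acl`, so the documented wiring does not resolve. The `_id` suffix is consistent with the module's other `*_ids` inputs, so updating the examples to `module.nacls.private_network_acl_id` is probably the smaller change.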
diff --git a/nacls/prefixes.tf b/nacls/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/nacls/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/nacls/subnet-nacls.tf.x b/nacls/subnet-nacls.tf.x
new file mode 100644
index 0000000..a6e923d
--- /dev/null
+++ b/nacls/subnet-nacls.tf.x
@@ -0,0 +1,157 @@
+#---
+# nacl: private
+#---
+resource "aws_network_acl" "private" {
+ vpc_id = var.vpc_id
+ subnet_ids = aws_subnet.private[*].id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "nacl-${var.vpc_full_name}-private")
+ )
+}
+
+locals {
+ private_all = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block)))
+ private_all_start = 1000
+ # endpoint = ["52.216.0.0/15", "54.231.0.0/17"]
+ endpoint = []
+ endpoint_start = 2000
+ public_nat = "0.0.0.0/0"
+ public_nat_start = 3000
+ public_nat_ports = [80, 443]
+}
+
+# IN
+resource "aws_network_acl_rule" "in_private_all" {
+ count = length(local.private_all)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.private_all_start + count.index * 10
+ egress = false
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.private_all[count.index]
+}
+
+resource "aws_network_acl_rule" "in_endpoint" {
+ count = length(local.endpoint)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.endpoint_start + count.index * 10
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = 1024
+ to_port = 65535
+ cidr_block = local.endpoint[count.index]
+}
+
+resource "aws_network_acl_rule" "in_private_nat" {
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.public_nat_start
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = 1024
+ to_port = 65535
+ cidr_block = local.public_nat
+}
+
+# OUT
+resource "aws_network_acl_rule" "out_private_all" {
+ count = length(local.private_all)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.private_all_start + count.index * 10
+ egress = true
+ protocol = "all"
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ cidr_block = local.private_all[count.index]
+}
+
+resource "aws_network_acl_rule" "out_endpoint" {
+ count = length(local.endpoint)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.endpoint_start + count.index * 10
+ egress = true
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ cidr_block = local.endpoint[count.index]
+}
+
+resource "aws_network_acl_rule" "out_private_nat" {
+ count = length(local.public_nat_ports)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = local.public_nat_start + count.index * 10
+ egress = true
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = local.public_nat_ports[count.index]
+ to_port = local.public_nat_ports[count.index]
+ cidr_block = local.public_nat
+}
+
+#---
+# public subnets
+#---
+resource "aws_network_acl" "public" {
+ vpc_id = aws_vpc.vpc.id
+ subnet_ids = aws_subnet.public[*].id
+
+ tags = merge(
+ local.common_tags,
+ map("Name", "nacl-${var.vpc_full_name}-public")
+ )
+}
+
+resource "aws_network_acl_rule" "in_nat" {
+ network_acl_id = aws_network_acl.public.id
+ rule_number = local.public_nat_start
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = 1024
+ to_port = 65535
+ cidr_block = local.public_nat
+}
+
+resource "aws_network_acl_rule" "in_nat_vpc" {
+ count = length(local.public_nat_ports)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10
+ egress = false
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = local.public_nat_ports[count.index]
+ to_port = local.public_nat_ports[count.index]
+ cidr_block = var.vpc_cidr_block
+ depends_on = [aws_network_acl_rule.in_nat]
+}
+
+resource "aws_network_acl_rule" "out_nat" {
+ count = length(local.public_nat_ports)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = local.public_nat_start + count.index * 10
+ egress = true
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = local.public_nat_ports[count.index]
+ to_port = local.public_nat_ports[count.index]
+ cidr_block = local.public_nat
+}
+
+resource "aws_network_acl_rule" "out_nat_vpc" {
+ count = 1
+ network_acl_id = aws_network_acl.public.id
+ rule_number = local.public_nat_start + 100 + count.index * 10
+ egress = true
+ protocol = "tcp"
+ rule_action = "allow"
+ from_port = 1024
+ to_port = 65535
+ cidr_block = var.vpc_cidr_block
+}
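Review bot: `subnet-nacls.tf.x` is a parked copy that Terraform will not load, and it duplicates the `aws_network_acl.private`/`public` resources defined in nacls/main.tf while referencing names this module does not declare (`aws_subnet.private`, `local.common_tags`, `var.network_census`, `var.network_peers`); renaming it back to `.tf` would collide immediately. The same rule set is already captured as a plan in the comment block of nacl-rules/main.tf and in git history, so this file is better dropped than committed.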
diff --git a/nacls/variables.common.subnets.tf b/nacls/variables.common.subnets.tf
new file mode 120000
index 0000000..ad715ca
--- /dev/null
+++ b/nacls/variables.common.subnets.tf
@@ -0,0 +1 @@
+../common/variables.common.subnets.tf
\ No newline at end of file
diff --git a/nacls/variables.common.tf b/nacls/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/nacls/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/nacls/variables.common.vpc.tf b/nacls/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/nacls/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/nacls/variables.common.vpc_id.tf b/nacls/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/nacls/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/nacls/version.tf b/nacls/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/nacls/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
diff --git a/routing/variables.common.availability_zones.tf b/routing/variables.common.availability_zones.tf
new file mode 120000
index 0000000..dca20a3
--- /dev/null
+++ b/routing/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/routing/variables.common.subnets.tf b/routing/variables.common.subnets.tf
new file mode 120000
index 0000000..ad715ca
--- /dev/null
+++ b/routing/variables.common.subnets.tf
@@ -0,0 +1 @@
+../common/variables.common.subnets.tf
\ No newline at end of file
diff --git a/routing/variables.common.vpc_id.tf b/routing/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/routing/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/routing/variables.tf b/routing/variables.tf
index 5094cc1..66c0e5f 100644
--- a/routing/variables.tf
+++ b/routing/variables.tf
@@ -27,38 +27,38 @@ variable "enable_nat" {
default = false
}
-variable "vpc_id" {
- description = "VPC ID"
- type = string
-}
-
-variable "availability_zones" {
- description = "AWS Availability Zones to use (by default will use all available)"
- type = list(string)
- default = []
-}
-
-variable "public_subnets_ids" {
- description = "List of public subnet objects including: subnet, label, availability_zone, id"
- type = list(object({
- subnet = string
- label = string
- availability_zone = string
- id = string
- }))
- default = []
-}
-
-variable "private_subnets_ids" {
- description = "List of private subnet objects including: subnet, label, availability_zone, id"
- type = list(object({
- subnet = string
- label = string
- availability_zone = string
- id = string
- }))
- default = []
-}
+## variable "vpc_id" {
+## description = "VPC ID"
+## type = string
+## }
+##
+## variable "availability_zones" {
+## description = "AWS Availability Zones to use (by default will use all available)"
+## type = list(string)
+## default = []
+## }
+##
+## variable "public_subnets_ids" {
+## description = "List of public subnet objects including: subnet, label, availability_zone, id"
+## type = list(object({
+## subnet = string
+## label = string
+## availability_zone = string
+## id = string
+## }))
+## default = []
+## }
+##
+## variable "private_subnets_ids" {
+## description = "List of private subnet objects including: subnet, label, availability_zone, id"
+## type = list(object({
+## subnet = string
+## label = string
+## availability_zone = string
+## id = string
+## }))
+## default = []
+## }
###
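Review bot: The four variables are commented out rather than deleted, even though the commit replaces them with the symlinked `variables.common.*.tf` files; the `##` block is dead text that will drift from the shared definitions. Deleting it outright, as this commit already does for subnets/variables.subnets.tf, is the cleaner outcome since history keeps the old version.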
diff --git a/security-groups/variables.common.vpc_id.tf b/security-groups/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/security-groups/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/subnets/variables.common.availability_zones.tf b/subnets/variables.common.availability_zones.tf
new file mode 120000
index 0000000..dca20a3
--- /dev/null
+++ b/subnets/variables.common.availability_zones.tf
@@ -0,0 +1 @@
+../common/variables.common.availability_zones.tf
\ No newline at end of file
diff --git a/subnets/variables.common.subnets.tf b/subnets/variables.common.subnets.tf
new file mode 120000
index 0000000..ad715ca
--- /dev/null
+++ b/subnets/variables.common.subnets.tf
@@ -0,0 +1 @@
+../common/variables.common.subnets.tf
\ No newline at end of file
diff --git a/subnets/variables.common.vpc_id.tf b/subnets/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/subnets/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/subnets/variables.subnets.tf b/subnets/variables.subnets.tf
deleted file mode 100644
index 39a32d6..0000000
--- a/subnets/variables.subnets.tf
+++ /dev/null
@@ -1,33 +0,0 @@
-variable "availability_zones" {
- description = "AWS Availability Zones to use (by default will use all available)"
- type = list(string)
- default = []
-}
-
-variable "public_subnets" {
- description = "List of objects with public subnet information to be created"
- type = list(object({
- base_cidr = string
- label = string
- bits = number
- private = bool
- # subnets = list(string)
- # labels = list(string)
- # availability_zones = list(string)
- }))
- default = []
-}
-
-variable "private_subnets" {
- description = "List of objects with private subnet information to be created"
- type = list(object({
- base_cidr = string
- label = string
- bits = number
- private = bool
- # subnets = list(string)
- # labels = list(string)
- # availability_zones = list(string)
- }))
- default = []
-}
diff --git a/subnets/variables.tf b/subnets/variables.tf
deleted file mode 100644
index 38ced37..0000000
--- a/subnets/variables.tf
+++ /dev/null
@@ -1,5 +0,0 @@
-variable "vpc_id" {
- description = "VPC ID"
- type = string
-}
-
diff --git a/vpn/variables.common.vpc_id.tf b/vpn/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/vpn/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpn/variables.tf b/vpn/variables.tf
index e256a5a..dba92e8 100644
--- a/vpn/variables.tf
+++ b/vpn/variables.tf
@@ -29,8 +29,3 @@ variable "route_table_ids" {
default = []
}
-variable "vpc_id" {
- description = "VPC ID"
- type = string
-}
-