From 37578821de75a60682b7522c9a129ac86224de2d Mon Sep 17 00:00:00 2001 
From: badra001 Date: Mon, 10 May 2021 12:27:18 -0400 Subject: [PATCH] update --- CHANGELOG.md | 4 + common/defaults.tf | 27 +- common/variables.common.availability_zones.tf | 5 + common/variables.common.subnets.tf | 21 ++ .../variables.common.vpc_id.tf | 0 common/version.tf | 2 +- nacl-rules/README.md | 79 ++++++ nacl-rules/main.tf | 267 +++++------------- nacl-rules/outputs.tf | 12 + nacl-rules/variables.tf | 24 ++ nacls/data.tf | 1 + nacls/defaults.tf | 1 + nacls/main.tf | 61 ++++ nacls/outputs.tf | 10 + nacls/prefixes.tf | 1 + nacls/subnet-nacls.tf.x | 157 ++++++++++ nacls/variables.common.subnets.tf | 1 + nacls/variables.common.tf | 1 + nacls/variables.common.vpc.tf | 1 + nacls/variables.common.vpc_id.tf | 1 + nacls/version.tf | 1 + .../variables.common.availability_zones.tf | 1 + routing/variables.common.subnets.tf | 1 + routing/variables.common.vpc_id.tf | 1 + routing/variables.tf | 64 ++--- security-groups/variables.common.vpc_id.tf | 1 + .../variables.common.availability_zones.tf | 1 + subnets/variables.common.subnets.tf | 1 + subnets/variables.common.vpc_id.tf | 1 + subnets/variables.subnets.tf | 33 --- subnets/variables.tf | 5 - vpn/variables.common.vpc_id.tf | 1 + vpn/variables.tf | 5 - 33 files changed, 518 insertions(+), 274 deletions(-) create mode 100644 common/variables.common.availability_zones.tf create mode 100644 common/variables.common.subnets.tf rename security-groups/variables.tf => common/variables.common.vpc_id.tf (100%) create mode 100644 nacl-rules/README.md create mode 120000 nacls/data.tf create mode 120000 nacls/defaults.tf create mode 100644 nacls/main.tf create mode 100644 nacls/outputs.tf create mode 120000 nacls/prefixes.tf create mode 100644 nacls/subnet-nacls.tf.x create mode 120000 nacls/variables.common.subnets.tf create mode 120000 nacls/variables.common.tf create mode 120000 nacls/variables.common.vpc.tf create mode 120000 nacls/variables.common.vpc_id.tf create mode 120000 nacls/version.tf create mode 120000 
routing/variables.common.availability_zones.tf create mode 120000 routing/variables.common.subnets.tf create mode 120000 routing/variables.common.vpc_id.tf create mode 120000 security-groups/variables.common.vpc_id.tf create mode 120000 subnets/variables.common.availability_zones.tf create mode 120000 subnets/variables.common.subnets.tf create mode 120000 subnets/variables.common.vpc_id.tf delete mode 100644 subnets/variables.subnets.tf delete mode 100644 subnets/variables.tf create mode 120000 vpn/variables.common.vpc_id.tf diff --git a/CHANGELOG.md b/CHANGELOG.md index a53a270..2992886 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,3 +10,7 @@ - add default route table (main) - vpn - add bgp_asn to output + +* v1.0.2 -- 20210505 + - add nacls, nacls-rules + - move variables into more common things and make links diff --git a/common/defaults.tf b/common/defaults.tf index 8d1ef16..9f6ec12 100644 --- a/common/defaults.tf +++ b/common/defaults.tf 
@@ -17,6 +17,31 @@ locals {
 "ses" = {
 "event_types" = ["bounce", "delivery", "complaint"]
 }
+ #---
+ # description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
+ # type = map(tuple([number, number, bool, string, string, string]))
+ #---
+ "nacl_all_rules" = {
+ # basic outbounds
+ ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
+ all_outbound = [0, 0, true, "all", "allow", "all-outbound"]
+
+ # basic inbounds
+ all_inbound = [0, 0, false, "all", "allow", "all-inbound"]
+ http_inbound = [80, 80, false, "tcp", "allow", "http-inbound"]
+ https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
+ ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"]
+ }
+ #---
+ # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
+ #---
+ "nacl_all_cidr_blocks" = {
+ "all" = ["0.0.0.0/0"]
+ "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+ "vpc" = []
+ "endpoints" = []
+ "additional" = []
+ "peers" = []
+ }
 }
 }
-
diff --git a/common/variables.common.availability_zones.tf b/common/variables.common.availability_zones.tf
new file mode 100644
index 0000000..3e17e57
--- /dev/null
+++ b/common/variables.common.availability_zones.tf
@@ -0,0 +1,5 @@
+variable "availability_zones" {
+ description = "AWS Availability Zones to use (by default will use all available)"
+ type = list(string)
+ default = []
+}
diff --git a/common/variables.common.subnets.tf b/common/variables.common.subnets.tf
new file mode 100644
index 0000000..ab8544e
--- /dev/null
+++ b/common/variables.common.subnets.tf
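Review bot: The description element of `ssh_inbound` is a copy-paste of the https entry; it should read `ssh_inbound = [22, 22, false, "tcp", "allow", "ssh-inbound"]`. That sixth element is what consumers of `nacl_all_rules` read back as the rule description, so an SSH allow would be labelled as HTTPS wherever it is surfaced, which makes audit of the resulting ACL harder than it needs to be. The enclosing `locals` block opens before the hunk.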
@@ -0,0 +1,21 @@
+variable "public_subnets_ids" {
+ description = "List of public subnet objects including: subnet, label, availability_zone, id"
+ type = list(object({
+ subnet = string
+ label = string
+ availability_zone = string
+ id = string
+ }))
+ default = []
+}
+
+variable "private_subnets_ids" {
+ description = "List of private subnet objects including: subnet, label, availability_zone, id"
+ type = list(object({
+ subnet = string
+ label = string
+ availability_zone = string
+ id = string
+ }))
+ default = []
+}
diff --git a/security-groups/variables.tf b/common/variables.common.vpc_id.tf
similarity index 100%
rename from security-groups/variables.tf
rename to common/variables.common.vpc_id.tf
diff --git a/common/version.tf b/common/version.tf
index 374ba43..02c6357 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.0.1"
+ _module_version = "1.0.2"
 }
diff --git a/nacl-rules/README.md b/nacl-rules/README.md
new file mode 100644
index 0000000..1980a00
--- /dev/null
+++ b/nacl-rules/README.md
@@ -0,0 +1,79 @@ +# About aws-vpc-setup :: nacl-rules + +This submodule creates network access control lists rules (nacls). The submodule nacls sets up the network +acl and should be called first. + +# Usage + +```hcl +module "nacl-rules" { + source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" + network_acl_id = module.nacls.private_network_acl + + rule_description = "Enterprise plus VPC" + rule_definitions = {} + named_cidr_blocks = [ "enterprise", "vpc", "other" ] + merge_cidr_blocks = { + "vpc" = var.vpc_cidr + "other" = [] + } + rules = [ "all_inbound", "all_outbound" ] + rule_number = 1000 + rule_increment = 10 + + tags = {} = +} +``` + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [cidr\_blocks](#input\_cidr\_blocks) | List of CIDR blocks for selected rules | `list(string)` | `[]` | no | +| [merge\_cidr\_blocks](#input\_merge\_cidr\_blocks) | Map of names to list of CIDR blocks | `map(list(string))` | `{}` | no | +| [named\_cidr\_blocks](#input\_named\_cidr\_blocks) | List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...) 
| `list(string)` | `[]` | no | +| [network\_acl\_id](#input\_network\_acl\_id) | Network ACL ID to which to apply the rules | `string` | n/a | yes | +| [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | +| [rule\_definitions](#input\_rule\_definitions) | Map of rule port/proto definitions (default uses built-in all\_rules) | `map(tuple([number, number, bool, string, string, string]))` | `{}` | no | +| [rule\_description](#input\_rule\_description) | Text describing purpose of rule set | `string` | `""` | no | +| [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `10` | no | +| [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no | +| [rules](#input\_rules) | Selected rule definitions from rule\_definitions or all\_rules (default: null) | `list(string)` | `[]` | no | +| [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. 
| `map(string)` | `{}` | no | +| [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | VPC CIDR Block | `string` | `""` | no | +| [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no | +| [vpc\_full\_name](#input\_vpc\_full\_name) | VPC full name component (vpc{index}-{vpc\_name}) | `string` | `null` | no | +| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes | +| [vpc\_index](#input\_vpc\_index) | VPC index number (integer starting at 1) | `number` | `null` | no | +| [vpc\_name](#input\_vpc\_name) | VPC name component used through the VPC descrbing its purpose (ex: dice-dev) | `string` | `null` | no | +| [vpc\_short\_name](#input\_vpc\_short\_name) | VPC short name component (vpc{index}) | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [nacl\_rules\_info](#output\_nacl\_rules\_info) | Information about NACL Rules | diff --git a/nacl-rules/main.tf b/nacl-rules/main.tf index 3434655..dbccffb 100644 --- a/nacl-rules/main.tf +++ b/nacl-rules/main.tf @@ -8,15 +8,23 @@ * * ```hcl * module "nacl-rules" { -* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" -* vpc_id = var.vpc_id +* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules" +* network_acl_id = module.nacls.private_network_acl * -* vpc_name = var.vpc_name -* vpc_short_name = var.vpc_short_name -* vpc_full_name = var.vpc_full_name -* -* tags = {} +* rule_description = "Enterprise plus VPC" +* rule_definitions = {} +* named_cidr_blocks = [ "enterprise", "vpc", "other" ] +* merge_cidr_blocks = { +* "vpc" = var.vpc_cidr +* "other" = [] +* } +* rules = [ "all_inbound", "all_outbound" ] +* rule_number = 1000 +* rule_increment = 10 +* +* tags = {} = * } +* ``` */ locals { 
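Review bot: The usage example in the header comment has a stray trailing `=` on the tags line; it should be `* tags = {}`, and the same typo is repeated in the new nacl-rules/README.md, so anyone pasting the snippet gets an HCL parse error. The example also wires `network_acl_id = module.nacls.private_network_acl`, while nacls/outputs.tf in this same commit exports `private_network_acl_id`, so the snippet would fail with an unsupported-attribute error until one of the two names is changed. The comment block starts before the hunk.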
@@ -27,200 +35,65 @@ locals { "boc:tf_module_version" = local._module_version "boc:created_by" = "terraform" } - - # availability_zones = length(var.availability_zones) != 0 ? var.availability_zones : data.aws_availability_zones.zones.names - # az_count = length(local.availability_zones) - # az_count_list = range(local.az_count) - # az_list = toset(local.availability_zones) - # empty = toset([]) } -## locals { -## private_all = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block))) -## private_all_start = 1000 -## # endpoint = ["52.216.0.0/15", "54.231.0.0/17"] -## endpoint = [] -## endpoint_start = 2000 -## public_nat = "0.0.0.0/0" -## public_nat_start = 3000 -## public_nat_ports = [80, 443] -## } -## -## # IN -## resource "aws_network_acl_rule" "in_private_all" { -## count = length(local.private_all) -## network_acl_id = aws_network_acl.private.id -## rule_number = local.private_all_start + count.index * 10 -## egress = false -## protocol = "all" -## rule_action = "allow" -## from_port = 0 -## to_port = 0 -## cidr_block = local.private_all[count.index] -## } -## -## resource "aws_network_acl_rule" "in_endpoint" { -## count = length(local.endpoint) -## network_acl_id = aws_network_acl.private.id -## rule_number = local.endpoint_start + count.index * 10 -## egress = false -## protocol = "tcp" -## rule_action = "allow" -## from_port = 1024 -## to_port = 65535 -## cidr_block = local.endpoint[count.index] -## } -## -## resource "aws_network_acl_rule" "in_private_nat" { -## network_acl_id = aws_network_acl.private.id -## rule_number = local.public_nat_start -## egress = false -## protocol = "tcp" -## rule_action = "allow" -## from_port = 1024 -## to_port = 65535 -## cidr_block = local.public_nat -## } -## -## # OUT -## resource "aws_network_acl_rule" "out_private_all" { -## count = length(local.private_all) -## network_acl_id = aws_network_acl.private.id -## rule_number = local.private_all_start + count.index * 10 -## egress = true -## 
protocol = "all" -## rule_action = "allow" -## from_port = 0 -## to_port = 0 -## cidr_block = local.private_all[count.index] -## } -## -## resource "aws_network_acl_rule" "out_endpoint" { -## count = length(local.endpoint) -## network_acl_id = aws_network_acl.private.id -## rule_number = local.endpoint_start + count.index * 10 -## egress = true -## protocol = "tcp" -## rule_action = "allow" -## from_port = 443 -## to_port = 443 -## cidr_block = local.endpoint[count.index] -## } -## -## resource "aws_network_acl_rule" "out_private_nat" { -## count = length(local.public_nat_ports) -## network_acl_id = aws_network_acl.private.id -## rule_number = local.public_nat_start + count.index * 10 -## egress = true -## protocol = "tcp" -## rule_action = "allow" -## from_port = local.public_nat_ports[count.index] -## to_port = local.public_nat_ports[count.index] -## cidr_block = local.public_nat -## } - -## resource "aws_network_acl_rule" "in_nat" { -## network_acl_id = aws_network_acl.public.id -## rule_number = local.public_nat_start -## egress = false -## protocol = "tcp" -## rule_action = "allow" -## from_port = 1024 -## to_port = 65535 -## cidr_block = local.public_nat -## } -## -## resource "aws_network_acl_rule" "in_nat_vpc" { -## count = length(local.public_nat_ports) -## network_acl_id = aws_network_acl.public.id -## rule_number = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10 -## egress = false -## protocol = "tcp" -## rule_action = "allow" -## from_port = local.public_nat_ports[count.index] -## to_port = local.public_nat_ports[count.index] -## cidr_block = var.vpc_cidr_block -## depends_on = [aws_network_acl_rule.in_nat] -## } -## -## resource "aws_network_acl_rule" "out_nat" { -## count = length(local.public_nat_ports) -## network_acl_id = aws_network_acl.public.id -## rule_number = local.public_nat_start + count.index * 10 -## egress = true -## protocol = "tcp" -## rule_action = "allow" -## from_port = local.public_nat_ports[count.index] -## to_port 
= local.public_nat_ports[count.index] -## cidr_block = local.public_nat -## } -## -## resource "aws_network_acl_rule" "out_nat_vpc" { -## count = 1 -## network_acl_id = aws_network_acl.public.id -## rule_number = local.public_nat_start + 100 + count.index * 10 -## egress = true -## protocol = "tcp" -## rule_action = "allow" -## from_port = 1024 -## to_port = 65535 -## cidr_block = var.vpc_cidr_block -## } -## -## +# private nacl +# private +# cidr enterprise+vpc+others +# in all +# out all +# 1000 +# endpoints +# cidr endpoint +# in ephemeral +# out 443 +# start 4000 +# public/nat +# cidr all +# in ephemeral +# out 80,443 +# +# public nacl +# private +# cidr vpc +# in 80,443 +# out ephemeral +# public/nat +# cidr all +# in ephemeral +# out 80,443 +locals { + cb1 = local._defaults["nacl_all_cidr_blocks"] + cb2 = { for k, v in var.merge_cidr_blocks : k => flatten(concat(lookup(local.cb1, k, []), v)) } + cb3 = merge(local.cb1, local.cb2) -# # main.tf -# module "clients-acl-rule" { -# source = "modules/acl" -# -# network_acl_id = "${aws_network_acl.public-acl.id}" -# -# all_acl_rules = "${var.acl_rules}" -# cidrs = "${var.cidr_blocks["clients"]}" -# rules = ["http_inbound", "https_inbound", "ephemeral_outbound"] -# rule_number = 20 -# } -# -# setproduct(var.cidrs,var.rules) + cidr_blocks = flatten([for c in var.named_cidr_blocks : lookup(local.cb3, c, [])]) -## variable "network_acl_id" { -## variable "rule_definitions" { -## variable "cidr_blocks" { -## variable "rules" { -## variable "rule_number" { -## variable "rule_increment" { + rules = ["http_inbound", "https_inbound", "all_inbound"] + rule_definitions = local._defaults["nacl_all_rules"] + rule_number = 1000 + rule_increment = var.rule_increment -locals { - r = setproduct(var.cidr_blocks, var.rules) + r1 = setproduct(local.cidr_blocks, local.rules) + r2 = [for p in local.r1 : { + label = format("%v%%%v", p[0], p[1]) + cidr = p[0] + rule_label = p[1] + description = local.rule_definitions[p[1]][4] + from_port = 
local.rule_definitions[p[1]][0] + to_port = local.rule_definitions[p[1]][1] + egress = local.rule_definitions[p[1]][2] + protocol = local.rule_definitions[p[1]][3] + action = local.rule_definitions[p[1]][3] + rule_number = local.rule_number } + ] + r3 = [for i in range(length(local.r2)) : + merge( + local.r2[i], + tomap({ rule_number = local.r2[i].rule_number + i * local.rule_increment }), + ) + ] + r4 = [for v in local.r3 : v.rule_number] + r5 = length(local.r4) > 0 ? max(local.r4...) : null } - - -## #--- -## # description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]" -## # type = map(tuple([number, number, bool, string, string, string])) -## #--- -## "nacl_all_rules" = { -## # basic outbounds -## ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"] -## all_outbound = [0, 0, true, "all", "allow", "all-outbound"] -## -## # basic inbounds -## all_inbound = [0, 0, false, "all", "allow", "all-inbound"] -## http_inbound = [80, 80, false, "tcp", "allow", "http-inbound"] -## https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"] -## ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"] -## } -## #--- -## # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR -## #--- -## "nacl_all_cidr_blocks" = { -## "all" = ["0.0.0.0/0"] -## "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"] -## "vpc" = [] -## "endpoints" = [] -## "additional" = [] -## "peers" = [] -## } -## } -## } diff --git a/nacl-rules/outputs.tf b/nacl-rules/outputs.tf index e69de29..b9f20f4 100644 --- a/nacl-rules/outputs.tf +++ b/nacl-rules/outputs.tf 
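Review bot: The tuple indexes in `r2` are off by one for the last two fields: the definitions are documented as `[from_port, to_port, egress, protocol, action, description]`, so the lines should be `description = local.rule_definitions[p[1]][5]` and `action = local.rule_definitions[p[1]][4]`; as written `action` receives the protocol string ("tcp"/"all") and `description` receives "allow", and `aws_network_acl_rule` will reject the former as a `rule_action`. Separately, `rules`, `rule_definitions` and `rule_number` are fixed locals here (`["http_inbound", "https_inbound", "all_inbound"]`, the built-in defaults, `1000`) even though `var.rules`, `var.rule_definitions`, `var.rule_number` and `var.cidr_blocks` remain declared and documented as inputs, so a caller's selection is silently ignored and an `all_inbound` entry is always emitted for every named CIDR, including `"all"` (0.0.0.0/0) if a caller names it; either drop the hard-coded values in favour of the variables or remove the inputs so the README stops promising them. Nothing in this hunk consumes `local.r3`; if the `aws_network_acl_rule` resource lives later in the file that is fine, otherwise no rules are created at all. The new `locals` block closes inside the hunk.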
@@ -0,0 +1,12 @@
+output "nacl_rules_info" {
+ description = "Information about NACL Rules"
+ value = {
+ description = var.description
+ rule_count = length(local.r4)
+ last_rule_number = local.r5
+ first_rule_number = local.rule_number
+ rule_increment = local.rule_increment
+ cidrs = local.cidr_blocks
+ rules = local.rules
+ }
+}
diff --git a/nacl-rules/variables.tf b/nacl-rules/variables.tf
index 139cdfe..52357fb 100644
--- a/nacl-rules/variables.tf
+++ b/nacl-rules/variables.tf
@@ -17,6 +17,18 @@ variable "network_acl_id" {
 type = string
 }
 
+variable "vpc_cidr_block" {
+ description = "VPC CIDR Block"
+ type = string
+ default = ""
+}
+
+variable "rule_description" {
+ description = "Text describing purpose of rule set"
+ type = string
+ default = ""
+}
+
 /*
 * from_port = number (0 for all)
 * to_port = number (0 for all)
@@ -39,6 +51,18 @@ variable "cidr_blocks" {
 default = []
 }
 
+variable "named_cidr_blocks" {
+ description = "List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...)"
+ type = list(string)
+ default = []
+}
+
+variable "merge_cidr_blocks" {
+ description = "Map of names to list of CIDR blocks"
+ type = map(list(string))
+ default = {}
+}
+
 variable "rules" {
 description = "Selected rule definitions from rule_definitions or all_rules (default: null)"
 type = list(string)
diff --git a/nacls/data.tf b/nacls/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/nacls/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/nacls/defaults.tf b/nacls/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/nacls/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/nacls/main.tf b/nacls/main.tf
new file mode 100644
index 0000000..86223fb
--- /dev/null
+++ b/nacls/main.tf
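Review bot: `description = var.description` in `nacl_rules_info` references an input this module does not declare; the variable added in the same commit is `rule_description`, so the line should be `description = var.rule_description`. As written the output fails at plan time with an undeclared-input error, which also blocks every caller of the submodule.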
@@ -0,0 +1,61 @@
+/*
+* # About aws-vpc-setup :: nacls
+*
+* This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for
+* each specific nacl. This creates both a public and a private NACL.
+*
+* # Usage
+*
+* ```hcl
+* module "nacls" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacls"
+* vpc_id = var.vpc_id
+* public_subnets_ids = [ for s in module.subnets.public_subnets_ids : s.id ]
+* private_subnets_ids = [ for s in module.subnets.private_subnets_ids : s.id ]
+* vpc_full_name = var.vpc_full_name
+*
+* # optional
+* vpc_name = var.vpc_name
+* vpc_short_name = var.vpc_short_name
+*
+* tags = {}
+* }
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+}
+
+#---
+# nacl: private
+#---
+resource "aws_network_acl" "private" {
+ vpc_id = var.vpc_id
+ subnet_ids = [for subnet in var.private_subnets_ids : subnet.id]
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "private")),
+ )
+}
+
+#---
+# nacl: public
+#---
+resource "aws_network_acl" "public" {
+ vpc_id = aws_vpc.vpc.id
+ subnet_ids = [for subnet in var.public_subnets_ids : subnet.id]
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ map("Name", format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "public")),
+ )
+}
diff --git a/nacls/outputs.tf b/nacls/outputs.tf
new file mode 100644
index 0000000..d9411fd
--- /dev/null
+++ b/nacls/outputs.tf
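Review bot: `resource "aws_network_acl" "public"` sets `vpc_id = aws_vpc.vpc.id`, but this submodule declares no `aws_vpc` resource; the private ACL a few lines above correctly uses the input, and the public one should match: `vpc_id = var.vpc_id`. Both tag blocks use `map("Name", ...)`, which has been deprecated since Terraform 0.12 and is removed in later releases; `{ Name = format(...) }` is the equivalent that works on every version. Minor: the header comment's ```hcl fence is never closed, and the usage example passes `public_subnets_ids = [ for s in ... : s.id ]` (a list of strings) while the variable type and the `subnet.id` access below expect a list of objects.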
@@ -0,0 +1,10 @@
+output "public_network_acl_id" {
+ description = "public network ACL ID"
+ value = aws_network_acl.public.id
+}
+
+output "private_network_acl_id" {
+ description = "private network ACL ID"
+ value = aws_network_acl.private.id
+}
+
diff --git a/nacls/prefixes.tf b/nacls/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/nacls/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/nacls/subnet-nacls.tf.x b/nacls/subnet-nacls.tf.x
new file mode 100644
index 0000000..a6e923d
--- /dev/null
+++ b/nacls/subnet-nacls.tf.x
@@ -0,0 +1,157 @@ +#--- +# nacl: private +#--- +resource "aws_network_acl" "private" { + vpc_id = var.vpc_id + subnet_ids = aws_subnet.private[*].id + + tags = merge( + local.common_tags, + map("Name", "nacl-${var.vpc_full_name}-private") + ) +} + +locals { + private_all = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block))) + private_all_start = 1000 + # endpoint = ["52.216.0.0/15", "54.231.0.0/17"] + endpoint = [] + endpoint_start = 2000 + public_nat = "0.0.0.0/0" + public_nat_start = 3000 + public_nat_ports = [80, 443] +} + +# IN +resource "aws_network_acl_rule" "in_private_all" { + count = length(local.private_all) + network_acl_id = aws_network_acl.private.id + rule_number = local.private_all_start + count.index * 10 + egress = false + protocol = "all" + rule_action = "allow" + from_port = 0 + to_port = 0 + cidr_block = local.private_all[count.index] +} + +resource "aws_network_acl_rule" "in_endpoint" { + count = length(local.endpoint) + network_acl_id = aws_network_acl.private.id + rule_number = local.endpoint_start + count.index * 10 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 1024 + to_port = 65535 + cidr_block = local.endpoint[count.index] +} + +resource "aws_network_acl_rule" "in_private_nat" { + network_acl_id = aws_network_acl.private.id + rule_number = local.public_nat_start + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 1024 + to_port = 65535 + cidr_block = local.public_nat +} + +# OUT +resource "aws_network_acl_rule" "out_private_all" { + count = length(local.private_all) + network_acl_id = aws_network_acl.private.id + rule_number = local.private_all_start + count.index * 10 + egress = true + protocol = "all" + rule_action = "allow" + from_port = 0 + to_port = 0 + cidr_block = local.private_all[count.index] +} + +resource "aws_network_acl_rule" "out_endpoint" { + count = length(local.endpoint) + network_acl_id = aws_network_acl.private.id + rule_number = 
local.endpoint_start + count.index * 10 + egress = true + protocol = "tcp" + rule_action = "allow" + from_port = 443 + to_port = 443 + cidr_block = local.endpoint[count.index] +} + +resource "aws_network_acl_rule" "out_private_nat" { + count = length(local.public_nat_ports) + network_acl_id = aws_network_acl.private.id + rule_number = local.public_nat_start + count.index * 10 + egress = true + protocol = "tcp" + rule_action = "allow" + from_port = local.public_nat_ports[count.index] + to_port = local.public_nat_ports[count.index] + cidr_block = local.public_nat +} + +#--- +# public subnets +#--- +resource "aws_network_acl" "public" { + vpc_id = aws_vpc.vpc.id + subnet_ids = aws_subnet.public[*].id + + tags = merge( + local.common_tags, + map("Name", "nacl-${var.vpc_full_name}-public") + ) +} + +resource "aws_network_acl_rule" "in_nat" { + network_acl_id = aws_network_acl.public.id + rule_number = local.public_nat_start + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = 1024 + to_port = 65535 + cidr_block = local.public_nat +} + +resource "aws_network_acl_rule" "in_nat_vpc" { + count = length(local.public_nat_ports) + network_acl_id = aws_network_acl.public.id + rule_number = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10 + egress = false + protocol = "tcp" + rule_action = "allow" + from_port = local.public_nat_ports[count.index] + to_port = local.public_nat_ports[count.index] + cidr_block = var.vpc_cidr_block + depends_on = [aws_network_acl_rule.in_nat] +} + +resource "aws_network_acl_rule" "out_nat" { + count = length(local.public_nat_ports) + network_acl_id = aws_network_acl.public.id + rule_number = local.public_nat_start + count.index * 10 + egress = true + protocol = "tcp" + rule_action = "allow" + from_port = local.public_nat_ports[count.index] + to_port = local.public_nat_ports[count.index] + cidr_block = local.public_nat +} + +resource "aws_network_acl_rule" "out_nat_vpc" { + count = 1 + network_acl_id = 
aws_network_acl.public.id + rule_number = local.public_nat_start + 100 + count.index * 10 + egress = true + protocol = "tcp" + rule_action = "allow" + from_port = 1024 + to_port = 65535 + cidr_block = var.vpc_cidr_block +} diff --git a/nacls/variables.common.subnets.tf b/nacls/variables.common.subnets.tf new file mode 120000 index 0000000..ad715ca --- /dev/null +++ b/nacls/variables.common.subnets.tf @@ -0,0 +1 @@ +../common/variables.common.subnets.tf \ No newline at end of file diff --git a/nacls/variables.common.tf b/nacls/variables.common.tf new file mode 120000 index 0000000..7439ed8 --- /dev/null +++ b/nacls/variables.common.tf @@ -0,0 +1 @@ +../common/variables.common.tf \ No newline at end of file diff --git a/nacls/variables.common.vpc.tf b/nacls/variables.common.vpc.tf new file mode 120000 index 0000000..5e77d37 --- /dev/null +++ b/nacls/variables.common.vpc.tf @@ -0,0 +1 @@ +../common/variables.common.vpc.tf \ No newline at end of file diff --git a/nacls/variables.common.vpc_id.tf b/nacls/variables.common.vpc_id.tf new file mode 120000 index 0000000..bc2e061 --- /dev/null +++ b/nacls/variables.common.vpc_id.tf @@ -0,0 +1 @@ +../common/variables.common.vpc_id.tf \ No newline at end of file diff --git a/nacls/version.tf b/nacls/version.tf new file mode 120000 index 0000000..b83c5b7 --- /dev/null +++ b/nacls/version.tf @@ -0,0 +1 @@ +../common/version.tf \ No newline at end of file diff --git a/routing/variables.common.availability_zones.tf b/routing/variables.common.availability_zones.tf new file mode 120000 index 0000000..dca20a3 --- /dev/null +++ b/routing/variables.common.availability_zones.tf @@ -0,0 +1 @@ +../common/variables.common.availability_zones.tf \ No newline at end of file diff --git a/routing/variables.common.subnets.tf b/routing/variables.common.subnets.tf new file mode 120000 index 0000000..ad715ca --- /dev/null +++ b/routing/variables.common.subnets.tf @@ -0,0 +1 @@ +../common/variables.common.subnets.tf \ No newline at end of file 
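Review bot: `nacls/subnet-nacls.tf.x` is not loaded by Terraform because of the `.tf.x` suffix, and its contents reference names that do not exist in this submodule (`aws_vpc.vpc`, `aws_subnet.private`, `var.network_census`, `local.common_tags`), so it is a dead copy of the pre-refactor rules rather than working code. Leaving it in the tree invites someone to rename it back, which would collide with `aws_network_acl.private`/`public` in nacls/main.tf and bring a second, unreviewed rule set into effect; since the old version is preserved in git history, deleting the file is preferable. If it must stay, a one-line header such as `# REFERENCE ONLY: pre-1.0.2 hand-written NACL rules; not loaded (.tf.x), superseded by the nacl-rules submodule` would at least make its status explicit.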
diff --git a/routing/variables.common.vpc_id.tf b/routing/variables.common.vpc_id.tf new file mode 120000 index 0000000..bc2e061 --- /dev/null +++ b/routing/variables.common.vpc_id.tf @@ -0,0 +1 @@ +../common/variables.common.vpc_id.tf \ No newline at end of file diff --git a/routing/variables.tf b/routing/variables.tf index 5094cc1..66c0e5f 100644 --- a/routing/variables.tf +++ b/routing/variables.tf 
@@ -27,38 +27,38 @@ variable "enable_nat" { default = false } -variable "vpc_id" { - description = "VPC ID" - type = string -} - -variable "availability_zones" { - description = "AWS Availability Zones to use (by default will use all available)" - type = list(string) - default = [] -} - -variable "public_subnets_ids" { - description = "List of public subnet objects including: subnet, label, availability_zone, id" - type = list(object({ - subnet = string - label = string - availability_zone = string - id = string - })) - default = [] -} - -variable "private_subnets_ids" { - description = "List of private subnet objects including: subnet, label, availability_zone, id" - type = list(object({ - subnet = string - label = string - availability_zone = string - id = string - })) - default = [] -} +## variable "vpc_id" { +## description = "VPC ID" +## type = string +## } +## +## variable "availability_zones" { +## description = "AWS Availability Zones to use (by default will use all available)" +## type = list(string) +## default = [] +## } +## +## variable "public_subnets_ids" { +## description = "List of public subnet objects including: subnet, label, availability_zone, id" +## type = list(object({ +## subnet = string +## label = string +## availability_zone = string +## id = string +## })) +## default = [] +## } +## +## variable "private_subnets_ids" { +## description = "List of private subnet objects including: subnet, label, availability_zone, id" +## type = list(object({ +## subnet = string +## label = string +## availability_zone = string +## id = string +## })) +## default = [] +## } ### diff --git a/security-groups/variables.common.vpc_id.tf b/security-groups/variables.common.vpc_id.tf new file mode 120000 index 0000000..bc2e061 --- /dev/null +++ b/security-groups/variables.common.vpc_id.tf @@ -0,0 +1 @@ +../common/variables.common.vpc_id.tf \ No newline at end of file 
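Review bot: The four variable declarations are kept as `##`-commented copies rather than removed, now that the same declarations arrive through the symlinked `variables.common.*.tf` files. Commented-out declarations go stale the moment the common ones change, and nothing tells a reader which copy is authoritative; with history in git, deleting the block and leaving at most a pointer like `# vpc_id, availability_zones, public_subnets_ids, private_subnets_ids: see variables.common.*.tf` is cleaner. The same pattern appears in nacl-rules/main.tf, where roughly 180 lines of `##`-commented resources are being deleted in this very commit. The `enable_nat` variable that opens the hunk starts before it.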
diff --git a/subnets/variables.common.availability_zones.tf b/subnets/variables.common.availability_zones.tf new file mode 120000 index 0000000..dca20a3 --- /dev/null +++ b/subnets/variables.common.availability_zones.tf @@ -0,0 +1 @@ +../common/variables.common.availability_zones.tf \ No newline at end of file diff --git a/subnets/variables.common.subnets.tf b/subnets/variables.common.subnets.tf new file mode 120000 index 0000000..ad715ca --- /dev/null +++ b/subnets/variables.common.subnets.tf @@ -0,0 +1 @@ +../common/variables.common.subnets.tf \ No newline at end of file diff --git a/subnets/variables.common.vpc_id.tf b/subnets/variables.common.vpc_id.tf new file mode 120000 index 0000000..bc2e061 --- /dev/null +++ b/subnets/variables.common.vpc_id.tf @@ -0,0 +1 @@ +../common/variables.common.vpc_id.tf \ No newline at end of file diff --git a/subnets/variables.subnets.tf b/subnets/variables.subnets.tf deleted file mode 100644 index 39a32d6..0000000 --- a/subnets/variables.subnets.tf +++ /dev/null @@ -1,33 +0,0 @@ -variable "availability_zones" { - description = "AWS Availability Zones to use (by default will use all available)" - type = list(string) - default = [] -} - -variable "public_subnets" { - description = "List of objects with public subnet information to be created" - type = list(object({ - base_cidr = string - label = string - bits = number - private = bool - # subnets = list(string) - # labels = list(string) - # availability_zones = list(string) - })) - default = [] -} - -variable "private_subnets" { - description = "List of objects with private subnet information to be created" - type = list(object({ - base_cidr = string - label = string - bits = number - private = bool - # subnets = list(string) - # labels = list(string) - # availability_zones = list(string) - })) - default = [] -} diff --git a/subnets/variables.tf b/subnets/variables.tf deleted file mode 100644 index 38ced37..0000000 --- a/subnets/variables.tf +++ /dev/null 
@@ -1,5 +0,0 @@
-variable "vpc_id" {
- description = "VPC ID"
- type = string
-}
-
diff --git a/vpn/variables.common.vpc_id.tf b/vpn/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/vpn/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/vpn/variables.tf b/vpn/variables.tf
index e256a5a..dba92e8 100644
--- a/vpn/variables.tf
+++ b/vpn/variables.tf
@@ -29,8 +29,3 @@ variable "route_table_ids" {
 default = []
 }
 
-variable "vpc_id" {
- description = "VPC ID"
- type = string
-}
-