use awscc for network acls
badra001 committed Jun 5, 2024
1 parent 2a07d37 commit 38779bd
Showing 3 changed files with 35 additions and 80 deletions.
18 changes: 8 additions & 10 deletions tag-shared-vpc-resources/README.md
Expand Up @@ -366,7 +366,8 @@ COMMAND tf-directory-setup.py -l s3
| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.0 |
| <a name="requirement_awscc"></a> [awscc](#requirement\_awscc) | >= 1.0 |
| <a name="requirement_ldap"></a> [ldap](#requirement\_ldap) | >= 0.5.4 |
| <a name="requirement_local"></a> [local](#requirement\_local) | >= 1.0.0 |
| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
Expand All @@ -377,10 +378,10 @@ COMMAND tf-directory-setup.py -l s3

| Name | Version |
|------|---------|
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
| <a name="provider_aws.network_account"></a> [aws.network\_account](#provider\_aws.network\_account) | >= 3.66.0 |
| <a name="provider_local"></a> [local](#provider\_local) | >= 1.0.0 |
| <a name="provider_null"></a> [null](#provider\_null) | >= 3.0 |
| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.0 |
| <a name="provider_aws.network_account"></a> [aws.network\_account](#provider\_aws.network\_account) | >= 5.0 |
| <a name="provider_awscc"></a> [awscc](#provider\_awscc) | >= 1.0 |
| <a name="provider_awscc.network_account"></a> [awscc.network\_account](#provider\_awscc.network\_account) | >= 1.0 |

## Modules

Expand All @@ -396,9 +397,6 @@ No modules.
| [aws_ec2_tag.subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
| [aws_ec2_tag.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
| [aws_ec2_tag.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_tag) | resource |
| [null_resource.network_acl](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.network_acls](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [null_resource.setup_directory](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource |
| [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_arn.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
| [aws_availability_zone.zone](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/availability_zone) | data source |
Expand All @@ -407,7 +405,6 @@ No modules.
| [aws_caller_identity.network_account](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
| [aws_ec2_transit_gateway.transit_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_transit_gateway) | data source |
| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
| [aws_network_acls.network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
| [aws_route_table.route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
| [aws_route_tables.route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
Expand All @@ -416,7 +413,8 @@ No modules.
| [aws_vpc.vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
| [aws_vpc_dhcp_options.dhcp_options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_dhcp_options) | data source |
| [aws_vpcs.vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
| [local_file.network_acl](https://registry.terraform.io/providers/hashicorp/local/latest/docs/data-sources/file) | data source |
| [awscc_ec2_network_acl.nacls](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/data-sources/ec2_network_acl) | data source |
| [awscc_ec2_network_acls.nacls](https://registry.terraform.io/providers/hashicorp/awscc/latest/docs/data-sources/ec2_network_acls) | data source |

## Inputs

90 changes: 21 additions & 69 deletions tag-shared-vpc-resources/tag-network-acls.tf
@@ -1,72 +1,24 @@
data "aws_network_acls" "network_acls" {
for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
filter {
name = "owner-id"
values = [data.aws_arn.network_account.account]
}
filter {
name = "vpc-id"
values = [each.key]
}
data "awscc_ec2_network_acls" "nacls" {
count = local._nacl_enabled ? 1 : 0
}

## data "aws_network_acl" "network_acl" {
## provider = aws.network_account
## for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
## id = each.key
## }

# there is no aws_network_acl data resource. Fake this out with null_resource
# aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51" > X.json
# there is still no aws_network_acl, but there is an issue for it
# https://github.com/hashicorp/terraform-provider-aws/issues/19754

resource "null_resource" "setup_directory" {
triggers = {
directory = "setup"
}

provisioner "local-exec" {
command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}"
}
}

resource "null_resource" "network_acl" {
for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
triggers = {
directory = null_resource.setup_directory.triggers.directory
network_acl_id = each.key
filename = "network_acl.${each.key}.json"
full_filename = format("%v/%v/%v", path.root, "setup", "network_acl.${each.key}.json")
}

provisioner "local-exec" {
working_dir = path.root
command = "${path.module}/bin/assume_role_wrapper.sh aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.directory}/${self.triggers.filename}"
environment = {
AWS_PROFILE = var.profile
AWS_REGION = local.region
ROLE_ARN = var.role_arn
}
}
data "awscc_ec2_network_acl" "nacls" {
provider = awscc.network_account
for_each = local._nacl_enabled ? data.awscc_ec2_network_acls.nacls[0].ids : toset([])
id = each.key
}

data "local_file" "network_acl" {
# for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
for_each = null_resource.network_acl
# filename = format("%v/%v/%v", path.root, each.value.triggers.directory, each.value.triggers.filename)
filename = each.value.triggers.full_filename
}

resource "null_resource" "network_acls" {
triggers = {
network_acls = join(",", [for k, v in data.local_file.network_acl : v.filename])
filename = format("%v/%v/%v", path.root, "setup", "network_acls_extracted.dat")
}
provisioner "local-exec" {
command = "touch ${self.triggers.filename}"
}
}
# data "aws_network_acls" "network_acls" {
# for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
# filter {
# name = "owner-id"
# values = [data.aws_arn.network_account.account]
# }
# filter {
# name = "vpc-id"
# values = [each.key]
# }
# }


## output "network_acls" {
Expand All @@ -85,10 +37,10 @@ locals {
# network_acls_tags = fileexists(null_resource.network_acls.triggers.filename) ? { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) } : {}
# network_acls_tags_map = fileexists(null_resource.network_acls.triggers.filename) ? flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]]) : []

_nacl_enabled = var.tag_enabled_network_acls
_network_acls = { for k, v in data.local_file.network_acl : k => jsondecode(v.content) if local._nacl_enabled }
network_acls = { for k, v in local._network_acls : k => lookup(v, "NetworkAcls", [{ "Tags" : [], "OwnerId" : "" }])[0] }
network_acls_tags = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
_nacl_enabled = var.tag_enabled_network_acls
# _network_acls = { for k, v in data.local_file.network_acl : k => jsondecode(v.content) if local._nacl_enabled }
# network_acls_tags = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
network_acls_tags = { for k, v in data.awsccl_ec2_network_acl.nacls : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
network_acls_tags_map = flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]])
}

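Review bot: The new plural lookup `data "awscc_ec2_network_acls" "nacls"` has no `provider = awscc.network_account` line and no owner or VPC filter, while the per-ACL `data "awscc_ec2_network_acl" "nacls"` right below it is pinned to `awscc.network_account`; the removed `aws_network_acls` block had scoped the ids to `owner-id = <network account>` and to `data.aws_vpcs.vpcs.ids`. As written, every ACL id visible to the default awscc provider (presumably the calling account) in the region is fed into a lookup in the network account, so an ACL that the network account does not own should fail that lookup with a not-found error, and shared ACLs outside the selected VPCs would now be tagged where they were previously skipped. Either add `provider = awscc.network_account` to the plural data source, or keep the filtered `aws_network_acls` data source as the id source with `for_each = local._nacl_enabled ? toset(flatten([for v in data.aws_network_acls.network_acls : v.ids])) : toset([])`, and restore the VPC restriction by filtering on `vpc_id` in the locals. Separately, the locals hunk references `data.awsccl_ec2_network_acl.nacls`, a data source that is not declared anywhere — `awsccl` should read `awscc`, otherwise `terraform validate` fails on this file; whether `awscc_ec2_network_acl` actually exposes `owner_id` as that local assumes is not visible here and should be checked against the provider schema.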
7 changes: 6 additions & 1 deletion tag-shared-vpc-resources/versions.tf
Expand Up @@ -4,9 +4,14 @@ terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 3.66.0"
version = ">= 5.0"
configuration_aliases = [aws.network_account]
}
awscc = {
source = "hashicorp/awscc"
version = ">= 1.0"
configuration_aliases = [awscc.network_account]
}
null = {
source = "hashicorp/null"
version = ">= 3.0"
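Review bot: The new `awscc` requirement is an open-ended `version = ">= 1.0"`, and `aws` moves to `">= 5.0"`, neither with an upper bound, so a fresh `terraform init` without a committed `.terraform.lock.hcl` can resolve to any future major release of either provider, including one that changes the schema of the data sources this commit introduces. A pessimistic constraint, `version = "~> 1.0"` for awscc and `version = "~> 5.0"` for aws, plus committing the dependency lock file (which also pins provider hashes), keeps `init` reproducible; whether a lock file is already tracked in this repository is not visible from the diff. The `required_providers` block continues past the hunk, with the `null` provider entry cut off.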
