update: main, variables

nacl-rules/data.tf

@@ -0,0 +1 @@
+../common/data.tf

nacl-rules/defaults.tf

@@ -0,0 +1 @@
+../common/defaults.tf

nacl-rules/main.tf

@@ -0,0 +1,226 @@
+/*
+* # About aws-vpc-setup :: nacl-rules
+* 
+* This submodule creates network access control lists rules (nacls).  The submodule nacls sets up the network
+* acl and should be called first.
+* 
+* # Usage
+* 
+* ```hcl
+* module "nacl-rules" {
+*   source               = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+*   vpc_id               = var.vpc_id
+*
+*   vpc_name             = var.vpc_name
+*   vpc_short_name       = var.vpc_short_name
+*   vpc_full_name        = var.vpc_full_name
+* 
+*   tags = {}
+* }
+*/
+
+locals {
+  account_id          = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+  account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+  base_tags = {
+    "boc:tf_module_version" = local._module_version
+    "boc:created_by"        = "terraform"
+  }
+
+  #  availability_zones = length(var.availability_zones) != 0 ? var.availability_zones : data.aws_availability_zones.zones.names
+  #  az_count           = length(local.availability_zones)
+  #  az_count_list      = range(local.az_count)
+  #  az_list            = toset(local.availability_zones)
+  #  empty              = toset([])
+}
+
+## locals {
+##   private_all       = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block)))
+##   private_all_start = 1000
+##   #  endpoint         = ["52.216.0.0/15", "54.231.0.0/17"]
+##   endpoint         = []
+##   endpoint_start   = 2000
+##   public_nat       = "0.0.0.0/0"
+##   public_nat_start = 3000
+##   public_nat_ports = [80, 443]
+## }
+## 
+## # IN
+## resource "aws_network_acl_rule" "in_private_all" {
+##   count          = length(local.private_all)
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.private_all_start + count.index * 10
+##   egress         = false
+##   protocol       = "all"
+##   rule_action    = "allow"
+##   from_port      = 0
+##   to_port        = 0
+##   cidr_block     = local.private_all[count.index]
+## }
+## 
+## resource "aws_network_acl_rule" "in_endpoint" {
+##   count          = length(local.endpoint)
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.endpoint_start + count.index * 10
+##   egress         = false
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = 1024
+##   to_port        = 65535
+##   cidr_block     = local.endpoint[count.index]
+## }
+## 
+## resource "aws_network_acl_rule" "in_private_nat" {
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.public_nat_start
+##   egress         = false
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = 1024
+##   to_port        = 65535
+##   cidr_block     = local.public_nat
+## }
+## 
+## # OUT
+## resource "aws_network_acl_rule" "out_private_all" {
+##   count          = length(local.private_all)
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.private_all_start + count.index * 10
+##   egress         = true
+##   protocol       = "all"
+##   rule_action    = "allow"
+##   from_port      = 0
+##   to_port        = 0
+##   cidr_block     = local.private_all[count.index]
+## }
+## 
+## resource "aws_network_acl_rule" "out_endpoint" {
+##   count          = length(local.endpoint)
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.endpoint_start + count.index * 10
+##   egress         = true
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = 443
+##   to_port        = 443
+##   cidr_block     = local.endpoint[count.index]
+## }
+## 
+## resource "aws_network_acl_rule" "out_private_nat" {
+##   count          = length(local.public_nat_ports)
+##   network_acl_id = aws_network_acl.private.id
+##   rule_number    = local.public_nat_start + count.index * 10
+##   egress         = true
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = local.public_nat_ports[count.index]
+##   to_port        = local.public_nat_ports[count.index]
+##   cidr_block     = local.public_nat
+## }
+
+## resource "aws_network_acl_rule" "in_nat" {
+##   network_acl_id = aws_network_acl.public.id
+##   rule_number    = local.public_nat_start
+##   egress         = false
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = 1024
+##   to_port        = 65535
+##   cidr_block     = local.public_nat
+## }
+## 
+## resource "aws_network_acl_rule" "in_nat_vpc" {
+##   count          = length(local.public_nat_ports)
+##   network_acl_id = aws_network_acl.public.id
+##   rule_number    = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10
+##   egress         = false
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = local.public_nat_ports[count.index]
+##   to_port        = local.public_nat_ports[count.index]
+##   cidr_block     = var.vpc_cidr_block
+##   depends_on     = [aws_network_acl_rule.in_nat]
+## }
+## 
+## resource "aws_network_acl_rule" "out_nat" {
+##   count          = length(local.public_nat_ports)
+##   network_acl_id = aws_network_acl.public.id
+##   rule_number    = local.public_nat_start + count.index * 10
+##   egress         = true
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = local.public_nat_ports[count.index]
+##   to_port        = local.public_nat_ports[count.index]
+##   cidr_block     = local.public_nat
+## }
+## 
+## resource "aws_network_acl_rule" "out_nat_vpc" {
+##   count          = 1
+##   network_acl_id = aws_network_acl.public.id
+##   rule_number    = local.public_nat_start + 100 + count.index * 10
+##   egress         = true
+##   protocol       = "tcp"
+##   rule_action    = "allow"
+##   from_port      = 1024
+##   to_port        = 65535
+##   cidr_block     = var.vpc_cidr_block
+## }
+## 
+## 
+
+
+# # main.tf
+# module "clients-acl-rule" {
+#  source = "modules/acl"
+# 
+#  network_acl_id = "${aws_network_acl.public-acl.id}"
+# 
+#  all_acl_rules = "${var.acl_rules}"
+#  cidrs = "${var.cidr_blocks["clients"]}"
+#  rules = ["http_inbound", "https_inbound", "ephemeral_outbound"]
+#  rule_number = 20
+# }
+# 
+# setproduct(var.cidrs,var.rules)
+
+## variable "network_acl_id" {
+## variable "rule_definitions" {
+## variable "cidr_blocks" {
+## variable "rules" {
+## variable "rule_number" {
+## variable "rule_increment" {
+
+locals {
+  r = setproduct(var.cidr_blocks, var.rules)
+}
+
+
+## #---
+## #   description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
+## #   type        = map(tuple([number, number, bool, string, string, string]))
+## #---
+##     "nacl_all_rules" = {
+##       # basic outbounds
+##       ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
+##       all_outbound       = [0, 0, true, "all", "allow", "all-outbound"]
+##   
+##       # basic inbounds
+##       all_inbound   = [0, 0, false, "all", "allow", "all-inbound"]
+##       http_inbound  = [80, 80, false, "tcp", "allow", "http-inbound"]
+##       https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
+##       ssh_inbound   = [22, 22, false, "tcp", "allow", "https-inbound"]
+##     }
+## #---
+## # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
+## #---
+##     "nacl_all_cidr_blocks" = {
+##       "all"        = ["0.0.0.0/0"]
+##       "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+##       "vpc"        = []
+##       "endpoints"  = []
+##       "additional" = []
+##       "peers"      = []
+##     }
+##   }
+## }

nacl-rules/prefixes.tf

@@ -0,0 +1 @@
+../common/prefixes.tf

nacl-rules/variables.common.tf

@@ -0,0 +1 @@
+../common/variables.common.tf

nacl-rules/variables.common.vpc.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc.tf

nacl-rules/variables.common.vpc_id.tf

@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf

nacl-rules/variables.tf

@@ -0,0 +1,58 @@
+# # main.tf
+# module "clients-acl-rule" {
+#  source = "modules/acl"
+# 
+#  network_acl_id = "${aws_network_acl.public-acl.id}"
+# 
+#  all_acl_rules = "${var.acl_rules}"
+#  cidrs = "${var.cidr_blocks["clients"]}"
+#  rules = ["http_inbound", "https_inbound", "ephemeral_outbound"]
+#  rule_number = 20
+# }
+# 
+# setproduct(var.cidrs,var.rules)
+
+variable "network_acl_id" {
+  description = "Network ACL ID to which to apply the rules"
+  type        = string
+}
+
+/*
+*  from_port = number (0 for all)
+*   to_port = number (0 for all)
+*   egress = true | false
+*   protocol = "all" | "tcp" | "udp" | "icmp" 
+*   action = "allow" | "deny"
+*   description = text-string
+* 
+*  example: http_inbound = [80,80,false,"tcp","allow","http-inbound"]
+*/
+variable "rule_definitions" {
+  description = "Map of rule port/proto definitions (default uses built-in all_rules)"
+  type        = map(tuple([number, number, bool, string, string, string]))
+  default     = {}
+}
+
+variable "cidr_blocks" {
+  description = "List of CIDR blocks for selected rules"
+  type        = list(string)
+  default     = []
+}
+
+variable "rules" {
+  description = "Selected rule definitions from rule_definitions or all_rules (default: null)"
+  type        = list(string)
+  default     = []
+}
+
+variable "rule_number" {
+  description = "Starting rule number within the rule"
+  type        = number
+  default     = null
+}
+
+variable "rule_increment" {
+  description = "Rule number increment per new CIDR block"
+  type        = number
+  default     = 10
+}

nacl-rules/version.tf

@@ -0,0 +1 @@
+../common/version.tf