From 91175cd5e7b71d6a9be2d9dac7631581a02e5993 Mon Sep 17 00:00:00 2001
From: badra001
Date: Mon, 10 May 2021 12:17:57 -0400
Subject: [PATCH] update: main, variables
---
nacl-rules/data.tf | 1 +
nacl-rules/defaults.tf | 1 +
nacl-rules/main.tf | 226 ++++++++++++++++++++++++++
nacl-rules/outputs.tf | 0
nacl-rules/prefixes.tf | 1 +
nacl-rules/variables.common.tf | 1 +
nacl-rules/variables.common.vpc.tf | 1 +
nacl-rules/variables.common.vpc_id.tf | 1 +
nacl-rules/variables.tf | 58 +++++++
nacl-rules/version.tf | 1 +
10 files changed, 291 insertions(+)
create mode 120000 nacl-rules/data.tf
create mode 120000 nacl-rules/defaults.tf
create mode 100644 nacl-rules/main.tf
create mode 100644 nacl-rules/outputs.tf
create mode 120000 nacl-rules/prefixes.tf
create mode 120000 nacl-rules/variables.common.tf
create mode 120000 nacl-rules/variables.common.vpc.tf
create mode 120000 nacl-rules/variables.common.vpc_id.tf
create mode 100644 nacl-rules/variables.tf
create mode 120000 nacl-rules/version.tf
diff --git a/nacl-rules/data.tf b/nacl-rules/data.tf
new file mode 120000
index 0000000..995624d
--- /dev/null
+++ b/nacl-rules/data.tf
@@ -0,0 +1 @@
+../common/data.tf
\ No newline at end of file
diff --git a/nacl-rules/defaults.tf b/nacl-rules/defaults.tf
new file mode 120000
index 0000000..a5556ac
--- /dev/null
+++ b/nacl-rules/defaults.tf
@@ -0,0 +1 @@
+../common/defaults.tf
\ No newline at end of file
diff --git a/nacl-rules/main.tf b/nacl-rules/main.tf
new file mode 100644
index 0000000..3434655
--- /dev/null
+++ b/nacl-rules/main.tf
@@ -0,0 +1,226 @@
+/*
+* # About aws-vpc-setup :: nacl-rules
+*
+* This submodule creates network access control lists rules (nacls). The submodule nacls sets up the network
+* acl and should be called first.
+*
+* # Usage
+*
+* ```hcl
+* module "nacl-rules" {
+* source = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+* vpc_id = var.vpc_id
+*
+* vpc_name = var.vpc_name
+* vpc_short_name = var.vpc_short_name
+* vpc_full_name = var.vpc_full_name
+*
+* tags = {}
+* }
+*/
+
+locals {
+ account_id = var.account_id != "" ? var.account_id : data.aws_caller_identity.current.account_id
+ account_environment = data.aws_arn.current.partition == "aws-us-gov" ? "gov" : "ew"
+
+ base_tags = {
+ "boc:tf_module_version" = local._module_version
+ "boc:created_by" = "terraform"
+ }
+
+ # availability_zones = length(var.availability_zones) != 0 ? var.availability_zones : data.aws_availability_zones.zones.names
+ # az_count = length(local.availability_zones)
+ # az_count_list = range(local.az_count)
+ # az_list = toset(local.availability_zones)
+ # empty = toset([])
+}
+
+## locals {
+## private_all = compact(concat(var.network_census, var.network_peers, list(var.vpc_cidr_block)))
+## private_all_start = 1000
+## # endpoint = ["52.216.0.0/15", "54.231.0.0/17"]
+## endpoint = []
+## endpoint_start = 2000
+## public_nat = "0.0.0.0/0"
+## public_nat_start = 3000
+## public_nat_ports = [80, 443]
+## }
+##
+## # IN
+## resource "aws_network_acl_rule" "in_private_all" {
+## count = length(local.private_all)
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.private_all_start + count.index * 10
+## egress = false
+## protocol = "all"
+## rule_action = "allow"
+## from_port = 0
+## to_port = 0
+## cidr_block = local.private_all[count.index]
+## }
+##
+## resource "aws_network_acl_rule" "in_endpoint" {
+## count = length(local.endpoint)
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.endpoint_start + count.index * 10
+## egress = false
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = 1024
+## to_port = 65535
+## cidr_block = local.endpoint[count.index]
+## }
+##
+## resource "aws_network_acl_rule" "in_private_nat" {
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.public_nat_start
+## egress = false
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = 1024
+## to_port = 65535
+## cidr_block = local.public_nat
+## }
+##
+## # OUT
+## resource "aws_network_acl_rule" "out_private_all" {
+## count = length(local.private_all)
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.private_all_start + count.index * 10
+## egress = true
+## protocol = "all"
+## rule_action = "allow"
+## from_port = 0
+## to_port = 0
+## cidr_block = local.private_all[count.index]
+## }
+##
+## resource "aws_network_acl_rule" "out_endpoint" {
+## count = length(local.endpoint)
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.endpoint_start + count.index * 10
+## egress = true
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = 443
+## to_port = 443
+## cidr_block = local.endpoint[count.index]
+## }
+##
+## resource "aws_network_acl_rule" "out_private_nat" {
+## count = length(local.public_nat_ports)
+## network_acl_id = aws_network_acl.private.id
+## rule_number = local.public_nat_start + count.index * 10
+## egress = true
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = local.public_nat_ports[count.index]
+## to_port = local.public_nat_ports[count.index]
+## cidr_block = local.public_nat
+## }
+
+## resource "aws_network_acl_rule" "in_nat" {
+## network_acl_id = aws_network_acl.public.id
+## rule_number = local.public_nat_start
+## egress = false
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = 1024
+## to_port = 65535
+## cidr_block = local.public_nat
+## }
+##
+## resource "aws_network_acl_rule" "in_nat_vpc" {
+## count = length(local.public_nat_ports)
+## network_acl_id = aws_network_acl.public.id
+## rule_number = aws_network_acl_rule.in_nat.rule_number + 10 + count.index * 10
+## egress = false
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = local.public_nat_ports[count.index]
+## to_port = local.public_nat_ports[count.index]
+## cidr_block = var.vpc_cidr_block
+## depends_on = [aws_network_acl_rule.in_nat]
+## }
+##
+## resource "aws_network_acl_rule" "out_nat" {
+## count = length(local.public_nat_ports)
+## network_acl_id = aws_network_acl.public.id
+## rule_number = local.public_nat_start + count.index * 10
+## egress = true
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = local.public_nat_ports[count.index]
+## to_port = local.public_nat_ports[count.index]
+## cidr_block = local.public_nat
+## }
+##
+## resource "aws_network_acl_rule" "out_nat_vpc" {
+## count = 1
+## network_acl_id = aws_network_acl.public.id
+## rule_number = local.public_nat_start + 100 + count.index * 10
+## egress = true
+## protocol = "tcp"
+## rule_action = "allow"
+## from_port = 1024
+## to_port = 65535
+## cidr_block = var.vpc_cidr_block
+## }
+##
+##
+
+
+# # main.tf
+# module "clients-acl-rule" {
+# source = "modules/acl"
+#
+# network_acl_id = "${aws_network_acl.public-acl.id}"
+#
+# all_acl_rules = "${var.acl_rules}"
+# cidrs = "${var.cidr_blocks["clients"]}"
+# rules = ["http_inbound", "https_inbound", "ephemeral_outbound"]
+# rule_number = 20
+# }
+#
+# setproduct(var.cidrs,var.rules)
+
+## variable "network_acl_id" {
+## variable "rule_definitions" {
+## variable "cidr_blocks" {
+## variable "rules" {
+## variable "rule_number" {
+## variable "rule_increment" {
+
+locals {
+ r = setproduct(var.cidr_blocks, var.rules)
+}
+
+
+## #---
+## # description = "Map of all rules where each entry is a tuple of: [from_port, to_port, egress, protocol, action, description]"
+## # type = map(tuple([number, number, bool, string, string, string]))
+## #---
+## "nacl_all_rules" = {
+## # basic outbounds
+## ephemeral_outbound = [1024, 65535, true, "tcp", "allow", "ephemeral-outbound"]
+## all_outbound = [0, 0, true, "all", "allow", "all-outbound"]
+##
+## # basic inbounds
+## all_inbound = [0, 0, false, "all", "allow", "all-inbound"]
+## http_inbound = [80, 80, false, "tcp", "allow", "http-inbound"]
+## https_inbound = [443, 443, false, "tcp", "allow", "https-inbound"]
+## ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"]
+## }
+## #---
+## # vpc varies by specific VPC cidr block, this will be merged with the actual vpc CIDR
+## #---
+## "nacl_all_cidr_blocks" = {
+## "all" = ["0.0.0.0/0"]
+## "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+## "vpc" = []
+## "endpoints" = []
+## "additional" = []
+## "peers" = []
+## }
+## }
+## }
diff --git a/nacl-rules/outputs.tf b/nacl-rules/outputs.tf
new file mode 100644
index 0000000..e69de29
diff --git a/nacl-rules/prefixes.tf b/nacl-rules/prefixes.tf
new file mode 120000
index 0000000..7e265d5
--- /dev/null
+++ b/nacl-rules/prefixes.tf
@@ -0,0 +1 @@
+../common/prefixes.tf
\ No newline at end of file
diff --git a/nacl-rules/variables.common.tf b/nacl-rules/variables.common.tf
new file mode 120000
index 0000000..7439ed8
--- /dev/null
+++ b/nacl-rules/variables.common.tf
@@ -0,0 +1 @@
+../common/variables.common.tf
\ No newline at end of file
diff --git a/nacl-rules/variables.common.vpc.tf b/nacl-rules/variables.common.vpc.tf
new file mode 120000
index 0000000..5e77d37
--- /dev/null
+++ b/nacl-rules/variables.common.vpc.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc.tf
\ No newline at end of file
diff --git a/nacl-rules/variables.common.vpc_id.tf b/nacl-rules/variables.common.vpc_id.tf
new file mode 120000
index 0000000..bc2e061
--- /dev/null
+++ b/nacl-rules/variables.common.vpc_id.tf
@@ -0,0 +1 @@
+../common/variables.common.vpc_id.tf
\ No newline at end of file
diff --git a/nacl-rules/variables.tf b/nacl-rules/variables.tf
new file mode 100644
index 0000000..139cdfe
--- /dev/null
+++ b/nacl-rules/variables.tf
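Review bot: `r = setproduct(var.cidr_blocks, var.rules)` is computed but nothing in the hunk consumes it, and no `aws_network_acl_rule` resource is declared, so applying this module attaches no rules to `var.network_acl_id` even though the header comment says the submodule creates them; an operator gets a clean apply and a NACL with nothing but its defaults. Either build the rules from `local.r` (a `for_each` over the product, keyed by CIDR and rule name so numbers derived from `var.rule_number` and `var.rule_increment` stay stable across plans) or state in the header that the module is not yet functional. Roughly 200 of the 226 lines are `##`-commented drafts that bury the two live `locals` blocks; keeping the drafts out of the file until they are wired in would make the live behaviour reviewable. Within the draft table, `ssh_inbound = [22, 22, false, "tcp", "allow", "https-inbound"]` carries a copy-pasted description that should read `"ssh-inbound"` before it is ever uncommented, and the usage example in the header opens an `hcl` code fence that is never closed.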
@@ -0,0 +1,58 @@
+# # main.tf
+# module "clients-acl-rule" {
+# source = "modules/acl"
+#
+# network_acl_id = "${aws_network_acl.public-acl.id}"
+#
+# all_acl_rules = "${var.acl_rules}"
+# cidrs = "${var.cidr_blocks["clients"]}"
+# rules = ["http_inbound", "https_inbound", "ephemeral_outbound"]
+# rule_number = 20
+# }
+#
+# setproduct(var.cidrs,var.rules)
+
+variable "network_acl_id" {
+ description = "Network ACL ID to which to apply the rules"
+ type = string
+}
+
+/*
+* from_port = number (0 for all)
+* to_port = number (0 for all)
+* egress = true | false
+* protocol = "all" | "tcp" | "udp" | "icmp"
+* action = "allow" | "deny"
+* description = text-string
+*
+* example: http_inbound = [80,80,false,"tcp","allow","http-inbound"]
+*/
+variable "rule_definitions" {
+ description = "Map of rule port/proto definitions (default uses built-in all_rules)"
+ type = map(tuple([number, number, bool, string, string, string]))
+ default = {}
+}
+
+variable "cidr_blocks" {
+ description = "List of CIDR blocks for selected rules"
+ type = list(string)
+ default = []
+}
+
+variable "rules" {
+ description = "Selected rule definitions from rule_definitions or all_rules (default: null)"
+ type = list(string)
+ default = []
+}
+
+variable "rule_number" {
+ description = "Starting rule number within the rule"
+ type = number
+ default = null
+}
+
+variable "rule_increment" {
+ description = "Rule number increment per new CIDR block"
+ type = number
+ default = 10
+}
diff --git a/nacl-rules/version.tf b/nacl-rules/version.tf
new file mode 120000
index 0000000..b83c5b7
--- /dev/null
+++ b/nacl-rules/version.tf
@@ -0,0 +1 @@
+../common/version.tf
\ No newline at end of file
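Review bot: The variable descriptions contradict their defaults: `rules` says `(default: null)` but declares `default = []`, and `rule_definitions` says `default uses built-in all_rules` although its default is `{}` and no `all_rules` exists outside the commented-out draft in main.tf, so a caller reading the descriptions will expect behaviour the module does not provide. Also `rule_number` defaults to `null` with no note of what happens when it is unset; if it is meant to be required, drop the default, otherwise document the fallback. Since these inputs decide which CIDRs get `allow`/`deny` entries on a NACL, it is worth rejecting malformed values at plan time rather than at apply: a `validation` block on `cidr_blocks` (needs Terraform 0.13+, which version.tf may or may not pin) and a matching one on `rule_definitions` checking `action` is `allow` or `deny` and `protocol` is one of the four documented values.

```hcl
variable "cidr_blocks" {
  # … unchanged: description, type, default …

  # Fail at plan time on a mistyped CIDR instead of at apply (requires Terraform >= 0.13).
  validation {
    condition     = alltrue([for c in var.cidr_blocks : can(cidrhost(c, 0))])
    error_message = "Every entry in cidr_blocks must be a valid IPv4 or IPv6 CIDR."
  }
}
```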