Merge pull request #13 from terraform-modules/fix-nacls

v1.4.2: fix nacl limit by adding flags
terraform-modules · Jan 9, 2022 · 9e4eaa4 · 9e4eaa4
2 parents 539eced + 7e3db4c
commit 9e4eaa4
Show file tree

Hide file tree

Showing 26 changed files with 177 additions and 27 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,7 @@
 # Versions
 
+## Version 1.x
+
 * v1.0.0 -- 20210502
   - initial creation
 
@@ -74,3 +76,13 @@
 * (no version) -- 20211119
   - add example for full-setup
 
+* v1.4.2 -- 20220109
+    - add common/versions.tf to prep for tf 0.13+
+  - common/defaults.tf
+    - add 10/8 to enteprise list and make the default, due to a max of 40 nacl entries in a nacl
+  - nacls-rules
+    - add variable enable_rules (boolean) to create or not create the rule
+  - peers
+    - add variables enable_nacl_entry_self and enable_nacl_entry_peer to determine whether to create the rule local/remote (default false)
+
+## Version 2.x
diff --git a/common/defaults.tf b/common/defaults.tf
@@ -40,7 +40,7 @@ locals {
     #---
     "nacl_all_cidr_blocks" = {
       "all"        = ["0.0.0.0/0"]
-      "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+      "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8"]
       "vpc"        = []
       "endpoints"  = []
       "additional" = []

diff --git a/common/version.tf b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
-  _module_version = "1.4.1"
+  _module_version = "1.4.2"
 }
diff --git a/common/versions.tf b/common/versions.tf
@@ -0,0 +1,22 @@
+# for tf 0.13+, ignored in tf 0.12
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 3.66.0"
+    }
+    null = {
+      source  = "hashicorp/null"
+      version = ">= 3.0"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = ">= 2.0"
+    }
+  }
+  #  required_version = ">= 0.13"
+}
diff --git a/examples/dns-vpc-region-vpcN/apps/README.md b/examples/dns-vpc-region-vpcN/apps/README.md
@@ -0,0 +1,23 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/dns-vpc-region/apps/README.md b/examples/dns-vpc-region/apps/README.md
@@ -0,0 +1,23 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/dns-vpc-region/apps/dns/README.md b/examples/dns-vpc-region/apps/dns/README.md
@@ -0,0 +1,31 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_route53_resolver_query_log_config.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
+| [aws_route53_resolver_query_log_config_association.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
+| [aws_vpc.all_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpcs.all_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/flowlogs-role/versions.tf b/flowlogs-role/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/flowlogs/versions.tf b/flowlogs/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/nacl-rules/README.md b/nacl-rules/README.md
@@ -27,13 +27,18 @@ module "nacls_enterprise" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | n/a |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.66.0 |
 
 ## Modules
 
@@ -56,6 +61,7 @@ No modules.
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | <a name="input_cidr_blocks"></a> [cidr\_blocks](#input\_cidr\_blocks) | List of CIDR blocks for selected rules | `list(string)` | `[]` | no |
+| <a name="input_enable_rules"></a> [enable\_rules](#input\_enable\_rules) | Flag to determine whether to create the rules (default: true) | `bool` | `true` | no |
 | <a name="input_merge_cidr_blocks"></a> [merge\_cidr\_blocks](#input\_merge\_cidr\_blocks) | Map of names to list of CIDR blocks | `map(list(string))` | `{}` | no |
 | <a name="input_named_cidr_blocks"></a> [named\_cidr\_blocks](#input\_named\_cidr\_blocks) | List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...) | `list(string)` | `[]` | no |
 | <a name="input_network_acl_id"></a> [network\_acl\_id](#input\_network\_acl\_id) | Network ACL ID to which to apply the rules | `string` | n/a | yes |

diff --git a/nacl-rules/main.tf b/nacl-rules/main.tf
@@ -110,7 +110,7 @@ locals {
 }
 
 resource "aws_network_acl_rule" "in" {
-  for_each       = { for r in local.r3_in : r.label => r }
+  for_each       = var.enable_rules ? { for r in local.r3_in : r.label => r } : {}
   network_acl_id = var.network_acl_id
   rule_number    = each.value.rule_number
   egress         = each.value.egress
@@ -122,7 +122,7 @@ resource "aws_network_acl_rule" "in" {
 }
 
 resource "aws_network_acl_rule" "out" {
-  for_each       = { for r in local.r3_out : r.label => r }
+  for_each       = var.enable_rules ? { for r in local.r3_out : r.label => r } : {}
   network_acl_id = var.network_acl_id
   rule_number    = each.value.rule_number
   egress         = each.value.egress

diff --git a/nacl-rules/variables.tf b/nacl-rules/variables.tf
@@ -80,3 +80,10 @@ variable "rule_increment" {
   type        = number
   default     = 10
 }
+
+variable "enable_rules" {
+  description = "Flag to determine whether to create the rules (default: true)"
+  type        = bool
+  default     = true
+}
+
diff --git a/nacl-rules/versions.tf b/nacl-rules/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/nacls/versions.tf b/nacls/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/peer/README.md b/peer/README.md
@@ -31,6 +31,12 @@ for `vpc_index=2` (aka, vpc2), the rule number in the NACL rule at `rule_number
 
 `vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional.
 
+We have hit the maximum number of NACL entries in a rule (40) using this per-VPC rule creation method.
+As of version 1.4.2, this will be disabld by default, and it will use the entire 10/8 address space as
+added in another location.  This in essence renders the tracking of the peer pairs for and setting nalcs
+for any peers within the 10/8 obsolete.   We may come upon a need to create nacl entries for DENY
+and we will address this at that time.
+
 # Usage
 
 ```hcl
@@ -72,14 +78,19 @@ module "peer_services" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.66.0 |
+| <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.0 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+| <a name="requirement_template"></a> [template](#requirement\_template) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws.peer"></a> [aws.peer](#provider\_aws.peer) | n/a |
-| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | n/a |
+| <a name="provider_aws.peer"></a> [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| <a name="provider_aws.self"></a> [aws.self](#provider\_aws.self) | >= 3.66.0 |
 
 ## Modules
 
@@ -123,6 +134,7 @@ No requirements.
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_peer_account_alias"></a> [peer\_account\_alias](#input\_peer\_account\_alias) | Peer AWS Account Alias | `string` | `""` | no |
 | <a name="input_peer_account_id"></a> [peer\_account\_id](#input\_peer\_account\_id) | Peer AWS Account ID | `string` | `""` | no |
+| <a name="input_peer_enable_rules"></a> [peer\_enable\_rules](#input\_peer\_enable\_rules) | Flag to control creating NACL entries/rules on peer (default: false) | `bool` | `false` | no |
 | <a name="input_peer_network_acl_filter"></a> [peer\_network\_acl\_filter](#input\_peer\_network\_acl\_filter) | Peer VPC Network ACL filter list | `list(string)` | `[]` | no |
 | <a name="input_peer_network_acl_ids"></a> [peer\_network\_acl\_ids](#input\_peer\_network\_acl\_ids) | Peer VPC Network ACL IDs | `list(string)` | `[]` | no |
 | <a name="input_peer_route_table_filter"></a> [peer\_route\_table\_filter](#input\_peer\_route\_table\_filter) | Peer VPC route table search filter list (default: services) | `list(string)` | <pre>[<br>  "route-*-services",<br>  "route-*-services-private*"<br>]</pre> | no |
@@ -141,6 +153,7 @@ No requirements.
 | <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | Self VPC route table IDs (default: all *private* route tables at self VPC) | `list(string)` | `[]` | no |
 | <a name="input_rule_increment"></a> [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `1` | no |
 | <a name="input_rule_number"></a> [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
+| <a name="input_self_enable_rules"></a> [self\_enable\_rules](#input\_self\_enable\_rules) | Flag to control creating NACL entries/rules on self (default: false) | `bool` | `false` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | Self VPC CIDR Block (default: obtain from self VPC) | `string` | `""` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |

diff --git a/peer/main.tf b/peer/main.tf
@@ -32,6 +32,12 @@
 *
 * `vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional.
 * 
+* We have hit the maximum number of NACL entries in a rule (40) using this per-VPC rule creation method.
+* As of version 1.4.2, this will be disabld by default, and it will use the entire 10/8 address space as
+* added in another location.  This in essence renders the tracking of the peer pairs for and setting nalcs
+* for any peers within the 10/8 obsolete.   We may come upon a need to create nacl entries for DENY
+* and we will address this at that time.
+*
 * # Usage
 * 
 * ```hcl
@@ -185,6 +191,7 @@ module "nacl_rule_self" {
   rule_definitions  = {}
   named_cidr_blocks = ["vpc"]
   merge_cidr_blocks = { "vpc" = [local.peer_cidr_block] }
+  enable_rules      = var.self_enable_rules
   rules             = ["all_inbound", "all_outbound"]
   rule_number       = var.rule_number
   rule_increment    = var.rule_increment
@@ -208,6 +215,7 @@ module "nacl_rule_peer" {
   rule_definitions  = {}
   named_cidr_blocks = ["vpc"]
   merge_cidr_blocks = { "vpc" = [local.self_cidr_block] }
+  enable_rules      = var.peer_enable_rules
   rules             = ["all_inbound", "all_outbound"]
   rule_number       = var.peer_rule_number
   rule_increment    = var.peer_rule_increment

diff --git a/peer/requirements.tf b/peer/requirements.tf
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
@@ -92,3 +92,9 @@ variable "peer_rule_increment" {
   type        = number
   default     = 1
 }
+
+variable "peer_enable_rules" {
+  description = "Flag to control creating NACL entries/rules on peer (default: false)"
+  type        = bool
+  default     = false
+}
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
@@ -33,3 +33,9 @@ variable "rule_increment" {
   type        = number
   default     = 1
 }
+
+variable "self_enable_rules" {
+  description = "Flag to control creating NACL entries/rules on self (default: false)"
+  type        = bool
+  default     = false
+}
diff --git a/peer/versions.tf b/peer/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/routing/versions.tf b/routing/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/security-groups/versions.tf b/security-groups/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/subnets/versions.tf b/subnets/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/vpc-interface-endpoint/versions.tf b/vpc-interface-endpoint/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/vpc/versions.tf b/vpc/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
diff --git a/vpn/versions.tf b/vpn/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf