From 7e3db4c36f9355590f26347686ba93f3ca6d7683 Mon Sep 17 00:00:00 2001
From: badra001
Date: Sun, 9 Jan 2022 09:51:23 -0500
Subject: [PATCH] v1.4.2: add flags for handling peer and self nacls

---
CHANGELOG.md | 12 ++++++++
common/defaults.tf | 2 +-
common/version.tf | 2 +-
common/versions.tf | 22 +++++++++++++++
examples/dns-vpc-region-vpcN/apps/README.md | 23 +++++++++++++++
examples/dns-vpc-region/apps/README.md | 23 +++++++++++++++
examples/dns-vpc-region/apps/dns/README.md | 31 +++++++++++++++++++++
flowlogs-role/versions.tf | 1 +
flowlogs/versions.tf | 1 +
nacl-rules/README.md | 10 +++++--
nacl-rules/main.tf | 4 +--
nacl-rules/variables.tf | 7 +++++
nacl-rules/versions.tf | 1 +
nacls/versions.tf | 1 +
peer/README.md | 19 +++++++++++--
peer/main.tf | 8 ++++++
peer/requirements.tf | 18 ------------
peer/variables.peer.tf | 6 ++++
peer/variables.self.tf | 6 ++++
peer/versions.tf | 1 +
routing/versions.tf | 1 +
security-groups/versions.tf | 1 +
subnets/versions.tf | 1 +
vpc-interface-endpoint/versions.tf | 1 +
vpc/versions.tf | 1 +
vpn/versions.tf | 1 +
26 files changed, 177 insertions(+), 27 deletions(-)
create mode 100644 common/versions.tf
create mode 100644 examples/dns-vpc-region-vpcN/apps/README.md
create mode 100644 examples/dns-vpc-region/apps/README.md
create mode 100644 examples/dns-vpc-region/apps/dns/README.md
create mode 120000 flowlogs-role/versions.tf
create mode 120000 flowlogs/versions.tf
create mode 120000 nacl-rules/versions.tf
create mode 120000 nacls/versions.tf
delete mode 100644 peer/requirements.tf
create mode 120000 peer/versions.tf
create mode 120000 routing/versions.tf
create mode 120000 security-groups/versions.tf
create mode 120000 subnets/versions.tf
create mode 120000 vpc-interface-endpoint/versions.tf
create mode 120000 vpc/versions.tf
create mode 120000 vpn/versions.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1599ba2..e9a3932 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,7 @@ # Versions +## Version 1.x + * v1.0.0 -- 20210502 - initial creation
@@ -74,3 +76,13 @@ * (no version) -- 20211119 - add example for full-setup
+* v1.4.2 -- 20220109
+ - add common/versions.tf to prep for tf 0.13+
+ - common/defaults.tf
+ - add 10/8 to enteprise list and make the default, due to a max of 40 nacl entries in a nacl
+ - nacls-rules
+ - add variable enable_rules (boolean) to create or not create the rule
+ - peers
+ - add variables enable_nacl_entry_self and enable_nacl_entry_peer to determine whether to create the rule local/remote (default false)
+
+## Version 2.x
diff --git a/common/defaults.tf b/common/defaults.tf
index 2078a4b..6d963af 100644
--- a/common/defaults.tf
+++ b/common/defaults.tf
@@ -40,7 +40,7 @@ locals {
 #---
 "nacl_all_cidr_blocks" = {
 "all" = ["0.0.0.0/0"]
- "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16"]
+ "enterprise" = ["148.129.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8"]
 "vpc" = []
 "endpoints" = []
 "additional" = []
diff --git a/common/version.tf b/common/version.tf
index a34718a..f549198 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,3 +1,3 @@
 locals {
- _module_version = "1.4.1"
+ _module_version = "1.4.2"
 }
diff --git a/common/versions.tf b/common/versions.tf
new file mode 100644
index 0000000..9fb912a
--- /dev/null
+++ b/common/versions.tf
@@ -0,0 +1,22 @@
+# for tf 0.13+, ignored in tf 0.12
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 3.66.0"
+ }
+ null = {
+ source = "hashicorp/null"
+ version = ">= 3.0"
+ }
+ random = {
+ source = "hashicorp/random"
+ version = ">= 3.0"
+ }
+ template = {
+ source = "hashicorp/template"
+ version = ">= 2.0"
+ }
+ }
+ # required_version = ">= 0.13"
+}
diff --git a/examples/dns-vpc-region-vpcN/apps/README.md b/examples/dns-vpc-region-vpcN/apps/README.md
new file mode 100644
index 0000000..5ca9045
--- /dev/null
+++ b/examples/dns-vpc-region-vpcN/apps/README.md
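Review bot: The `enterprise` named CIDR list now contains all of `10.0.0.0/8`, so any NACL built from `named_cidr_blocks = ["enterprise"]` allows the entire private 10/8 range instead of the three ranges it allowed before, including any 10.x network that is not actually enterprise-controlled; nothing on the line says why. A comment would carry the reasoning the CHANGELOG only hints at: `# 10/8 added in 1.4.2: a NACL holds at most 40 entries, so one enterprise-wide allow replaces the per-peer VPC rules (see peer/README.md)`. Since the peer module in this same patch defaults its per-peer rules off, this single entry now decides reachability for every peer inside 10/8, which is worth stating as a behavioral change for existing callers rather than as a list edit.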
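Review bot: The provider constraints in the new common/versions.tf are open-ended lower bounds (`>= 3.66.0`, `>= 3.0`, `>= 2.0`), so a `terraform init` without a committed dependency lock file can resolve to a future major provider release with breaking changes; a pessimistic constraint such as `version = "~> 3.66"` keeps resolution inside the tested major while still allowing patch updates. This file is symlinked into every module, including `peer`, and the deleted peer/requirements.tf later in this patch had sketched `configuration_aliases = [aws.self, aws.peer]` for 0.13+; a shared file cannot carry that per-module setting, so once `required_version` is uncommented the peer module will presumably need its own aws provider block. A short comment here recording that limitation, e.g. `# peer/ uses aws.self and aws.peer aliases; it needs its own required_providers with configuration_aliases on 0.13+`, would save the next maintainer the search.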
@@ -0,0 +1,23 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/dns-vpc-region/apps/README.md b/examples/dns-vpc-region/apps/README.md
new file mode 100644
index 0000000..5ca9045
--- /dev/null
+++ b/examples/dns-vpc-region/apps/README.md
@@ -0,0 +1,23 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+No modules.
+
+## Resources
+
+No resources.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/examples/dns-vpc-region/apps/dns/README.md b/examples/dns-vpc-region/apps/dns/README.md
new file mode 100644
index 0000000..e6d6ea2
--- /dev/null
+++ b/examples/dns-vpc-region/apps/dns/README.md
@@ -0,0 +1,31 @@
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_route53_resolver_query_log_config.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config) | resource |
+| [aws_route53_resolver_query_log_config_association.dns](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_resolver_query_log_config_association) | resource |
+| [aws_vpc.all_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpcs.all_vpcs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpcs) | data source |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+No outputs.
diff --git a/flowlogs-role/versions.tf b/flowlogs-role/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/flowlogs-role/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/flowlogs/versions.tf b/flowlogs/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/flowlogs/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/nacl-rules/README.md b/nacl-rules/README.md
index 49db01c..ef61c9a 100644
--- a/nacl-rules/README.md
+++ b/nacl-rules/README.md
@@ -27,13 +27,18 @@ module "nacls_enterprise" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | n/a |
+| [aws](#provider\_aws) | >= 3.66.0 |
 
 ## Modules
 
@@ -56,6 +61,7 @@ No modules.
 | [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
 | [cidr\_blocks](#input\_cidr\_blocks) | List of CIDR blocks for selected rules | `list(string)` | `[]` | no |
+| [enable\_rules](#input\_enable\_rules) | Flag to determine whether to create the rules (default: true) | `bool` | `true` | no |
 | [merge\_cidr\_blocks](#input\_merge\_cidr\_blocks) | Map of names to list of CIDR blocks | `map(list(string))` | `{}` | no |
 | [named\_cidr\_blocks](#input\_named\_cidr\_blocks) | List of CIDR block names from defaults for selected rules: (all, enterprise, vpc, ...) | `list(string)` | `[]` | no |
 | [network\_acl\_id](#input\_network\_acl\_id) | Network ACL ID to which to apply the rules | `string` | n/a | yes |
diff --git a/nacl-rules/main.tf b/nacl-rules/main.tf
index 7332493..e00382f 100644
--- a/nacl-rules/main.tf
+++ b/nacl-rules/main.tf
@@ -110,7 +110,7 @@ locals {
 }
 
 resource "aws_network_acl_rule" "in" {
- for_each = { for r in local.r3_in : r.label => r }
+ for_each = var.enable_rules ? { for r in local.r3_in : r.label => r } : {}
 network_acl_id = var.network_acl_id
 rule_number = each.value.rule_number
 egress = each.value.egress
@@ -122,7 +122,7 @@ resource "aws_network_acl_rule" "in" {
 }
 
 resource "aws_network_acl_rule" "out" {
- for_each = { for r in local.r3_out : r.label => r }
+ for_each = var.enable_rules ? { for r in local.r3_out : r.label => r } : {}
 network_acl_id = var.network_acl_id
 rule_number = each.value.rule_number
 egress = each.value.egress
diff --git a/nacl-rules/variables.tf b/nacl-rules/variables.tf
index 52357fb..46edf0f 100644
--- a/nacl-rules/variables.tf
+++ b/nacl-rules/variables.tf
@@ -80,3 +80,10 @@ variable "rule_increment" {
 type = number
 default = 10
 }
+
+variable "enable_rules" {
+ description = "Flag to determine whether to create the rules (default: true)"
+ type = bool
+ default = true
+}
+
diff --git a/nacl-rules/versions.tf b/nacl-rules/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/nacl-rules/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/nacls/versions.tf b/nacls/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/nacls/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/peer/README.md b/peer/README.md
index 4c1bea6..b16c07d 100644
--- a/peer/README.md
+++ b/peer/README.md
@@ -31,6 +31,12 @@ for `vpc_index=2` (aka, vpc2), the rule number in the NACL rule at `rule_number
 
 `vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional.
 
+We have hit the maximum number of NACL entries in a rule (40) using this per-VPC rule creation method.
+As of version 1.4.2, this will be disabld by default, and it will use the entire 10/8 address space as
+added in another location. This in essence renders the tracking of the peer pairs for and setting nalcs
+for any peers within the 10/8 obsolete. We may come upon a need to create nacl entries for DENY
+and we will address this at that time.
+
 # Usage
 
 ```hcl
@@ -72,14 +78,19 @@ module "peer_services" {
 
 ## Requirements
 
-No requirements.
+| Name | Version |
+|------|---------|
+| [aws](#requirement\_aws) | >= 3.66.0 |
+| [null](#requirement\_null) | >= 3.0 |
+| [random](#requirement\_random) | >= 3.0 |
+| [template](#requirement\_template) | >= 2.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| [aws.peer](#provider\_aws.peer) | n/a |
-| [aws.self](#provider\_aws.self) | n/a |
+| [aws.peer](#provider\_aws.peer) | >= 3.66.0 |
+| [aws.self](#provider\_aws.self) | >= 3.66.0 |
 
 ## Modules
 
@@ -123,6 +134,7 @@ No requirements.
 | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | [peer\_account\_alias](#input\_peer\_account\_alias) | Peer AWS Account Alias | `string` | `""` | no |
 | [peer\_account\_id](#input\_peer\_account\_id) | Peer AWS Account ID | `string` | `""` | no |
+| [peer\_enable\_rules](#input\_peer\_enable\_rules) | Flag to control creating NACL entries/rules on peer (default: false) | `bool` | `false` | no |
 | [peer\_network\_acl\_filter](#input\_peer\_network\_acl\_filter) | Peer VPC Network ACL filter list | `list(string)` | `[]` | no |
 | [peer\_network\_acl\_ids](#input\_peer\_network\_acl\_ids) | Peer VPC Network ACL IDs | `list(string)` | `[]` | no |
 | [peer\_route\_table\_filter](#input\_peer\_route\_table\_filter) | Peer VPC route table search filter list (default: services) | `list(string)` |
[
"route-*-services",
"route-*-services-private*"
]
| no |
@@ -141,6 +153,7 @@ No requirements.
 | [route\_table\_ids](#input\_route\_table\_ids) | Self VPC route table IDs (default: all *private* route tables at self VPC) | `list(string)` | `[]` | no |
 | [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `1` | no |
 | [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
+| [self\_enable\_rules](#input\_self\_enable\_rules) | Flag to control creating NACL entries/rules on self (default: false) | `bool` | `false` | no |
 | [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS). Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | Self VPC CIDR Block (default: obtain from self VPC) | `string` | `""` | no |
 | [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
diff --git a/peer/main.tf b/peer/main.tf
index d9a9106..8cb4b2e 100644
--- a/peer/main.tf
+++ b/peer/main.tf
@@ -32,6 +32,12 @@
 *
 * `vpc_cidr_block` and `peer_vpc_cidr_block` are retrieved from the VPC itself, so it too is optional.
 *
+* We have hit the maximum number of NACL entries in a rule (40) using this per-VPC rule creation method.
+* As of version 1.4.2, this will be disabld by default, and it will use the entire 10/8 address space as
+* added in another location. This in essence renders the tracking of the peer pairs for and setting nalcs
+* for any peers within the 10/8 obsolete. We may come upon a need to create nacl entries for DENY
+* and we will address this at that time.
+*
 * # Usage
 *
 * ```hcl
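Review bot: The new comment lines in peer/main.tf carry typos that will propagate into any generated documentation: `disabld` should be `disabled` on the second added line and `nalcs` should be `nacls` on the third, and `the tracking of the peer pairs for and setting nalcs` does not parse. The text also says the per-VPC rules are "disabled by default" without naming the switch, so a reader of this header cannot find it; suggest `* As of version 1.4.2 the per-peer NACL rules are disabled by default (self_enable_rules / peer_enable_rules = false) and the 10/8 entry in the "enterprise" list in common/defaults.tf is expected to cover peer traffic instead.` The identical paragraph in peer/README.md earlier in this patch has the same typos. The header comment block starts above this hunk.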
@@ -185,6 +191,7 @@ module "nacl_rule_self" {
 rule_definitions = {}
 named_cidr_blocks = ["vpc"]
 merge_cidr_blocks = { "vpc" = [local.peer_cidr_block] }
+ enable_rules = var.self_enable_rules
 rules = ["all_inbound", "all_outbound"]
 rule_number = var.rule_number
 rule_increment = var.rule_increment
@@ -208,6 +215,7 @@ module "nacl_rule_peer" {
 rule_definitions = {}
 named_cidr_blocks = ["vpc"]
 merge_cidr_blocks = { "vpc" = [local.self_cidr_block] }
+ enable_rules = var.peer_enable_rules
 rules = ["all_inbound", "all_outbound"]
 rule_number = var.peer_rule_number
 rule_increment = var.peer_rule_increment
diff --git a/peer/requirements.tf b/peer/requirements.tf
deleted file mode 100644
index ced4bd0..0000000
--- a/peer/requirements.tf
+++ /dev/null
@@ -1,18 +0,0 @@
-# this throws a warning in 0.12
-terraform {
- required_providers {
- aws = {
- source = "hashicorp/aws"
- }
- }
-}
-
-### only in 0.13+
-##terraform {
-## required_providers {
-## aws = {
-## source = "hashicorp/aws"
-## configuration_aliases = [aws.self, aws.peer]
-## }
-## }
-##}
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
index 32626f0..0b8c767 100644
--- a/peer/variables.peer.tf
+++ b/peer/variables.peer.tf
@@ -92,3 +92,9 @@ variable "peer_rule_increment" {
 type = number
 default = 1
 }
+
+variable "peer_enable_rules" {
+ description = "Flag to control creating NACL entries/rules on peer (default: false)"
+ type = bool
+ default = false
+}
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
index b4e9da5..1b1dda8 100644
--- a/peer/variables.self.tf
+++ b/peer/variables.self.tf
@@ -33,3 +33,9 @@ variable "rule_increment" {
 type = number
 default = 1
 }
+
+variable "self_enable_rules" {
+ description = "Flag to control creating NACL entries/rules on self (default: false)"
+ type = bool
+ default = false
+}
diff --git a/peer/versions.tf b/peer/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/peer/versions.tf
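Review bot: Wiring `enable_rules = var.self_enable_rules` and `enable_rules = var.peer_enable_rules` with both variables defaulting to `false` means every existing caller of `peer` that upgrades to 1.4.2 will have all `aws_network_acl_rule` resources managed by `nacl_rule_self` and `nacl_rule_peer` destroyed on the next apply, and unless the widened `enterprise` entry from common/defaults.tf has already been applied to the same NACLs, peer traffic is cut at that moment. The CHANGELOG entry in this patch names the new inputs `enable_nacl_entry_self` and `enable_nacl_entry_peer`, but the variables wired here are `self_enable_rules` and `peer_enable_rules`, so the upgrade note will not match the code. Suggest either defaulting both to `true` for one release so the change is opt-in, or at minimum correcting the CHANGELOG names and stating the destroy and ordering consequence there. Both module blocks start above their hunks.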
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/routing/versions.tf b/routing/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/routing/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/security-groups/versions.tf b/security-groups/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/security-groups/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/subnets/versions.tf b/subnets/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/subnets/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/vpc-interface-endpoint/versions.tf b/vpc-interface-endpoint/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/vpc-interface-endpoint/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/vpc/versions.tf b/vpc/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/vpc/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file
diff --git a/vpn/versions.tf b/vpn/versions.tf
new file mode 120000
index 0000000..41bb22f
--- /dev/null
+++ b/vpn/versions.tf
@@ -0,0 +1 @@
+../common/versions.tf
\ No newline at end of file