From b0a22802b19b1dc36e90194ef43a3a7b6a24c985 Mon Sep 17 00:00:00 2001 From: badra001 Date: Fri, 30 Dec 2022 08:21:41 -0500 Subject: [PATCH] - nacls - split out attachment subnets, if present - create attachment nacl, add entries in all, out all --- CHANGELOG.md | 5 ++++ common/version.tf | 2 +- nacls/README.md | 22 +++++++++++------ nacls/main.tf | 60 +++++++++++++++++++++++++++++++++++++++++------ nacls/outputs.tf | 5 ++++ 5 files changed, 79 insertions(+), 15 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 14d0d9a..9ae1206 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -233,3 +233,8 @@ - update tags to a common format - add var.tags - detect if running in network account, and only add ec2_tags if not + +* 2.4.7 -- 2022-12-30 + - nacls + - split out attachment subnets, if present + - create attachment nacl, add entries in all, out all diff --git a/common/version.tf b/common/version.tf index f08b881..1d918eb 100644 --- a/common/version.tf +++ b/common/version.tf @@ -1,5 +1,5 @@ locals { - _module_version = "2.4.6" + _module_version = "2.4.7" _module_names = { "_main_" = "aws-vpc-setup" diff --git a/nacls/README.md b/nacls/README.md index 620629b..c35fb52 100644 --- a/nacls/README.md +++ b/nacls/README.md @@ -1,7 +1,8 @@ # About aws-vpc-setup :: nacls This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for -each specific nacl. This creates both a public and a private NACL. +each specific nacl. This creates both a public and a private NACL. This also creates an attachment NACL +for just the attachment subnets, where it will also have full open access to/from. This is needed for Transit Gateway. # Usage 
@@ -12,13 +13,14 @@ module "nacls" { vpc_full_name = var.vpc_full_name public_subnets_ids = module.subnets.public_subnets_ids private_subnets_ids = module.subnets.private_subnets_ids - - # optional - public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ] - private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ] vpc_name = var.vpc_name vpc_short_name = var.vpc_short_name + # optional + ## public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ] + ## private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ] + ## attachment_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id if lookup(s.tags, "boc:vpc:route-table", null) == "attachment"] + tags = {} } ``` @@ -30,6 +32,7 @@ module "nacls" { | [terraform](#requirement\_terraform) | >= 0.13 | | [aws](#requirement\_aws) | >= 3.66.0 | | [ldap](#requirement\_ldap) | >= 0.5.4 | +| [local](#requirement\_local) | >= 1.0.0 | | [null](#requirement\_null) | >= 3.0 | | [random](#requirement\_random) | >= 3.0 | | [template](#requirement\_template) | >= 2.0 | 
@@ -48,18 +51,22 @@ No modules. | Name | Type | |------|------| +| [aws_network_acl.attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource | | [aws_network_acl.private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource | | [aws_network_acl.public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource | +| [aws_network_acl_rule.attachment_in](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | +| [aws_network_acl_rule.attachment_out](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource | | [aws_arn.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | ## Inputs | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no | -| [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no | +| [account\_alias](#input\_account\_alias) | AWS Account Alias (default: will pull from current account\_alias) | `string` | `""` | no | +| [account\_id](#input\_account\_id) | AWS Account ID (default: will pull from current user) | `string` | `""` | no | | [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. 
This should be used primarily for common infrastructure things | `map(string)` | `{}` | no | | [private\_subnet\_ids](#input\_private\_subnet\_ids) | List of private subnet IDs (not objects) | `list(string)` | `[]` | no | | [private\_subnets\_ids](#input\_private\_subnets\_ids) | List of private subnet objects including: subnet, label, availability\_zone, id |
list(object({
subnet = string
label = string
availability_zone = string
id = string
}))
| `[]` | no | @@ -77,5 +84,6 @@ No modules. | Name | Description | |------|-------------| +| [attachment\_network\_acl\_id](#output\_attachment\_network\_acl\_id) | attachment network ACL ID | | [private\_network\_acl\_id](#output\_private\_network\_acl\_id) | private network ACL ID | | [public\_network\_acl\_id](#output\_public\_network\_acl\_id) | public network ACL ID | diff --git a/nacls/main.tf b/nacls/main.tf index 4605ee1..e399673 100644 --- a/nacls/main.tf +++ b/nacls/main.tf @@ -2,7 +2,8 @@ * # About aws-vpc-setup :: nacls * * This submodule creates network access control lists (nacls). The submodule nacl-rules sets up the rules for -* each specific nacl. This creates both a public and a private NACL. +* each specific nacl. This creates both a public and a private NACL. This also creates an attachment NACL +* for just the attachment subnets, where it will also have full open access to/from. This is needed for Transit Gateway. * * # Usage * @@ -13,12 +14,13 @@ * vpc_full_name = var.vpc_full_name * public_subnets_ids = module.subnets.public_subnets_ids * private_subnets_ids = module.subnets.private_subnets_ids -* -* # optional -* public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ] -* private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ] * vpc_name = var.vpc_name * vpc_short_name = var.vpc_short_name +* +* # optional +* ## public_subnet_ids = [ for s in module.subnets.public_subnets_ids : s.id ] +* ## private_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id ] +* ## attachment_subnet_ids = [ for s in module.subnets.private_subnets_ids : s.id if lookup(s.tags, "boc:vpc:route-table", null) == "attachment"] * * tags = {} * } 
@@ -34,8 +36,9 @@ locals { "boc:created_by" = "terraform" } - public_ids = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.public_subnets_ids : subnet.id] - private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id] + public_ids = length(var.public_subnet_ids) > 0 ? var.public_subnet_ids : [for subnet in var.public_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) != "attachment"] + private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id] + attachment_ids = length(var.attachment_subnet_ids) > 0 ? var.attachment_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) == "attachment"] } #--- 
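Review bot: The `!= "attachment"` filter was added to `public_ids`, but `attachment_ids` is drawn from `var.private_subnets_ids` while `private_ids` still keeps every private subnet, so an attachment-tagged private subnet lands in both `aws_network_acl.private.subnet_ids` and `aws_network_acl.attachment.subnet_ids`; a subnet can hold only one NACL association, so the two resources will re-associate it on each apply and the intended allow-all ACL will not reliably stay on those subnets. The filter belongs on the private list: `private_ids = length(var.private_subnet_ids) > 0 ? var.private_subnet_ids : [for subnet in var.private_subnets_ids : subnet.id if lookup(subnet.tags, "boc:vpc:route-table", null) != "attachment"]` (the public filter looks misplaced, since no attachment subnet is ever taken from the public list). Two points to confirm against variables.tf, which is not in the diffstat: `subnet.tags` is not an attribute of the `list(object({ subnet, label, availability_zone, id }))` type the README's inputs table declares for these inputs, which would be an unsupported-attribute error unless the variable type is `any`, and `var.attachment_subnet_ids` is referenced here while the README inputs table gains no such row, so its declaration appears to be missing from this commit. The enclosing `locals` block starts before the hunk.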
@@ -65,3 +68,46 @@ resource "aws_network_acl" "public" {
 { "Name" = format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "public") },
 )
 }
+
+#---
+# nacl: attachment. This also makes it inbound=0/0, outbound=0/0
+#---
+resource "aws_network_acl" "attachment" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ vpc_id = var.vpc_id
+ subnet_ids = local.attachment_ids
+
+ tags = merge(
+ local.base_tags,
+ var.tags,
+ {
+ "Name" = format("%v%v-%v", local._prefixes["network-acl"], var.vpc_full_name, "attachment")
+ "boc:vpc:route-table" = "attachment"
+ },
+ )
+}
+
+resource "aws_network_acl_rule" "attachment_in" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ network_acl_id = try(aws_network_acl.attachment[0].id, null)
+ rule_number = 100
+ egress = false
+ cidr_block = "0.0.0.0/0"
+ rule_action = "allow"
+ to_port = 0
+ from_port = 0
+ protocol = "-1"
+}
+
+resource "aws_network_acl_rule" "attachment_out" {
+ count = length(local.attachment_ids) > 0 ? 1 : 0
+ network_acl_id = try(aws_network_acl.attachment[0].id, null)
+ rule_number = 100
+ egress = true
+ cidr_block = "0.0.0.0/0"
+ rule_action = "allow"
+ to_port = 0
+ from_port = 0
+ protocol = "-1"
+}
+
diff --git a/nacls/outputs.tf b/nacls/outputs.tf
index d9411fd..e9c8fac 100644
--- a/nacls/outputs.tf
+++ b/nacls/outputs.tf
@@ -8,3 +8,8 @@ output "private_network_acl_id" {
 value = aws_network_acl.private.id } +output "attachment_network_acl_id" { + description = "attachment network ACL ID" + value = try(aws_network_acl.attachment[0].id, null) +} +
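Review bot: Both `attachment_in` and `attachment_out` reference the ACL through `try(aws_network_acl.attachment[0].id, null)`, which hides the dependency and, should the count guards ever diverge, turns a plan-time error into an apply-time failure with a null `network_acl_id`; since the rules use exactly the same `count` expression as the ACL, `network_acl_id = aws_network_acl.attachment[0].id` is clearer and fails earlier. The `length(local.attachment_ids) > 0 ? 1 : 0` expression is repeated three times; hoisting it into one local keeps the three resources from drifting apart. The rules cover IPv4 only (`cidr_block = "0.0.0.0/0"`), so if attachment subnets carry IPv6 the stateless NACL will drop that traffic; the header comment should say the allow-all is IPv4-only, or matching `ipv6_cidr_block = "::/0"` rules should be added. Because this ACL deliberately permits all traffic both ways, the `# nacl: attachment` comment should also record why (stateless NACLs and Transit Gateway return traffic, as the README states) so a later reader does not tighten it.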