add outputs, add nacl rules

terraform-modules · Jun 1, 2021 · d04f48d · d04f48d
1 parent 3d74762
commit d04f48d
Show file tree

Hide file tree

Showing 8 changed files with 141 additions and 25 deletions.
diff --git a/peer/README.md b/peer/README.md
@@ -19,7 +19,7 @@ module "peer_services" {
   vpc_environment      = var.vpc_environment
   route_table_ids      = [ "rtb-12345678" ]
   network_acl_ids      = [ "nacl-12345678" ]
-  nacl_rule_number     = 2500
+  rule_number          = 2500
   rule_increment       = 1
   tags = {}
 
@@ -35,7 +35,7 @@ module "peer_services" {
   # peer_tags = {}
   peer_route_table_ids      = [ "rtb-87654321" ]
   peer_network_acl_ids      = [ "nacl-87654321" ]
-  peer_nacl_rule_number     = 2500
+  peer_rule_number          = 2500
   peer_rule_increment       = 1
 
   providers = {
@@ -58,7 +58,10 @@ No requirements.
 
 ## Modules
 
-No modules.
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_nacl_rule_peer"></a> [nacl\_rule\_peer](#module\_nacl\_rule\_peer) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules |  |
+| <a name="module_nacl_rule_self"></a> [nacl\_rule\_self](#module\_nacl\_rule\_self) | git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules |  |
 
 ## Resources
 
@@ -72,8 +75,12 @@ No modules.
 | [aws_arn.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/arn) | data source |
 | [aws_caller_identity.peer_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_caller_identity.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_network_acls.default_peer_network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
+| [aws_network_acls.default_self_network_acls](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/network_acls) | data source |
 | [aws_region.peer_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
 | [aws_region.self_current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
+| [aws_route_table.peer_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
+| [aws_route_table.self_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_table) | data source |
 | [aws_route_tables.default_peer_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_route_tables.default_self_route_tables](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/route_tables) | data source |
 | [aws_vpc.peer_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
@@ -85,16 +92,15 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_account_alias"></a> [account\_alias](#input\_account\_alias) | AWS Account Alias | `string` | `""` | no |
 | <a name="input_account_id"></a> [account\_id](#input\_account\_id) | AWS Account ID (default will pull from current user) | `string` | `""` | no |
-| <a name="input_nacl_rule_number"></a> [nacl\_rule\_number](#input\_nacl\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
 | <a name="input_network_acl_ids"></a> [network\_acl\_ids](#input\_network\_acl\_ids) | VPC Network ACL IDs | `list(string)` | `[]` | no |
 | <a name="input_override_prefixes"></a> [override\_prefixes](#input\_override\_prefixes) | Override built-in prefixes by component. This should be used primarily for common infrastructure things | `map(string)` | `{}` | no |
 | <a name="input_peer_account_alias"></a> [peer\_account\_alias](#input\_peer\_account\_alias) | Peer AWS Account Alias | `string` | `""` | no |
 | <a name="input_peer_account_id"></a> [peer\_account\_id](#input\_peer\_account\_id) | Peer AWS Account ID | `string` | `""` | no |
-| <a name="input_peer_nacl_rule_number"></a> [peer\_nacl\_rule\_number](#input\_peer\_nacl\_rule\_number) | Peer Starting rule number within the rule | `number` | `null` | no |
 | <a name="input_peer_network_acl_ids"></a> [peer\_network\_acl\_ids](#input\_peer\_network\_acl\_ids) | Peer VPC Network ACL IDs | `list(string)` | `[]` | no |
 | <a name="input_peer_route_table_filter"></a> [peer\_route\_table\_filter](#input\_peer\_route\_table\_filter) | Peer VPC route table search filter list (default: services) | `list(string)` | <pre>[<br>  "route-*-services",<br>  "route-*-services-private*"<br>]</pre> | no |
 | <a name="input_peer_route_table_ids"></a> [peer\_route\_table\_ids](#input\_peer\_route\_table\_ids) | Peer VPC route table IDs (default: all *private* route tables at peer VPC) | `list(string)` | `[]` | no |
 | <a name="input_peer_rule_increment"></a> [peer\_rule\_increment](#input\_peer\_rule\_increment) | Peer Rule number increment per new CIDR block | `number` | `1` | no |
+| <a name="input_peer_rule_number"></a> [peer\_rule\_number](#input\_peer\_rule\_number) | Peer Starting rule number within the rule | `number` | `null` | no |
 | <a name="input_peer_tags"></a> [peer\_tags](#input\_peer\_tags) | Peer AWS Tags to apply to appropriate resources (default: current var.tags) | `map(string)` | `{}` | no |
 | <a name="input_peer_vpc_cidr_block"></a> [peer\_vpc\_cidr\_block](#input\_peer\_vpc\_cidr\_block) | Peer VPC CIDR Block (default: obtain from peer VPC) | `string` | `""` | no |
 | <a name="input_peer_vpc_environment"></a> [peer\_vpc\_environment](#input\_peer\_vpc\_environment) | Peer VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
@@ -106,6 +112,7 @@ No modules.
 | <a name="input_route_table_filter"></a> [route\_table\_filter](#input\_route\_table\_filter) | VPC route table search filter list (default: all private) | `list(string)` | <pre>[<br>  "*-private-*"<br>]</pre> | no |
 | <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | Self VPC route table IDs (default: all *private* route tables at self VPC) | `list(string)` | `[]` | no |
 | <a name="input_rule_increment"></a> [rule\_increment](#input\_rule\_increment) | Rule number increment per new CIDR block | `number` | `1` | no |
+| <a name="input_rule_number"></a> [rule\_number](#input\_rule\_number) | Starting rule number within the rule | `number` | `null` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | AWS Tags to apply to appropriate resources (S3, KMS).  Do not include safeguard tags here, use the data\_safeguard field for such things. | `map(string)` | `{}` | no |
 | <a name="input_vpc_cidr_block"></a> [vpc\_cidr\_block](#input\_vpc\_cidr\_block) | Self VPC CIDR Block (default: obtain from self VPC) | `string` | `""` | no |
 | <a name="input_vpc_environment"></a> [vpc\_environment](#input\_vpc\_environment) | VPC environment purpose (infrastructure, common, shared, dev, stage, ite, prod) | `string` | `null` | no |
@@ -117,4 +124,8 @@ No modules.
 
 ## Outputs
 
-No outputs.
+| Name | Description |
+|------|-------------|
+| <a name="output_network_acl_ids"></a> [network\_acl\_ids](#output\_network\_acl\_ids) | Network ACL IDs for peering |
+| <a name="output_peering_info"></a> [peering\_info](#output\_peering\_info) | Peering Information |
+| <a name="output_route_table_ids"></a> [route\_table\_ids](#output\_route\_table\_ids) | Route Table IDs for Peering |
diff --git a/peer/data.peer.tf b/peer/data.peer.tf
@@ -18,12 +18,31 @@ data "aws_vpc" "peer_vpc" {
 
 # defaults to all private and services vpc
 data "aws_route_tables" "default_peer_route_tables" {
-  #  count    = length(var.peer_route_table_ids) > 0 ? 1 : 0
   provider = aws.peer
   vpc_id   = var.peer_vpc_id
   filter {
-    name = "tag:Name"
-    #    values = ["*-private-*", "route-*-services"]
+    name   = "tag:Name"
     values = var.peer_route_table_filter
   }
 }
+
+# get one per found route table to get subnet associations
+data "aws_route_table" "peer_route_table" {
+  provider       = aws.peer
+  for_each       = toset(data.aws_route_tables.default_peer_route_tables.ids)
+  route_table_id = each.key
+}
+
+locals {
+  peer_subnets = flatten([for rt in data.aws_route_table.peer_route_table : [for a in rt.associations : a.subnet_id]])
+}
+
+# get network acls associated with subnets in route table
+data "aws_network_acls" "default_peer_network_acls" {
+  provider = aws.peer
+  vpc_id   = var.peer_vpc_id
+  filter {
+    name   = "association.subnet-id"
+    values = local.peer_subnets
+  }
+}
diff --git a/peer/data.self.tf b/peer/data.self.tf
@@ -18,12 +18,31 @@ data "aws_vpc" "self_vpc" {
 
 # defaults to all private and services vpc
 data "aws_route_tables" "default_self_route_tables" {
-  #  count    = length(var.route_table_ids) > 0 ? 1 : 0
   provider = aws.self
   vpc_id   = var.vpc_id
   filter {
-    name = "tag:Name"
-    #    values = ["*-private-*"]
+    name   = "tag:Name"
     values = var.route_table_filter
   }
 }
+
+# get one per found route table to get subnet associations
+data "aws_route_table" "self_route_table" {
+  provider       = aws.self
+  for_each       = toset(data.aws_route_tables.default_self_route_tables.ids)
+  route_table_id = each.key
+}
+
+locals {
+  self_subnets = flatten([for rt in data.aws_route_table.self_route_table : [for a in rt.associations : a.subnet_id]])
+}
+
+# get network acls associated with subnets in route table
+data "aws_network_acls" "default_self_network_acls" {
+  provider = aws.self
+  vpc_id   = var.self_vpc_id
+  filter {
+    name   = "association.subnet-id"
+    values = local.self_subnets
+  }
+}
diff --git a/peer/main.tf b/peer/main.tf
@@ -20,7 +20,7 @@
 *   vpc_environment      = var.vpc_environment
 *   route_table_ids      = [ "rtb-12345678" ]
 *   network_acl_ids      = [ "nacl-12345678" ]
-*   nacl_rule_number     = 2500
+*   rule_number          = 2500
 *   rule_increment       = 1
 *   tags = {}
 *
@@ -36,7 +36,7 @@
 *   # peer_tags = {}
 *   peer_route_table_ids      = [ "rtb-87654321" ]
 *   peer_network_acl_ids      = [ "nacl-87654321" ]
-*   peer_nacl_rule_number     = 2500
+*   peer_rule_number          = 2500
 *   peer_rule_increment       = 1
 *
 *   providers = {
@@ -76,8 +76,11 @@ locals {
   self_label = format("%v%v %v:%v", local._prefixes["vpc-peer"], var.vpc_full_name, local.peer_account_id, var.peer_vpc_full_name)
   peer_label = format("%v%v %v:%v", local._prefixes["vpc-peer"], var.peer_vpc_full_name, local.self_account_id, var.vpc_full_name)
 
-  self_route_table_ids = length(var.route_table_ids) > 0 ? var.route_table_ids : flatten(data.aws_route_tables.default_self_route_tables[*].ids)
-  peer_route_table_ids = length(var.peer_route_table_ids) > 0 ? var.peer_route_table_ids : flatten(data.aws_route_tables.default_peer_route_tables[*].ids)
+  self_route_table_ids = length(var.route_table_ids) > 0 ? var.route_table_ids : data.aws_route_tables.default_self_route_tables.ids
+  peer_route_table_ids = length(var.peer_route_table_ids) > 0 ? var.peer_route_table_ids : data.aws_route_tables.default_peer_route_tables.ids
+
+  self_network_acl_ids = length(var.network_acl_ids) > 0 ? var.network_acl_ids : data.aws_network_acls.default_peer_network_acls.ids
+  peer_network_acl_ids = length(var.peer_network_acl_ids) > 0 ? var.peer_network_acl_ids : data.aws_network_acls.default_peer_network_acls.ids
 
   self_tags = merge(
     var.tags,
@@ -142,3 +145,41 @@ resource "aws_route" "peer" {
   destination_cidr_block    = local.self_cidr_block
   vpc_peering_connection_id = aws_vpc_peering_connection.self.id
 }
+
+#---
+# network acls
+#---
+module "nacl_rule_self" {
+  source         = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+  provider       = aws.self
+  network_acl_id = local.self_network_acl_ids[0]
+
+  rule_description = local.self_label
+  cidr_blocks      = [local.peer_cidr_block]
+  rules            = ["all_inbound", "all_outbound"]
+  rule_number      = var.rule_number
+  rule_increment   = var.rule_increment
+  tags = merge(
+    var.tags,
+    local.base_tags,
+  )
+}
+
+#---
+# network acls
+#---
+module "nacl_rule_peer" {
+  source         = "git@github.e.it.census.gov:terraform-modules/aws-vpc-setup.git//nacl-rules"
+  provider       = aws.peer
+  network_acl_id = local.peer_network_acl_ids[0]
+
+  rule_description = local.peer_label
+  cidr_blocks      = [local.self_cidr_block]
+  rules            = ["all_inbound", "all_outbound"]
+  rule_number      = var.peer_rule_number
+  rule_increment   = var.peer_rule_increment
+  tags = merge(
+    var.tags,
+    local.base_tags,
+  )
+}
diff --git a/peer/outputs.tf b/peer/outputs.tf
@@ -0,0 +1,33 @@
+output "network_acl_ids" {
+  description = "Network ACL IDs for peering"
+  value = {
+    self = local.self_network_acl_ids
+    peer = local.peer_network_acl_ids
+  }
+}
+
+output "route_table_ids" {
+  description = "Route Table IDs for Peering"
+  value = {
+    self = local.self_route_table_ids
+    peer = local.peer_route_table_ids
+  }
+}
+
+output "peering_info" {
+  description = "Peering Information"
+  value = {
+    self = {
+      vpc_id     = local.self_vpc_id
+      tag_name   = local.self_vpc_tag_name
+      cidr_block = local.self_cidr_block
+      label      = local.self_label
+    }
+    peer = {
+      vpc_id     = local.peer_vpc_id
+      tag_name   = local.peer_vpc_tag_name
+      cidr_block = local.peer_cidr_block
+      label      = local.peer_label
+    }
+  }
+}
diff --git a/peer/variables.peer.tf b/peer/variables.peer.tf
@@ -75,7 +75,7 @@ variable "peer_network_acl_ids" {
   default     = []
 }
 
-variable "peer_nacl_rule_number" {
+variable "peer_rule_number" {
   description = "Peer Starting rule number within the rule"
   type        = number
   default     = null

diff --git a/peer/variables.peers.auto.tfvars.disabled b/peer/variables.peers.auto.tfvars.disabled
diff --git a/peer/variables.self.tf b/peer/variables.self.tf
@@ -22,7 +22,7 @@ variable "network_acl_ids" {
   default     = []
 }
 
-variable "nacl_rule_number" {
+variable "rule_number" {
   description = "Starting rule number within the rule"
   type        = number
   default     = null