From ed505085f54da7d91ae385b638bb7cdcaabddbb7 Mon Sep 17 00:00:00 2001
From: badra001
Date: Wed, 5 Jun 2024 11:39:23 -0400
Subject: [PATCH] * 2.10.0 -- 2024-06-05 - tag-shared-vpc-resources - use awscc provider to get network acl vs null resource
---
 CHANGELOG.md | 5 +
 common/version.tf | 2 +-
 tag-shared-vpc-resources/tag-network-acls.tf | 2 +-
 .../tag-network-acls.tf.old | 103 ++++++++++++++++++
 4 files changed, 110 insertions(+), 2 deletions(-)
 create mode 100644 tag-shared-vpc-resources/tag-network-acls.tf.old
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed265c0..7cba568 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -395,3 +395,8 @@
 * 2.9.18 -- 2024-05-09
 - tag-shared-vpc-resources
 - remap Name tag of route_table if the AZ ID is different in the source vs the taget (within the assocaated subnets)
+
+* 2.10.0 -- 2024-06-05
+ - tag-shared-vpc-resources
+ - use awscc provider to get network acl vs null resource
+
diff --git a/common/version.tf b/common/version.tf
index a0e1c19..9bfe1c9 100644
--- a/common/version.tf
+++ b/common/version.tf
@@ -1,5 +1,5 @@
 locals {
- _module_version = "2.9.18"
+ _module_version = "2.10.0"
 _module_names = {
 "_main_" = "aws-vpc-setup"
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf b/tag-shared-vpc-resources/tag-network-acls.tf
index c22851e..c2eb481 100644
--- a/tag-shared-vpc-resources/tag-network-acls.tf
+++ b/tag-shared-vpc-resources/tag-network-acls.tf
@@ -40,7 +40,7 @@ locals {
 _nacl_enabled = var.tag_enabled_network_acls
 # _network_acls = { for k, v in data.local_file.network_acl : k => jsondecode(v.content) if local._nacl_enabled }
 # network_acls_tags = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
- network_acls_tags = { for k, v in data.awscc_ec2_network_acl.nacls : k => merge(v.tags, { "boc:vpc:owner_id" = v.owner_id }) }
+ network_acls_tags = { for k, v in data.awscc_ec2_network_acl.nacls : k => merge({ for t in v.tags : t.key => t.value }, { "boc:vpc:owner_id" = data.aws_caller_identity.network_account.account_id }) }
 network_acls_tags_map = flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]])
 }
diff --git a/tag-shared-vpc-resources/tag-network-acls.tf.old b/tag-shared-vpc-resources/tag-network-acls.tf.old
new file mode 100644
index 0000000..a7edc48
--- /dev/null
+++ b/tag-shared-vpc-resources/tag-network-acls.tf.old
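Review bot: The `boc:vpc:owner_id` value on the added `network_acls_tags` line is now `data.aws_caller_identity.network_account.account_id`, i.e. whichever account the aliased provider's credentials resolve to, whereas the removed line read the ACL's own `v.owner_id` from the data source. If those two can ever differ (credentials that assume a role in an account other than the one owning the shared VPC), the tag would record the wrong owner on every ACL; if they cannot, the reason is worth stating in code since the data-source field was presumably dropped for a reason the line no longer shows. A one-line comment above the assignment such as `# owner tag uses the network-account caller identity rather than a data-source owner field; confirm this always matches the ACL owner` would make the intent auditable. The `locals` block this line belongs to starts before the hunk, and the `data.aws_caller_identity.network_account` declaration it depends on is not visible here.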
@@ -0,0 +1,103 @@
+data "aws_network_acls" "network_acls" {
+ for_each = local._nacl_enabled ? toset(data.aws_vpcs.vpcs.ids) : toset([])
+ filter {
+ name = "owner-id"
+ values = [data.aws_arn.network_account.account]
+ }
+ filter {
+ name = "vpc-id"
+ values = [each.key]
+ }
+}
+
+## data "aws_network_acl" "network_acl" {
+## provider = aws.network_account
+## for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+## id = each.key
+## }
+
+# there is no aws_network_acl data resource. Fake this out with null_resource
+# aws --profile "057445207498-ent-gov-network-sa" --region $(get-region) ec2 describe-network-acls --network-acl-id "acl-0c19a5f3ea6a86d51" > X.json
+# there is still no aws_network_acl, but there is an issue for it
+# https://github.com/hashicorp/terraform-provider-aws/issues/19754
+
+resource "null_resource" "setup_directory" {
+ triggers = {
+ directory = "setup"
+ }
+
+ provisioner "local-exec" {
+ command = "test -d ${path.root}/${self.triggers.directory} || mkdir -p ${path.root}/${self.triggers.directory}"
+ }
+}
+
+resource "null_resource" "network_acl" {
+ for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+ triggers = {
+ directory = null_resource.setup_directory.triggers.directory
+ network_acl_id = each.key
+ filename = "network_acl.${each.key}.json"
+ full_filename = format("%v/%v/%v", path.root, "setup", "network_acl.${each.key}.json")
+ }
+
+ provisioner "local-exec" {
+ working_dir = path.root
+ command = "${path.module}/bin/assume_role_wrapper.sh aws ec2 describe-network-acls --network-acl-id ${each.key} --output json > ${self.triggers.directory}/${self.triggers.filename}"
+ environment = {
+ AWS_PROFILE = var.profile
+ AWS_REGION = local.region
+ ROLE_ARN = var.role_arn
+ }
+ }
+}
+
+data "local_file" "network_acl" {
+ # for_each = toset(flatten(concat([for k, v in data.aws_network_acls.network_acls : v.ids])))
+ for_each = null_resource.network_acl
+ # filename = format("%v/%v/%v", path.root, each.value.triggers.directory, each.value.triggers.filename)
+ filename = each.value.triggers.full_filename
+}
+
+resource "null_resource" "network_acls" {
+ triggers = {
+ network_acls = join(",", [for k, v in data.local_file.network_acl : v.filename])
+ filename = format("%v/%v/%v", path.root, "setup", "network_acls_extracted.dat")
+ }
+ provisioner "local-exec" {
+ command = "touch ${self.triggers.filename}"
+ }
+}
+
+
+## output "network_acls" {
+## value = data.aws_network_acls.network_acls
+## }
+##
+## output "network_acl" {
+## ## value = data.aws_network_acl.network_acl
+## value = local.network_acls
+## }
+
+locals {
+ # _nacl_enabled = var.tag_enabled_network_acls
+ # _network_acls = local._nacl_enabled ? { for k, v in data.local_file.network_acl : k => jsondecode(v.content) } : {}
+ # network_acls = fileexists(null_resource.network_acls.triggers.filename) ? { for k, v in local._network_acls : k => lookup(v, "NetworkAcls", [{ "Tags" : [], "OwnerId" : "" }])[0] } : {}
+ # network_acls_tags = fileexists(null_resource.network_acls.triggers.filename) ? { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) } : {}
+ # network_acls_tags_map = fileexists(null_resource.network_acls.triggers.filename) ? flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]]) : []
+
+ _nacl_enabled = var.tag_enabled_network_acls
+ _network_acls = { for k, v in data.local_file.network_acl : k => jsondecode(v.content) if local._nacl_enabled }
+ network_acls = { for k, v in local._network_acls : k => lookup(v, "NetworkAcls", [{ "Tags" : [], "OwnerId" : "" }])[0] }
+ network_acls_tags = { for k, v in local.network_acls : k => merge({ for t in v.Tags : t.Key => t.Value }, { "boc:vpc:owner_id" = v.OwnerId }) }
+ network_acls_tags_map = flatten([for k, v in local.network_acls_tags : [for tk, tv in v : { label = format("%v__%v", k, tk), network_acl_id = k, key = tk, value = tv }]])
+}
+
+resource "aws_ec2_tag" "network_acls" {
+ for_each = { for t in local.network_acls_tags_map : t.label => t }
+
+ resource_id = each.value.network_acl_id
+ key = each.value.key
+ value = each.value.value
+
+ # depends_on = [null_resource.network_acl]
+}
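Review bot: Adding `tag-network-acls.tf.old` commits a dead copy of the replaced `null_resource`/`local-exec` implementation: Terraform does not load a `.tf.old` file, and git history already preserves the old version, so the file contributes nothing to the module while still having to be maintained and reviewed. The commented `# aws --profile ... describe-network-acls` example line in it also carries a concrete account id, profile name and NACL id, which a retained file keeps discoverable in every checkout rather than only in history. Dropping the file from this commit, or at minimum removing those identifiers from the comment, would be cleaner. If it must stay for reference, a header comment such as `# superseded by tag-network-acls.tf (awscc data source); not loaded by Terraform` would at least mark its status.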