Feature: Network ACL (#3)

* add init script

* add nacl

* remove public ip

bastion.tf

@@ -11,6 +11,8 @@ resource "aws_instance" "bastion-vm" {
 
   subnet_id = aws_subnet.main-vpc-subnet-public[0].id
 
+  user_data =  "${file("helper/init.sh")}"
+
   vpc_security_group_ids = [
     aws_security_group.allow_ssh.id,
     aws_security_group.allow_egress.id

helper/init.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "init bastion vm script"

output.tf

@@ -12,7 +12,6 @@ output "private-vm" {
     name              = aws_instance.private-vm.tags_all["Name"]
     availability_zone = aws_instance.private-vm.availability_zone
     private_ip        = aws_instance.private-vm.private_ip
-    public_ip         = aws_instance.private-vm.public_ip
   }
 }
 

security_group.tf

@@ -64,4 +64,60 @@ resource "aws_vpc_security_group_egress_rule" "allow_egress_rule_ipv6" {
 
   ip_protocol = -1
   cidr_ipv6   = "::/0"
+}
+
+resource "aws_network_acl" "main-vpc-nacl-public" {
+  vpc_id = aws_vpc.main-vpc.id
+  subnet_ids =[for i in aws_subnet.main-vpc-subnet-public : i.id]
+
+  egress {
+    protocol   = -1
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  ingress {
+    protocol   = -1
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  tags = {
+    Name = "main-vpc-nacl-public"
+    Type = "public"
+  }
+}
+
+resource "aws_network_acl" "main-vpc-nacl-private" {
+  vpc_id = aws_vpc.main-vpc.id
+  subnet_ids = [for i in aws_subnet.main-vpc-subnet-private : i.id]
+
+  egress {
+    protocol   = -1
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  ingress {
+    protocol   = -1
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = 0
+    to_port    = 0
+  }
+
+  tags = {
+    Name = "main-vpc-nacl-private"
+    Type = "private"
+  }
 }