From 37ef55f4e271ca01ef7ead75c4e8152f046b8b99 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 25 Sep 2018 09:20:31 -0600 Subject: [PATCH 01/14] Add variables for network ACLs Add variables for specifying network ACLs for public, private, and intra subnets. The ACLs are defined in a list, with sets of seven elements for the rule number, rule action, from port, to port, protocol, and cidr block. --- variables.tf | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/variables.tf b/variables.tf index b052c6448..c8b6de72e 100644 --- a/variables.tf +++ b/variables.tf @@ -500,3 +500,33 @@ variable "default_vpc_tags" { description = "Additional tags for the Default VPC" default = {} } + +variable "public_inbound_acls" { + description = "Public subnets inbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "public_outbound_acls" { + description = "Public subnets outbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} + +variable "private_inbound_acls" { + description = "Private subnets inbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "private_outbound_acls" { + description = "Private subnets outbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} + +variable "intra_inbound_acls" { + description = "Intra subnets inbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "intra_outbound_acls" { + description = "Intra subnets outbound network ACLs" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} From f973b9871e0fba8e015c37d45ccdfcb49547e211 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 25 Sep 2018 09:24:16 -0600 Subject: [PATCH 02/14] Add variables for network ACL tags Add variables to specify additional tags for public, private, and intra network ACL resources. --- variables.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/variables.tf b/variables.tf index c8b6de72e..55664f5b6 100644 --- a/variables.tf +++ b/variables.tf @@ -418,6 +418,21 @@ variable "intra_subnet_tags" { default = {} } +variable "public_acl_tags" { + description = "Additional tags for the public subnets network ACLs" + default = {} +} + +variable "private_acl_tags" { + description = "Additional tags for the private subnets network ACLs" + default = {} +} + +variable "intra_acl_tags" { + description = "Additional tags for the intra subnets network ACLs" + default = {} +} + variable "dhcp_options_tags" { description = "Additional tags for the DHCP option set" default = {} From 03e23639ebabc92483ed92585672b75552e05dfd Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 25 Sep 2018 09:26:26 -0600 Subject: [PATCH 03/14] Add resources for network ACLs Add aws_network_acl and aws_network_acl_rule resources to specify inbound and outbound network ACL rules for public, private, and intra subnets. --- main.tf | 123 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 123 insertions(+) diff --git a/main.tf b/main.tf index fce2925fa..9236605b7 100644 --- a/main.tf +++ b/main.tf @@ -284,6 +284,129 @@ resource "aws_subnet" "intra" { tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}" } +######################## +# Public Network ACLs +######################## + +resource "aws_network_acl" "public" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.public.*.id}"] + + tags = "${merge(var.tags, var.public_acl_tags, map("Name", format("%s-public", var.name)))}" +} + +resource "aws_network_acl_rule" "public_inbound" { + count = "${var.create_vpc ? length(var.public_inbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.public.id}" + + egress = false + rule_number = "${element(var.public_inbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.public_inbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.public_inbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.public_inbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.public_inbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.public_inbound_acls, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "public_outbound" { + count = "${var.create_vpc ? length(var.public_outbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.public.id}" + + egress = true + rule_number = "${element(var.public_outbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.public_outbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.public_outbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.public_outbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.public_outbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.public_outbound_acls, count.index * 7 + 5)}" +} + +####################### +# Private Network ACLs +####################### + +resource "aws_network_acl" "private" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.private.*.id}"] + + tags = "${merge(var.tags, var.private_acl_tags, map("Name", format("%s-private", var.name)))}" +} + +resource "aws_network_acl_rule" "private_inbound" { + count = "${var.create_vpc ? length(var.private_inbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.private.id}" + + egress = false + rule_number = "${element(var.private_inbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.private_inbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.private_inbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.private_inbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.private_inbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.private_inbound_acls, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "private_outbound" { + count = "${var.create_vpc ? length(var.private_outbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.private.id}" + + egress = true + rule_number = "${element(var.private_outbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.private_outbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.private_outbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.private_outbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.private_outbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.private_outbound_acls, count.index * 7 + 5)}" +} + +######################## +# Intra Network ACLs +######################## + +resource "aws_network_acl" "intra" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.intra.*.id}"] + + tags = "${merge(var.tags, var.intra_acl_tags, map("Name", format("%s-intra", var.name)))}" +} + +resource "aws_network_acl_rule" "intra_inbound" { + count = "${var.create_vpc ? length(var.intra_inbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.intra.id}" + + egress = false + rule_number = "${element(var.intra_inbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.intra_inbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.intra_inbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.intra_inbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.intra_inbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.intra_inbound_acls, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "intra_outbound" { + count = "${var.create_vpc ? length(var.intra_outbound_acls) / 7 : 0}" + + network_acl_id = "${aws_network_acl.intra.id}" + + egress = true + rule_number = "${element(var.intra_outbound_acls, count.index * 7 + 0)}" + rule_action = "${element(var.intra_outbound_acls, count.index * 7 + 1)}" + from_port = "${element(var.intra_outbound_acls, count.index * 7 + 2)}" + to_port = "${element(var.intra_outbound_acls, count.index * 7 + 3)}" + protocol = "${element(var.intra_outbound_acls, count.index * 7 + 4)}" + cidr_block = "${element(var.intra_outbound_acls, count.index * 7 + 5)}" +} + ############## # NAT Gateway ############## From feab0dc2bffd1dce931f02f2b1f35747717473d8 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 25 Sep 2018 09:27:30 -0600 Subject: [PATCH 04/14] Add resource for default network ACL Add a aws_default_network_acl resource to adopt the default network ACL in the VPC. --- main.tf | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/main.tf b/main.tf index 9236605b7..ceeee7955 100644 --- a/main.tf +++ b/main.tf @@ -284,6 +284,16 @@ resource "aws_subnet" "intra" { tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}-%s", var.name, element(var.azs, count.index))), var.tags, var.intra_subnet_tags)}" } +####################### +# Default Network ACLs +####################### + +resource "aws_default_network_acl" "default" { + count = "${var.create_vpc ? 1 : 0}" + + default_network_acl_id = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}" +} + ######################## # Public Network ACLs ######################## From 757e5732e2990a7f9d0762f4a8022f79531c1e26 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 25 Sep 2018 09:31:40 -0600 Subject: [PATCH 05/14] Adjust spacing to match code style Remove the empty lines after comment blocks for network ACLs to match the style of the rest of this module. --- main.tf | 4 ---- 1 file changed, 4 deletions(-) diff --git a/main.tf b/main.tf index ceeee7955..02204bc18 100644 --- a/main.tf +++ b/main.tf @@ -287,7 +287,6 @@ resource "aws_subnet" "intra" { ####################### # Default Network ACLs ####################### - resource "aws_default_network_acl" "default" { count = "${var.create_vpc ? 1 : 0}" @@ -297,7 +296,6 @@ resource "aws_default_network_acl" "default" { ######################## # Public Network ACLs ######################## - resource "aws_network_acl" "public" { count = "${var.create_vpc ? 1 : 0}" @@ -338,7 +336,6 @@ resource "aws_network_acl_rule" "public_outbound" { ####################### # Private Network ACLs ####################### - resource "aws_network_acl" "private" { count = "${var.create_vpc ? 1 : 0}" @@ -379,7 +376,6 @@ resource "aws_network_acl_rule" "private_outbound" { ######################## # Intra Network ACLs ######################## - resource "aws_network_acl" "intra" { count = "${var.create_vpc ? 1 : 0}" From 5bc3c85c1d948ac362654243fc4ca898f670c554 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Wed, 26 Sep 2018 13:01:23 -0600 Subject: [PATCH 06/14] Copy simple-vpc example as network-acls Copy the simple-vpc example and adapt it to demonstrate the configuration of network ACLs. A set of inbound and outbound ACLs are specified in main.tf. --- examples/network-acls/README.md | 31 ++++++++++++++++++++ examples/network-acls/main.tf | 49 ++++++++++++++++++++++++++++++++ examples/network-acls/outputs.tf | 33 +++++++++++++++++++++ 3 files changed, 113 insertions(+) create mode 100644 examples/network-acls/README.md create mode 100644 examples/network-acls/main.tf create mode 100644 examples/network-acls/outputs.tf diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md new file mode 100644 index 000000000..a04890ca1 --- /dev/null +++ b/examples/network-acls/README.md @@ -0,0 +1,31 @@ +# Simple VPC with Network ACLs + +Configuration in this directory creates set of VPC resources along with network ACLs for public subnets. + +There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones. Network ACL rules for inbound and outbound traffic are defined. + +## Usage + +To run this example you need to execute: + +```bash +$ terraform init +$ terraform plan +$ terraform apply +``` + +Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. + + + +## Outputs + +| Name | Description | +|------|-------------| +| nat_public_ips | NAT gateways | +| private_subnets | Subnets | +| public_subnets | List of IDs of public subnets | +| vpc_cidr_block | CIDR blocks | +| vpc_id | VPC | + + diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf new file mode 100644 index 000000000..faf528640 --- /dev/null +++ b/examples/network-acls/main.tf @@ -0,0 +1,49 @@ +provider "aws" { + region = "eu-west-1" +} + +module "vpc" { + source = "../../" + + name = "network-acls-example" + + cidr = "10.0.0.0/16" + + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + + public_inbound_acls = [ + "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows inbound HTTP traffic from any IPv4 address", + "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows inbound HTTPS traffic from any IPv4 address", + "120", "allow", 22, 22, "tcp", "0.0.0.0/0", "Allows inbound SSH traffic from any IPv4 address", + "130", "allow", 3389, 3389, "tcp", "0.0.0.0/0", "Allows inbound RDP traffic from any IPv4 address", + "140", "allow", 1024, 65535, "tcp", "0.0.0.0/0", "Allows inbound return traffic from hosts" + ] + + public_outbound_acls = [ + "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows outbound HTTP traffic from the subnet to the Internet", + "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows outbound HTTPS traffic from the subnet to the Internet", + "120", "allow", 1433, 1433, "tcp", "10.0.100.0/22", "Allows outbound MS SQL access to database servers in the private subnet", + "140", "allow", 32768, 65535, "tcp", "0.0.0.0/0", "Allows outbound responses to clients on the Internet", + "150", "allow", 22, 22, "tcp", "10.0.100.0/22", "Allows outbound SSH access to instances in your private subnet" + ] + + assign_generated_ipv6_cidr_block = true + + enable_nat_gateway = true + single_nat_gateway = true + + public_subnet_tags = { + Name = "overridden-name-public" + } + + tags = { + Owner = "user" + Environment = "dev" + } + + vpc_tags = { + Name = "vpc-name" + } +} diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf new file mode 100644 index 000000000..35eb73359 --- /dev/null +++ b/examples/network-acls/outputs.tf @@ -0,0 +1,33 @@ +# VPC +output "vpc_id" { + description = "The ID of the VPC" + value = "${module.vpc.vpc_id}" +} + +# CIDR blocks +output "vpc_cidr_block" { + description = "The CIDR block of the VPC" + value = ["${module.vpc.vpc_cidr_block}"] +} + +//output "vpc_ipv6_cidr_block" { +// description = "The IPv6 CIDR block" +// value = ["${module.vpc.vpc_ipv6_cidr_block}"] +//} + +# Subnets +output "private_subnets" { + description = "List of IDs of private subnets" + value = ["${module.vpc.private_subnets}"] +} + +output "public_subnets" { + description = "List of IDs of public subnets" + value = ["${module.vpc.public_subnets}"] +} + +# NAT gateways +output "nat_public_ips" { + description = "List of public Elastic IPs created for AWS NAT Gateway" + value = ["${module.vpc.nat_public_ips}"] +} From 0a75f64e43b5058e000bfa0f279632db1bd71faf Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 2 Oct 2018 14:25:40 -0600 Subject: [PATCH 07/14] Rename variables from _acls to _acl_rules Clarify the variables for specifying ACL rules by renaming them from *_acls to *_acl_rules. The values are used to create rules, not create ACLs. --- examples/network-acls/main.tf | 4 +- main.tf | 84 +++++++++++++++++------------------ variables.tf | 12 ++--- 3 files changed, 50 insertions(+), 50 deletions(-) diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index faf528640..3f1969435 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -13,7 +13,7 @@ module "vpc" { private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - public_inbound_acls = [ + public_inbound_acl_rules = [ "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows inbound HTTP traffic from any IPv4 address", "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows inbound HTTPS traffic from any IPv4 address", "120", "allow", 22, 22, "tcp", "0.0.0.0/0", "Allows inbound SSH traffic from any IPv4 address", @@ -21,7 +21,7 @@ module "vpc" { "140", "allow", 1024, 65535, "tcp", "0.0.0.0/0", "Allows inbound return traffic from hosts" ] - public_outbound_acls = [ + public_outbound_acl_rules = [ "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows outbound HTTP traffic from the subnet to the Internet", "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows outbound HTTPS traffic from the subnet to the Internet", "120", "allow", 1433, 1433, "tcp", "10.0.100.0/22", "Allows outbound MS SQL access to database servers in the private subnet", diff --git a/main.tf b/main.tf index 02204bc18..5907b5b51 100644 --- a/main.tf +++ b/main.tf @@ -306,31 +306,31 @@ resource "aws_network_acl" "public" { } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc ? length(var.public_inbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.public_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.public.id}" egress = false - rule_number = "${element(var.public_inbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.public_inbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.public_inbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.public_inbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.public_inbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.public_inbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.public_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.public_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.public_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.public_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.public_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.public_inbound_acl_rules, count.index * 7 + 5)}" } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc ? length(var.public_outbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.public_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.public.id}" egress = true - rule_number = "${element(var.public_outbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.public_outbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.public_outbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.public_outbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.public_outbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.public_outbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.public_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.public_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.public_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.public_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.public_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.public_outbound_acl_rules, count.index * 7 + 5)}" } ####################### @@ -346,31 +346,31 @@ resource "aws_network_acl" "private" { } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc ? length(var.private_inbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.private_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.private.id}" egress = false - rule_number = "${element(var.private_inbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.private_inbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.private_inbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.private_inbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.private_inbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.private_inbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.private_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.private_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.private_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.private_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.private_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.private_inbound_acl_rules, count.index * 7 + 5)}" } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc ? length(var.private_outbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.private_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.private.id}" egress = true - rule_number = "${element(var.private_outbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.private_outbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.private_outbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.private_outbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.private_outbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.private_outbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.private_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.private_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.private_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.private_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.private_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.private_outbound_acl_rules, count.index * 7 + 5)}" } ######################## @@ -386,31 +386,31 @@ resource "aws_network_acl" "intra" { } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc ? length(var.intra_inbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.intra_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.intra.id}" egress = false - rule_number = "${element(var.intra_inbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.intra_inbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.intra_inbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.intra_inbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.intra_inbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.intra_inbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.intra_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.intra_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.intra_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.intra_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.intra_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.intra_inbound_acl_rules, count.index * 7 + 5)}" } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc ? length(var.intra_outbound_acls) / 7 : 0}" + count = "${var.create_vpc ? length(var.intra_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.intra.id}" egress = true - rule_number = "${element(var.intra_outbound_acls, count.index * 7 + 0)}" - rule_action = "${element(var.intra_outbound_acls, count.index * 7 + 1)}" - from_port = "${element(var.intra_outbound_acls, count.index * 7 + 2)}" - to_port = "${element(var.intra_outbound_acls, count.index * 7 + 3)}" - protocol = "${element(var.intra_outbound_acls, count.index * 7 + 4)}" - cidr_block = "${element(var.intra_outbound_acls, count.index * 7 + 5)}" + rule_number = "${element(var.intra_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.intra_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.intra_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.intra_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.intra_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.intra_outbound_acl_rules, count.index * 7 + 5)}" } ############## diff --git a/variables.tf b/variables.tf index 55664f5b6..c53ea95d2 100644 --- a/variables.tf +++ b/variables.tf @@ -516,32 +516,32 @@ variable "default_vpc_tags" { default = {} } -variable "public_inbound_acls" { +variable "public_inbound_acl_rules" { description = "Public subnets inbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] } -variable "public_outbound_acls" { +variable "public_outbound_acl_rules" { description = "Public subnets outbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] } -variable "private_inbound_acls" { +variable "private_inbound_acl_rules" { description = "Private subnets inbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] } -variable "private_outbound_acls" { +variable "private_outbound_acl_rules" { description = "Private subnets outbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] } -variable "intra_inbound_acls" { +variable "intra_inbound_acl_rules" { description = "Intra subnets inbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] } -variable "intra_outbound_acls" { +variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] } From d469a8cab428aee3b1f0af8694932ed088a5e69e Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 2 Oct 2018 14:32:17 -0600 Subject: [PATCH 08/14] Add nacl resources and variables for other subnets Add aws_network_acl and aws_network_acl_rule resources for database, redshift, and elasticache subnets, along with corresponding variables. This provides network ACL coverage to all subnet types produced by this module. --- main.tf | 120 +++++++++++++++++++++++++++++++++++++++++++++++++++ variables.tf | 30 +++++++++++++ 2 files changed, 150 insertions(+) diff --git a/main.tf b/main.tf index 5907b5b51..2b01cfec6 100644 --- a/main.tf +++ b/main.tf @@ -413,6 +413,126 @@ resource "aws_network_acl_rule" "intra_outbound" { cidr_block = "${element(var.intra_outbound_acl_rules, count.index * 7 + 5)}" } +######################## +# Database Network ACLs +######################## +resource "aws_network_acl" "database" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.database.*.id}"] + + tags = "${merge(var.tags, var.database_acl_tags, map("Name", format("%s-database", var.name)))}" +} + +resource "aws_network_acl_rule" "database_inbound" { + count = "${var.create_vpc ? length(var.database_inbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.database.id}" + + egress = false + rule_number = "${element(var.database_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.database_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.database_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.database_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.database_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.database_inbound_acl_rules, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "database_outbound" { + count = "${var.create_vpc ? length(var.database_outbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.database.id}" + + egress = true + rule_number = "${element(var.database_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.database_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.database_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.database_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.database_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.database_outbound_acl_rules, count.index * 7 + 5)}" +} + +######################## +# Redshift Network ACLs +######################## +resource "aws_network_acl" "redshift" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.redshift.*.id}"] + + tags = "${merge(var.tags, var.redshift_acl_tags, map("Name", format("%s-redshift", var.name)))}" +} + +resource "aws_network_acl_rule" "redshift_inbound" { + count = "${var.create_vpc ? length(var.redshift_inbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.redshift.id}" + + egress = false + rule_number = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "redshift_outbound" { + count = "${var.create_vpc ? length(var.redshift_outbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.redshift.id}" + + egress = true + rule_number = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 5)}" +} + +########################### +# Elasticache Network ACLs +########################### +resource "aws_network_acl" "elasticache" { + count = "${var.create_vpc ? 1 : 0}" + + vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" + subnet_ids = ["${aws_subnet.elasticache.*.id}"] + + tags = "${merge(var.tags, var.elasticache_acl_tags, map("Name", format("%s-elasticache", var.name)))}" +} + +resource "aws_network_acl_rule" "elasticache_inbound" { + count = "${var.create_vpc ? length(var.elasticache_inbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.elasticache.id}" + + egress = false + rule_number = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 5)}" +} + +resource "aws_network_acl_rule" "elasticache_outbound" { + count = "${var.create_vpc ? length(var.elasticache_outbound_acl_rules) / 7 : 0}" + + network_acl_id = "${aws_network_acl.elasticache.id}" + + egress = true + rule_number = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 0)}" + rule_action = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 1)}" + from_port = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 2)}" + to_port = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 3)}" + protocol = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 4)}" + cidr_block = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 5)}" +} + ############## # NAT Gateway ############## diff --git a/variables.tf b/variables.tf index c53ea95d2..4dcc21738 100644 --- a/variables.tf +++ b/variables.tf @@ -545,3 +545,33 @@ variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] } + +variable "database_inbound_acl_rules" { + description = "database subnets inbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "database_outbound_acl_rules" { + description = "database subnets outbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} + +variable "redshift_inbound_acl_rules" { + description = "redshift subnets inbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "redshift_outbound_acl_rules" { + description = "redshift subnets outbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} + +variable "elasticache_inbound_acl_rules" { + description = "elasticache subnets inbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] +} + +variable "elasticache_outbound_acl_rules" { + description = "elasticache subnets outbound network ACL rules" + default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] +} From e70cff31b28d988cd0a4a5131e711b4a2ea86691 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 2 Oct 2018 14:34:55 -0600 Subject: [PATCH 09/14] Create ACLs only if there are subnets For each subnet type, only create ACL resources if there are subnets defined. For example, if database_subnets is empty, then don't create ACL resources for database subnets. --- main.tf | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/main.tf b/main.tf index 2b01cfec6..6c91afde5 100644 --- a/main.tf +++ b/main.tf @@ -297,7 +297,7 @@ resource "aws_default_network_acl" "default" { # Public Network ACLs ######################## resource "aws_network_acl" "public" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.public.*.id}"] @@ -306,7 +306,7 @@ resource "aws_network_acl" "public" { } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc ? length(var.public_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.public.id}" @@ -320,7 +320,7 @@ resource "aws_network_acl_rule" "public_inbound" { } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc ? length(var.public_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.public.id}" @@ -337,7 +337,7 @@ resource "aws_network_acl_rule" "public_outbound" { # Private Network ACLs ####################### resource "aws_network_acl" "private" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.private_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.private.*.id}"] @@ -346,7 +346,7 @@ resource "aws_network_acl" "private" { } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc ? length(var.private_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.private.id}" @@ -360,7 +360,7 @@ resource "aws_network_acl_rule" "private_inbound" { } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc ? length(var.private_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.private.id}" @@ -377,7 +377,7 @@ resource "aws_network_acl_rule" "private_outbound" { # Intra Network ACLs ######################## resource "aws_network_acl" "intra" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.intra.*.id}"] @@ -386,7 +386,7 @@ resource "aws_network_acl" "intra" { } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc ? length(var.intra_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.intra.id}" @@ -400,7 +400,7 @@ resource "aws_network_acl_rule" "intra_inbound" { } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc ? length(var.intra_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.intra.id}" @@ -417,7 +417,7 @@ resource "aws_network_acl_rule" "intra_outbound" { # Database Network ACLs ######################## resource "aws_network_acl" "database" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.database_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.database.*.id}"] @@ -426,7 +426,7 @@ resource "aws_network_acl" "database" { } resource "aws_network_acl_rule" "database_inbound" { - count = "${var.create_vpc ? length(var.database_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.database.id}" @@ -440,7 +440,7 @@ resource "aws_network_acl_rule" "database_inbound" { } resource "aws_network_acl_rule" "database_outbound" { - count = "${var.create_vpc ? length(var.database_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.database.id}" @@ -457,7 +457,7 @@ resource "aws_network_acl_rule" "database_outbound" { # Redshift Network ACLs ######################## resource "aws_network_acl" "redshift" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.redshift.*.id}"] @@ -466,7 +466,7 @@ resource "aws_network_acl" "redshift" { } resource "aws_network_acl_rule" "redshift_inbound" { - count = "${var.create_vpc ? length(var.redshift_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.redshift.id}" @@ -480,7 +480,7 @@ resource "aws_network_acl_rule" "redshift_inbound" { } resource "aws_network_acl_rule" "redshift_outbound" { - count = "${var.create_vpc ? length(var.redshift_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.redshift.id}" @@ -497,7 +497,7 @@ resource "aws_network_acl_rule" "redshift_outbound" { # Elasticache Network ACLs ########################### resource "aws_network_acl" "elasticache" { - count = "${var.create_vpc ? 1 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.elasticache.*.id}"] @@ -506,7 +506,7 @@ resource "aws_network_acl" "elasticache" { } resource "aws_network_acl_rule" "elasticache_inbound" { - count = "${var.create_vpc ? length(var.elasticache_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" @@ -520,7 +520,7 @@ resource "aws_network_acl_rule" "elasticache_inbound" { } resource "aws_network_acl_rule" "elasticache_outbound" { - count = "${var.create_vpc ? length(var.elasticache_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) / 7 : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" From 60e1a3a578e4b91147a4c4d22f48be5c493fb158 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 2 Oct 2018 14:41:19 -0600 Subject: [PATCH 10/14] Add missing variables for ACL tags Add the missing variable declarations for database_acl_tags, redshift_acl_tags, and elasticache_acl_tags. --- variables.tf | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/variables.tf b/variables.tf index 4dcc21738..20a0901a7 100644 --- a/variables.tf +++ b/variables.tf @@ -433,6 +433,21 @@ variable "intra_acl_tags" { default = {} } +variable "database_acl_tags" { + description = "Additional tags for the database subnets network ACLs" + default = {} +} + +variable "redshift_acl_tags" { + description = "Additional tags for the redshift subnets network ACLs" + default = {} +} + +variable "elasticache_acl_tags" { + description = "Additional tags for the elasticache subnets network ACLs" + default = {} +} + variable "dhcp_options_tags" { description = "Additional tags for the DHCP option set" default = {} From 3f8362f0bfd73d977fe24c5180a0ac7a48b1a6f1 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Tue, 2 Oct 2018 14:42:10 -0600 Subject: [PATCH 11/14] Make ACL singular in description for _acl_tags A single ACL is created for each of the subnet types. Update the variable descriptions to reflect this. --- variables.tf | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/variables.tf b/variables.tf index 20a0901a7..499f49a86 100644 --- a/variables.tf +++ b/variables.tf @@ -419,32 +419,32 @@ variable "intra_subnet_tags" { } variable "public_acl_tags" { - description = "Additional tags for the public subnets network ACLs" + description = "Additional tags for the public subnets network ACL" default = {} } variable "private_acl_tags" { - description = "Additional tags for the private subnets network ACLs" + description = "Additional tags for the private subnets network ACL" default = {} } variable "intra_acl_tags" { - description = "Additional tags for the intra subnets network ACLs" + description = "Additional tags for the intra subnets network ACL" default = {} } variable "database_acl_tags" { - description = "Additional tags for the database subnets network ACLs" + description = "Additional tags for the database subnets network ACL" default = {} } variable "redshift_acl_tags" { - description = "Additional tags for the redshift subnets network ACLs" + description = "Additional tags for the redshift subnets network ACL" default = {} } variable "elasticache_acl_tags" { - description = "Additional tags for the elasticache subnets network ACLs" + description = "Additional tags for the elasticache subnets network ACL" default = {} } From 51157a6d9189321f3be045e428dbc9bdb56feaf5 Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Mon, 25 Feb 2019 11:01:58 -0700 Subject: [PATCH 12/14] Convert rules to nested list of maps Convert the NACL rule specifications from a list of lists to a list of maps, as suggested by @jczerniak. This improves the readability of rules. --- examples/network-acls/main.tf | 100 ++++++++++++++++++-- main.tf | 168 +++++++++++++++++----------------- variables.tf | 144 ++++++++++++++++++++++++++--- 3 files changed, 306 insertions(+), 106 deletions(-) diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 3f1969435..af88e8d21 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -14,19 +14,99 @@ module "vpc" { public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] public_inbound_acl_rules = [ - "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows inbound HTTP traffic from any IPv4 address", - "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows inbound HTTPS traffic from any IPv4 address", - "120", "allow", 22, 22, "tcp", "0.0.0.0/0", "Allows inbound SSH traffic from any IPv4 address", - "130", "allow", 3389, 3389, "tcp", "0.0.0.0/0", "Allows inbound RDP traffic from any IPv4 address", - "140", "allow", 1024, 65535, "tcp", "0.0.0.0/0", "Allows inbound return traffic from hosts" + { + rule_number = 100 + rule_action = "allow" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound HTTP traffic from any IPv4 address" + }, + { + rule_number = 110 + rule_action = "allow" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound HTTPS traffic from any IPv4 address" + }, + { + rule_number = 120 + rule_action = "allow" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound SSH traffic from any IPv4 address" + }, + { + rule_number = 130 + rule_action = "allow" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound RDP traffic from any IPv4 address" + }, + { + rule_number = 140 + rule_action = "allow" + from_port = 1024 + to_port = 65535 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound return traffic from hosts" + }, ] public_outbound_acl_rules = [ - "100", "allow", 80, 80, "tcp", "0.0.0.0/0", "Allows outbound HTTP traffic from the subnet to the Internet", - "110", "allow", 443, 443, "tcp", "0.0.0.0/0", "Allows outbound HTTPS traffic from the subnet to the Internet", - "120", "allow", 1433, 1433, "tcp", "10.0.100.0/22", "Allows outbound MS SQL access to database servers in the private subnet", - "140", "allow", 32768, 65535, "tcp", "0.0.0.0/0", "Allows outbound responses to clients on the Internet", - "150", "allow", 22, 22, "tcp", "10.0.100.0/22", "Allows outbound SSH access to instances in your private subnet" + { + rule_number = 100 + rule_action = "allow" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow outbound HTTP traffic from the subnet to the Internet" + }, + { + rule_number = 110 + rule_action = "allow" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow outbound HTTPS traffic from the subnet to the Internet" + }, + { + rule_number = 120 + rule_action = "allow" + from_port = 1433 + to_port = 1433 + protocol = "tcp" + cidr_block = "10.0.100.0/22" + description = "Allow outbound MS SQL access to database servers in the private subnet" + }, + { + rule_number = 130 + rule_action = "allow" + from_port = 32768 + to_port = 65535 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allows outbound responses to clients on the Internet" + }, + { + rule_number = 140 + rule_action = "allow" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_block = "10.0.100.0/22" + description = "Allows outbound SSH access to instances in your private subnet" + }, ] assign_generated_ipv6_cidr_block = true diff --git a/main.tf b/main.tf index 6c91afde5..91421ce59 100644 --- a/main.tf +++ b/main.tf @@ -306,31 +306,31 @@ resource "aws_network_acl" "public" { } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.public.id}" egress = false - rule_number = "${element(var.public_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.public_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.public_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.public_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.public_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.public_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.public.id}" egress = true - rule_number = "${element(var.public_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.public_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.public_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.public_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.public_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.public_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}" } ####################### @@ -346,31 +346,31 @@ resource "aws_network_acl" "private" { } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.private.id}" egress = false - rule_number = "${element(var.private_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.private_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.private_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.private_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.private_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.private_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.private.id}" egress = true - rule_number = "${element(var.private_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.private_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.private_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.private_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.private_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.private_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}" } ######################## @@ -386,31 +386,31 @@ resource "aws_network_acl" "intra" { } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.intra.id}" egress = false - rule_number = "${element(var.intra_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.intra_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.intra_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.intra_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.intra_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.intra_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.intra.id}" egress = true - rule_number = "${element(var.intra_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.intra_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.intra_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.intra_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.intra_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.intra_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}" } ######################## @@ -426,31 +426,31 @@ resource "aws_network_acl" "database" { } resource "aws_network_acl_rule" "database_inbound" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.database.id}" egress = false - rule_number = "${element(var.database_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.database_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.database_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.database_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.database_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.database_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "database_outbound" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.database.id}" egress = true - rule_number = "${element(var.database_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.database_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.database_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.database_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.database_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.database_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}" } ######################## @@ -466,31 +466,31 @@ resource "aws_network_acl" "redshift" { } resource "aws_network_acl_rule" "redshift_inbound" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.redshift.id}" egress = false - rule_number = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.redshift_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "redshift_outbound" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.redshift.id}" egress = true - rule_number = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.redshift_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}" } ########################### @@ -506,31 +506,31 @@ resource "aws_network_acl" "elasticache" { } resource "aws_network_acl_rule" "elasticache_inbound" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" egress = false - rule_number = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.elasticache_inbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}" } resource "aws_network_acl_rule" "elasticache_outbound" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) / 7 : 0}" + count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" egress = true - rule_number = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 0)}" - rule_action = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 1)}" - from_port = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 2)}" - to_port = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 3)}" - protocol = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 4)}" - cidr_block = "${element(var.elasticache_outbound_acl_rules, count.index * 7 + 5)}" + rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}" + rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}" + from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}" + to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}" + protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}" + cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}" } ############## diff --git a/variables.tf b/variables.tf index 499f49a86..144f19c8e 100644 --- a/variables.tf +++ b/variables.tf @@ -533,60 +533,180 @@ variable "default_vpc_tags" { variable "public_inbound_acl_rules" { description = "Public subnets inbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "public_outbound_acl_rules" { description = "Public subnets outbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } variable "private_inbound_acl_rules" { description = "Private subnets inbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "private_outbound_acl_rules" { description = "Private subnets outbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } variable "intra_inbound_acl_rules" { description = "Intra subnets inbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } variable "database_inbound_acl_rules" { description = "database subnets inbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "database_outbound_acl_rules" { description = "database subnets outbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } variable "redshift_inbound_acl_rules" { description = "redshift subnets inbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "redshift_outbound_acl_rules" { description = "redshift subnets outbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } variable "elasticache_inbound_acl_rules" { description = "elasticache subnets inbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL inbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL inbound" + } + ] } variable "elasticache_outbound_acl_rules" { description = "elasticache subnets outbound network ACL rules" - default = ["100", "allow", 0, 0, "-1", "0.0.0.0/0", "Allow ALL outbound"] + default = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + description = "Allow ALL outbound" + } + ] } From 6b833882a0c5417b5a1d66a415c361b999be727a Mon Sep 17 00:00:00 2001 From: King Chung Huang Date: Mon, 25 Feb 2019 11:50:15 -0700 Subject: [PATCH 13/14] Restructure example config to use locals Restructure the network ACL rules in the network-acls example to use local variables to specify the rules, split between default and custom rules. --- examples/network-acls/main.tf | 204 ++++++++++++++++++---------------- 1 file changed, 109 insertions(+), 95 deletions(-) diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index af88e8d21..4785fc969 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -13,101 +13,8 @@ module "vpc" { private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] - public_inbound_acl_rules = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow inbound HTTP traffic from any IPv4 address" - }, - { - rule_number = 110 - rule_action = "allow" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow inbound HTTPS traffic from any IPv4 address" - }, - { - rule_number = 120 - rule_action = "allow" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow inbound SSH traffic from any IPv4 address" - }, - { - rule_number = 130 - rule_action = "allow" - from_port = 3389 - to_port = 3389 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow inbound RDP traffic from any IPv4 address" - }, - { - rule_number = 140 - rule_action = "allow" - from_port = 1024 - to_port = 65535 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow inbound return traffic from hosts" - }, - ] - - public_outbound_acl_rules = [ - { - rule_number = 100 - rule_action = "allow" - from_port = 80 - to_port = 80 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow outbound HTTP traffic from the subnet to the Internet" - }, - { - rule_number = 110 - rule_action = "allow" - from_port = 443 - to_port = 443 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allow outbound HTTPS traffic from the subnet to the Internet" - }, - { - rule_number = 120 - rule_action = "allow" - from_port = 1433 - to_port = 1433 - protocol = "tcp" - cidr_block = "10.0.100.0/22" - description = "Allow outbound MS SQL access to database servers in the private subnet" - }, - { - rule_number = 130 - rule_action = "allow" - from_port = 32768 - to_port = 65535 - protocol = "tcp" - cidr_block = "0.0.0.0/0" - description = "Allows outbound responses to clients on the Internet" - }, - { - rule_number = 140 - rule_action = "allow" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_block = "10.0.100.0/22" - description = "Allows outbound SSH access to instances in your private subnet" - }, - ] + public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}" + public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}" assign_generated_ipv6_cidr_block = true @@ -127,3 +34,110 @@ module "vpc" { Name = "vpc-name" } } + +locals { + network_acls = { + default_inbound = [ + { + rule_number = 900 + rule_action = "allow" + from_port = 1024 + to_port = 65535 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound return traffic from hosts" + }, + ] + + default_outbound = [ + { + rule_number = 900 + rule_action = "allow" + from_port = 32768 + to_port = 65535 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allows outbound responses to clients" + }, + ] + + public_inbound = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound HTTP traffic from any IPv4 address" + }, + { + rule_number = 110 + rule_action = "allow" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound HTTPS traffic from any IPv4 address" + }, + { + rule_number = 120 + rule_action = "allow" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound SSH traffic from any IPv4 address" + }, + { + rule_number = 130 + rule_action = "allow" + from_port = 3389 + to_port = 3389 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow inbound RDP traffic from any IPv4 address" + }, + ] + + public_outbound = [ + { + rule_number = 100 + rule_action = "allow" + from_port = 80 + to_port = 80 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow outbound HTTP traffic from the subnet to the Internet" + }, + { + rule_number = 110 + rule_action = "allow" + from_port = 443 + to_port = 443 + protocol = "tcp" + cidr_block = "0.0.0.0/0" + description = "Allow outbound HTTPS traffic from the subnet to the Internet" + }, + { + rule_number = 120 + rule_action = "allow" + from_port = 1433 + to_port = 1433 + protocol = "tcp" + cidr_block = "10.0.100.0/22" + description = "Allow outbound MS SQL access to database servers in the private subnet" + }, + + { + rule_number = 130 + rule_action = "allow" + from_port = 22 + to_port = 22 + protocol = "tcp" + cidr_block = "10.0.100.0/22" + description = "Allows outbound SSH access to instances in your private subnet" + }, + ] + } +} From caa7928e921d2fce116dbac0bd436c8e44ccd5b1 Mon Sep 17 00:00:00 2001 From: Anton Babenko Date: Fri, 22 Mar 2019 14:31:00 +0100 Subject: [PATCH 14/14] Follow-up for #174 --- README.md | 47 +++++++++ examples/network-acls/README.md | 22 ++-- examples/network-acls/main.tf | 27 ++--- examples/network-acls/outputs.tf | 21 ++++ main.tf | 61 ++++++----- outputs.tf | 30 ++++++ variables.tf | 173 +++++++++++++++++++++++-------- 7 files changed, 289 insertions(+), 92 deletions(-) diff --git a/README.md b/README.md index d50399d2f..c9be086b5 100644 --- a/README.md +++ b/README.md @@ -11,6 +11,7 @@ These types of resources are supported: * [Route](https://www.terraform.io/docs/providers/aws/r/route.html) * [Route table](https://www.terraform.io/docs/providers/aws/r/route_table.html) * [Internet Gateway](https://www.terraform.io/docs/providers/aws/r/internet_gateway.html) +* [Network ACL](https://www.terraform.io/docs/providers/aws/r/network_acl.html) * [NAT Gateway](https://www.terraform.io/docs/providers/aws/r/nat_gateway.html) * [VPN Gateway](https://www.terraform.io/docs/providers/aws/r/vpn_gateway.html) * [VPC Endpoint](https://www.terraform.io/docs/providers/aws/r/vpc_endpoint.html): @@ -21,6 +22,7 @@ These types of resources are supported: * [Redshift Subnet Group](https://www.terraform.io/docs/providers/aws/r/redshift_subnet_group.html) * [DHCP Options Set](https://www.terraform.io/docs/providers/aws/r/vpc_dhcp_options.html) * [Default VPC](https://www.terraform.io/docs/providers/aws/r/default_vpc.html) +* [Default Network ACL](https://www.terraform.io/docs/providers/aws/r/default_network_acl.html) Sponsored by [Cloudcraft - the best way to draw AWS diagrams](https://cloudcraft.co/?utm_source=terraform-aws-vpc) @@ -165,6 +167,14 @@ Sometimes it is handy to have public access to RDS instances (it is not recommen enable_dns_support = true ``` +## Network Access Control Lists (ACL or NACL) + +This module can manage network ACL and rules. Once VPC is created, AWS creates the default network ACL, which can be controlled using this module (`manage_default_network_acl = true`). + +Also, each type of subnet may have its own network ACL with custom rules per subnet. Eg, set `public_dedicated_network_acl = true` to use dedicated network ACL for the public subnets; set values of `public_inbound_acl_rules` and `public_outbound_acl_rules` to specify all the NACL rules you need to have on public subnets (see `variables.tf` for default values and structures). + +By default, all subnets are associated with the default network ACL. + ## Terraform version Terraform version 0.10.3 or newer is required for this module to work. @@ -174,6 +184,7 @@ Terraform version 0.10.3 or newer is required for this module to work. * [Simple VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/simple-vpc) * [Complete VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/complete-vpc) * [Manage Default VPC](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/manage-default-vpc) +* [Network ACL](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/network-acls) * Few tests and edge cases examples: [#46](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-46-no-private-subnets), [#44](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-44-asymmetric-private-subnets), [#108](https://github.com/terraform-aws-modules/terraform-aws-vpc/tree/master/examples/issue-108-route-already-exists) @@ -194,11 +205,19 @@ Terraform version 0.10.3 or newer is required for this module to work. | create\_redshift\_subnet\_group | Controls if redshift subnet group should be created | string | `"true"` | no | | create\_redshift\_subnet\_route\_table | Controls if separate route table for redshift should be created | string | `"false"` | no | | create\_vpc | Controls if VPC should be created (it affects almost all resources) | string | `"true"` | no | +| database\_acl\_tags | Additional tags for the database subnets network ACL | map | `{}` | no | +| database\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for database subnets | string | `"false"` | no | +| database\_inbound\_acl\_rules | Database subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| database\_outbound\_acl\_rules | Database subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | database\_route\_table\_tags | Additional tags for the database route tables | map | `{}` | no | | database\_subnet\_group\_tags | Additional tags for the database subnet group | map | `{}` | no | | database\_subnet\_suffix | Suffix to append to database subnets name | string | `"db"` | no | | database\_subnet\_tags | Additional tags for the database subnets | map | `{}` | no | | database\_subnets | A list of database subnets | list | `[]` | no | +| default\_network\_acl\_egress | List of maps of egress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| default\_network\_acl\_ingress | List of maps of ingress rules to set on the Default Network ACL | list | `[ { "action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_no": 100, "to_port": 0 }, { "action": "allow", "from_port": 0, "ipv6_cidr_block": "::/0", "protocol": "-1", "rule_no": 101, "to_port": 0 } ]` | no | +| default\_network\_acl\_name | Name to be used on the Default Network ACL | string | `""` | no | +| default\_network\_acl\_tags | Additional tags for the Default Network ACL | map | `{}` | no | | default\_vpc\_enable\_classiclink | Should be true to enable ClassicLink in the Default VPC | string | `"false"` | no | | default\_vpc\_enable\_dns\_hostnames | Should be true to enable DNS hostnames in the Default VPC | string | `"false"` | no | | default\_vpc\_enable\_dns\_support | Should be true to enable DNS support in the Default VPC | string | `"true"` | no | @@ -222,6 +241,10 @@ Terraform version 0.10.3 or newer is required for this module to work. | ecr\_dkr\_endpoint\_private\_dns\_enabled | Whether or not to associate a private hosted zone with the specified VPC for ECR DKR endpoint | string | `"false"` | no | | ecr\_dkr\_endpoint\_security\_group\_ids | The ID of one or more security groups to associate with the network interface for ECR DKR endpoint | list | `[]` | no | | ecr\_dkr\_endpoint\_subnet\_ids | The ID of one or more subnets in which to create a network interface for ECR dkr endpoint. If omitted, private subnets will be used. | list | `[]` | no | +| elasticache\_acl\_tags | Additional tags for the elasticache subnets network ACL | map | `{}` | no | +| elasticache\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets | string | `"false"` | no | +| elasticache\_inbound\_acl\_rules | Elasticache subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| elasticache\_outbound\_acl\_rules | Elasticache subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | elasticache\_route\_table\_tags | Additional tags for the elasticache route tables | map | `{}` | no | | elasticache\_subnet\_suffix | Suffix to append to elasticache subnets name | string | `"elasticache"` | no | | elasticache\_subnet\_tags | Additional tags for the elasticache subnets | map | `{}` | no | @@ -242,25 +265,43 @@ Terraform version 0.10.3 or newer is required for this module to work. | external\_nat\_ip\_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list | `[]` | no | | igw\_tags | Additional tags for the internet gateway | map | `{}` | no | | instance\_tenancy | A tenancy option for instances launched into the VPC | string | `"default"` | no | +| intra\_acl\_tags | Additional tags for the intra subnets network ACL | map | `{}` | no | +| intra\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for intra subnets | string | `"false"` | no | +| intra\_inbound\_acl\_rules | Intra subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| intra\_outbound\_acl\_rules | Intra subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | intra\_route\_table\_tags | Additional tags for the intra route tables | map | `{}` | no | +| intra\_subnet\_suffix | Suffix to append to intra subnets name | string | `"intra"` | no | | intra\_subnet\_tags | Additional tags for the intra subnets | map | `{}` | no | | intra\_subnets | A list of intra subnets | list | `[]` | no | +| manage\_default\_network\_acl | Should be true to adopt and manage Default Network ACL | string | `"false"` | no | | manage\_default\_vpc | Should be true to adopt and manage Default VPC | string | `"false"` | no | | map\_public\_ip\_on\_launch | Should be false if you do not want to auto-assign public IP on launch | string | `"true"` | no | | name | Name to be used on all the resources as identifier | string | `""` | no | | nat\_eip\_tags | Additional tags for the NAT EIP | map | `{}` | no | | nat\_gateway\_tags | Additional tags for the NAT gateways | map | `{}` | no | | one\_nat\_gateway\_per\_az | Should be true if you want only one NAT Gateway per availability zone. Requires `var.azs` to be set, and the number of `public_subnets` created to be greater than or equal to the number of availability zones specified in `var.azs`. | string | `"false"` | no | +| private\_acl\_tags | Additional tags for the private subnets network ACL | map | `{}` | no | +| private\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for private subnets | string | `"false"` | no | +| private\_inbound\_acl\_rules | Private subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| private\_outbound\_acl\_rules | Private subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | private\_route\_table\_tags | Additional tags for the private route tables | map | `{}` | no | | private\_subnet\_suffix | Suffix to append to private subnets name | string | `"private"` | no | | private\_subnet\_tags | Additional tags for the private subnets | map | `{}` | no | | private\_subnets | A list of private subnets inside the VPC | list | `[]` | no | | propagate\_private\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | | propagate\_public\_route\_tables\_vgw | Should be true if you want route table propagation | string | `"false"` | no | +| public\_acl\_tags | Additional tags for the public subnets network ACL | map | `{}` | no | +| public\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for public subnets | string | `"false"` | no | +| public\_inbound\_acl\_rules | Public subnets inbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| public\_outbound\_acl\_rules | Public subnets outbound network ACLs | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | public\_route\_table\_tags | Additional tags for the public route tables | map | `{}` | no | | public\_subnet\_suffix | Suffix to append to public subnets name | string | `"public"` | no | | public\_subnet\_tags | Additional tags for the public subnets | map | `{}` | no | | public\_subnets | A list of public subnets inside the VPC | list | `[]` | no | +| redshift\_acl\_tags | Additional tags for the redshift subnets network ACL | map | `{}` | no | +| redshift\_dedicated\_network\_acl | Whether to use dedicated network ACL (not default) and custom rules for redshift subnets | string | `"false"` | no | +| redshift\_inbound\_acl\_rules | Redshift subnets inbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | +| redshift\_outbound\_acl\_rules | Redshift subnets outbound network ACL rules | list | `[ { "cidr_block": "0.0.0.0/0", "from_port": 0, "protocol": "-1", "rule_action": "allow", "rule_number": 100, "to_port": 0 } ]` | no | | redshift\_route\_table\_tags | Additional tags for the redshift route tables | map | `{}` | no | | redshift\_subnet\_group\_tags | Additional tags for the redshift subnet group | map | `{}` | no | | redshift\_subnet\_suffix | Suffix to append to redshift subnets name | string | `"redshift"` | no | @@ -285,6 +326,7 @@ Terraform version 0.10.3 or newer is required for this module to work. | Name | Description | |------|-------------| | azs | A list of availability zones specified as argument to this module | +| database\_network\_acl\_id | ID of the database network ACL | | database\_route\_table\_ids | List of IDs of database route tables | | database\_subnet\_group | ID of database subnet group | | database\_subnets | List of IDs of database subnets | @@ -301,24 +343,29 @@ Terraform version 0.10.3 or newer is required for this module to work. | default\_vpc\_id | The ID of the VPC | | default\_vpc\_instance\_tenancy | Tenancy of instances spin up within VPC | | default\_vpc\_main\_route\_table\_id | The ID of the main route table associated with this VPC | +| elasticache\_network\_acl\_id | ID of the elasticache network ACL | | elasticache\_route\_table\_ids | List of IDs of elasticache route tables | | elasticache\_subnet\_group | ID of elasticache subnet group | | elasticache\_subnet\_group\_name | Name of elasticache subnet group | | elasticache\_subnets | List of IDs of elasticache subnets | | elasticache\_subnets\_cidr\_blocks | List of cidr_blocks of elasticache subnets | | igw\_id | The ID of the Internet Gateway | +| intra\_network\_acl\_id | ID of the intra network ACL | | intra\_route\_table\_ids | List of IDs of intra route tables | | intra\_subnets | List of IDs of intra subnets | | intra\_subnets\_cidr\_blocks | List of cidr_blocks of intra subnets | | nat\_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway | | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | | natgw\_ids | List of NAT Gateway IDs | +| private\_network\_acl\_id | ID of the private network ACL | | private\_route\_table\_ids | List of IDs of private route tables | | private\_subnets | List of IDs of private subnets | | private\_subnets\_cidr\_blocks | List of cidr_blocks of private subnets | +| public\_network\_acl\_id | ID of the public network ACL | | public\_route\_table\_ids | List of IDs of public route tables | | public\_subnets | List of IDs of public subnets | | public\_subnets\_cidr\_blocks | List of cidr_blocks of public subnets | +| redshift\_network\_acl\_id | ID of the redshift network ACL | | redshift\_route\_table\_ids | List of IDs of redshift route tables | | redshift\_subnet\_group | ID of redshift subnet group | | redshift\_subnets | List of IDs of redshift subnets | diff --git a/examples/network-acls/README.md b/examples/network-acls/README.md index a04890ca1..79305c7cd 100644 --- a/examples/network-acls/README.md +++ b/examples/network-acls/README.md @@ -2,7 +2,12 @@ Configuration in this directory creates set of VPC resources along with network ACLs for public subnets. -There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones. Network ACL rules for inbound and outbound traffic are defined. +There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones. + +Network ACL rules for inbound and outbound traffic are defined as the following: +1. Public subnets will have network ACL rules provided +1. Private subnets will be associated with the default network ACL rules (IPV4-only ingress and egress is open for all) +1. Elasticache subnets will use the default network ACL (created and managed by AWS) ## Usage @@ -17,15 +22,18 @@ $ terraform apply Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources. - ## Outputs | Name | Description | |------|-------------| -| nat_public_ips | NAT gateways | -| private_subnets | Subnets | -| public_subnets | List of IDs of public subnets | -| vpc_cidr_block | CIDR blocks | -| vpc_id | VPC | +| default\_network\_acl\_id | The ID of the default network ACL | +| elasticache\_network\_acl\_id | ID of the elasticache network ACL | +| nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway | +| private\_network\_acl\_id | ID of the private network ACL | +| private\_subnets | List of IDs of private subnets | +| public\_network\_acl\_id | ID of the public network ACL | +| public\_subnets | List of IDs of public subnets | +| vpc\_cidr\_block | The CIDR block of the VPC | +| vpc\_id | The ID of the VPC | diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf index 4785fc969..0e3f6a29c 100644 --- a/examples/network-acls/main.tf +++ b/examples/network-acls/main.tf @@ -9,16 +9,20 @@ module "vpc" { cidr = "10.0.0.0/16" - azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] - private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] - public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + azs = ["eu-west-1a", "eu-west-1b", "eu-west-1c"] + private_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"] + public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"] + elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"] - public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}" - public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}" + public_dedicated_network_acl = true + public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}" + public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}" + + private_dedicated_network_acl = true assign_generated_ipv6_cidr_block = true - enable_nat_gateway = true + enable_nat_gateway = false single_nat_gateway = true public_subnet_tags = { @@ -45,7 +49,6 @@ locals { to_port = 65535 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow inbound return traffic from hosts" }, ] @@ -57,7 +60,6 @@ locals { to_port = 65535 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allows outbound responses to clients" }, ] @@ -69,7 +71,6 @@ locals { to_port = 80 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow inbound HTTP traffic from any IPv4 address" }, { rule_number = 110 @@ -78,7 +79,6 @@ locals { to_port = 443 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow inbound HTTPS traffic from any IPv4 address" }, { rule_number = 120 @@ -87,7 +87,6 @@ locals { to_port = 22 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow inbound SSH traffic from any IPv4 address" }, { rule_number = 130 @@ -96,7 +95,6 @@ locals { to_port = 3389 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow inbound RDP traffic from any IPv4 address" }, ] @@ -108,7 +106,6 @@ locals { to_port = 80 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow outbound HTTP traffic from the subnet to the Internet" }, { rule_number = 110 @@ -117,7 +114,6 @@ locals { to_port = 443 protocol = "tcp" cidr_block = "0.0.0.0/0" - description = "Allow outbound HTTPS traffic from the subnet to the Internet" }, { rule_number = 120 @@ -126,9 +122,7 @@ locals { to_port = 1433 protocol = "tcp" cidr_block = "10.0.100.0/22" - description = "Allow outbound MS SQL access to database servers in the private subnet" }, - { rule_number = 130 rule_action = "allow" @@ -136,7 +130,6 @@ locals { to_port = 22 protocol = "tcp" cidr_block = "10.0.100.0/22" - description = "Allows outbound SSH access to instances in your private subnet" }, ] } diff --git a/examples/network-acls/outputs.tf b/examples/network-acls/outputs.tf index 35eb73359..535d5f43e 100644 --- a/examples/network-acls/outputs.tf +++ b/examples/network-acls/outputs.tf @@ -31,3 +31,24 @@ output "nat_public_ips" { description = "List of public Elastic IPs created for AWS NAT Gateway" value = ["${module.vpc.nat_public_ips}"] } + +# Network ACLs +output "public_network_acl_id" { + description = "ID of the public network ACL" + value = "${module.vpc.public_network_acl_id}" +} + +output "private_network_acl_id" { + description = "ID of the private network ACL" + value = "${module.vpc.private_network_acl_id}" +} + +output "elasticache_network_acl_id" { + description = "ID of the elasticache network ACL" + value = "${module.vpc.elasticache_network_acl_id}" +} + +output "default_network_acl_id" { + description = "The ID of the default network ACL" + value = "${module.vpc.default_network_acl_id}" +} diff --git a/main.tf b/main.tf index 91421ce59..2a54225bc 100644 --- a/main.tf +++ b/main.tf @@ -287,26 +287,35 @@ resource "aws_subnet" "intra" { ####################### # Default Network ACLs ####################### -resource "aws_default_network_acl" "default" { - count = "${var.create_vpc ? 1 : 0}" +resource "aws_default_network_acl" "this" { + count = "${var.create_vpc && var.manage_default_network_acl ? 1 : 0}" default_network_acl_id = "${element(concat(aws_vpc.this.*.default_network_acl_id, list("")), 0)}" + + ingress = "${var.default_network_acl_ingress}" + egress = "${var.default_network_acl_egress}" + + tags = "${merge(map("Name", format("%s", var.default_network_acl_name)), var.tags, var.default_network_acl_tags)}" + + lifecycle { + ignore_changes = ["subnet_ids"] + } } ######################## # Public Network ACLs ######################## resource "aws_network_acl" "public" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.public.*.id}"] - tags = "${merge(var.tags, var.public_acl_tags, map("Name", format("%s-public", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.public_subnet_suffix}", var.name)), var.tags, var.public_acl_tags)}" } resource "aws_network_acl_rule" "public_inbound" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.public.id}" @@ -320,7 +329,7 @@ resource "aws_network_acl_rule" "public_inbound" { } resource "aws_network_acl_rule" "public_outbound" { - count = "${var.create_vpc && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.public_dedicated_network_acl && length(var.public_subnets) > 0 ? length(var.public_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.public.id}" @@ -337,16 +346,16 @@ resource "aws_network_acl_rule" "public_outbound" { # Private Network ACLs ####################### resource "aws_network_acl" "private" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.private.*.id}"] - tags = "${merge(var.tags, var.private_acl_tags, map("Name", format("%s-private", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.private_subnet_suffix}", var.name)), var.tags, var.private_acl_tags)}" } resource "aws_network_acl_rule" "private_inbound" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.private.id}" @@ -360,7 +369,7 @@ resource "aws_network_acl_rule" "private_inbound" { } resource "aws_network_acl_rule" "private_outbound" { - count = "${var.create_vpc && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.private_dedicated_network_acl && length(var.private_subnets) > 0 ? length(var.private_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.private.id}" @@ -377,16 +386,16 @@ resource "aws_network_acl_rule" "private_outbound" { # Intra Network ACLs ######################## resource "aws_network_acl" "intra" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.intra.*.id}"] - tags = "${merge(var.tags, var.intra_acl_tags, map("Name", format("%s-intra", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.intra_subnet_suffix}", var.name)), var.tags, var.intra_acl_tags)}" } resource "aws_network_acl_rule" "intra_inbound" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.intra.id}" @@ -400,7 +409,7 @@ resource "aws_network_acl_rule" "intra_inbound" { } resource "aws_network_acl_rule" "intra_outbound" { - count = "${var.create_vpc && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.intra_dedicated_network_acl && length(var.intra_subnets) > 0 ? length(var.intra_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.intra.id}" @@ -417,16 +426,16 @@ resource "aws_network_acl_rule" "intra_outbound" { # Database Network ACLs ######################## resource "aws_network_acl" "database" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.database.*.id}"] - tags = "${merge(var.tags, var.database_acl_tags, map("Name", format("%s-database", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.database_subnet_suffix}", var.name)), var.tags, var.database_acl_tags)}" } resource "aws_network_acl_rule" "database_inbound" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.database.id}" @@ -440,7 +449,7 @@ resource "aws_network_acl_rule" "database_inbound" { } resource "aws_network_acl_rule" "database_outbound" { - count = "${var.create_vpc && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.database_dedicated_network_acl && length(var.database_subnets) > 0 ? length(var.database_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.database.id}" @@ -457,16 +466,16 @@ resource "aws_network_acl_rule" "database_outbound" { # Redshift Network ACLs ######################## resource "aws_network_acl" "redshift" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.redshift.*.id}"] - tags = "${merge(var.tags, var.redshift_acl_tags, map("Name", format("%s-redshift", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.redshift_subnet_suffix}", var.name)), var.tags, var.redshift_acl_tags)}" } resource "aws_network_acl_rule" "redshift_inbound" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.redshift.id}" @@ -480,7 +489,7 @@ resource "aws_network_acl_rule" "redshift_inbound" { } resource "aws_network_acl_rule" "redshift_outbound" { - count = "${var.create_vpc && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.redshift_dedicated_network_acl && length(var.redshift_subnets) > 0 ? length(var.redshift_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.redshift.id}" @@ -497,16 +506,16 @@ resource "aws_network_acl_rule" "redshift_outbound" { # Elasticache Network ACLs ########################### resource "aws_network_acl" "elasticache" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? 1 : 0}" + count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? 1 : 0}" vpc_id = "${element(concat(aws_vpc.this.*.id, list("")), 0)}" subnet_ids = ["${aws_subnet.elasticache.*.id}"] - tags = "${merge(var.tags, var.elasticache_acl_tags, map("Name", format("%s-elasticache", var.name)))}" + tags = "${merge(map("Name", format("%s-${var.elasticache_subnet_suffix}", var.name)), var.tags, var.elasticache_acl_tags)}" } resource "aws_network_acl_rule" "elasticache_inbound" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}" + count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_inbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" @@ -520,7 +529,7 @@ resource "aws_network_acl_rule" "elasticache_inbound" { } resource "aws_network_acl_rule" "elasticache_outbound" { - count = "${var.create_vpc && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}" + count = "${var.create_vpc && var.elasticache_dedicated_network_acl && length(var.elasticache_subnets) > 0 ? length(var.elasticache_outbound_acl_rules) : 0}" network_acl_id = "${aws_network_acl.elasticache.id}" diff --git a/outputs.tf b/outputs.tf index 277706622..d885ce35e 100644 --- a/outputs.tf +++ b/outputs.tf @@ -258,6 +258,36 @@ output "default_vpc_main_route_table_id" { // value = "${element(concat(aws_default_vpc.this.*.ipv6_cidr_block, list("")), 0)}" //} +output "public_network_acl_id" { + description = "ID of the public network ACL" + value = "${element(concat(aws_network_acl.public.*.id, list("")), 0)}" +} + +output "private_network_acl_id" { + description = "ID of the private network ACL" + value = "${element(concat(aws_network_acl.private.*.id, list("")), 0)}" +} + +output "intra_network_acl_id" { + description = "ID of the intra network ACL" + value = "${element(concat(aws_network_acl.intra.*.id, list("")), 0)}" +} + +output "database_network_acl_id" { + description = "ID of the database network ACL" + value = "${element(concat(aws_network_acl.database.*.id, list("")), 0)}" +} + +output "redshift_network_acl_id" { + description = "ID of the redshift network ACL" + value = "${element(concat(aws_network_acl.redshift.*.id, list("")), 0)}" +} + +output "elasticache_network_acl_id" { + description = "ID of the elasticache network ACL" + value = "${element(concat(aws_network_acl.elasticache.*.id, list("")), 0)}" +} + # VPC Endpoints output "vpc_endpoint_s3_id" { description = "The ID of VPC endpoint for S3" diff --git a/variables.tf b/variables.tf index 144f19c8e..22e88518b 100644 --- a/variables.tf +++ b/variables.tf @@ -531,9 +531,99 @@ variable "default_vpc_tags" { default = {} } +variable "manage_default_network_acl" { + description = "Should be true to adopt and manage Default Network ACL" + default = false +} + +variable "default_network_acl_name" { + description = "Name to be used on the Default Network ACL" + default = "" +} + +variable "default_network_acl_tags" { + description = "Additional tags for the Default Network ACL" + default = {} +} + +variable "public_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets" + default = false +} + +variable "private_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets" + default = false +} + +variable "intra_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets" + default = false +} + +variable "database_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets" + default = false +} + +variable "redshift_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for redshift subnets" + default = false +} + +variable "elasticache_dedicated_network_acl" { + description = "Whether to use dedicated network ACL (not default) and custom rules for elasticache subnets" + default = false +} + +variable "default_network_acl_ingress" { + description = "List of maps of ingress rules to set on the Default Network ACL" + + default = [{ + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + }, + ] +} + +variable "default_network_acl_egress" { + description = "List of maps of egress rules to set on the Default Network ACL" + + default = [{ + rule_no = 100 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_block = "0.0.0.0/0" + }, + { + rule_no = 101 + action = "allow" + from_port = 0 + to_port = 0 + protocol = "-1" + ipv6_cidr_block = "::/0" + }, + ] +} + variable "public_inbound_acl_rules" { description = "Public subnets inbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -541,14 +631,14 @@ variable "public_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "public_outbound_acl_rules" { description = "Public subnets outbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -556,14 +646,14 @@ variable "public_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] } variable "private_inbound_acl_rules" { description = "Private subnets inbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -571,14 +661,14 @@ variable "private_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "private_outbound_acl_rules" { description = "Private subnets outbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -586,14 +676,14 @@ variable "private_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] } variable "intra_inbound_acl_rules" { description = "Intra subnets inbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -601,14 +691,14 @@ variable "intra_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "intra_outbound_acl_rules" { description = "Intra subnets outbound network ACLs" - default = [ + + default = [ { rule_number = 100 rule_action = "allow" @@ -616,14 +706,14 @@ variable "intra_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] } variable "database_inbound_acl_rules" { - description = "database subnets inbound network ACL rules" - default = [ + description = "Database subnets inbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -631,14 +721,14 @@ variable "database_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "database_outbound_acl_rules" { - description = "database subnets outbound network ACL rules" - default = [ + description = "Database subnets outbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -646,14 +736,14 @@ variable "database_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] } variable "redshift_inbound_acl_rules" { - description = "redshift subnets inbound network ACL rules" - default = [ + description = "Redshift subnets inbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -661,14 +751,14 @@ variable "redshift_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "redshift_outbound_acl_rules" { - description = "redshift subnets outbound network ACL rules" - default = [ + description = "Redshift subnets outbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -676,14 +766,14 @@ variable "redshift_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] } variable "elasticache_inbound_acl_rules" { - description = "elasticache subnets inbound network ACL rules" - default = [ + description = "Elasticache subnets inbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -691,14 +781,14 @@ variable "elasticache_inbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL inbound" - } + }, ] } variable "elasticache_outbound_acl_rules" { - description = "elasticache subnets outbound network ACL rules" - default = [ + description = "Elasticache subnets outbound network ACL rules" + + default = [ { rule_number = 100 rule_action = "allow" @@ -706,7 +796,6 @@ variable "elasticache_outbound_acl_rules" { to_port = 0 protocol = "-1" cidr_block = "0.0.0.0/0" - description = "Allow ALL outbound" - } + }, ] }