Add a custom list of cidrs to allow on each NACL table

DNXLabs · Jan 28, 2025 · 94584ae · 94584ae
1 parent 7415034
commit 94584ae
Show file tree

Hide file tree

Showing 4 changed files with 92 additions and 0 deletions.
diff --git a/_variables.tf b/_variables.tf
@@ -150,6 +150,24 @@ variable "secure_nacl_allow_public" {
   description = "Allow traffic between public and secure"
 }
 
+variable "public_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from public subnet"
+}
+
+variable "private_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from private subnet"
+}
+
+variable "secure_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from secure subnet"
+}
+
 variable "vpc_flow_logs" {
   type        = bool
   default     = true

diff --git a/nacl-private.tf b/nacl-private.tf
@@ -158,3 +158,28 @@ resource "aws_network_acl_rule" "out_private_from_secure" {
   from_port      = 0
   to_port        = 0
 }
+
+
+resource "aws_network_acl_rule" "in_private_from_allowed_cidrs" {
+  count          = length(var.private_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = count.index + 601
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.private_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_private_from_allowed_cidrs" {
+  count          = length(var.private_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = count.index + 601
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.private_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
diff --git a/nacl-public.tf b/nacl-public.tf
@@ -179,3 +179,28 @@ resource "aws_network_acl_rule" "in_public_from_secure" {
   from_port      = 0
   to_port        = 0
 }
+
+
+resource "aws_network_acl_rule" "in_public_from_allowed_cidrs" {
+  count          = length(var.public_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.public.id
+  rule_number    = count.index + 801
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.public_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_public_from_allowed_cidrs" {
+  count          = length(var.public_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.public.id
+  rule_number    = count.index + 801
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.public_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
diff --git a/nacl-secure.tf b/nacl-secure.tf
@@ -149,3 +149,27 @@ resource "aws_network_acl_rule" "out_secure_to_dynamodb" {
   from_port      = 0
   to_port        = 0
 }
+
+resource "aws_network_acl_rule" "in_secure_from_allowed_cidrs" {
+  count          = length(var.secure_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 801
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.secure_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_secure_from_allowed_cidrs" {
+  count          = length(var.secure_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 801
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.secure_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}