From 94584aea112f90e6950716738afd11278b063520 Mon Sep 17 00:00:00 2001
From: Allan Denot
Date: Wed, 29 Jan 2025 08:35:20 +1000
Subject: [PATCH] Add a custom list of cidrs to allow on each NACL table

---
 _variables.tf | 18 ++++++++++++++++++
 nacl-private.tf | 25 +++++++++++++++++++++++++
 nacl-public.tf | 25 +++++++++++++++++++++++++
 nacl-secure.tf | 24 ++++++++++++++++++++++++
 4 files changed, 92 insertions(+)

diff --git a/_variables.tf b/_variables.tf
index 7f750ee..cabc719 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -150,6 +150,24 @@ variable "secure_nacl_allow_public" {
 description = "Allow traffic between public and secure"
 }
 
+variable "public_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from public subnet"
+}
+
+variable "private_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from private subnet"
+}
+
+variable "secure_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from secure subnet"
+}
+
 variable "vpc_flow_logs" {
 type = bool
 default = true
diff --git a/nacl-private.tf b/nacl-private.tf
index 52d1723..cba9dbf 100644
--- a/nacl-private.tf
+++ b/nacl-private.tf
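Review bot: The three new `list(string)` variables accept any string, so a malformed entry (a bare address, a stray space, or an IPv6 prefix that the consuming rules cannot take because they set only `cidr_block`) is first rejected by the AWS API at apply time rather than at plan time. A `validation` block on each variable catches this early, and because `cidrnetmask` does not accept IPv6 it doubles as an IPv4-only check; this needs Terraform 0.13+ for `alltrue`, which I cannot confirm against the module's required version from this hunk. The descriptions also understate what the lists do: every entry becomes an ingress and an egress rule with `protocol = -1` and all ports, so wording such as `description = "IPv4 CIDRs granted unrestricted ingress and egress (all protocols/ports) on the public NACL"` (and the private/secure equivalents) would tell callers what they are opening. The list length is additionally bounded by the per-direction NACL entry quota, which is worth mentioning in the description so callers do not discover it at apply time.
```terraform
variable "public_nacl_allow_cidrs" {
  type        = list(string)
  default     = []
  description = "IPv4 CIDRs granted unrestricted ingress and egress (all protocols/ports) on the public NACL"

  validation {
    condition     = alltrue([for c in var.public_nacl_allow_cidrs : can(cidrnetmask(c))])
    error_message = "Each entry must be a valid IPv4 CIDR, for example 10.0.0.0/24."
  }
}
# … unchanged: private_nacl_allow_cidrs and secure_nacl_allow_cidrs get the same validation block …
```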
@@ -158,3 +158,28 @@ resource "aws_network_acl_rule" "out_private_from_secure" {
 from_port = 0
 to_port = 0
 }
+
+
+resource "aws_network_acl_rule" "in_private_from_allowed_cidrs" {
+ count = length(var.private_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = count.index + 601
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.private_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_private_from_allowed_cidrs" {
+ count = length(var.private_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = count.index + 601
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.private_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
diff --git a/nacl-public.tf b/nacl-public.tf
index 3a5d174..a3cf6c2 100644
--- a/nacl-public.tf
+++ b/nacl-public.tf
@@ -179,3 +179,28 @@ resource "aws_network_acl_rule" "in_public_from_secure" {
 from_port = 0
 to_port = 0
 }
+
+
+resource "aws_network_acl_rule" "in_public_from_allowed_cidrs" {
+ count = length(var.public_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = count.index + 801
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.public_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_public_from_allowed_cidrs" {
+ count = length(var.public_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = count.index + 801
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.public_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
diff --git a/nacl-secure.tf b/nacl-secure.tf
index 2adfa79..114cebc 100644
--- a/nacl-secure.tf
+++ b/nacl-secure.tf
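Review bot: The private rules start numbering at 601 while the public and secure rules in the next two hunks start at 801, and nothing in the hunk records why or which range is now reserved, so a fixed rule added later in the 601+ range would collide with an operator-supplied entry (the AWS API rejects a duplicate rule number within one direction, as far as I recall — confirm). A comment above `in_private_from_allowed_cidrs` such as `# Rule numbers 601+ (one per entry, per direction) are reserved for var.private_nacl_allow_cidrs; keep fixed rules below 601.` would make the reservation explicit, and whether 601+ is currently free cannot be checked from this hunk. Separately, the egress resource name `out_private_from_allowed_cidrs` reads as if the CIDR were the source, but `cidr_block` on an egress rule is the destination; the file already uses `out_secure_to_dynamodb` for that case (visible in the nacl-secure hunk header), so `out_private_to_allowed_cidrs` — and likewise `out_public_to_allowed_cidrs` and `out_secure_to_allowed_cidrs` in the following hunks — would match the existing convention.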
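Review bot: Both public rules index the list with `count`, so inserting or deleting an entry in the middle of `public_nacl_allow_cidrs` shifts `cidr_block` and `rule_number` for every later instance; the AWS provider appears to treat both as replacement-forcing (confirm), and with the default destroy-then-create ordering the shifted CIDRs are briefly denied. Keying the instances by CIDR keeps each resource address tied to the entry it allows, collapses accidental duplicates and makes the plan name the affected CIDR: `for_each = { for i, c in var.public_nacl_allow_cidrs : c => i }`, `rule_number = each.value + 801`, `cidr_block = each.key`. Rule numbers would still shift on a middle deletion with that form; avoiding that entirely would require callers to supply a fixed offset per CIDR, which is a design choice beyond this patch. The same applies to the private and secure hunks.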
@@ -149,3 +149,27 @@ resource "aws_network_acl_rule" "out_secure_to_dynamodb" {
 from_port = 0
 to_port = 0
 }
+
+resource "aws_network_acl_rule" "in_secure_from_allowed_cidrs" {
+ count = length(var.secure_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.secure.id
+ rule_number = count.index + 801
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.secure_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_secure_from_allowed_cidrs" {
+ count = length(var.secure_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.secure.id
+ rule_number = count.index + 801
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.secure_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
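Review bot: These two rules grant every entry in `secure_nacl_allow_cidrs` all-protocol, all-port access in both directions on the secure NACL unconditionally, so an entry that covers the public subnet would sidestep the `secure_nacl_allow_public` toggle shown as context in the `_variables.tf` hunk, and nothing in this hunk tells a maintainer that. A comment above `in_secure_from_allowed_cidrs` such as `# Unconditional allow for operator-supplied CIDRs; not gated by var.secure_nacl_allow_public, so keep public or otherwise untrusted ranges out of this list.` would record that boundary. The `rule_number` base 801 is shared with the public NACL, which is harmless because they are separate ACLs, but whether 801+ is free on the secure NACL cannot be verified from this hunk and is worth stating in the same comment.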