From 94584aea112f90e6950716738afd11278b063520 Mon Sep 17 00:00:00 2001
From: Allan Denot
Date: Wed, 29 Jan 2025 08:35:20 +1000
Subject: [PATCH 1/2] Add a custom list of cidrs to allow on each NACL table
---
 _variables.tf | 18 ++++++++++++++++++
 nacl-private.tf | 25 +++++++++++++++++++++++++
 nacl-public.tf | 25 +++++++++++++++++++++++++
 nacl-secure.tf | 24 ++++++++++++++++++++++++
 4 files changed, 92 insertions(+)
diff --git a/_variables.tf b/_variables.tf
index 7f750ee..cabc719 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -150,6 +150,24 @@ variable "secure_nacl_allow_public" {
 description = "Allow traffic between public and secure"
 }
+variable "public_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from public subnet"
+}
+
+variable "private_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from private subnet"
+}
+
+variable "secure_nacl_allow_cidrs" {
+ type = list(string)
+ default = []
+ description = "CIDRs to allow traffic from secure subnet"
+}
+
 variable "vpc_flow_logs" {
 type = bool
 default = true
diff --git a/nacl-private.tf b/nacl-private.tf
index 52d1723..cba9dbf 100644
--- a/nacl-private.tf
+++ b/nacl-private.tf
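Review bot: The new descriptions ("CIDRs to allow traffic from public subnet", and likewise for private and secure) understate what an entry grants: the rules that consume these lists (the `*_from_allowed_cidrs` resources in nacl-private.tf, nacl-public.tf and nacl-secure.tf in this same patch) use `protocol = -1`, ports 0–0 and both `egress = false` and `egress = true`, so each CIDR gets unrestricted bidirectional access to that tier. Suggest `description = "CIDRs granted unrestricted (all protocols and ports) inbound and outbound access on the public subnet NACL"`, with matching wording for the other two; terraform-docs regenerates README.md from these strings (PATCH 2/2), so the README is corrected at the same time. The variables also accept any string, and a malformed or IPv6 entry only surfaces at apply time because the rules set `cidr_block`; a `validation` block per variable rejects it at plan instead, shown below for `public_nacl_allow_cidrs` and to be repeated for the other two.
```hcl
variable "public_nacl_allow_cidrs" {
  # … unchanged: type, default, description …
  validation {
    condition     = alltrue([for c in var.public_nacl_allow_cidrs : can(cidrnetmask(c))])
    error_message = "public_nacl_allow_cidrs must contain only valid IPv4 CIDR blocks."
  }
}
```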
@@ -158,3 +158,28 @@ resource "aws_network_acl_rule" "out_private_from_secure" {
 from_port = 0
 to_port = 0
 }
+
+
+resource "aws_network_acl_rule" "in_private_from_allowed_cidrs" {
+ count = length(var.private_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = count.index + 601
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.private_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_private_from_allowed_cidrs" {
+ count = length(var.private_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.private.id
+ rule_number = count.index + 601
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.private_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
diff --git a/nacl-public.tf b/nacl-public.tf
index 3a5d174..a3cf6c2 100644
--- a/nacl-public.tf
+++ b/nacl-public.tf
@@ -179,3 +179,28 @@ resource "aws_network_acl_rule" "in_public_from_secure" {
 from_port = 0
 to_port = 0
 }
+
+
+resource "aws_network_acl_rule" "in_public_from_allowed_cidrs" {
+ count = length(var.public_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = count.index + 801
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.public_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_public_from_allowed_cidrs" {
+ count = length(var.public_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.public.id
+ rule_number = count.index + 801
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.public_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
diff --git a/nacl-secure.tf b/nacl-secure.tf
index 2adfa79..114cebc 100644
--- a/nacl-secure.tf
+++ b/nacl-secure.tf
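Review bot: `rule_number = count.index + 601` ties each rule to the list position of its CIDR, so removing or reordering one entry in `private_nacl_allow_cidrs` rewrites the `cidr_block` of every later rule (as far as I recall the AWS provider replaces `aws_network_acl_rule` on such changes rather than updating in place), leaving a window during apply in which a rule number carries a CIDR other than the intended one; keying by CIDR with `for_each = { for i, c in var.private_nacl_allow_cidrs : c => i }`, `rule_number = each.value + 601` and `cidr_block = each.key` ties each rule's identity to its CIDR and rejects duplicates, though numbers derived from position still shift. The base 601 here versus 801 in nacl-public.tf and nacl-secure.tf is unexplained; presumably it sits above this file's existing rules, which are outside the hunk, so a comment such as `# 601+ : operator-supplied CIDRs (var.private_nacl_allow_cidrs), one rule per entry and direction` would record the range reserved here. The same positional-`count` pattern appears in the nacl-public.tf and nacl-secure.tf hunks. The two blank `+` lines before the first resource are one more than the spacing used elsewhere in this patch.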
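Review bot: These two rules grant the listed CIDRs every protocol and port in both directions on the public NACL, which silently overrides the per-port controls this module otherwise exposes for that tier (`public_nacl_inbound_tcp_ports`, `public_nacl_inbound_udp_ports` and the `public_nacl_outbound_*_ports` lists shown in the README hunk), and nothing in the code says so. Suggest a header comment on `in_public_from_allowed_cidrs`: `# Entries in var.public_nacl_allow_cidrs bypass the public_nacl_*_ports lists: all protocols/ports, inbound and outbound.` Whether 801 clears the rule numbers that the port-list rules occupy cannot be seen from this hunk; it is worth confirming against the rest of nacl-public.tf, and a one-line comment naming the reserved range would spare the next reader that check.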
@@ -149,3 +149,27 @@ resource "aws_network_acl_rule" "out_secure_to_dynamodb" {
 from_port = 0
 to_port = 0
 }
+
+resource "aws_network_acl_rule" "in_secure_from_allowed_cidrs" {
+ count = length(var.secure_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.secure.id
+ rule_number = count.index + 801
+ egress = false
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.secure_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
+
+resource "aws_network_acl_rule" "out_secure_from_allowed_cidrs" {
+ count = length(var.secure_nacl_allow_cidrs)
+ network_acl_id = aws_network_acl.secure.id
+ rule_number = count.index + 801
+ egress = true
+ protocol = -1
+ rule_action = "allow"
+ cidr_block = var.secure_nacl_allow_cidrs[count.index]
+ from_port = 0
+ to_port = 0
+}
From 051435d95937240daf15e6bf489a74eec22351b3 Mon Sep 17 00:00:00 2001
From: adenot
Date: Tue, 28 Jan 2025 22:36:06 +0000
Subject: [PATCH 2/2] terraform-docs: automated update action
---
 README.md | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/README.md b/README.md
index 00007e3..2ab069e 100644
--- a/README.md
+++ b/README.md
@@ -87,13 +87,16 @@ module "network" {
 | nat | Deploy NAT instance(s) | `bool` | `true` | no |
 | network\_firewall | Enable or disable VPC Network Firewall | `bool` | `false` | no |
 | newbits | Number of bits to add to the vpc cidr when building subnets | `number` | `5` | no |
+| private\_nacl\_allow\_cidrs | CIDRs to allow traffic from private subnet | `list(string)` | `[]` | no |
 | private\_netnum\_offset | Start with this subnet for private ones, plus number of AZs | `number` | `5` | no |
+| public\_nacl\_allow\_cidrs | CIDRs to allow traffic from public subnet | `list(string)` | `[]` | no |
 | public\_nacl\_icmp | Allows ICMP traffic to and from the public subnet | `bool` | `true` | no |
 | public\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` |
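Review bot: `out_secure_from_allowed_cidrs` is an egress rule (`egress = true`) whose `cidr_block` is the destination, yet its name says "from"; the file's existing convention, visible in the hunk header as `out_secure_to_dynamodb`, names egress rules by destination, so `out_secure_to_allowed_cidrs` would fit (the resource is new in this patch, so no `moved` block is needed). The secure tier is the one this module otherwise fences off (`secure_nacl_allow_public` defaults to false in the variables hunk), and this adds an all-protocol, all-port, bidirectional allow to it with only `secure_nacl_allow_cidrs` as the gate; a comment above `in_secure_from_allowed_cidrs` such as `# Full bidirectional access for operator-supplied CIDRs; keep this list minimal on the secure tier.` records that intent for the next reader. The positional-`count` numbering concern raised on nacl-private.tf applies here as well, and whether 801 sits clear of this file's existing rules cannot be seen from the hunk.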
[
"80",
"443",
"22",
"1194"
]
| no |
 | public\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | `[]` | no |
 | public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` |
[
"0"
]
| no |
 | public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` |
[
"0"
]
| no |
 | public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no |
+| secure\_nacl\_allow\_cidrs | CIDRs to allow traffic from secure subnet | `list(string)` | `[]` | no |
 | secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no |
 | secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no |
 | tags | Extra tags to attach to resources | `map(string)` | `{}` | no |