Configure network ACLs for public/private/intra subnets #174
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
kinghuang
changed the title
|
On further thought, maybe this is better done as a separate module. Otherwise, there's a lot of repetition involved, especially if the database, redshift, and elasticache subnets are covered, too. |
|
Hi King, I like the code you have pushed so far very much. I think it is important to provide all NACL rules in this module even if there will be some repetitions. The users of this module will benefit from having more features using one module. Thank you for your contribution! |
|
I've added ACL resources to cover database, redshift, and elasticache subnets. And, refined the variable names to better reflect that they configure ACL rules, not ACLs. |
|
When I try to use this branch I get an error: Maybe this is because the variables are defined like "public_inbound_acl_rules", with '_rules' but the examples are written as "public_inbound_acls = [" |
|
I also got some strange errors, and couldn't refresh my state, after I inserted a new rule into the public_inbound_acls list to: it seems like terraform was keeping track of the rules by their position the the list not the priority number.. so adding an item at the beginning caused problems ws_route.private_nat_gateway[1]: Refreshing state... (ID: r-rtb-0c9743f91b1aa428c1080289494) Error: Error refreshing state: 1 error(s) occurred: |
|
When you dig into the code here is the line which creates the internal hash. So as you see they are using the rule number for this. |
|
@kinghuang Will you finished on that pull request, looks like there are conflicts? |
|
Any plans for merging this PR into master? |
|
@ppieprzycki Yes, there are plans but I have not enough time in a day to cover all projects I work for free. Regarding this PR, it requires some improvements related to conditional creation. I will fix and test it manually. |
|
Sorry, I forgot about the changes. I can rebase and take a stab at that today. |
|
hi, why not use lookup function instead of element function? With lookup function, our nacl definition is more readable and formatable.
I think that this will give more flexibility in a more complex environment Regards |
|
I like the structure and ideas described by @jczerniak very much. @kinghuang will you be able to update this PR? |
Add variables for specifying network ACLs for public, private, and intra subnets. The ACLs are defined in a list, with sets of seven elements for the rule number, rule action, from port, to port, protocol, and cidr block.
Add variables to specify additional tags for public, private, and intra network ACL resources.
Add aws_network_acl and aws_network_acl_rule resources to specify inbound and outbound network ACL rules for public, private, and intra subnets.
Add a aws_default_network_acl resource to adopt the default network ACL in the VPC.
Remove the empty lines after comment blocks for network ACLs to match the style of the rest of this module.
Copy the simple-vpc example and adapt it to demonstrate the configuration of network ACLs. A set of inbound and outbound ACLs are specified in main.tf.
Clarify the variables for specifying ACL rules by renaming them from *_acls to *_acl_rules. The values are used to create rules, not create ACLs.
Add aws_network_acl and aws_network_acl_rule resources for database, redshift, and elasticache subnets, along with corresponding variables. This provides network ACL coverage to all subnet types produced by this module.
For each subnet type, only create ACL resources if there are subnets defined. For example, if database_subnets is empty, then don't create ACL resources for database subnets.
Add the missing variable declarations for database_acl_tags, redshift_acl_tags, and elasticache_acl_tags.
A single ACL is created for each of the subnet types. Update the variable descriptions to reflect this.
Convert the NACL rule specifications from a list of lists to a list of maps, as suggested by @jczerniak. This improves the readability of rules.
Restructure the network ACL rules in the network-acls example to use local variables to specify the rules, split between default and custom rules.
|
Following @jczerniak's suggestions, I've change the rules from lists of lists to lists of maps. And, updated the network-acls example to use locals and a concatenation of "default" and "custom" rules, instead of inline rules. |
antonbabenko
added a commit
that referenced
this pull request
Mar 22, 2019
* Add variables for network ACLs Add variables for specifying network ACLs for public, private, and intra subnets. The ACLs are defined in a list, with sets of seven elements for the rule number, rule action, from port, to port, protocol, and cidr block. * Add variables for network ACL tags Add variables to specify additional tags for public, private, and intra network ACL resources. * Add resources for network ACLs Add aws_network_acl and aws_network_acl_rule resources to specify inbound and outbound network ACL rules for public, private, and intra subnets. * Add resource for default network ACL Add a aws_default_network_acl resource to adopt the default network ACL in the VPC. * Adjust spacing to match code style Remove the empty lines after comment blocks for network ACLs to match the style of the rest of this module. * Copy simple-vpc example as network-acls Copy the simple-vpc example and adapt it to demonstrate the configuration of network ACLs. A set of inbound and outbound ACLs are specified in main.tf. * Rename variables from _acls to _acl_rules Clarify the variables for specifying ACL rules by renaming them from *_acls to *_acl_rules. The values are used to create rules, not create ACLs. * Add nacl resources and variables for other subnets Add aws_network_acl and aws_network_acl_rule resources for database, redshift, and elasticache subnets, along with corresponding variables. This provides network ACL coverage to all subnet types produced by this module. * Create ACLs only if there are subnets For each subnet type, only create ACL resources if there are subnets defined. For example, if database_subnets is empty, then don't create ACL resources for database subnets. * Add missing variables for ACL tags Add the missing variable declarations for database_acl_tags, redshift_acl_tags, and elasticache_acl_tags. * Make ACL singular in description for _acl_tags A single ACL is created for each of the subnet types. Update the variable descriptions to reflect this. * Convert rules to nested list of maps Convert the NACL rule specifications from a list of lists to a list of maps, as suggested by @jczerniak. This improves the readability of rules. * Restructure example config to use locals Restructure the network ACL rules in the network-acls example to use local variables to specify the rules, split between default and custom rules. * Follow-up for #174
|
v1.60.0 has been released! Huge thanks to @kinghuang for the great contribution! |
guneriu
added a commit
to Yilu-Archive/terraform-aws-vpc
that referenced
this pull request
May 14, 2021
* Fixing typo overriden -> overridden (terraform-aws-modules#150) just a typo in the docs and in the public_subnet_tags in the simple example * Provide separate route tables for db/elasticache/redshift (terraform-aws-modules#155) * Provide separate route tables for db/elasticache/redshift * Added example for saperate routes * Updated PR with suggestions * Make redshift to use separate subnet route table also * More cleanup and updates * Fixed one more spelling mistake * Add minimum support for IPv6 to VPC (terraform-aws-modules#156) * Added support for IPv6 to VPC * Removed IPv6 from outputs (fixed terraform-aws-modules#157) (terraform-aws-modules#158) * Add secondary CIDR block support (terraform-aws-modules#163) * Add secondary CIDR block support using a local variable to derive the vpc id to ensure the CIDR block operations are applied before the CIDR operations * Add secondary cidr block outputs to module output * Add the wonderful examples from matthiasr's PR located at terraform-aws-modules#162 all credit goes to them for this wonderful example * From copy and paste accidentally used variable name that differed from these variables * Resolve typo in secondary_cidr_blocks * Fixed README formatting * Followups for terraform-aws-modules#161 * Added local.vpc_id with description * add vars for custom subnet and route table names (terraform-aws-modules#168) * add vars for custom subnet and route table names * revert db suffix to "db" * Added cloudcraft.co as a sponsor for this module * Added cloudcraft.co as a sponsor for this module * Removed comments starting from # to fix README * Updated link to cloudcraft * Updated link to cloudcraft * Reordering tag merging (terraform-aws-modules#148) * Added amazon_side_asn to vpn_gateway (terraform-aws-modules#159) * Added amazon_side_asn to vpn_gateway * change to Amazon default ASN (as per API) (terraform-aws-modules#176) https://docs.aws.amazon.com/cli/latest/reference/ec2/create-vpn-gateway.html * Updated README.md after merge * Fixed terraform-aws-modules#177 - public_subnets should not always be validated * Fix for the error: module.vpc.aws_redshift_subnet_group.redshift: only lowercase alphanumeric characters and hyphens allowed in name Read more: terraform-aws-modules#180 * Updated pre-commit version with new terraform-docs script * Added IGW route for DB subnets (based on terraform-aws-modules#179) * Reverted complete-example * Added azs to outputs which is an argument * Added possibility to control creation of elasticache and redshift subnet groups * Added SSM and EC2 VPC endpoints (fixes terraform-aws-modules#195, terraform-aws-modules#194) * adding option to create a route to nat gateway in database subnets * Reordered vars in count for database_nat_gateway route * add endpoints ec2messages, ssmmessages as those are required by Systems Manager in addition to ec2 and ssm. * fix typo * add additional endpoints to examples * add files updated by pre-commit * switch to terraform-docs v0.6.0 * Added option to create ECR api and dkr endpoints * Added subnet ids to ecr endpoints * Fixed formatting after terraform-aws-modules#205 * Fixed formatting after terraform-aws-modules#213 * Added intra subnet suffix. (terraform-aws-modules#220) * Added intra subnet suffix. * Fixed duplicate intra * Fixed tag * Added CHANGELOG.md (terraform-aws-modules#221) * Bump version * API gateway Endpoint (terraform-aws-modules#225) * Updated changelog * docs: Update comment in docs (terraform-aws-modules#226) * Redshift public subnets (terraform-aws-modules#222) * add public subnet for redshift to enable access for kinesis * fix redshift subnet group name * fix redshift public association * add public redshift to documentation * fix doc typo * update code after review * Redshift public subnets (terraform-aws-modules#222) * Resolved conflicts after merge * Updated changelog * Network ACLs (terraform-aws-modules#238) * Add variables for network ACLs Add variables for specifying network ACLs for public, private, and intra subnets. The ACLs are defined in a list, with sets of seven elements for the rule number, rule action, from port, to port, protocol, and cidr block. * Add variables for network ACL tags Add variables to specify additional tags for public, private, and intra network ACL resources. * Add resources for network ACLs Add aws_network_acl and aws_network_acl_rule resources to specify inbound and outbound network ACL rules for public, private, and intra subnets. * Add resource for default network ACL Add a aws_default_network_acl resource to adopt the default network ACL in the VPC. * Adjust spacing to match code style Remove the empty lines after comment blocks for network ACLs to match the style of the rest of this module. * Copy simple-vpc example as network-acls Copy the simple-vpc example and adapt it to demonstrate the configuration of network ACLs. A set of inbound and outbound ACLs are specified in main.tf. * Rename variables from _acls to _acl_rules Clarify the variables for specifying ACL rules by renaming them from *_acls to *_acl_rules. The values are used to create rules, not create ACLs. * Add nacl resources and variables for other subnets Add aws_network_acl and aws_network_acl_rule resources for database, redshift, and elasticache subnets, along with corresponding variables. This provides network ACL coverage to all subnet types produced by this module. * Create ACLs only if there are subnets For each subnet type, only create ACL resources if there are subnets defined. For example, if database_subnets is empty, then don't create ACL resources for database subnets. * Add missing variables for ACL tags Add the missing variable declarations for database_acl_tags, redshift_acl_tags, and elasticache_acl_tags. * Make ACL singular in description for _acl_tags A single ACL is created for each of the subnet types. Update the variable descriptions to reflect this. * Convert rules to nested list of maps Convert the NACL rule specifications from a list of lists to a list of maps, as suggested by @jczerniak. This improves the readability of rules. * Restructure example config to use locals Restructure the network ACL rules in the network-acls example to use local variables to specify the rules, split between default and custom rules. * Follow-up for terraform-aws-modules#174 * Updated CHANGELOG * Added missing VPC endpoints outputs (resolves terraform-aws-modules#246) (terraform-aws-modules#247) * Updated CHANGELOG * Add support for KMS VPC endpoint creation (terraform-aws-modules#243) * Updated CHANGELOG * Added ARN of VPC in module output (terraform-aws-modules#245) I need in my policy generator the arn of vpc so I would like to include this * Fixed formatting * Updated CHANGELOG * Add Output Of Subnet ARNs (terraform-aws-modules#242) * Add Output Of Subnet ARNs Facilitates resource access manager, subnet sharing across accounts * Update Readme For Subnet ARN Output * Fixed formatting * Updated CHANGELOG * Improving DHCP options docs (terraform-aws-modules#260) * Improving DHCP options docs * generating README from variables description * Updated CHANGELOG * ECS endpoint (terraform-aws-modules#261) * add ecs vpc endpoints * add ecs vpcendpoints outputs * add ecs vpc endpoints to readme inputs/outputs table * add ecs vpc endpoints to readme endpoint list * Added VPC endpoints for SQS (closes terraform-aws-modules#248) * Updated CHANGELOG * Finally, Terraform 0.12 support (terraform-aws-modules#266) * run terraform 0.12upgrade * Cleanup for Terraform 0.12 (closes terraform-aws-modules#265, terraform-aws-modules#228) * Fixed merge conflicts * Updated CHANGELOG * Upgrade Docker Image to fix CI (terraform-aws-modules#270) * Added VPC Endpoints for SNS, Cloudtrail, ELB, Cloudwatch (terraform-aws-modules#269) * Updated CHANGELOG * Updated Terraform versions in README * Updated CHANGELOG * Fixed opportunity to create the vpc, vpn gateway routes (bug during upgrade to 0.12) * Updated CHANGELOG * Fixed broken 2.3.0 * Updated CHANGELOG * Updated CHANGELOG * Update tflint to 0.8.2 for circleci task (terraform-aws-modules#280) * Updated VPC endpoint example (fixed terraform-aws-modules#249) * Updated CHANGELOG * Updated pre-commit-terraform to support terraform-docs and Terraform 0.12 (terraform-aws-modules#288) * Updated CHANGELOG * Enable backwards compatibility * KAN-380 terraform 0.12 upgrade * enable backwards compatibility Co-authored-by: Tristan Escalada <tristan@escalada.us> Co-authored-by: Anton Babenko <anton@antonbabenko.com> Co-authored-by: Rupert Broad <rupert.broad@exact.com> Co-authored-by: Scott Crooks <sc250024@users.noreply.github.com> Co-authored-by: Mayur Nagekar <mayur@meetbeam.com> Co-authored-by: ebarault <eric.barault@gmail.com> Co-authored-by: tbugfinder <github@online.ms> Co-authored-by: Michiel Dhadamus <michiel.dhadamus@dataminded.be> Co-authored-by: Kinnaird McQuade <kmcquade@users.noreply.github.com> Co-authored-by: tharun-allu <tharun-allu@users.noreply.github.com> Co-authored-by: Kyle <1kylecameron@gmail.com> Co-authored-by: bmihaescu <bmihaescu@gmail.com> Co-authored-by: Nikos Loutas <nloutas@gmail.com> Co-authored-by: Rafael Bernardo <rafaelbernardo@protonmail.com> Co-authored-by: Blaine Schanfeldt <git@blaines.me> Co-authored-by: Andreas Wittig <andreas@widdix.de> Co-authored-by: Ilia Lazebnik <Ilia.lazebnik@gmail.com> Co-authored-by: Niklas Wagner <Skaro@Skaronator.com> Co-authored-by: Sebastian Geidies <sebastian.geidies@bcgdv.com> Co-authored-by: ugur.guneri <ugur.guneri@yiluhub.com>
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Network ACLs provide a layer of security to VPCs with stateless rules for inbound and outbound network connections. This PR adds support for configuring network ACLs for public, private, and intra subnets using a series of variables.
Here is an example that implements some of the rules from Recommended Rules for Scenario 2.
aws_network_acl and aws_network_acl_rule resources are created for the ACL rules. An aws_default_network_acl resource is also created to adopt the default network ACL in the VPC.
Closes #173.