feat: adding the new shared subnet module

Added a new way of sharing subnets, curving out zones within a shared
network

Author: gambol99

README.md

@@ -35,7 +35,7 @@ module "vpc" {
   transit_gateway_id                    = data.aws_ec2_transit_gateway.this.id
   vpc_cidr                              = var.vpc_cidr
 
-  transit_gateway_rotues = {
+  transit_gateway_routes = {
     private = aws_ec2_managed_prefix_list.internal.id
   }
 }
@@ -230,63 +230,73 @@ Remember to:
 1. Ensure CIDR blocks don't overlap
 2. Consider your IP address space requirements
 3. Follow your organization's IP addressing scheme
-4. Update route tables and network ACLs accordingly
 
 The module include a convenient way to share subnets using AWS Resource Access Manager (RAM). Here is an example configuration:
 
 ```hcl
-## Alternatively you specify the subnets directly
+## Provision a network is no subnets inside
 module "vpc" {
   source = "../.."
 
   availability_zones = 3
   name               = "development"
   tags               = local.tags
   vpc_cidr           = "10.90.0.0/16"
+}
+
+## Curve out subnets for sharing
+module "subnets" {
+  source = "../../modules/shared"
+
+  name   = "product-a"
+  share  = { accounts = ["123456789012"] }
+  tags   = local.tags
+  vpc_id = module.vpc.vpc_id
+
+  ## Additional subnet to add to the isolation zone
+  permitted_subnets = [
+    "10.90.20.0/24",
+  ]
 
   subnets = {
-    prod = {
-      netmask = 24
+    web = {
+      cidrs = ["10.90.0.0/24", "10.90.1.0/24"]
     }
-    "dev" = {
-      netmask = 24
+    app = {
+      cidrs = ["10.90.10.0/24", "10.90.11.0/24"]
     }
   }
 }
+```
 
-## Note, due to the arns being dynamic this will be need to perform with a target,
-## i.e vpc must exist before the share can be applied.
-module "share_dev" {
-  source = "../../modules/shared"
+Note, this module will automatically create a network access control list (NACL) for the shared subnets, it will any
 
-  name        = "dev"
-  share       = { accounts = ["123456789012"] }
-  subnet_arns = module.vpc.all_subnets_by_name["dev"].arns
-  tags        = local.tags
+1. Permit all outbound and inbound traffic from the subnets
+2. Permit all outbound and inbound traffic from the `var.permitted_subnets` variable cidr_blocks.
+3. Deny all other traffic to the VPC CIDR block.
+4. Permit all outbound and inbound traffic not destined to the VPC CIDR block.
 
-  depends_on = [module.vpc]
-}
-```
+By performing the above to ensure the subnets are isolated from the rest of the VPC, while still allowing access to external resources.
 
-## Network Access Control Lists (NACLS)
+## Network Access Control Lists (NACLs)
 
 Network Access Control Lists (NACLs) are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs are stateless, meaning that responses to allowed inbound traffic are subject to the rules for outbound traffic. NACLs allow you to explicitly allow or deny traffic based on IP address, port, and protocol. Here's an example of how to configure NACLs in this module:
 
 ```hcl
 module "vpc" {
   source = "../.."
-  
+
   name               = "production"
   vpc_cidr           = "10.0.0.0/16"
   availability_zones = 3
   tags               = local.tags
-  
+
   subnets = {
     private = {
       netmask = 24
     }
   }
-  
+
   nacl_rules = {
     private = {
       inbound_rules = [

examples/nacls/main.tf

@@ -20,7 +20,12 @@ module "vpc" {
 
   subnets = {
     private = {
-      netmask = 24
+      netmask       = 24
+      isolation_key = "private"
+    }
+    devops_apps = {
+      netmask       = 24
+      isolation_key = "devops"
     }
   }
 

examples/shared/README.md

@@ -0,0 +1,16 @@
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+No providers.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_network_inbound_acls"></a> [network\_inbound\_acls](#output\_network\_inbound\_acls) | The inbound network ACLs provisioned |
+| <a name="output_network_outbound_acls"></a> [network\_outbound\_acls](#output\_network\_outbound\_acls) | The outbound network ACLs provisioned |
+<!-- END_TF_DOCS -->

examples/shared/outputs.tf

@@ -5,7 +5,6 @@ locals {
     "GitRepo"     = "https://github.com/appvia/terraform-aws-network"
     "Terraform"   = "true"
   }
-
 }
 
 ## Alteratively you specifiy the subnets directly
@@ -16,26 +15,29 @@ module "vpc" {
   name               = "development"
   tags               = local.tags
   vpc_cidr           = "10.90.0.0/16"
-
-  subnets = {
-    prod = {
-      netmask = 24
-    }
-    "dev" = {
-      netmask = 24
-    }
-  }
 }
 
 ## Note, due to the arns being dynamic this will be need to perfomed with a target,
 ## i.e vpc must exist before the share can be applied.
-module "share_dev" {
+module "subnets" {
   source = "../../modules/shared"
 
-  name        = "dev"
-  share       = { accounts = ["123456789012"] }
-  subnet_arns = module.vpc.all_subnets_by_name["dev"].arns
-  tags        = local.tags
+  name   = "dev"
+  share  = { accounts = ["123456789012"] }
+  tags   = local.tags
+  vpc_id = module.vpc.vpc_id
 
-  depends_on = [module.vpc]
+  permitted_subnets = [
+    "10.90.20.0/24",
+  ]
+
+  subnets = {
+    web = {
+      cidrs = ["10.90.0.0/24", "10.90.1.0/24"]
+    }
+    app = {
+      cidrs = ["10.90.10.0/24", "10.90.11.0/24"]
+    }
+  }
 }
+

examples/sharing/README.md

@@ -0,0 +1,10 @@
+
+output "network_inbound_acls" {
+  description = "The inbound network ACLs provisioned"
+  value       = module.subnets.inbound_network_acls
+}
+
+output "network_outbound_acls" {
+  description = "The outbound network ACLs provisioned"
+  value       = module.subnets.outbound_network_acls
+}

examples/shared/main.tf examples/sharing/main.tfexamples/shared/main.tf renamed to examples/sharing/main.tf

@@ -42,15 +42,17 @@ locals {
     }
   } : null
 
-  ## A collection of all the tags for all the resources 
+  ## A collection of all the tags for all the resources
   tags = merge(var.tags, {})
   # A map of all the subnets by name i.e. private/us-east-1a, public/us-east-1a, etc.
   all_subnets = merge(module.vpc.private_subnet_attributes_by_az, module.vpc.public_subnet_attributes_by_az)
   ## A list of all the names of the subnets
   all_subnets_by_name = { for name in keys(try(var.subnets, {})) : name => {
-    arns = [for k, v in local.all_subnets : format("arn:aws:ec2:%s:%s:subnet/%s", local.region, local.account_id, v.id) if startswith(k, "${name}/")]
-    ids  = [for k, v in local.all_subnets : v.id if startswith(k, "${name}/")]
+    arns        = [for k, v in local.all_subnets : format("arn:aws:ec2:%s:%s:subnet/%s", local.region, local.account_id, v.id) if startswith(k, "${name}/")]
+    cidr_blocks = [for k, v in local.all_subnets : v.cidr_block if startswith(k, "${name}/")]
+    ids         = [for k, v in local.all_subnets : v.id if startswith(k, "${name}/")]
   } }
+
   # A list of all the private subnets cidr blocks
   private_subnet_cidrs = [for k, x in module.vpc.private_subnet_attributes_by_az : x.cidr_block if startswith(k, "private/")]
   # A map of private subnet id to cidr block
@@ -78,6 +80,7 @@ locals {
   # A map of the route table ids for the transit gateway by az
   transit_route_table_by_az = local.enable_transit_gateway ? { for k, v in module.vpc.rt_attributes_by_type_by_az.transit_gateway : k => v.id } : {}
 
+  ## A list of all the subnets
   subnets = merge(
     local.private_subnet,
     local.public_subnet,