chore: resolving the issues post testing

Author: gambol99

examples/nacls/main.tf

@@ -11,19 +11,17 @@ locals {
 module "vpc" {
   source = "../.."
 
-  availability_zones = 3
-  enable_ssm         = true
-  name               = "operations"
-  tags               = local.tags
-  vpc_cidr           = "10.100.0.0/21"
+  availability_zones            = 2
+  enable_ssm                    = false
+  enable_route53_resolver_rules = false
+  name                          = "operations"
+  tags                          = local.tags
+  vpc_cidr                      = "10.100.0.0/21"
 
   subnets = {
     private = {
       netmask = 24
     }
-    public = {
-      netmask = 24
-    }
   }
 
   nacl_rules = {
@@ -35,7 +33,7 @@ module "vpc" {
           to_port     = 22
           protocol    = -1
           rule_action = "allow"
-          rule_number = 100
+          rule_number = 50
         }
       ]
       outbound_rules = [
@@ -45,7 +43,7 @@ module "vpc" {
           to_port     = 22
           protocol    = -1
           rule_action = "allow"
-          rule_number = 100
+          rule_number = 50
         }
       ]
     }

main.tf

@@ -22,12 +22,13 @@ module "nacls" {
   for_each = var.nacl_rules
   source   = "./modules/nacls"
 
-  vpc_id         = module.vpc.vpc_attributes.id
-  subnet_count   = var.availability_zones
-  subnet_ids     = local.all_subnets_by_name[each.key].ids
   inbound_rules  = var.nacl_rules[each.key].inbound_rules
+  name           = each.key
   outbound_rules = var.nacl_rules[each.key].outbound_rules
+  subnet_count   = var.availability_zones
+  subnet_ids     = local.all_subnets_by_name[each.key].ids
   tags           = var.tags
+  vpc_id         = module.vpc.vpc_attributes.id
 
   depends_on = [module.vpc]
 }
@@ -59,7 +60,7 @@ resource "aws_route53_resolver_query_log_config_association" "dns_query_log_asso
 
 ## Associate any resolver rules with the vpc if required
 resource "aws_route53_resolver_rule_association" "vpc_associations" {
-  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : null
+  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : []
 
   resolver_rule_id = each.value
   vpc_id           = module.vpc.vpc_attributes.id

modules/nacls/main.tf

@@ -1,16 +1,11 @@
 
 ## Provision the inbound NACL 
-resource "aws_network_acl" "inbound" {
+resource "aws_network_acl" "nacl" {
   vpc_id = var.vpc_id
-  tags   = var.tags
+  tags   = merge(var.tags, { Name = "${var.name}" })
 }
 
 ## Provision the outbound NACL  
-resource "aws_network_acl" "outbound" {
-  vpc_id = var.vpc_id
-  tags   = var.tags
-}
-
 ## Provision the inbound NACL rules 
 resource "aws_network_acl_rule" "inbound" {
   for_each = local.inbound
@@ -21,21 +16,13 @@ resource "aws_network_acl_rule" "inbound" {
   icmp_code       = each.value.rule.icmp_code
   icmp_type       = each.value.rule.icmp_type
   ipv6_cidr_block = each.value.rule.ipv6_cidr_block
-  network_acl_id  = aws_network_acl.inbound.id
+  network_acl_id  = aws_network_acl.nacl.id
   protocol        = each.value.rule.protocol
   rule_action     = each.value.rule.rule_action
   rule_number     = each.value.rule.rule_number
   to_port         = each.value.rule.to_port
 }
 
-## Associate the inbound NACL with the subnets  
-resource "aws_network_acl_association" "inbound" {
-  for_each = local.inbound
-
-  network_acl_id = aws_network_acl.inbound.id
-  subnet_id      = each.value.id
-}
-
 ## Provision the outbound NACL rules  
 resource "aws_network_acl_rule" "outbound" {
   for_each = local.outbound
@@ -46,17 +33,17 @@ resource "aws_network_acl_rule" "outbound" {
   icmp_code       = each.value.rule.icmp_code
   icmp_type       = each.value.rule.icmp_type
   ipv6_cidr_block = each.value.rule.ipv6_cidr_block
-  network_acl_id  = aws_network_acl.outbound.id
+  network_acl_id  = aws_network_acl.nacl.id
   protocol        = each.value.rule.protocol
   rule_action     = each.value.rule.rule_action
   rule_number     = each.value.rule.rule_number
   to_port         = each.value.rule.to_port
 }
 
-## Associate the outbound NACL with the subnets  
-resource "aws_network_acl_association" "outbound" {
-  for_each = local.outbound
+## Associate the inbound NACL with the subnets  
+resource "aws_network_acl_association" "nacl" {
+  for_each = local.inbound
 
-  network_acl_id = aws_network_acl.outbound.id
+  network_acl_id = aws_network_acl.nacl.id
   subnet_id      = each.value.id
 }

modules/nacls/variables.tf

@@ -1,4 +1,9 @@
 
+variable "name" {
+  description = "The name of the subnets to create the NACL for"
+  type        = string
+}
+
 variable "vpc_id" {
   description = "The VPC ID to create the NACL in"
   type        = string

tests/nacls.tftest.hcl

@@ -75,6 +75,7 @@ run "check_nacl_rules" {
   }
 
   variables {
+    name         = "private"
     vpc_id       = "vpc-1234567890"
     subnet_count = 3
     subnet_ids   = ["subnet-1234567890", "subnet-1234567891", "subnet-1234567892"]
@@ -106,63 +107,38 @@ run "check_nacl_rules" {
   }
 
   assert {
-    condition     = aws_network_acl.inbound != null
+    condition     = aws_network_acl.nacl != null
     error_message = "Inbound NACL should be created"
   }
 
   assert {
-    condition     = aws_network_acl.inbound.vpc_id == "vpc-1234567890"
+    condition     = aws_network_acl.nacl.vpc_id == "vpc-1234567890"
     error_message = "Inbound NACL should be associated with the VPC"
   }
 
   assert {
-    condition     = aws_network_acl.outbound != null
-    error_message = "Outbound NACL should be created"
-  }
-
-  assert {
-    condition     = length(aws_network_acl.inbound.tags) > 0
+    condition     = length(aws_network_acl.nacl.tags) > 0
     error_message = "Inbound NACL should have the correct tags"
   }
 
   assert {
-    condition     = aws_network_acl.outbound.vpc_id == "vpc-1234567890"
+    condition     = aws_network_acl.nacl.vpc_id == "vpc-1234567890"
     error_message = "Outbound NACL should be associated with the VPC"
   }
 
-  assert {
-    condition     = length(aws_network_acl.outbound.tags) > 0
-    error_message = "Outbound NACL should have the correct tags"
-  }
-
   assert {
     error_message = "It should associate the inbound NACL with the subnets"
-    condition     = aws_network_acl_association.inbound["0-0"].subnet_id == "subnet-1234567890"
+    condition     = aws_network_acl_association.nacl["0-0"].subnet_id == "subnet-1234567890"
   }
 
   assert {
     error_message = "It should associate the inbound NACL with the subnets"
-    condition     = aws_network_acl_association.inbound["1-0"].subnet_id == "subnet-1234567891"
+    condition     = aws_network_acl_association.nacl["1-0"].subnet_id == "subnet-1234567891"
   }
 
   assert {
     error_message = "It should associate the inbound NACL with the subnets"
-    condition     = aws_network_acl_association.inbound["2-0"].subnet_id == "subnet-1234567892"
-  }
-
-  assert {
-    error_message = "It should associate the outbound NACL with the subnets"
-    condition     = aws_network_acl_association.outbound["0-0"].subnet_id == "subnet-1234567890"
-  }
-
-  assert {
-    error_message = "It should associate the outbound NACL with the subnets"
-    condition     = aws_network_acl_association.outbound["1-0"].subnet_id == "subnet-1234567891"
-  }
-
-  assert {
-    error_message = "It should associate the outbound NACL with the subnets"
-    condition     = aws_network_acl_association.outbound["2-0"].subnet_id == "subnet-1234567892"
+    condition     = aws_network_acl_association.nacl["2-0"].subnet_id == "subnet-1234567892"
   }
 
   assert {