Merge pull request #31 from appvia/feat/nacls

feat: added the ability to support adding nacls

Author: gambol99

.github/workflows/terraform.yml

@@ -24,3 +24,9 @@ jobs:
     name: Shared Module Validation
     with:
       working-directory: modules/shared
+
+  nacls-validation:
+    uses: appvia/appvia-cicd-workflows/.github/workflows/terraform-module-validation.yml@main
+    name: NACLS Validation
+    with:
+      working-directory: modules/nacls

README.md

@@ -266,6 +266,52 @@ module "share_dev" {
 }
 ```
 
+## Network Access Control Lists (NACLS)
+
+Network Access Control Lists (NACLs) are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs are stateless, meaning that responses to allowed inbound traffic are subject to the rules for outbound traffic. NACLs allow you to explicitly allow or deny traffic based on IP address, port, and protocol. Here's an example of how to configure NACLs in this module:
+
+```hcl
+module "vpc" {
+  source = "../.."
+  
+  name               = "production"
+  vpc_cidr           = "10.0.0.0/16"
+  availability_zones = 3
+  tags               = local.tags
+  
+  subnets = {
+    private = {
+      netmask = 24
+    }
+  }
+  
+  nacl_rules = {
+    private = {
+      inbound_rules = [
+        {
+          cidr_block  = "10.0.0.0/24"
+          from_port   = 22
+          to_port     = 22
+          protocol    = 6  # TCP
+          rule_action = "allow"
+          rule_number = 100
+        }
+      ],
+      outbound_rules = [
+        {
+          cidr_block  = "0.0.0.0/0"
+          from_port   = 0
+          to_port     = 65535
+          protocol    = -1  # All traffic
+          rule_action = "allow"
+          rule_number = 100
+        }
+      ]
+    }
+  }
+}
+```
+
 ## Update Documentation
 
 The `terraform-docs` utility is used to generate this README. Follow the below steps to update:
@@ -299,6 +345,7 @@ The `terraform-docs` utility is used to generate this README. Follow the below s
 | <a name="input_enable_transit_gateway_subnet_natgw"></a> [enable\_transit\_gateway\_subnet\_natgw](#input\_enable\_transit\_gateway\_subnet\_natgw) | Indicates if the transit gateway subnets should be connected to a nat gateway | `bool` | `false` | no |
 | <a name="input_exclude_route53_resolver_rules"></a> [exclude\_route53\_resolver\_rules](#input\_exclude\_route53\_resolver\_rules) | List of resolver rules to exclude from association | `list(string)` | `[]` | no |
 | <a name="input_ipam_pool_id"></a> [ipam\_pool\_id](#input\_ipam\_pool\_id) | An optional pool id to use for IPAM pool to use | `string` | `null` | no |
+| <a name="input_nacl_rules"></a> [nacl\_rules](#input\_nacl\_rules) | Map of NACL rules to apply to different subnet types. Each rule requires from\_port, to\_port, protocol, rule\_action, cidr\_block, and rule\_number | <pre>map(object({<br/>    inbound_rules = list(object({<br/>      cidr_block      = string<br/>      from_port       = number<br/>      icmp_code       = optional(number, 0)<br/>      icmp_type       = optional(number, 0)<br/>      ipv6_cidr_block = optional(string, null)<br/>      protocol        = optional(number, -1)<br/>      rule_action     = string<br/>      rule_number     = number<br/>      to_port         = number<br/>    }))<br/>    outbound_rules = list(object({<br/>      cidr_block      = string<br/>      from_port       = number<br/>      icmp_code       = optional(number, 0)<br/>      icmp_type       = optional(number, 0)<br/>      ipv6_cidr_block = optional(string, null)<br/>      protocol        = optional(number, -1)<br/>      rule_action     = string<br/>      rule_number     = number<br/>      to_port         = number<br/>    }))<br/>  }))</pre> | `{}` | no |
 | <a name="input_nat_gateway_mode"></a> [nat\_gateway\_mode](#input\_nat\_gateway\_mode) | The configuration mode of the NAT gateways | `string` | `"none"` | no |
 | <a name="input_private_subnet_netmask"></a> [private\_subnet\_netmask](#input\_private\_subnet\_netmask) | The netmask for the private subnets | `number` | `0` | no |
 | <a name="input_private_subnet_tags"></a> [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no |

examples/nacls/README.md

@@ -0,0 +1,37 @@
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+No providers.
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | The public IPs of the NAT Gateways i.e [public\_ip, public\_ip] |
+| <a name="output_natgw_id_per_az"></a> [natgw\_id\_per\_az](#output\_natgw\_id\_per\_az) | The IDs of the NAT Gateways (see aws-ia/vpc/aws for details) |
+| <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | The IDs of the private route tables ie. [route\_table\_id, route\_table\_id] |
+| <a name="output_private_subnet_attributes_by_az"></a> [private\_subnet\_attributes\_by\_az](#output\_private\_subnet\_attributes\_by\_az) | The attributes of the private subnets (see aws-ia/vpc/aws for details) |
+| <a name="output_private_subnet_cidr_by_id"></a> [private\_subnet\_cidr\_by\_id](#output\_private\_subnet\_cidr\_by\_id) | A map of the private subnet ID to CIDR block i.e. us-west-2a => subnet\_cidr |
+| <a name="output_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#output\_private\_subnet\_cidrs) | A list of the CIDRs for the private subnets |
+| <a name="output_private_subnet_id_by_az"></a> [private\_subnet\_id\_by\_az](#output\_private\_subnet\_id\_by\_az) | A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet\_id |
+| <a name="output_private_subnet_ids"></a> [private\_subnet\_ids](#output\_private\_subnet\_ids) | The IDs of the private subnets i.e. [subnet\_id, subnet\_id] |
+| <a name="output_public_route_table_ids"></a> [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | The IDs of the public route tables ie. [route\_table\_id, route\_table\_id] |
+| <a name="output_public_subnet_attributes_by_az"></a> [public\_subnet\_attributes\_by\_az](#output\_public\_subnet\_attributes\_by\_az) | The attributes of the public subnets (see aws-ia/vpc/aws for details) |
+| <a name="output_public_subnet_cidr_by_id"></a> [public\_subnet\_cidr\_by\_id](#output\_public\_subnet\_cidr\_by\_id) | A map of the public subnet ID to CIDR block i.e. us-west-2a => subnet\_cidr |
+| <a name="output_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#output\_public\_subnet\_cidrs) | A list of the CIDRs for the public subnets i.e. [subnet\_cidr, subnet\_cidr] |
+| <a name="output_public_subnet_id_by_az"></a> [public\_subnet\_id\_by\_az](#output\_public\_subnet\_id\_by\_az) | A map of availability zone to subnet id of the public subnets i.e. eu-west-2a => subnet\_id |
+| <a name="output_public_subnet_ids"></a> [public\_subnet\_ids](#output\_public\_subnet\_ids) | The IDs of the public subnets i.e. [subnet\_id, subnet\_id] |
+| <a name="output_rt_attributes_by_type_by_az"></a> [rt\_attributes\_by\_type\_by\_az](#output\_rt\_attributes\_by\_type\_by\_az) | The attributes of the route tables (see aws-ia/vpc/aws for details) |
+| <a name="output_transit_gateway_attachment_id"></a> [transit\_gateway\_attachment\_id](#output\_transit\_gateway\_attachment\_id) | The ID of the transit gateway attachment if enabled |
+| <a name="output_transit_route_table_by_az"></a> [transit\_route\_table\_by\_az](#output\_transit\_route\_table\_by\_az) | A map of availability zone to transit gateway route table ID i.e eu-west-2a => route\_table\_id |
+| <a name="output_transit_route_table_ids"></a> [transit\_route\_table\_ids](#output\_transit\_route\_table\_ids) | The IDs of the transit gateway route tables ie. [route\_table\_id, route\_table\_id] |
+| <a name="output_transit_subnet_attributes_by_az"></a> [transit\_subnet\_attributes\_by\_az](#output\_transit\_subnet\_attributes\_by\_az) | The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details) |
+| <a name="output_transit_subnet_ids"></a> [transit\_subnet\_ids](#output\_transit\_subnet\_ids) | The IDs of the transit gateway subnets ie. [subnet\_id, subnet\_id] |
+| <a name="output_vpc_attributes"></a> [vpc\_attributes](#output\_vpc\_attributes) | The attributes of the VPC (see aws-ia/vpc/aws for details) |
+| <a name="output_vpc_cidr"></a> [vpc\_cidr](#output\_vpc\_cidr) | The CIDR block of the VPC |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |
+<!-- END_TF_DOCS -->

examples/nacls/main.tf

@@ -0,0 +1,51 @@
+
+locals {
+  tags = {
+    "Environment" = "test"
+    "GitRepo"     = "https://github.com/appvia/terraform-aws-network"
+    "Terraform"   = "true"
+  }
+}
+
+## Provision a VPC with public and private subnets
+module "vpc" {
+  source = "../.."
+
+  availability_zones            = 2
+  enable_ssm                    = false
+  enable_route53_resolver_rules = false
+  name                          = "operations"
+  tags                          = local.tags
+  vpc_cidr                      = "10.100.0.0/21"
+
+  subnets = {
+    private = {
+      netmask = 24
+    }
+  }
+
+  nacl_rules = {
+    private = {
+      inbound_rules = [
+        {
+          cidr_block  = "10.100.0.0/24"
+          from_port   = 22
+          to_port     = 22
+          protocol    = -1
+          rule_action = "allow"
+          rule_number = 50
+        }
+      ]
+      outbound_rules = [
+        {
+          cidr_block  = "10.100.0.0/24"
+          from_port   = 22
+          to_port     = 22
+          protocol    = -1
+          rule_action = "allow"
+          rule_number = 50
+        }
+      ]
+    }
+  }
+}

examples/nacls/outputs.tf

@@ -0,0 +1,115 @@
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}
+
+output "vpc_cidr" {
+  description = "The CIDR block of the VPC"
+  value       = module.vpc.vpc_attributes.cidr_block
+}
+
+output "vpc_attributes" {
+  description = "The attributes of the VPC (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.vpc_attributes
+}
+
+output "private_subnet_cidrs" {
+  description = "A list of the CIDRs for the private subnets"
+  value       = module.vpc.private_subnet_cidrs
+}
+
+output "public_subnet_cidrs" {
+  description = "A list of the CIDRs for the public subnets i.e. [subnet_cidr, subnet_cidr]"
+  value       = module.vpc.public_subnet_cidrs
+}
+
+output "private_subnet_cidr_by_id" {
+  description = "A map of the private subnet ID to CIDR block i.e. us-west-2a => subnet_cidr"
+  value       = module.vpc.private_subnet_cidr_by_id
+}
+
+output "public_subnet_cidr_by_id" {
+  description = "A map of the public subnet ID to CIDR block i.e. us-west-2a => subnet_cidr"
+  value       = module.vpc.public_subnet_cidr_by_id
+}
+
+output "private_subnet_id_by_az" {
+  description = "A map of availability zone to subnet id of the private subnets i.e. eu-west-2a => subnet_id"
+  value       = module.vpc.private_subnet_id_by_az
+}
+
+output "public_subnet_id_by_az" {
+  description = "A map of availability zone to subnet id of the public subnets i.e. eu-west-2a => subnet_id"
+  value       = module.vpc.public_subnet_id_by_az
+}
+
+output "private_subnet_attributes_by_az" {
+  description = "The attributes of the private subnets (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.private_subnet_attributes_by_az
+}
+
+output "public_subnet_attributes_by_az" {
+  description = "The attributes of the public subnets (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.public_subnet_attributes_by_az
+}
+
+output "transit_subnet_attributes_by_az" {
+  description = "The attributes of the transit gateway subnets (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.transit_subnet_attributes_by_az
+}
+
+output "natgw_id_per_az" {
+  description = "The IDs of the NAT Gateways (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.natgw_id_per_az
+}
+
+output "rt_attributes_by_type_by_az" {
+  description = "The attributes of the route tables (see aws-ia/vpc/aws for details)"
+  value       = module.vpc.rt_attributes_by_type_by_az
+}
+
+output "private_subnet_ids" {
+  description = "The IDs of the private subnets i.e. [subnet_id, subnet_id]"
+  value       = module.vpc.private_subnet_ids
+}
+
+output "public_subnet_ids" {
+  description = "The IDs of the public subnets i.e. [subnet_id, subnet_id]"
+  value       = module.vpc.public_subnet_ids
+}
+
+output "transit_subnet_ids" {
+  description = "The IDs of the transit gateway subnets ie. [subnet_id, subnet_id]"
+  value       = module.vpc.transit_subnet_ids
+}
+
+output "private_route_table_ids" {
+  description = "The IDs of the private route tables ie. [route_table_id, route_table_id]"
+  value       = module.vpc.private_route_table_ids
+}
+
+output "public_route_table_ids" {
+  description = "The IDs of the public route tables ie. [route_table_id, route_table_id]"
+  value       = module.vpc.public_route_table_ids
+}
+
+output "transit_route_table_ids" {
+  description = "The IDs of the transit gateway route tables ie. [route_table_id, route_table_id]"
+  value       = module.vpc.transit_route_table_ids
+}
+
+output "transit_route_table_by_az" {
+  description = "A map of availability zone to transit gateway route table ID i.e eu-west-2a => route_table_id"
+  value       = module.vpc.transit_route_table_by_az
+}
+
+output "transit_gateway_attachment_id" {
+  description = "The ID of the transit gateway attachment if enabled"
+  value       = module.vpc.transit_gateway_attachment_id
+}
+
+output "nat_public_ips" {
+  description = "The public IPs of the NAT Gateways i.e [public_ip, public_ip]"
+  value       = module.vpc.nat_public_ips
+}

examples/nacls/terraform.tf

@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.0.0"
+    }
+  }
+}

examples/nacls/variables.tf

@@ -17,6 +17,22 @@ module "vpc" {
   vpc_ipv4_netmask_length  = var.vpc_netmask
 }
 
+## Provision the NACLs for each of the subnets
+module "nacls" {
+  for_each = var.nacl_rules
+  source   = "./modules/nacls"
+
+  inbound_rules  = var.nacl_rules[each.key].inbound_rules
+  name           = each.key
+  outbound_rules = var.nacl_rules[each.key].outbound_rules
+  subnet_count   = var.availability_zones
+  subnet_ids     = local.all_subnets_by_name[each.key].ids
+  tags           = var.tags
+  vpc_id         = module.vpc.vpc_attributes.id
+
+  depends_on = [module.vpc]
+}
+
 ## Enable DNS request logging if required
 resource "aws_cloudwatch_log_group" "dns_query_logs" {
   count = var.enable_dns_request_logging ? 1 : 0
@@ -44,7 +60,7 @@ resource "aws_route53_resolver_query_log_config_association" "dns_query_log_asso
 
 ## Associate any resolver rules with the vpc if required
 resource "aws_route53_resolver_rule_association" "vpc_associations" {
-  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : null
+  for_each = var.enable_route53_resolver_rules ? toset(local.resolver_rules) : []
 
   resolver_rule_id = each.value
   vpc_id           = module.vpc.vpc_attributes.id

main.tf

@@ -0,0 +1,23 @@
+<!-- BEGIN_TF_DOCS -->
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_name"></a> [name](#input\_name) | The name of the subnets to create the NACL for | `string` | n/a | yes |
+| <a name="input_subnet_count"></a> [subnet\_count](#input\_subnet\_count) | The number of subnets to create the NACL for | `number` | n/a | yes |
+| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | The subnet IDs to apply the NACL to | `list(string)` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to apply to the NACL | `map(string)` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | The VPC ID to create the NACL in | `string` | n/a | yes |
+| <a name="input_inbound_rules"></a> [inbound\_rules](#input\_inbound\_rules) | The inbound rules to apply to the NACL | <pre>list(object({<br/>    cidr_block      = string<br/>    from_port       = number<br/>    icmp_code       = optional(number, 0)<br/>    icmp_type       = optional(number, 0)<br/>    ipv6_cidr_block = optional(string, null)<br/>    protocol        = optional(number, -1)<br/>    rule_action     = string<br/>    rule_number     = number<br/>    to_port         = number<br/>  }))</pre> | `[]` | no |
+| <a name="input_outbound_rules"></a> [outbound\_rules](#input\_outbound\_rules) | The outbound rules to apply to the NACL | <pre>list(object({<br/>    cidr_block      = string<br/>    from_port       = number<br/>    icmp_code       = optional(number, 0)<br/>    icmp_type       = optional(number, 0)<br/>    ipv6_cidr_block = optional(string, null)<br/>    protocol        = optional(number, -1)<br/>    rule_action     = string<br/>    rule_number     = number<br/>    to_port         = number<br/>  }))</pre> | `[]` | no |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

modules/nacls/README.md

@@ -0,0 +1,21 @@
+locals {
+  inbound = merge([
+    for idx in range(var.subnet_count) : {
+      for rule_idx, rule in try(var.inbound_rules, []) :
+      "${idx}-${rule_idx}" => {
+        id   = var.subnet_ids[idx]
+        rule = rule
+      }
+    }
+  ]...)
+
+  outbound = merge([
+    for idx in range(var.subnet_count) : {
+      for rule_idx, rule in try(var.outbound_rules, []) :
+      "${idx}-${rule_idx}" => {
+        id   = var.subnet_ids[idx]
+        rule = rule
+      }
+    }
+  ]...)
+}