chore: Add dedicated NACL rules to intra subnets in example with VPC and S3 Gateway endpoint (#367)

luigidifraiawork · antonbabenko · web-flow · commit c8bde3c336aa · 2022-10-31T18:52:46.000+01:00
Co-authored-by: Anton Babenko &lt;anton@antonbabenko.com&gt;
diff --git a/examples/with-vpc-s3-endpoint/README.md b/examples/with-vpc-s3-endpoint/README.md
@@ -48,6 +48,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Type |
 |------|------|
 | [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+| [aws_ec2_managed_prefix_list.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_iam_policy_document.bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |
diff --git a/examples/with-vpc-s3-endpoint/main.tf b/examples/with-vpc-s3-endpoint/main.tf
@@ -55,6 +55,10 @@ resource "random_pet" "this" {
   length = 2
 }
 
+data "aws_ec2_managed_prefix_list" "this" {
+  name = "com.amazonaws.${data.aws_region.current.name}.s3"
+}
+
 module "vpc" {
   source  = "terraform-aws-modules/vpc/aws"
   version = "~> 3.0"
@@ -66,6 +70,35 @@ module "vpc" {
 
   # Intra subnets are designed to have no Internet access via NAT Gateway.
   intra_subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]
+
+  intra_dedicated_network_acl = true
+  intra_inbound_acl_rules = concat(
+    # NACL rule for local traffic
+    [
+      {
+        rule_number = 100
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 0
+        protocol    = "-1"
+        cidr_block  = "10.0.0.0/16"
+      },
+    ],
+    # NACL rules for the response traffic from addresses in the AWS S3 prefix list
+    [for k, v in zipmap(
+      range(length(data.aws_ec2_managed_prefix_list.this.entries[*].cidr)),
+      data.aws_ec2_managed_prefix_list.this.entries[*].cidr
+      ) :
+      {
+        rule_number = 200 + k
+        rule_action = "allow"
+        from_port   = 1024
+        to_port     = 65535
+        protocol    = "tcp"
+        cidr_block  = v
+      }
+    ]
+  )
 }
 
 module "vpc_endpoints" {
