feat: narrow down network acls for intra vpc connectivity to vpc address space (#471)

Author: imprateeksh

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "go.sum|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2023-03-21T00:26:22Z",
+  "generated_at": "2023-03-31T22:07:49Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"

README.md

@@ -95,6 +95,7 @@ You need the following permissions to run this module.
 | [ibm_is_vpc_address_prefix.subnet_prefix](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_address_prefix) | resource |
 | [ibm_is_vpc_routing_table.route_table](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table) | resource |
 | [ibm_is_vpc_routing_table_route.routing_table_routes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/is_vpc_routing_table_route) | resource |
+| [ibm_is_vpc_address_prefixes.get_address_prefixes](https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/data-sources/is_vpc_address_prefixes) | data source |
 
 ## Inputs
 
@@ -127,6 +128,7 @@ You need the following permissions to run this module.
 
 | Name | Description |
 |------|-------------|
+| <a name="output_cidr_blocks"></a> [cidr\_blocks](#output\_cidr\_blocks) | List of CIDR blocks present in VPC stack |
 | <a name="output_network_acls"></a> [network\_acls](#output\_network\_acls) | List of shortnames and IDs of network ACLs |
 | <a name="output_public_gateways"></a> [public\_gateways](#output\_public\_gateways) | Map of public gateways by zone |
 | <a name="output_subnet_detail_list"></a> [subnet\_detail\_list](#output\_subnet\_detail\_list) | A list of subnets containing names, CIDR blocks, and zones. |

examples/default/main.tf

@@ -52,4 +52,5 @@ module "slz_vpc" {
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = ibm_resource_instance.cos_instance[0].guid
   existing_storage_bucket_name           = ibm_cos_bucket.cos_bucket[0].bucket_name
+  address_prefixes                       = var.address_prefixes
 }

examples/default/outputs.tf

@@ -26,3 +26,8 @@ output "cos_bucket_name" {
   value       = ibm_cos_bucket.cos_bucket[0].bucket_name
   description = "COS bucket name"
 }
+
+output "cidr_blocks" {
+  value       = module.slz_vpc.cidr_blocks
+  description = "CIDR values"
+}

examples/default/variables.tf

@@ -61,3 +61,21 @@ variable "create_authorization_policy_vpc_to_cos" {
   type        = bool
   default     = true
 }
+
+variable "address_prefixes" {
+  description = "OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes"
+  type = object({
+    zone-1 = optional(list(string))
+    zone-2 = optional(list(string))
+    zone-3 = optional(list(string))
+  })
+  default = {
+    zone-1 = ["10.10.10.0/24"]
+    zone-2 = ["10.20.10.0/24"]
+    zone-3 = ["10.30.10.0/24"]
+  }
+  validation {
+    error_message = "Keys for `use_public_gateways` must be in the order `zone-1`, `zone-2`, `zone-3`."
+    condition     = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3")
+  }
+}

main.tf

@@ -36,6 +36,10 @@ resource "ibm_is_vpc_address_prefix" "address_prefixes" {
   cidr     = each.value.cidr
 }
 
+data "ibm_is_vpc_address_prefixes" "get_address_prefixes" {
+  depends_on = [ibm_is_vpc_address_prefix.address_prefixes, ibm_is_vpc_address_prefix.subnet_prefix]
+  vpc        = ibm_is_vpc.vpc.id
+}
 ##############################################################################
 
 

module-metadata.json

@@ -372,6 +372,14 @@
     }
   },
   "outputs": {
+    "cidr_blocks": {
+      "name": "cidr_blocks",
+      "description": "List of CIDR blocks present in VPC stack",
+      "pos": {
+        "filename": "outputs.tf",
+        "line": 137
+      }
+    },
     "network_acls": {
       "name": "network_acls",
       "description": "List of shortnames and IDs of network ACLs",
@@ -490,7 +498,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 102
+        "line": 106
       }
     },
     "ibm_is_flow_log.flow_logs": {
@@ -510,7 +518,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 113
+        "line": 117
       }
     },
     "ibm_is_network_acl.network_acl": {
@@ -526,7 +534,7 @@
       },
       "pos": {
         "filename": "network_acls.tf",
-        "line": 133
+        "line": 137
       }
     },
     "ibm_is_public_gateway.gateway": {
@@ -543,7 +551,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 81
+        "line": 85
       }
     },
     "ibm_is_security_group_rule.default_vpc_rule": {
@@ -632,7 +640,7 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 46
+        "line": 50
       }
     },
     "ibm_is_vpc_routing_table_route.routing_table_routes": {
@@ -647,11 +655,24 @@
       },
       "pos": {
         "filename": "main.tf",
-        "line": 55
+        "line": 59
+      }
+    }
+  },
+  "data_resources": {
+    "data.ibm_is_vpc_address_prefixes.get_address_prefixes": {
+      "mode": "data",
+      "type": "ibm_is_vpc_address_prefixes",
+      "name": "get_address_prefixes",
+      "provider": {
+        "name": "ibm"
+      },
+      "pos": {
+        "filename": "main.tf",
+        "line": 39
       }
     }
   },
-  "data_resources": {},
   "module_calls": {
     "dynamic_values": {
       "name": "dynamic_values",

network_acls.tf

@@ -47,31 +47,35 @@ locals {
     }
   ]
 
-  vpc_connectivity_rules = [
-    # All connectivity across any subnet within VPC
-    # TODO: narrow down to VPC address spaces
+  vpc_inbound_rule = [
+    for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
     {
-      name        = "ibmflow-allow-vpc-connectivity-inbound"
+      name        = "ibmflow-allow-vpc-connectivity-inbound-${substr(address.id, -4, -1)}" # Providing unique rule names
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = address.cidr
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       direction   = "inbound"
       tcp         = null
       udp         = null
       icmp        = null
-    },
+    }
+  ]
+  vpc_outbound_rule = [
+    for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes :
     {
-      name        = "ibmflow-allow-vpc-connectivity-outbound"
+      name        = "ibmflow-allow-vpc-connectivity-outbound-${substr(address.name, -4, -1)}"
       action      = "allow"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      destination = address.cidr
       direction   = "outbound"
       tcp         = null
       udp         = null
       icmp        = null
     }
   ]
 
+  vpc_connectivity_rules = distinct(flatten(concat(local.vpc_inbound_rule, local.vpc_outbound_rule)))
+
   deny_all_rules = [
     {
       name        = "ibmflow-deny-all-inbound"

outputs.tf

@@ -134,3 +134,7 @@ output "vpc_flow_logs" {
 }
 
 ##############################################################################
+output "cidr_blocks" {
+  description = "List of CIDR blocks present in VPC stack"
+  value       = [for address in data.ibm_is_vpc_address_prefixes.get_address_prefixes.address_prefixes : address.cidr]
+}

tests/pr_test.go

@@ -10,12 +10,18 @@ import (
 const defaultExampleTerraformDir = "examples/default"
 const resourceGroup = "geretain-test-resources"
 
+// The ACL ignores can be removed once we merge this PR (https://github.com/terraform-ibm-modules/terraform-ibm-landing-zone-vpc/pull/471)
+var ignoreUpdates = []string{"module.slz_vpc.ibm_is_network_acl.network_acl[\"vpc-acl\"]"}
+
 func setupOptions(t *testing.T, prefix string) *testhelper.TestOptions {
 	options := testhelper.TestOptionsDefaultWithVars(&testhelper.TestOptions{
 		Testing:       t,
 		TerraformDir:  defaultExampleTerraformDir,
 		Prefix:        prefix,
 		ResourceGroup: resourceGroup,
+		IgnoreUpdates: testhelper.Exemptions{
+			List: ignoreUpdates,
+		},
 	})
 
 	return options