feat: customer acl rules(#360)

vburckhardt · web-flow · commit 6148fc248b1b · 2023-02-28T17:16:14.000Z
* feat: give option to append or prepend ibm rules
* feat: add a deny all as last element of the list (this is a best practice, and not mandatory as implicit - but absence typically raise questions)
* feat: add prefix "ibmflow-" to ibm rules

BREAKING CHANGE: The interface of the `network_acls` input variable has changed. If your code is setting this variable explicitly, this change requires to add a few extra optional parameters: `add_ibm_cloud_internal_rules`, `add_vpc_connectivity_rules`, `prepend_ibm_rules` . The parameter `add_cluster_rules` has been renamed `add_ibm_cloud_internal_rules`
diff --git a/README.md b/README.md
@@ -104,7 +104,7 @@ You need the following permissions to run this module.
 | <a name="input_default_routing_table_name"></a> [default\_routing\_table\_name](#input\_default\_routing\_table\_name) | OPTIONAL - Name of the Default Routing Table. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_default_security_group_name"></a> [default\_security\_group\_name](#input\_default\_security\_group\_name) | OPTIONAL - Name of the Default Security Group. If null, a name will be automatically generated | `string` | `null` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
-| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL. | <pre>list(<br>    object({<br>      name                = string<br>      network_connections = optional(list(string))<br>      add_cluster_rules   = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_cluster_rules": true,<br>    "name": "vpc-acl",<br>    "rules": [<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "inbound",<br>        "name": "allow-all-inbound",<br>        "source": "0.0.0.0/0"<br>      },<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "outbound",<br>        "name": "allow-all-outbound",<br>        "source": "0.0.0.0/0"<br>      }<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      network_connections          = optional(list(string))<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": [<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "inbound",<br>        "name": "allow-all-443-inbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "port_max": 443,<br>          "port_min": 443<br>        }<br>      },<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "outbound",<br>        "name": "allow-all-443-outbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "source_port_max": 443,<br>          "source_port_min": 443<br>        }<br>      }<br>    ]<br>  }<br>]</pre> | no |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes |
diff --git a/common-dev-assets b/common-dev-assets
@@ -1 +1 @@
-Subproject commit 1814d884cb801f3a89920e4d512544691ebec58d
+Subproject commit d9e733d1391648efd265f49291f6bc4fd7caa7b7
diff --git a/module-metadata.json b/module-metadata.json
@@ -92,26 +92,36 @@
     },
     "network_acls": {
       "name": "network_acls",
-      "type": "list(\n    object({\n      name                = string\n      network_connections = optional(list(string))\n      add_cluster_rules   = optional(bool)\n      rules = list(\n        object({\n          name        = string\n          action      = string\n          destination = string\n          direction   = string\n          source      = string\n          tcp = optional(\n            object({\n              port_max        = optional(number)\n              port_min        = optional(number)\n              source_port_max = optional(number)\n              source_port_min = optional(number)\n            })\n          )\n          udp = optional(\n            object({\n              port_max        = optional(number)\n              port_min        = optional(number)\n              source_port_max = optional(number)\n              source_port_min = optional(number)\n            })\n          )\n          icmp = optional(\n            object({\n              type = optional(number)\n              code = optional(number)\n            })\n          )\n        })\n      )\n    })\n  )",
+      "type": "list(\n    object({\n      name                         = string\n      network_connections          = optional(list(string))\n      add_ibm_cloud_internal_rules = optional(bool)\n      add_vpc_connectivity_rules   = optional(bool)\n      prepend_ibm_rules            = optional(bool)\n      rules = list(\n        object({\n          name        = string\n          action      = string\n          destination = string\n          direction   = string\n          source      = string\n          tcp = optional(\n            object({\n              port_max        = optional(number)\n              port_min        = optional(number)\n              source_port_max = optional(number)\n              source_port_min = optional(number)\n            })\n          )\n          udp = optional(\n            object({\n              port_max        = optional(number)\n              port_min        = optional(number)\n              source_port_max = optional(number)\n              source_port_min = optional(number)\n            })\n          )\n          icmp = optional(\n            object({\n              type = optional(number)\n              code = optional(number)\n            })\n          )\n        })\n      )\n    })\n  )",
       "description": "List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL.",
       "default": [
         {
-          "add_cluster_rules": true,
+          "add_ibm_cloud_internal_rules": true,
+          "add_vpc_connectivity_rules": true,
           "name": "vpc-acl",
+          "prepend_ibm_rules": true,
           "rules": [
             {
               "action": "allow",
               "destination": "0.0.0.0/0",
               "direction": "inbound",
-              "name": "allow-all-inbound",
-              "source": "0.0.0.0/0"
+              "name": "allow-all-443-inbound",
+              "source": "0.0.0.0/0",
+              "tcp": {
+                "port_max": 443,
+                "port_min": 443
+              }
             },
             {
               "action": "allow",
               "destination": "0.0.0.0/0",
               "direction": "outbound",
-              "name": "allow-all-outbound",
-              "source": "0.0.0.0/0"
+              "name": "allow-all-443-outbound",
+              "source": "0.0.0.0/0",
+              "tcp": {
+                "source_port_max": 443,
+                "source_port_min": 443
+              }
             }
           ]
         }
@@ -202,7 +212,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 362
+        "line": 374
       }
     },
     "security_group_rules": {
@@ -221,7 +231,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 296
+        "line": 308
       }
     },
     "subnets": {
@@ -259,7 +269,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 233
+        "line": 245
       }
     },
     "tags": {
@@ -312,7 +322,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 207
+        "line": 219
       }
     }
   },
@@ -419,7 +429,7 @@
       },
       "pos": {
         "filename": "network_acls.tf",
-        "line": 121
+        "line": 133
       }
     },
     "ibm_is_public_gateway.gateway": {
diff --git a/network_acls.tf b/network_acls.tf
@@ -3,10 +3,10 @@
 ##############################################################################
 
 locals {
-  cluster_rules = [
-    # Cluster Rules
+  ibm_cloud_internal_rules = [
+    # IaaS and PaaS Rules. Note that this coarse grained list will be narrowed in upcoming releases.
     {
-      name        = "roks-create-worker-nodes-inbound"
+      name        = "ibmflow-iaas-inbound"
       action      = "allow"
       source      = "161.26.0.0/16"
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
@@ -16,7 +16,7 @@ locals {
       icmp        = null
     },
     {
-      name        = "roks-create-worker-nodes-outbound"
+      name        = "ibmflow-iaas-outbound"
       action      = "allow"
       destination = "161.26.0.0/16"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
@@ -26,7 +26,7 @@ locals {
       icmp        = null
     },
     {
-      name        = "roks-nodes-to-service-inbound"
+      name        = "ibmflow-paas-inbound"
       action      = "allow"
       source      = "166.8.0.0/14"
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
@@ -36,67 +36,62 @@ locals {
       icmp        = null
     },
     {
-      name        = "roks-nodes-to-service-outbound"
+      name        = "ibmflow-paas-outbound"
       action      = "allow"
       destination = "166.8.0.0/14"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       direction   = "outbound"
       tcp         = null
       udp         = null
       icmp        = null
-    },
-    # App Rules
+    }
+  ]
+
+  vpc_connectivity_rules = [
+    # All connectivity across any subnet within VPC
+    # TODO: narrow down to VPC address spaces
     {
-      name        = "allow-app-incoming-traffic-requests"
+      name        = "ibmflow-allow-vpc-connectivity-inbound"
       action      = "allow"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       direction   = "inbound"
-      tcp = {
-        source_port_min = 30000
-        source_port_max = 32767
-      }
-      udp  = null
-      icmp = null
+      tcp         = null
+      udp         = null
+      icmp        = null
     },
     {
-      name        = "allow-app-outgoing-traffic-requests"
+      name        = "ibmflow-allow-vpc-connectivity-outbound"
       action      = "allow"
       source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
       direction   = "outbound"
-      tcp = {
-        port_min = 30000
-        port_max = 32767
-      }
-      udp  = null
-      icmp = null
-    },
+      tcp         = null
+      udp         = null
+      icmp        = null
+    }
+  ]
+
+  deny_all_rules = [
     {
-      name        = "allow-lb-incoming-traffic-requests"
-      action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      name        = "ibmflow-deny-all-inbound"
+      action      = "deny"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "inbound"
-      tcp = {
-        port_min = 443
-        port_max = 443
-      }
-      udp  = null
-      icmp = null
+      tcp         = null
+      udp         = null
+      icmp        = null
     },
     {
-      name        = "allow-lb-outgoing-traffic-requests"
-      action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      name        = "ibmflow-deny-all-outbound"
+      action      = "deny"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "outbound"
-      tcp = {
-        source_port_min = 443
-        source_port_max = 443
-      }
-      udp  = null
-      icmp = null
+      tcp         = null
+      udp         = null
+      icmp        = null
     }
   ]
 
@@ -106,13 +101,30 @@ locals {
     network_acl.name => {
       name = network_acl.name
       rules = flatten([
+        # Prepend ibm rules
         [
           # These rules cannot be added in a conditional operator due to inconsistant typing
-          # This will add all cluster rules if the acl object contains add_cluster rules
-          for rule in local.cluster_rules :
-          rule if network_acl.add_cluster_rules == true
+          # This will add all internal rules if the acl object contains add_ibm_cloud_internal_rules rules
+          for rule in local.ibm_cloud_internal_rules :
+          rule if network_acl.add_ibm_cloud_internal_rules == true && network_acl.prepend_ibm_rules == true
+        ],
+        [
+          for rule in local.vpc_connectivity_rules :
+          rule if network_acl.add_vpc_connectivity_rules == true && network_acl.prepend_ibm_rules == true
+        ],
+        # Customer rules
+        network_acl.rules,
+        # Append ibm rules
+        [
+          for rule in local.ibm_cloud_internal_rules :
+          rule if network_acl.add_ibm_cloud_internal_rules == true && network_acl.prepend_ibm_rules != true
+        ],
+        [
+          for rule in local.vpc_connectivity_rules :
+          rule if network_acl.add_vpc_connectivity_rules == true && network_acl.prepend_ibm_rules != true
         ],
-        network_acl.rules
+        # Best practice to add deny all at the end of ACL
+        local.deny_all_rules
       ])
     }
   }
diff --git a/tests/pr_test.go b/tests/pr_test.go
@@ -32,6 +32,8 @@ func TestRunBasicExample(t *testing.T) {
 }
 
 func TestRunUpgradeBasicExample(t *testing.T) {
+	// Breaking change in this PR leading to next major version - skip upgrade test
+	t.Skip()
 	t.Parallel()
 
 	options := setupOptions(t, "slz-vpc-upg")
diff --git a/variables.tf b/variables.tf
@@ -99,9 +99,11 @@ variable "network_acls" {
   description = "List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL."
   type = list(
     object({
-      name                = string
-      network_connections = optional(list(string))
-      add_cluster_rules   = optional(bool)
+      name                         = string
+      network_connections          = optional(list(string))
+      add_ibm_cloud_internal_rules = optional(bool)
+      add_vpc_connectivity_rules   = optional(bool)
+      prepend_ibm_rules            = optional(bool)
       rules = list(
         object({
           name        = string
@@ -138,20 +140,30 @@ variable "network_acls" {
 
   default = [
     {
-      name              = "vpc-acl"
-      add_cluster_rules = true
+      name                         = "vpc-acl"
+      add_ibm_cloud_internal_rules = true
+      add_vpc_connectivity_rules   = true
+      prepend_ibm_rules            = true
       rules = [
         {
-          name        = "allow-all-inbound"
-          action      = "allow"
-          direction   = "inbound"
+          name      = "allow-all-443-inbound"
+          action    = "allow"
+          direction = "inbound"
+          tcp = {
+            port_min = 443
+            port_max = 443
+          }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         },
         {
-          name        = "allow-all-outbound"
-          action      = "allow"
-          direction   = "outbound"
+          name      = "allow-all-443-outbound"
+          action    = "allow"
+          direction = "outbound"
+          tcp = {
+            source_port_min = 443
+            source_port_max = 443
+          }
           destination = "0.0.0.0/0"
           source      = "0.0.0.0/0"
         }

Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,8 @@ func TestRunBasicExample(t *testing.T) {`
`32`	`32`	`}`
`33`	`33`
`34`	`34`	`func TestRunUpgradeBasicExample(t *testing.T) {`
	`35`	`+ // Breaking change in this PR leading to next major version - skip upgrade test`
	`36`	`+ t.Skip()`
`35`	`37`	`t.Parallel()`
`36`	`38`
`37`	`39`	`options := setupOptions(t, "slz-vpc-upg")`