feat: Enable creating network acls for disjoint ip address spaces (#542)

Aashiq-J · web-flow · commit 6718c016d08c · 2023-06-14T10:31:28.000+05:30
* feat: Enable creating network acls for disjoint ip address spaces

* test: ignore vpc-acl

* test: update variable description

* test: update test for network_cidr

* fix: update the looping logic

* fix: update variable description
diff --git a/README.md b/README.md
@@ -141,7 +141,7 @@ To attach access management tags to resources in this module, you need the follo
 | <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | The list of ACLs to create. Provide at least one rule for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
-| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
+| <a name="input_network_cidrs"></a> [network\_cidrs](#input\_network\_cidrs) | List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |
diff --git a/dynamic_values.tf b/dynamic_values.tf
@@ -10,7 +10,7 @@ module "dynamic_values" {
   routes               = var.routes
   use_public_gateways  = var.use_public_gateways
   security_group_rules = var.security_group_rules
-  network_cidr         = var.network_cidr
+  network_cidrs        = var.network_cidrs
   network_acls         = var.network_acls
   subnets              = var.subnets
   public_gateways      = ibm_is_public_gateway.gateway
@@ -54,7 +54,7 @@ module "unit_tests" {
       name = "test-rule"
     }
   ]
-  network_cidr = "1.2.3.4/5"
+  network_cidrs = ["1.2.3.4/5"]
   network_acls = [
     {
       name                         = "acl"
diff --git a/dynamic_values.unit_tests.tf b/dynamic_values.unit_tests.tf
@@ -66,7 +66,7 @@ locals {
   # tflint-ignore: terraform_unused_declarations
   assert_cluster_rule_exists_in_position_0 = regex("roks-create-worker-nodes-inbound", module.unit_tests.acl_map["acl"].rules[0].name)
   # tflint-ignore: terraform_unused_declarations
-  assert_cluster_rule_uses_network_cidr = regex("1.2.3.4/5", module.unit_tests.acl_map["acl"].rules[0].destination)
+  assert_cluster_rule_uses_network_cidr = regex("0.0.0.0/0", module.unit_tests.acl_map["acl"].rules[0].destination)
   # tflint-ignore: terraform_unused_declarations
   assert_acl_rule_exists_in_last_position = regex("test-rule", module.unit_tests.acl_map["acl"].rules[length(module.unit_tests.acl_map["acl"].rules) - 1].name)
   # tflint-ignore: terraform_unused_declarations
diff --git a/dynamic_values/network_acls.tf b/dynamic_values/network_acls.tf
@@ -10,7 +10,7 @@ locals {
         [
           # These rules cannot be added in a conditional operator due to inconsistant typing
           # This will add all cluster_rules if the acl object contains prepend_ibm_rules as true
-          for rule in local.cluster_rules :
+          for rule in local.rules :
           rule if network_acl.prepend_ibm_rules == true
         ],
         network_acl.rules
@@ -33,7 +33,7 @@ locals {
       name        = "roks-create-worker-nodes-inbound"
       action      = "allow"
       source      = "161.26.0.0/16"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "inbound"
       tcp         = null
       udp         = null
@@ -43,7 +43,7 @@ locals {
       name        = "roks-create-worker-nodes-outbound"
       action      = "allow"
       destination = "161.26.0.0/16"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
       direction   = "outbound"
       tcp         = null
       udp         = null
@@ -53,7 +53,7 @@ locals {
       name        = "roks-nodes-to-service-inbound"
       action      = "allow"
       source      = "166.8.0.0/14"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "inbound"
       tcp         = null
       udp         = null
@@ -63,18 +63,31 @@ locals {
       name        = "roks-nodes-to-service-outbound"
       action      = "allow"
       destination = "166.8.0.0/14"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
       direction   = "outbound"
       tcp         = null
       udp         = null
       icmp        = null
-    },
-    # App Rules
+    }
+  ]
+
+  cluster_rules_list = flatten([
+    for rules in local.cluster_rules : [
+      for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] :
+      merge(rules, {
+        name   = "${rules.name}-${index}"
+        source = cidrs
+      })
+    ]
+  ])
+
+  # App Rules
+  app_rules = [
     {
       name        = "allow-app-incoming-traffic-requests"
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "inbound"
       tcp = {
         source_port_min = 30000
@@ -86,8 +99,8 @@ locals {
     {
       name        = "allow-app-outgoing-traffic-requests"
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "outbound"
       tcp = {
         port_min = 30000
@@ -99,8 +112,8 @@ locals {
     {
       name        = "allow-lb-incoming-traffic-requests"
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "inbound"
       tcp = {
         port_min = 443
@@ -112,8 +125,8 @@ locals {
     {
       name        = "allow-lb-outgoing-traffic-requests"
       action      = "allow"
-      source      = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
-      destination = var.network_cidr != null ? var.network_cidr : "0.0.0.0/0"
+      source      = "0.0.0.0/0"
+      destination = "0.0.0.0/0"
       direction   = "outbound"
       tcp = {
         source_port_min = 443
@@ -123,6 +136,21 @@ locals {
       icmp = null
     }
   ]
+
+
+  app_rules_list = flatten([
+    for rules in local.app_rules : [
+      for index, cidrs in var.network_cidrs != null ? var.network_cidrs : ["0.0.0.0/0"] :
+      merge(rules, {
+        name        = "${rules.name}-${index}"
+        source      = cidrs
+        destination = cidrs
+      })
+    ]
+  ])
+
+  rules = concat(local.cluster_rules_list, local.app_rules_list)
+
 }
 
 ##############################################################################
diff --git a/dynamic_values/outputs.tf b/dynamic_values/outputs.tf
@@ -48,7 +48,7 @@ output "security_group_rules" {
 
 output "cluster_rules" {
   description = "Cluster creation ACL allow rules"
-  value       = local.cluster_rules
+  value       = local.rules
 }
 
 ##############################################################################
diff --git a/dynamic_values/variables.tf b/dynamic_values/variables.tf
@@ -108,9 +108,9 @@ variable "security_group_rules" {
 # Network CIDR
 ##############################################################################
 
-variable "network_cidr" {
-  description = "direct reference to network cidr"
-  type        = string
+variable "network_cidrs" {
+  description = "direct reference to network cidrs"
+  type        = list(string)
 }
 
 ##############################################################################
diff --git a/examples/default/main.tf b/examples/default/main.tf
@@ -54,4 +54,5 @@ module "slz_vpc" {
   existing_cos_instance_guid             = ibm_resource_instance.cos_instance[0].guid
   existing_storage_bucket_name           = ibm_cos_bucket.cos_bucket[0].bucket_name
   address_prefixes                       = var.address_prefixes
+  network_cidrs                          = var.network_cidrs
 }
diff --git a/examples/default/variables.tf b/examples/default/variables.tf
@@ -85,3 +85,9 @@ variable "address_prefixes" {
     condition     = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3")
   }
 }
+
+variable "network_cidrs" {
+  description = "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning."
+  type        = list(string)
+  default     = ["10.0.0.0/8", "164.0.0.0/8"]
+}
diff --git a/landing-zone-submodule/management-vpc/README.md b/landing-zone-submodule/management-vpc/README.md
@@ -43,7 +43,7 @@ No resources.
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are chosen, such as the 'clean\_default\_*' variables being 'true'. | `string` | `null` | no |
 | <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br>    object({<br>      name                         = string<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "management-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
-| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
+| <a name="input_network_cidrs"></a> [network\_cidrs](#input\_network\_cidrs) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"management"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | `"au-syd"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |
diff --git a/landing-zone-submodule/management-vpc/main.tf b/landing-zone-submodule/management-vpc/main.tf
@@ -10,7 +10,7 @@ module "management_vpc" {
   resource_group_id                      = var.resource_group_id
   region                                 = var.region
   prefix                                 = var.prefix
-  network_cidr                           = var.network_cidr
+  network_cidrs                          = var.network_cidrs
   classic_access                         = var.classic_access
   default_network_acl_name               = var.default_network_acl_name
   default_security_group_name            = var.default_security_group_name
diff --git a/landing-zone-submodule/management-vpc/variables.tf b/landing-zone-submodule/management-vpc/variables.tf
@@ -31,10 +31,10 @@ variable "access_tags" {
 # VPC variables
 #############################################################################
 
-variable "network_cidr" {
+variable "network_cidrs" {
   description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning."
-  type        = string
-  default     = "10.0.0.0/8"
+  type        = list(string)
+  default     = ["10.0.0.0/8"]
 }
 
 variable "classic_access" {
diff --git a/landing-zone-submodule/workload-vpc/README.md b/landing-zone-submodule/workload-vpc/README.md
@@ -44,7 +44,7 @@ No resources.
 | <a name="input_ibmcloud_api_key"></a> [ibmcloud\_api\_key](#input\_ibmcloud\_api\_key) | IBM Cloud API Key that will be used for authentication in scripts run in this module. Only required if certain options are chosen, such as the 'clean\_default\_*' variables being 'true'. | `string` | `null` | no |
 | <a name="input_ibmcloud_api_visibility"></a> [ibmcloud\_api\_visibility](#input\_ibmcloud\_api\_visibility) | IBM Cloud API visibility used by scripts run in this module. Must be 'public', 'private', or 'public-and-private' | `string` | `"public"` | no |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of network ACLs to create with VPC | <pre>list(<br>    object({<br>      name                         = string<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "workload-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
-| <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
+| <a name="input_network_cidrs"></a> [network\_cidrs](#input\_network\_cidrs) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `list(string)` | <pre>[<br>  "10.0.0.0/8"<br>]</pre> | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | `"workload"` | no |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | `"au-syd"` | no |
 | <a name="input_resource_group_id"></a> [resource\_group\_id](#input\_resource\_group\_id) | The resource group ID where the VPC to be created | `string` | n/a | yes |
diff --git a/landing-zone-submodule/workload-vpc/main.tf b/landing-zone-submodule/workload-vpc/main.tf
@@ -10,7 +10,7 @@ module "workload_vpc" {
   resource_group_id                      = var.resource_group_id
   region                                 = var.region
   prefix                                 = var.prefix
-  network_cidr                           = var.network_cidr
+  network_cidrs                          = var.network_cidrs
   classic_access                         = var.classic_access
   default_network_acl_name               = var.default_network_acl_name
   default_security_group_name            = var.default_security_group_name
diff --git a/landing-zone-submodule/workload-vpc/variables.tf b/landing-zone-submodule/workload-vpc/variables.tf
@@ -31,10 +31,10 @@ variable "access_tags" {
 # VPC variables
 #############################################################################
 
-variable "network_cidr" {
+variable "network_cidrs" {
   description = "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning."
-  type        = string
-  default     = "10.0.0.0/8"
+  type        = list(string)
+  default     = ["10.0.0.0/8"]
 }
 
 variable "classic_access" {
diff --git a/module-metadata.json b/module-metadata.json
@@ -247,11 +247,13 @@
         "line": 105
       }
     },
-    "network_cidr": {
-      "name": "network_cidr",
-      "type": "string",
-      "description": "Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning.",
-      "default": "10.0.0.0/8",
+    "network_cidrs": {
+      "name": "network_cidrs",
+      "type": "list(string)",
+      "description": "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning.",
+      "default": [
+        "10.0.0.0/8"
+      ],
       "source": [
         "module.dynamic_values"
       ],
@@ -598,7 +600,7 @@
       },
       "pos": {
         "filename": "network_acls.tf",
-        "line": 137
+        "line": 152
       }
     },
     "ibm_is_public_gateway.gateway": {
@@ -777,7 +779,7 @@
       "attributes": {
         "address_prefixes": "address_prefixes",
         "network_acls": "network_acls",
-        "network_cidr": "network_cidr",
+        "network_cidrs": "network_cidrs",
         "prefix": "prefix",
         "region": "region",
         "routes": "routes",
@@ -809,7 +811,7 @@
         "cluster_rules": {
           "name": "cluster_rules",
           "description": "Cluster creation ACL allow rules",
-          "value": "local.cluster_rules",
+          "value": "local.rules",
           "pos": {
             "filename": "dynamic_values/outputs.tf",
             "line": 49
@@ -911,7 +913,7 @@
         "cluster_rules": {
           "name": "cluster_rules",
           "description": "Cluster creation ACL allow rules",
-          "value": "local.cluster_rules",
+          "value": "local.rules",
           "pos": {
             "filename": "dynamic_values/outputs.tf",
             "line": 49
diff --git a/network_acls.tf b/network_acls.tf
diff --git a/tests/pr_test.go b/tests/pr_test.go
diff --git a/variables.tf b/variables.tf

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ module "dynamic_values" {`
`10`	`10`	`routes = var.routes`
`11`	`11`	`use_public_gateways = var.use_public_gateways`
`12`	`12`	`security_group_rules = var.security_group_rules`
`13`		`- network_cidr = var.network_cidr`
	`13`	`+ network_cidrs = var.network_cidrs`
`14`	`14`	`network_acls = var.network_acls`
`15`	`15`	`subnets = var.subnets`
`16`	`16`	`public_gateways = ibm_is_public_gateway.gateway`
`@@ -54,7 +54,7 @@ module "unit_tests" {`
`54`	`54`	`name = "test-rule"`
`55`	`55`	`}`
`56`	`56`	`]`
`57`		`- network_cidr = "1.2.3.4/5"`
	`57`	`+ network_cidrs = ["1.2.3.4/5"]`
`58`	`58`	`network_acls = [`
`59`	`59`	`{`
`60`	`60`	`name = "acl"`
Original file line number	Diff line number	Diff line change
`@@ -48,7 +48,7 @@ output "security_group_rules" {`
`48`	`48`
`49`	`49`	`output "cluster_rules" {`
`50`	`50`	`description = "Cluster creation ACL allow rules"`
`51`		`- value = local.cluster_rules`
	`51`	`+ value = local.rules`
`52`	`52`	`}`
`53`	`53`
`54`	`54`	`##############################################################################`
Original file line number	Diff line number	Diff line change
`@@ -54,4 +54,5 @@ module "slz_vpc" {`
`54`	`54`	`existing_cos_instance_guid = ibm_resource_instance.cos_instance[0].guid`
`55`	`55`	`existing_storage_bucket_name = ibm_cos_bucket.cos_bucket[0].bucket_name`
`56`	`56`	`address_prefixes = var.address_prefixes`
	`57`	`+ network_cidrs = var.network_cidrs`
`57`	`58`	`}`
Original file line number	Diff line number	Diff line change
`@@ -85,3 +85,9 @@ variable "address_prefixes" {`
`85`	`85`	`condition = var.address_prefixes == null ? true : (keys(var.address_prefixes)[0] == "zone-1" && keys(var.address_prefixes)[1] == "zone-2" && keys(var.address_prefixes)[2] == "zone-3")`
`86`	`86`	`}`
`87`	`87`	`}`
	`88`	`+`
	`89`	`+variable "network_cidrs" {`
	`90`	`+ description = "List of Network CIDRs for the VPC. This is used to manage network ACL rules for cluster provisioning."`
	`91`	`+ type = list(string)`
	`92`	`+ default = ["10.0.0.0/8", "164.0.0.0/8"]`
	`93`	`+}`