fix: removed the opening of 0.0.0.0/0 in the default value for network acls rules (#424)

jor2 · web-flow · commit f11a0a9bbc13 · 2023-03-15T13:22:46.000Z
BREAKING CHANGE: If you were consuming the module using the default value for var.network_acls and upgraded to this version, the `allow-all-443-inbound` and `allow-all-443-outbound` ACL rules will be removed since opening 0.0.0.0/0 is not FsCloud compliant.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -15,3 +15,6 @@ jobs:
   call-terraform-ci-pipeline:
     uses: terraform-ibm-modules/common-pipeline-assets/.github/workflows/common-terraform-module-ci.yml@v1.7.3
     secrets: inherit
+    with:
+      craTarget: "examples/default"
+      craGoalIgnoreFile: "cra-tf-validate-ignore-goals.json"
diff --git a/README.md b/README.md
@@ -111,7 +111,7 @@ You need the following permissions to run this module.
 | <a name="input_existing_storage_bucket_name"></a> [existing\_storage\_bucket\_name](#input\_existing\_storage\_bucket\_name) | Name of the COS bucket to collect VPC flow logs | `string` | `null` | no |
 | <a name="input_is_flow_log_collector_active"></a> [is\_flow\_log\_collector\_active](#input\_is\_flow\_log\_collector\_active) | Indicates whether the collector is active. If false, this collector is created in inactive mode. | `bool` | `true` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name for VPC | `string` | n/a | yes |
-| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      network_connections          = optional(list(string))<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": [<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "inbound",<br>        "name": "allow-all-443-inbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "port_max": 443,<br>          "port_min": 443<br>        }<br>      },<br>      {<br>        "action": "allow",<br>        "destination": "0.0.0.0/0",<br>        "direction": "outbound",<br>        "name": "allow-all-443-outbound",<br>        "source": "0.0.0.0/0",<br>        "tcp": {<br>          "source_port_max": 443,<br>          "source_port_min": 443<br>        }<br>      }<br>    ]<br>  }<br>]</pre> | no |
+| <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | List of ACLs to create. Rules can be automatically created to allow inbound and outbound traffic from a VPC tier by adding the name of that tier to the `network_connections` list. Rules automatically generated by these network connections will be added at the beginning of a list, and will be web-tierlied to traffic first. At least one rule must be provided for each ACL. | <pre>list(<br>    object({<br>      name                         = string<br>      network_connections          = optional(list(string))<br>      add_ibm_cloud_internal_rules = optional(bool)<br>      add_vpc_connectivity_rules   = optional(bool)<br>      prepend_ibm_rules            = optional(bool)<br>      rules = list(<br>        object({<br>          name        = string<br>          action      = string<br>          destination = string<br>          direction   = string<br>          source      = string<br>          tcp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          udp = optional(<br>            object({<br>              port_max        = optional(number)<br>              port_min        = optional(number)<br>              source_port_max = optional(number)<br>              source_port_min = optional(number)<br>            })<br>          )<br>          icmp = optional(<br>            object({<br>              type = optional(number)<br>              code = optional(number)<br>            })<br>          )<br>        })<br>      )<br>    })<br>  )</pre> | <pre>[<br>  {<br>    "add_ibm_cloud_internal_rules": true,<br>    "add_vpc_connectivity_rules": true,<br>    "name": "vpc-acl",<br>    "prepend_ibm_rules": true,<br>    "rules": []<br>  }<br>]</pre> | no |
 | <a name="input_network_cidr"></a> [network\_cidr](#input\_network\_cidr) | Network CIDR for the VPC. This is used to manage network ACL rules for cluster provisioning. | `string` | `"10.0.0.0/8"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix that you would like to append to your resources | `string` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | The region to which to deploy the VPC | `string` | n/a | yes |
diff --git a/cra-tf-validate-ignore-goals.json b/cra-tf-validate-ignore-goals.json
@@ -0,0 +1,40 @@
+{
+    "scc_goals": [
+        {
+            "scc_goal_id": "3000102",
+            "description:": "Check whether Cloud Object Storage is enabled with customer-managed encryption and Bring Your Own Key (BYOK)",
+            "ignore_reason": "This module does not create any Cloud object storage and it is used in an example for testing purpose.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000107",
+            "description:": "Check whether Cloud Object Storage network access is restricted to a specific IP range",
+            "ignore_reason": "This module does not create any Cloud object storage and it is used in an example for testing purpose.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000108",
+            "description:": "Check whether Cloud Object Storage is enabled with customer-managed encryption and Keep Your Own Key (KYOK)",
+            "ignore_reason": "This module does not create any Cloud object storage and it is used in an example for testing purpose.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000114",
+            "description:": "Check whether Cloud Object Storage buckets are enabled with IBM Activity Tracker",
+            "ignore_reason": "This module does not create any Cloud object storage bucket and it is used in an example for testing purpose.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000115",
+            "description:": "Check whether Cloud Object Storage buckets are enabled with IBM Cloud Monitoring",
+            "ignore_reason": "This module does not create any Cloud object storage bucket and it is used in an example for testing purpose.",
+            "is_valid": false
+        },
+        {
+            "scc_goal_id": "3000116",
+            "description:": "Check whether Cloud Object Storage bucket resiliency is set to cross region",
+            "ignore_reason": "This module does not create any Cloud object storage bucket and it is used in an example for testing purpose.",
+            "is_valid": false
+        }
+    ]
+}
diff --git a/module-metadata.json b/module-metadata.json
@@ -39,7 +39,7 @@
       "default": false,
       "pos": {
         "filename": "variables.tf",
-        "line": 408
+        "line": 415
       }
     },
     "default_network_acl_name": {
@@ -101,7 +101,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 402
+        "line": 409
       }
     },
     "existing_cos_instance_guid": {
@@ -113,7 +113,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 414
+        "line": 421
       },
       "immutable": true,
       "computed": true
@@ -128,7 +128,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 420
+        "line": 427
       },
       "immutable": true
     },
@@ -142,7 +142,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 426
+        "line": 433
       }
     },
     "name": {
@@ -165,30 +165,7 @@
           "add_vpc_connectivity_rules": true,
           "name": "vpc-acl",
           "prepend_ibm_rules": true,
-          "rules": [
-            {
-              "action": "allow",
-              "destination": "0.0.0.0/0",
-              "direction": "inbound",
-              "name": "allow-all-443-inbound",
-              "source": "0.0.0.0/0",
-              "tcp": {
-                "port_max": 443,
-                "port_min": 443
-              }
-            },
-            {
-              "action": "allow",
-              "destination": "0.0.0.0/0",
-              "direction": "outbound",
-              "name": "allow-all-443-outbound",
-              "source": "0.0.0.0/0",
-              "tcp": {
-                "source_port_max": 443,
-                "source_port_min": 443
-              }
-            }
-          ]
+          "rules": []
         }
       ],
       "source": [
@@ -279,7 +256,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 374
+        "line": 381
       }
     },
     "security_group_rules": {
@@ -298,7 +275,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 308
+        "line": 315
       }
     },
     "subnets": {
@@ -336,7 +313,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 245
+        "line": 252
       }
     },
     "tags": {
@@ -390,7 +367,7 @@
       ],
       "pos": {
         "filename": "variables.tf",
-        "line": 219
+        "line": 226
       }
     }
   },
diff --git a/variables.tf b/variables.tf
@@ -145,28 +145,35 @@ variable "network_acls" {
       add_vpc_connectivity_rules   = true
       prepend_ibm_rules            = true
       rules = [
-        {
-          name      = "allow-all-443-inbound"
-          action    = "allow"
-          direction = "inbound"
-          tcp = {
-            port_min = 443
-            port_max = 443
-          }
-          destination = "0.0.0.0/0"
-          source      = "0.0.0.0/0"
-        },
-        {
-          name      = "allow-all-443-outbound"
-          action    = "allow"
-          direction = "outbound"
-          tcp = {
-            source_port_min = 443
-            source_port_max = 443
-          }
-          destination = "0.0.0.0/0"
-          source      = "0.0.0.0/0"
-        }
+        ## The below rules may be added to easily provide network connectivity for a loadbalancer
+        ## Note that opening 0.0.0.0/0 is not FsCloud compliant
+        # {
+        #   name      = "allow-all-443-inbound"
+        #   action    = "allow"
+        #   direction = "inbound"
+        #   tcp = {
+
+        #     port_min = 443
+        #     port_max = 443
+        #     source_port_min = 1024
+        #     source_port_max = 65535
+        #   }
+        #   destination = "0.0.0.0/0"
+        #   source      = "0.0.0.0/0"
+        # },
+        # {
+        #   name      = "allow-all-443-outbound"
+        #   action    = "allow"
+        #   direction = "outbound"
+        #   tcp = {
+        #     source_port_min = 443
+        #     source_port_max = 443
+        #     port_min = 1024
+        #     port_max = 65535
+        #   }
+        #   destination = "0.0.0.0/0"
+        #   source      = "0.0.0.0/0"
+        # }
       ]
     }
   ]
