Updates acl rules to use terraform provider (#48)

Signed-off-by: Sean Sundberg <[email protected]>

Author: Sean Sundberg

README.md

@@ -51,7 +51,6 @@ module "dev_vpc" {
   resource_group_name = module.resource_group.name
   region              = var.region
   name_prefix         = var.name_prefix
-  ibmcloud_api_key    = var.ibmcloud_api_key
 }
 ```
 

main.tf

@@ -43,17 +43,64 @@ resource ibm_is_vpc_address_prefix cidr_prefix {
   is_default = count.index < local.zone_count
 }
 
-resource null_resource setup_default_acl {
-  depends_on = [ibm_is_vpc.vpc]
-  count = false && var.provision ? 1 : 0
+resource ibm_is_network_acl_rule allow_internal_egress {
+  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  name        = "allow-internal-egress"
+  action      = "allow"
+  source      = var.internal_cidr
+  destination = var.internal_cidr
+  direction   = "outbound"
+}
 
-  provisioner "local-exec" {
-    command = "${path.module}/scripts/setup-default-acl.sh ${data.ibm_is_vpc.vpc.default_network_acl} ${var.region} ${var.resource_group_name}"
+resource ibm_is_network_acl_rule allow_internal_ingress {
+  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  name        = "allow-internal-ingress"
+  action      = "allow"
+  source      = var.internal_cidr
+  destination = var.internal_cidr
+  direction   = "inbound"
+  before      = ibm_is_network_acl_rule.deny_external_ssh.rule_id
+}
 
-    environment = {
-      IBMCLOUD_API_KEY = var.ibmcloud_api_key
-    }
+resource ibm_is_network_acl_rule deny_external_ssh {
+  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  name        = "deny-external-ssh"
+  action      = "deny"
+  source      = "0.0.0.0/0"
+  destination = "0.0.0.0/0"
+  direction   = "inbound"
+  tcp {
+    port_max        = 22
+    port_min        = 22
+    source_port_max = 22
+    source_port_min = 22
   }
+  before      = ibm_is_network_acl_rule.deny_external_rdp.rule_id
+}
+
+resource ibm_is_network_acl_rule deny_external_rdp {
+  network_acl = data.ibm_is_vpc.vpc.default_network_acl
+  name        = "deny-external-rdp"
+  action      = "deny"
+  source      = "0.0.0.0/0"
+  destination = "0.0.0.0/0"
+  direction   = "inbound"
+  tcp {
+    port_max        = 3389
+    port_min        = 3389
+    source_port_max = 3389
+    source_port_min = 3389
+  }
+  before = ibm_is_network_acl_rule.deny_external_ingress.rule_id
+}
+
+resource ibm_is_network_acl_rule deny_external_ingress {
+  network_acl    = data.ibm_is_vpc.vpc.default_network_acl
+  name           = "deny-external-ingress"
+  action         = "deny"
+  source         = "0.0.0.0/0"
+  destination    = "0.0.0.0/0"
+  direction      = "inbound"
 }
 
 resource ibm_is_security_group base {

module.yaml

@@ -29,5 +29,3 @@ versions:
       scope: module
     - name: name_prefix
       scope: global
-    - name: ibmcloud_api_key
-      scope: global

scripts/setup-default-acl.sh

@@ -5,7 +5,6 @@ module "dev_vpc" {
   resource_group_name  = module.resource_group.name
   region               = var.region
   name_prefix          = var.name_prefix
-  ibmcloud_api_key     = var.ibmcloud_api_key
   address_prefix_count = var.address_prefix_count
   address_prefixes     = jsondecode(var.address_prefixes)
 }

test/stages/stage2-vpc.tf

@@ -26,11 +26,6 @@ variable "name_prefix" {
   default     = ""
 }
 
-variable "ibmcloud_api_key" {
-  type        = string
-  description = "The IBM Cloud api token"
-}
-
 variable "provision" {
   type        = bool
   description = "Flag indicating that the instance should be provisioned. If false then an existing instance will be looked up"
@@ -54,3 +49,9 @@ variable "base_security_group_name" {
   description = "The name of the base security group. If not provided the name will be based on the vpc name"
   default     = ""
 }
+
+variable "internal_cidr" {
+  type        = string
+  description = "The cidr range of the internal network"
+  default     = "10.0.0.0/8"
+}