Skip to content

Commit

Permalink
Create infrastructure network ACL
Browse files Browse the repository at this point in the history
* Creates a network ACL with ocnfigurable rules
* If egress/ingress lockdown is enabled, all traffic will be blocked by
  default
* The ACL is applied to all the subnets created in the infrastructure
  • Loading branch information
Stretch96 committed Nov 23, 2023
1 parent 453808d commit 2f373ef
Show file tree
Hide file tree
Showing 4 changed files with 118 additions and 0 deletions.
5 changes: 5 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ This project creates and manages resources within an AWS account for infrastruct
| [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
| [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
| [aws_nat_gateway.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
| [aws_network_acl.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
| [aws_route.infrustructure_public_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
| [aws_route.private_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
| [aws_route_table.infrastructure_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
Expand Down Expand Up @@ -74,6 +75,10 @@ This project creates and manages resources within an AWS account for infrastruct
| <a name="input_infrastructure_vpc_flow_logs_s3_with_athena"></a> [infrastructure\_vpc\_flow\_logs\_s3\_with\_athena](#input\_infrastructure\_vpc\_flow\_logs\_s3\_with\_athena) | Enable VPC flow logs in infrastructure VPC to the S3 logs bucket. A compatible Glue table/database and Athena workgroup will also be created to allow querying the logs. | `bool` | n/a | yes |
| <a name="input_infrastructure_vpc_flow_logs_traffic_type"></a> [infrastructure\_vpc\_flow\_logs\_traffic\_type](#input\_infrastructure\_vpc\_flow\_logs\_traffic\_type) | Infrastructure VPC flow logs traffic type | `string` | n/a | yes |
| <a name="input_infrastructure_vpc_instance_tenancy"></a> [infrastructure\_vpc\_instance\_tenancy](#input\_infrastructure\_vpc\_instance\_tenancy) | Infrastructure VPC instance tenancy | `string` | n/a | yes |
| <a name="input_infrastructure_vpc_network_acl_egress_custom_rules"></a> [infrastructure\_vpc\_network\_acl\_egress\_custom\_rules](#input\_infrastructure\_vpc\_network\_acl\_egress\_custom\_rules) | Infrastructure vpc egress custom rules. These will be evaluated before any automatically added rules. | <pre>list(object({<br> protocol = string<br> from_port = number<br> to_port = number<br> actiion = string<br> cidr_block = string<br> ipv6_cidr_block = optional(string, null)<br> icmp_type = optional(number, null)<br> icmp_code = optional(number, null)<br> }))</pre> | n/a | yes |
| <a name="input_infrastructure_vpc_network_acl_egress_lockdown"></a> [infrastructure\_vpc\_network\_acl\_egress\_lockdown](#input\_infrastructure\_vpc\_network\_acl\_egress\_lockdown) | Creates a network ACL which blocks all egress traffic, except the ports required for services that are launched. | `bool` | n/a | yes |
| <a name="input_infrastructure_vpc_network_acl_ingress_custom_rules"></a> [infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules](#input\_infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules) | Infrastructure vpc ingress custom rules. These will be evaluated before any automatically added rules. | <pre>list(object({<br> protocol = string<br> from_port = number<br> to_port = number<br> actiion = string<br> cidr_block = string<br> ipv6_cidr_block = optional(string, null)<br> icmp_type = optional(number, null)<br> icmp_code = optional(number, null)<br> }))</pre> | n/a | yes |
| <a name="input_infrastructure_vpc_network_acl_ingress_lockdown"></a> [infrastructure\_vpc\_network\_acl\_ingress\_lockdown](#input\_infrastructure\_vpc\_network\_acl\_ingress\_lockdown) | Creates a network ACL which blocks all ingress traffic, except the ports required for services that are launched. | `bool` | n/a | yes |
| <a name="input_infrastructure_vpc_network_availability_zones"></a> [infrastructure\_vpc\_network\_availability\_zones](#input\_infrastructure\_vpc\_network\_availability\_zones) | A list of availability zone characters (eg. ["a", "b", "c"]) | `list(string)` | n/a | yes |
| <a name="input_infrastructure_vpc_network_enable_private"></a> [infrastructure\_vpc\_network\_enable\_private](#input\_infrastructure\_vpc\_network\_enable\_private) | Enable private networking on Infrastructure VPC. This will create subnets with a route to a NAT Gateway (If Public networking has been enabled) | `bool` | n/a | yes |
| <a name="input_infrastructure_vpc_network_enable_public"></a> [infrastructure\_vpc\_network\_enable\_public](#input\_infrastructure\_vpc\_network\_enable\_public) | Enable public networking on Infrastructure VPC. This will create subnets with a route to an Internet Gateway | `bool` | n/a | yes |
Expand Down
4 changes: 4 additions & 0 deletions locals.tf
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,10 @@ locals {
infrastructure_vpc_network_private_cidr = cidrsubnet(local.infrastructure_vpc_cidr_block, 1, 1)
infrastructure_vpc_network_private_cidr_prefix = basename(local.infrastructure_vpc_network_private_cidr)
infrastructure_vpc_network_private_cidr_newbits = 24 - local.infrastructure_vpc_network_private_cidr_prefix
infrastructure_vpc_network_acl_egress_lockdown = var.infrastructure_vpc_network_acl_egress_lockdown
infrastructure_vpc_network_acl_egress_custom_rules = var.infrastructure_vpc_network_acl_egress_custom_rules
infrastructure_vpc_network_acl_ingress_lockdown = var.infrastructure_vpc_network_acl_ingress_lockdown
infrastructure_vpc_network_acl_ingress_custom_rules = var.infrastructure_vpc_network_acl_ingress_custom_rules
infrastructure_vpc_flow_logs_cloudwatch_logs = var.infrastructure_vpc_flow_logs_cloudwatch_logs && local.infrastructure_vpc
infrastructure_vpc_flow_logs_s3_with_athena = var.infrastructure_vpc_flow_logs_s3_with_athena && local.infrastructure_vpc
infrastructure_vpc_flow_logs_s3_key_prefix = trim(var.infrastructure_vpc_flow_logs_s3_key_prefix, "/")
Expand Down
38 changes: 38 additions & 0 deletions variables.tf
Original file line number Diff line number Diff line change
Expand Up @@ -102,3 +102,41 @@ variable "infrastructure_vpc_network_availability_zones" {
description = "A list of availability zone characters (eg. [\"a\", \"b\", \"c\"])"
type = list(string)
}

variable "infrastructure_vpc_network_acl_egress_lockdown" {
description = "Creates a network ACL which blocks all egress traffic, except the ports required for services that are launched."
type = bool
}

variable "infrastructure_vpc_network_acl_egress_custom_rules" {
description = "Infrastructure vpc egress custom rules. These will be evaluated before any automatically added rules."
type = list(object({
protocol = string
from_port = number
to_port = number
actiion = string
cidr_block = string
ipv6_cidr_block = optional(string, null)
icmp_type = optional(number, null)
icmp_code = optional(number, null)
}))
}

variable "infrastructure_vpc_network_acl_ingress_lockdown" {
description = "Creates a network ACL which blocks all ingress traffic, except the ports required for services that are launched."
type = bool
}

variable "infrastructure_vpc_network_acl_ingress_custom_rules" {
description = "Infrastructure vpc ingress custom rules. These will be evaluated before any automatically added rules."
type = list(object({
protocol = string
from_port = number
to_port = number
actiion = string
cidr_block = string
ipv6_cidr_block = optional(string, null)
icmp_type = optional(number, null)
icmp_code = optional(number, null)
}))
}
71 changes: 71 additions & 0 deletions vpc-infrastructure-network-acl.tf
Original file line number Diff line number Diff line change
@@ -0,0 +1,71 @@
resource "aws_network_acl" "infrastructure" {
count = local.infrastructure_vpc ? 1 : 0

vpc_id = aws_vpc.infrastructure[0].id
subnet_ids = concat(
local.infrastructure_vpc_network_enable_public ? [for subnet in aws_subnet.infrastructure_public : subnet.id] : [],
local.infrastructure_vpc_network_enable_private ? [for subnet in aws_subnet.infrastructure_private : subnet.id] : []
)

dynamic "egress" {
for_each = local.infrastructure_vpc_network_acl_egress_custom_rules

content {
protocol = egress.value["protocol"]
from_port = egress.value["from_port"]
to_port = egress.value["to_port"]
action = egress.value["action"]
cidr_block = egress.value["cidr_block"]
ipv6_cidr_block = egress.value["ipv6_cidr_block"]
icmp_type = egress.value["icmp_type"]
icmp_code = egress.value["icmp_code"]
rule_no = each.key + 1
}
}

dynamic "egress" {
for_each = local.infrastructure_vpc_network_acl_egress_lockdown ? [] : [1]

content {
protocol = "all"
from_port = 0
to_port = 0
action = "allow"
cidr_block = "0.0.0.0/0"
rule_no = length(local.infrastructure_vpc_network_acl_egress_custom_rules) + 1
}
}

dynamic "ingress" {
for_each = local.infrastructure_vpc_network_acl_ingress_custom_rules

content {
protocol = ingress.value["protocol"]
from_port = ingress.value["from_port"]
to_port = ingress.value["to_port"]
action = ingress.value["action"]
cidr_block = ingress.value["cidr_block"]
ipv6_cidr_block = ingress.value["ipv6_cidr_block"]
icmp_type = ingress.value["icmp_type"]
icmp_code = ingress.value["icmp_code"]
rule_no = each.key + 1
}
}

dynamic "ingress" {
for_each = local.infrastructure_vpc_network_acl_ingress_lockdown ? [] : [1]

content {
protocol = "all"
from_port = 0
to_port = 0
action = "allow"
cidr_block = "0.0.0.0/0"
rule_no = length(local.infrastructure_vpc_network_acl_ingress_custom_rules) + 1
}
}

tags = {
Name = "${local.resource_prefix}-infrastructure"
}
}

0 comments on commit 2f373ef

Please sign in to comment.