Merge pull request #15 from dxw/create-infrastructure-network-acl

Create infrastructure network ACL
dxw · Nov 24, 2023 · 7a0aed4 · 7a0aed4
2 parents 453808d + 09ae509
commit 7a0aed4
Show file tree

Hide file tree

Showing 4 changed files with 281 additions and 21 deletions.
diff --git a/README.md b/README.md
@@ -25,6 +25,7 @@ This project creates and manages resources within an AWS account for infrastruct
 |------|------|
 | [aws_athena_workgroup.infrastructure_vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/athena_workgroup) | resource |
 | [aws_cloudwatch_log_group.infrastructure_vpc_flow_logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_default_network_acl.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/default_network_acl) | resource |
 | [aws_eip.infrastructure_nat](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
 | [aws_flow_log.infrastructure_vpc_flow_logs_cloudwatch](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
 | [aws_flow_log.infrastructure_vpc_flow_logs_s3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/flow_log) | resource |
@@ -36,6 +37,18 @@ This project creates and manages resources within an AWS account for infrastruct
 | [aws_kms_alias.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
 | [aws_kms_key.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
 | [aws_nat_gateway.infrastructure](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/nat_gateway) | resource |
+| [aws_network_acl.infrastructure_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl.infrastructure_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_association.infrastructure_private_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_association) | resource |
+| [aws_network_acl_association.infrastructure_public_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_association) | resource |
+| [aws_network_acl_rule.egress_allow_all_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.egress_allow_all_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.egress_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.egress_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress_allow_all_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress_allow_all_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress_public](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
 | [aws_route.infrustructure_public_internet_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route.private_nat_gateway](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
 | [aws_route_table.infrastructure_private](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
@@ -74,6 +87,14 @@ This project creates and manages resources within an AWS account for infrastruct
 | <a name="input_infrastructure_vpc_flow_logs_s3_with_athena"></a> [infrastructure\_vpc\_flow\_logs\_s3\_with\_athena](#input\_infrastructure\_vpc\_flow\_logs\_s3\_with\_athena) | Enable VPC flow logs in infrastructure VPC to the S3 logs bucket. A compatible Glue table/database and Athena workgroup will also be created to allow querying the logs. | `bool` | n/a | yes |
 | <a name="input_infrastructure_vpc_flow_logs_traffic_type"></a> [infrastructure\_vpc\_flow\_logs\_traffic\_type](#input\_infrastructure\_vpc\_flow\_logs\_traffic\_type) | Infrastructure VPC flow logs traffic type | `string` | n/a | yes |
 | <a name="input_infrastructure_vpc_instance_tenancy"></a> [infrastructure\_vpc\_instance\_tenancy](#input\_infrastructure\_vpc\_instance\_tenancy) | Infrastructure VPC instance tenancy | `string` | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_egress_custom_rules_private"></a> [infrastructure\_vpc\_network\_acl\_egress\_custom\_rules\_private](#input\_infrastructure\_vpc\_network\_acl\_egress\_custom\_rules\_private) | Infrastructure vpc egress custom rules for the private subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br>    protocol        = string<br>    from_port       = number<br>    to_port         = number<br>    action          = string<br>    cidr_block      = string<br>    ipv6_cidr_block = optional(string, null)<br>    icmp_type       = optional(number, null)<br>    icmp_code       = optional(number, null)<br>  }))</pre> | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_egress_custom_rules_public"></a> [infrastructure\_vpc\_network\_acl\_egress\_custom\_rules\_public](#input\_infrastructure\_vpc\_network\_acl\_egress\_custom\_rules\_public) | Infrastructure vpc egress custom rules for the public subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br>    protocol        = string<br>    from_port       = number<br>    to_port         = number<br>    action          = string<br>    cidr_block      = string<br>    ipv6_cidr_block = optional(string, null)<br>    icmp_type       = optional(number, null)<br>    icmp_code       = optional(number, null)<br>  }))</pre> | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_egress_lockdown_private"></a> [infrastructure\_vpc\_network\_acl\_egress\_lockdown\_private](#input\_infrastructure\_vpc\_network\_acl\_egress\_lockdown\_private) | Creates a network ACL for the private subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | `bool` | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_egress_lockdown_public"></a> [infrastructure\_vpc\_network\_acl\_egress\_lockdown\_public](#input\_infrastructure\_vpc\_network\_acl\_egress\_lockdown\_public) | Creates a network ACL for the public subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules. | `bool` | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_ingress_custom_rules_private"></a> [infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules\_private](#input\_infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules\_private) | Infrastructure vpc ingress custom rules for the private subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br>    protocol        = string<br>    from_port       = number<br>    to_port         = number<br>    action          = string<br>    cidr_block      = string<br>    ipv6_cidr_block = optional(string, null)<br>    icmp_type       = optional(number, null)<br>    icmp_code       = optional(number, null)<br>  }))</pre> | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_ingress_custom_rules_public"></a> [infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules\_public](#input\_infrastructure\_vpc\_network\_acl\_ingress\_custom\_rules\_public) | Infrastructure vpc ingress custom rules for the public subnets. These will be evaluated before any automatically added rules. | <pre>list(object({<br>    protocol        = string<br>    from_port       = number<br>    to_port         = number<br>    action          = string<br>    cidr_block      = string<br>    ipv6_cidr_block = optional(string, null)<br>    icmp_type       = optional(number, null)<br>    icmp_code       = optional(number, null)<br>  }))</pre> | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_ingress_lockdown_private"></a> [infrastructure\_vpc\_network\_acl\_ingress\_lockdown\_private](#input\_infrastructure\_vpc\_network\_acl\_ingress\_lockdown\_private) | Creates a network ACL for the private subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | `bool` | n/a | yes |
+| <a name="input_infrastructure_vpc_network_acl_ingress_lockdown_public"></a> [infrastructure\_vpc\_network\_acl\_ingress\_lockdown\_public](#input\_infrastructure\_vpc\_network\_acl\_ingress\_lockdown\_public) | Creates a network ACL for the public subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules. | `bool` | n/a | yes |
 | <a name="input_infrastructure_vpc_network_availability_zones"></a> [infrastructure\_vpc\_network\_availability\_zones](#input\_infrastructure\_vpc\_network\_availability\_zones) | A list of availability zone characters (eg. ["a", "b", "c"]) | `list(string)` | n/a | yes |
 | <a name="input_infrastructure_vpc_network_enable_private"></a> [infrastructure\_vpc\_network\_enable\_private](#input\_infrastructure\_vpc\_network\_enable\_private) | Enable private networking on Infrastructure VPC. This will create subnets with a route to a NAT Gateway (If Public networking has been enabled) | `bool` | n/a | yes |
 | <a name="input_infrastructure_vpc_network_enable_public"></a> [infrastructure\_vpc\_network\_enable\_public](#input\_infrastructure\_vpc\_network\_enable\_public) | Enable public networking on Infrastructure VPC. This will create subnets with a route to an Internet Gateway | `bool` | n/a | yes |

diff --git a/locals.tf b/locals.tf
@@ -18,27 +18,35 @@ locals {
     local.infrastructure_vpc_flow_logs_s3_with_athena ? ["arn:aws:logs:${local.aws_region}:${local.aws_account_id}:*"] : [],
   )
 
-  infrastructure_vpc                                      = var.infrastructure_vpc
-  infrastructure_vpc_cidr_block                           = var.infrastructure_vpc_cidr_block
-  infrastructure_vpc_enable_dns_support                   = var.infrastructure_vpc_enable_dns_support
-  infrastructure_vpc_enable_dns_hostnames                 = var.infrastructure_vpc_enable_dns_hostnames
-  infrastructure_vpc_instance_tenancy                     = var.infrastructure_vpc_instance_tenancy
-  infrastructure_vpc_enable_network_address_usage_metrics = var.infrastructure_vpc_enable_network_address_usage_metrics
-  infrastructure_vpc_assign_generated_ipv6_cidr_block     = var.infrastructure_vpc_assign_generated_ipv6_cidr_block
-  infrastructure_vpc_network_enable_public                = local.infrastructure_vpc && var.infrastructure_vpc_network_enable_public
-  infrastructure_vpc_network_enable_private               = local.infrastructure_vpc && var.infrastructure_vpc_network_enable_private
-  infrastructure_vpc_network_availability_zones           = toset(sort(var.infrastructure_vpc_network_availability_zones))
-  infrastructure_vpc_network_public_cidr                  = cidrsubnet(local.infrastructure_vpc_cidr_block, 1, 0)
-  infrastructure_vpc_network_public_cidr_prefix           = basename(local.infrastructure_vpc_network_public_cidr)
-  infrastructure_vpc_network_public_cidr_newbits          = 24 - local.infrastructure_vpc_network_public_cidr_prefix
-  infrastructure_vpc_network_private_cidr                 = cidrsubnet(local.infrastructure_vpc_cidr_block, 1, 1)
-  infrastructure_vpc_network_private_cidr_prefix          = basename(local.infrastructure_vpc_network_private_cidr)
-  infrastructure_vpc_network_private_cidr_newbits         = 24 - local.infrastructure_vpc_network_private_cidr_prefix
-  infrastructure_vpc_flow_logs_cloudwatch_logs            = var.infrastructure_vpc_flow_logs_cloudwatch_logs && local.infrastructure_vpc
-  infrastructure_vpc_flow_logs_s3_with_athena             = var.infrastructure_vpc_flow_logs_s3_with_athena && local.infrastructure_vpc
-  infrastructure_vpc_flow_logs_s3_key_prefix              = trim(var.infrastructure_vpc_flow_logs_s3_key_prefix, "/")
-  infrastructure_vpc_flow_logs_retention                  = var.infrastructure_vpc_flow_logs_retention
-  infrastructure_vpc_flow_logs_traffic_type               = var.infrastructure_vpc_flow_logs_traffic_type
+  infrastructure_vpc                                          = var.infrastructure_vpc
+  infrastructure_vpc_cidr_block                               = var.infrastructure_vpc_cidr_block
+  infrastructure_vpc_enable_dns_support                       = var.infrastructure_vpc_enable_dns_support
+  infrastructure_vpc_enable_dns_hostnames                     = var.infrastructure_vpc_enable_dns_hostnames
+  infrastructure_vpc_instance_tenancy                         = var.infrastructure_vpc_instance_tenancy
+  infrastructure_vpc_enable_network_address_usage_metrics     = var.infrastructure_vpc_enable_network_address_usage_metrics
+  infrastructure_vpc_assign_generated_ipv6_cidr_block         = var.infrastructure_vpc_assign_generated_ipv6_cidr_block
+  infrastructure_vpc_network_enable_public                    = local.infrastructure_vpc && var.infrastructure_vpc_network_enable_public
+  infrastructure_vpc_network_enable_private                   = local.infrastructure_vpc && var.infrastructure_vpc_network_enable_private
+  infrastructure_vpc_network_availability_zones               = toset(sort(var.infrastructure_vpc_network_availability_zones))
+  infrastructure_vpc_network_public_cidr                      = cidrsubnet(local.infrastructure_vpc_cidr_block, 1, 0)
+  infrastructure_vpc_network_public_cidr_prefix               = basename(local.infrastructure_vpc_network_public_cidr)
+  infrastructure_vpc_network_public_cidr_newbits              = 24 - local.infrastructure_vpc_network_public_cidr_prefix
+  infrastructure_vpc_network_private_cidr                     = cidrsubnet(local.infrastructure_vpc_cidr_block, 1, 1)
+  infrastructure_vpc_network_private_cidr_prefix              = basename(local.infrastructure_vpc_network_private_cidr)
+  infrastructure_vpc_network_private_cidr_newbits             = 24 - local.infrastructure_vpc_network_private_cidr_prefix
+  infrastructure_vpc_network_acl_egress_lockdown_private      = var.infrastructure_vpc_network_acl_egress_lockdown_private
+  infrastructure_vpc_network_acl_egress_custom_rules_private  = var.infrastructure_vpc_network_acl_egress_custom_rules_private
+  infrastructure_vpc_network_acl_ingress_lockdown_private     = var.infrastructure_vpc_network_acl_ingress_lockdown_private
+  infrastructure_vpc_network_acl_ingress_custom_rules_private = var.infrastructure_vpc_network_acl_ingress_custom_rules_private
+  infrastructure_vpc_network_acl_egress_lockdown_public       = var.infrastructure_vpc_network_acl_egress_lockdown_public
+  infrastructure_vpc_network_acl_egress_custom_rules_public   = var.infrastructure_vpc_network_acl_egress_custom_rules_public
+  infrastructure_vpc_network_acl_ingress_lockdown_public      = var.infrastructure_vpc_network_acl_ingress_lockdown_public
+  infrastructure_vpc_network_acl_ingress_custom_rules_public  = var.infrastructure_vpc_network_acl_ingress_custom_rules_public
+  infrastructure_vpc_flow_logs_cloudwatch_logs                = var.infrastructure_vpc_flow_logs_cloudwatch_logs && local.infrastructure_vpc
+  infrastructure_vpc_flow_logs_s3_with_athena                 = var.infrastructure_vpc_flow_logs_s3_with_athena && local.infrastructure_vpc
+  infrastructure_vpc_flow_logs_s3_key_prefix                  = trim(var.infrastructure_vpc_flow_logs_s3_key_prefix, "/")
+  infrastructure_vpc_flow_logs_retention                      = var.infrastructure_vpc_flow_logs_retention
+  infrastructure_vpc_flow_logs_traffic_type                   = var.infrastructure_vpc_flow_logs_traffic_type
   infrastructure_vpc_flow_logs_glue_table_columns = {
     version             = "int",
     account_id          = "string",

diff --git a/variables.tf b/variables.tf
@@ -102,3 +102,79 @@ variable "infrastructure_vpc_network_availability_zones" {
   description = "A list of availability zone characters (eg. [\"a\", \"b\", \"c\"])"
   type        = list(string)
 }
+
+variable "infrastructure_vpc_network_acl_egress_lockdown_private" {
+  description = "Creates a network ACL for the private subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules."
+  type        = bool
+}
+
+variable "infrastructure_vpc_network_acl_egress_custom_rules_private" {
+  description = "Infrastructure vpc egress custom rules for the private subnets. These will be evaluated before any automatically added rules."
+  type = list(object({
+    protocol        = string
+    from_port       = number
+    to_port         = number
+    action          = string
+    cidr_block      = string
+    ipv6_cidr_block = optional(string, null)
+    icmp_type       = optional(number, null)
+    icmp_code       = optional(number, null)
+  }))
+}
+
+variable "infrastructure_vpc_network_acl_egress_lockdown_public" {
+  description = "Creates a network ACL for the public subnets which blocks all egress traffic, permitting only the ports required for resources deployed by this module and custom rules."
+  type        = bool
+}
+
+variable "infrastructure_vpc_network_acl_egress_custom_rules_public" {
+  description = "Infrastructure vpc egress custom rules for the public subnets. These will be evaluated before any automatically added rules."
+  type = list(object({
+    protocol        = string
+    from_port       = number
+    to_port         = number
+    action          = string
+    cidr_block      = string
+    ipv6_cidr_block = optional(string, null)
+    icmp_type       = optional(number, null)
+    icmp_code       = optional(number, null)
+  }))
+}
+
+variable "infrastructure_vpc_network_acl_ingress_lockdown_private" {
+  description = "Creates a network ACL for the private subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules."
+  type        = bool
+}
+
+variable "infrastructure_vpc_network_acl_ingress_custom_rules_private" {
+  description = "Infrastructure vpc ingress custom rules for the private subnets. These will be evaluated before any automatically added rules."
+  type = list(object({
+    protocol        = string
+    from_port       = number
+    to_port         = number
+    action          = string
+    cidr_block      = string
+    ipv6_cidr_block = optional(string, null)
+    icmp_type       = optional(number, null)
+    icmp_code       = optional(number, null)
+  }))
+}
+
+variable "infrastructure_vpc_network_acl_ingress_lockdown_public" {
+  description = "Creates a network ACL for the public subnets which blocks all ingress traffic, permitting only the ports required for resources deployed by this module and custom rules."
+  type        = bool
+}
+
+variable "infrastructure_vpc_network_acl_ingress_custom_rules_public" {
+  description = "Infrastructure vpc ingress custom rules for the public subnets. These will be evaluated before any automatically added rules."
+  type = list(object({
+    protocol        = string
+    from_port       = number
+    to_port         = number
+    action          = string
+    cidr_block      = string
+    ipv6_cidr_block = optional(string, null)
+    icmp_type       = optional(number, null)
+    icmp_code       = optional(number, null)
+  }))
+}