diff --git a/modules/networking/nacl/README.md b/modules/networking/nacl/README.md
index 271275d..05cdd5a 100644
--- a/modules/networking/nacl/README.md
+++ b/modules/networking/nacl/README.md
@@ -1,23 +1,73 @@
-# nacl module
-This module takes in list(list(string)) and construct NACL using dynamic block.
+
+## Example
-Example code in root module
 ```hcl
 module "nacl" {
- source = "../../modules/networking/nacl"
+ source = "../"
+ # comma-separated values with this field definition
+ # protocol,from_port,to_port,source_cidr,action
 egress_rules = [
- ["210", "-1", "0", "0", "10.29.0.0/16", "allow"],
- ["220", "tcp", "443", "443", "10.35.32.0/22", "allow"],
- ["230", "udp", "53", "53", "10.35.67.0/24", "allow"]
+ "-1,0,0,10.29.0.0/16,allow", # IPv4 - All traffic
+ "tcp,443,443,10.35.32.0/22,allow", # IPv4 - HTTPS
+ "udp,53,53,10.35.67.0/24,allow" # IPv4 - DNS
 ]
+ # comma-separated values with this field definition
+ # protocol,from_port,to_port,source_cidr,action
 ingress_rules = [
- ["310", "-1", "0", "0", "10.29.0.0/16", "allow"],
- ["320", "tcp", "80", "81", "10.35.32.0/22", "allow"],
- ["330", "udp", "53", "53", "10.35.67.0/24", "allow"]
+ "-1,0,0,10.29.0.0/16,allow", # IPv4 - All traffic
+ "tcp,22,22,10.0.0.0/8,allow", # IPv4 - SSH
+ "tcp,443,443,2001:db8::/32,allow" # IPv6 - HTTPS
 ]
 subnet_ids = ["subnet-0927ba1b06ccfe6c5", "subnet-0551e96ffd016192a"]
 vpc_id = "vpc-01a10b033169f89a8"
 acl_name = "test-nacl"
 }
-```
\ No newline at end of file
+```
+
+# nacl module
+
+Code reviewed and improved with Qoder
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [aws_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| acl\_name | ACL name tag | `string` | n/a | yes |
+| egress\_rules | Egress rules. See example | `list(string)` | n/a | yes |
+| ingress\_rules | Ingress rules. See example | `list(string)` | n/a | yes |
+| subnet\_ids | IDs of subnet to be associated with the nacl | `list(string)` | n/a | yes |
+| vpc\_id | VPC ID | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| nacl\_arn | n/a |
+| nacl\_id | n/a |
+
+---
+## Authorship
+This module was developed by xpk.
\ No newline at end of file
diff --git a/modules/networking/nacl/example/main.tf b/modules/networking/nacl/example/main.tf
new file mode 100644
index 0000000..4a52ef5
--- /dev/null
+++ b/modules/networking/nacl/example/main.tf
@@ -0,0 +1,21 @@
+module "nacl" {
+ source = "../"
+
+ # comma-separated values with this field definition
+ # protocol,from_port,to_port,source_cidr,action
+ egress_rules = [
+ "-1,0,0,10.29.0.0/16,allow", # IPv4 - All traffic
+ "tcp,443,443,10.35.32.0/22,allow", # IPv4 - HTTPS
+ "udp,53,53,10.35.67.0/24,allow" # IPv4 - DNS
+ ]
+ # comma-separated values with this field definition
+ # protocol,from_port,to_port,source_cidr,action
+ ingress_rules = [
+ "-1,0,0,10.29.0.0/16,allow", # IPv4 - All traffic
+ "tcp,22,22,10.0.0.0/8,allow", # IPv4 - SSH
+ "tcp,443,443,2001:db8::/32,allow" # IPv6 - HTTPS
+ ]
+ subnet_ids = ["subnet-0927ba1b06ccfe6c5", "subnet-0551e96ffd016192a"]
+ vpc_id = "vpc-01a10b033169f89a8"
+ acl_name = "test-nacl"
+}
\ No newline at end of file
diff --git a/modules/networking/nacl/main.tf b/modules/networking/nacl/main.tf
index fac21cd..31b6bc9 100644
--- a/modules/networking/nacl/main.tf
+++ b/modules/networking/nacl/main.tf
@@ -1,3 +1,8 @@
+/**
+* # nacl module
+*
+* Code reviewed and improved with Qoder
+*/
 resource "aws_network_acl" "this" {
 vpc_id = var.vpc_id
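Review bot: The example's rule set does not pass return traffic, because network ACLs are stateless and check each direction on its own: the egress HTTPS and DNS rules to 10.35.32.0/22 and 10.35.67.0/24 have no ingress rule admitting responses on ephemeral ports from those ranges (the only 10.0.0.0/8 ingress entry is tcp/22), the SSH ingress rule from 10.0.0.0/8 has no egress counterpart outside 10.29.0.0/16, and the IPv6 HTTPS ingress rule has no IPv6 egress rule at all. Only flows to and from 10.29.0.0/16 work end to end, through the two `-1` rules. As a minimum the example should carry the ephemeral-port pairs, e.g. `"tcp,1024,65535,10.35.32.0/22,allow"` in ingress_rules and `"tcp,1024,65535,10.0.0.0/8,allow"` plus `"tcp,1024,65535,2001:db8::/32,allow"` in egress_rules, with a comment that the usable port range depends on the client OS. The hard-coded subnet and VPC IDs are placeholders and would read more clearly as variables or a `data` lookup.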
@@ -5,28 +10,33 @@ resource "aws_network_acl" "this" {
 tags = {
 Name = var.acl_name
 }
- dynamic "ingress" {
- for_each = var.ingress_rules
- content {
- rule_no = ingress.value[0]
- protocol = ingress.value[1]
- from_port = ingress.value[2]
- to_port = ingress.value[3]
- cidr_block = ingress.value[4]
- action = ingress.value[5]
- }
- }
+}
- dynamic "egress" {
- for_each = var.egress_rules
- content {
- rule_no = egress.value[0]
- protocol = egress.value[1]
- from_port = egress.value[2]
- to_port = egress.value[3]
- cidr_block = egress.value[4]
- action = egress.value[5]
- }
- }
+resource "aws_network_acl_rule" "ingress" {
+ for_each = { for k, v in var.ingress_rules : k => v }
+ network_acl_id = aws_network_acl.this.id
+ rule_number = 100 + tonumber(each.key)
+ egress = false
+ protocol = split(",", each.value)[0]
+ rule_action = split(",", each.value)[4]
+ # Support both IPv4 and IPv6 CIDR blocks
+ cidr_block = strcontains(split(",", each.value)[3], "::") ? null : split(",", each.value)[3]
+ ipv6_cidr_block = strcontains(split(",", each.value)[3], "::") ? split(",", each.value)[3] : null
+ from_port = tonumber(split(",", each.value)[1])
+ to_port = tonumber(split(",", each.value)[2])
-}
\ No newline at end of file
+}
+
+resource "aws_network_acl_rule" "egress" {
+ for_each = { for k, v in var.egress_rules : k => v }
+ network_acl_id = aws_network_acl.this.id
+ rule_number = 100 + tonumber(each.key)
+ egress = true
+ protocol = split(",", each.value)[0]
+ rule_action = split(",", each.value)[4]
+ # Support both IPv4 and IPv6 CIDR blocks
+ cidr_block = strcontains(split(",", each.value)[3], "::") ? null : split(",", each.value)[3]
+ ipv6_cidr_block = strcontains(split(",", each.value)[3], "::") ? split(",", each.value)[3] : null
+ from_port = tonumber(split(",", each.value)[1])
+ to_port = tonumber(split(",", each.value)[2])
+}
diff --git a/modules/networking/nacl/outputs.tf b/modules/networking/nacl/outputs.tf
new file mode 100644
index 0000000..7fe4254
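Review bot: `strcontains()` on the `cidr_block` and `ipv6_cidr_block` lines exists only from Terraform 1.5, yet this commit also deletes provider.tf and with it the only `required_version` and `required_providers` constraints, so older Terraform fails with an unknown-function error and the aws provider source is no longer pinned; add a versions.tf with `required_version = ">= 1.5"` and the aws provider block back. Testing for `"::"` also misclassifies an IPv6 prefix written in expanded form (e.g. 2001:db8:0:0:0:0:0:0/32), which is then sent as `cidr_block` and would most likely be rejected at apply; any colon is the reliable signal, `cidr_block = strcontains(split(",", each.value)[3], ":") ? null : split(",", each.value)[3]` and the same for `ipv6_cidr_block`, in both the ingress and the egress resource. An entry with fewer than five fields fails with an index error inside these expressions rather than at the variable, so a `validation` block on ingress_rules/egress_rules checking `length(split(",", r)) == 5` would give a clearer message, and the CSV layout has no slot for `icmp_type`/`icmp_code`, so an `icmp` rule cannot be expressed. Because `rule_number` is `100 + list index`, inserting a rule in the middle renumbers, and likely recreates, every later rule on the next apply, and since the lowest matching number wins a broad allow placed first shadows later entries; a comment on `rule_number` saying so would spare users a surprise. Both resources parse the same CSV six times each; a `locals` map built once from `split(",", r)` would remove the duplication.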
--- /dev/null
+++ b/modules/networking/nacl/outputs.tf
@@ -0,0 +1,7 @@
+ output "nacl_id" {
+ value = aws_network_acl.this.id
+ }
+ output "nacl_arn" {
+ value = aws_network_acl.this.arn
+ }
+
\ No newline at end of file
diff --git a/modules/networking/nacl/provider.tf b/modules/networking/nacl/provider.tf
deleted file mode 100644
index afeeedc..0000000
--- a/modules/networking/nacl/provider.tf
+++ /dev/null
@@ -1,9 +0,0 @@
-terraform {
- required_version = "~> 1.3.0"
- required_providers {
- aws = {
- source = "hashicorp/aws"
- version = ">= 4.0"
- }
- }
-}
diff --git a/modules/networking/nacl/variables.tf b/modules/networking/nacl/variables.tf
index 65ef716..1c5c388 100644
--- a/modules/networking/nacl/variables.tf
+++ b/modules/networking/nacl/variables.tf
@@ -1,19 +1,28 @@
-variable vpc_id {
- type = string
+variable "vpc_id" {
+ type = string
+ description = "VPC ID"
 }
-variable subnet_ids {
+variable "subnet_ids" {
+ type = list(string)
+ description = "IDs of subnet to be associated with the nacl"
+}
+
+variable "ingress_rules" {
 type = list(string)
+ description = "Ingress rules. See example"
+ # description = <<-EOT
+ # List of ingress rules. Example:
+ # "tcp,443,443,10.35.32.0/22,allow"
+ # EOT
 }
-variable ingress_rules {
- type = list(list(string))
+variable "egress_rules" {
+ type = list(string)
+ description = "Egress rules. See example"
 }
-variable egress_rules {
- type = list(list(string))
-}
-
-variable acl_name {
- type = string
+variable "acl_name" {
+ type = string
+ description = "ACL name tag"
 }
\ No newline at end of file
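Review bot: Both `output` blocks lack a `description`, which is why the README table shows `n/a` for nacl_id and nacl_arn; add `description = "ID of the network ACL"` and `description = "ARN of the network ACL"` respectively. The file is also indented by a leading space throughout and ends in a whitespace-only line without a newline, which `terraform fmt` would rewrite; running it before commit keeps future diffs clean.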
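Review bot: The commented-out heredoc under `ingress_rules` is dead text sitting next to an active `description` that only says "See example"; the CSV layout `protocol,from_port,to_port,source_cidr,action` belongs in the description itself, so either promote the heredoc or drop it, and give `egress_rules` the same wording. Neither list variable is validated, so a malformed entry only surfaces later as an index error in main.tf; a validation block such as `condition = alltrue([for r in var.ingress_rules : length(split(",", r)) == 5])` with `error_message = "Each rule must be protocol,from_port,to_port,source_cidr,action"` catches it at plan time and could also restrict the last field to `allow`/`deny`. The same applies to `egress_rules`.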