feat: new nacl module improved with Qoder

modules/networking/nacl/README.md

@@ -1,23 +1,73 @@
-# nacl module
+<!-- This readme file is generated with terraform-docs -->
-This module takes in list(list(string)) and construct NACL using dynamic block.
+## Example
 
-Example code in root module
 ```hcl
 module "nacl" {
-  source = "../../modules/networking/nacl"
+  source = "../"
 
+  # comma-separated values with this field definition
+  # protocol,from_port,to_port,source_cidr,action
   egress_rules = [
-    ["210", "-1", "0", "0", "10.29.0.0/16", "allow"],
+    "-1,0,0,10.29.0.0/16,allow",       # IPv4 - All traffic
-    ["220", "tcp", "443", "443", "10.35.32.0/22", "allow"],
+    "tcp,443,443,10.35.32.0/22,allow", # IPv4 - HTTPS
-    ["230", "udp", "53", "53", "10.35.67.0/24", "allow"]
+    "udp,53,53,10.35.67.0/24,allow"    # IPv4 - DNS
   ]
+  # comma-separated values with this field definition
+  # protocol,from_port,to_port,source_cidr,action
   ingress_rules = [
-    ["310", "-1", "0", "0", "10.29.0.0/16", "allow"],
+    "-1,0,0,10.29.0.0/16,allow",      # IPv4 - All traffic
-    ["320", "tcp", "80", "81", "10.35.32.0/22", "allow"],
+    "tcp,22,22,10.0.0.0/8,allow",     # IPv4 - SSH
-    ["330", "udp", "53", "53", "10.35.67.0/24", "allow"]
+    "tcp,443,443,2001:db8::/32,allow" # IPv6 - HTTPS
   ]
   subnet_ids = ["subnet-0927ba1b06ccfe6c5", "subnet-0551e96ffd016192a"]
   vpc_id     = "vpc-01a10b033169f89a8"
   acl_name   = "test-nacl"
 }
 ```
+
+# nacl module
+
+Code reviewed and improved with Qoder
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+| ---- | ------- |
+| aws | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+| ---- | ---- |
+| [aws_network_acl.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl) | resource |
+| [aws_network_acl_rule.egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+| [aws_network_acl_rule.ingress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_acl_rule) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+| ---- | ----------- | ---- | ------- | :------: |
+| acl\_name | ACL name tag | `string` | n/a | yes |
+| egress\_rules | Egress rules. See example | `list(string)` | n/a | yes |
+| ingress\_rules | Ingress rules. See example | `list(string)` | n/a | yes |
+| subnet\_ids | IDs of subnet to be associated with the nacl | `list(string)` | n/a | yes |
+| vpc\_id | VPC ID | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+| ---- | ----------- |
+| nacl\_arn | n/a |
+| nacl\_id | n/a |
+ 
+---
+## Authorship
+This module was developed by xpk.

modules/networking/nacl/example/main.tf

@@ -0,0 +1,21 @@
+module "nacl" {
+  source = "../"
+
+  # comma-separated values with this field definition
+  # protocol,from_port,to_port,source_cidr,action
+  egress_rules = [
+    "-1,0,0,10.29.0.0/16,allow",       # IPv4 - All traffic
+    "tcp,443,443,10.35.32.0/22,allow", # IPv4 - HTTPS
+    "udp,53,53,10.35.67.0/24,allow"    # IPv4 - DNS
+  ]
+  # comma-separated values with this field definition
+  # protocol,from_port,to_port,source_cidr,action
+  ingress_rules = [
+    "-1,0,0,10.29.0.0/16,allow",      # IPv4 - All traffic
+    "tcp,22,22,10.0.0.0/8,allow",     # IPv4 - SSH
+    "tcp,443,443,2001:db8::/32,allow" # IPv6 - HTTPS
+  ]
+  subnet_ids = ["subnet-0927ba1b06ccfe6c5", "subnet-0551e96ffd016192a"]
+  vpc_id     = "vpc-01a10b033169f89a8"
+  acl_name   = "test-nacl"
+}

modules/networking/nacl/main.tf

@@ -1,3 +1,8 @@
+/**
+* # nacl module
+*
+* Code reviewed and improved with Qoder
+*/
 
 resource "aws_network_acl" "this" {
   vpc_id     = var.vpc_id
@@ -5,28 +10,33 @@ resource "aws_network_acl" "this" {
   tags = {
     Name = var.acl_name
   }
-  dynamic "ingress" {
+}
-    for_each = var.ingress_rules
-    content {
-      rule_no    = ingress.value[0]
-      protocol   = ingress.value[1]
-      from_port  = ingress.value[2]
-      to_port    = ingress.value[3]
-      cidr_block = ingress.value[4]
-      action     = ingress.value[5]
-    }
-  }
 
-  dynamic "egress" {
+resource "aws_network_acl_rule" "ingress" {
-    for_each = var.egress_rules
+  for_each       = { for k, v in var.ingress_rules : k => v }
-    content {
+  network_acl_id = aws_network_acl.this.id
-      rule_no    = egress.value[0]
+  rule_number    = 100 + tonumber(each.key)
-      protocol   = egress.value[1]
+  egress         = false
-      from_port  = egress.value[2]
+  protocol       = split(",", each.value)[0]
-      to_port    = egress.value[3]
+  rule_action    = split(",", each.value)[4]
-      cidr_block = egress.value[4]
+  # Support both IPv4 and IPv6 CIDR blocks
-      action     = egress.value[5]
+  cidr_block      = strcontains(split(",", each.value)[3], "::") ? null : split(",", each.value)[3]
-    }
+  ipv6_cidr_block = strcontains(split(",", each.value)[3], "::") ? split(",", each.value)[3] : null
-  }
+  from_port       = tonumber(split(",", each.value)[1])
+  to_port         = tonumber(split(",", each.value)[2])
 
 }
+
+resource "aws_network_acl_rule" "egress" {
+  for_each       = { for k, v in var.egress_rules : k => v }
+  network_acl_id = aws_network_acl.this.id
+  rule_number    = 100 + tonumber(each.key)
+  egress         = true
+  protocol       = split(",", each.value)[0]
+  rule_action    = split(",", each.value)[4]
+  # Support both IPv4 and IPv6 CIDR blocks
+  cidr_block      = strcontains(split(",", each.value)[3], "::") ? null : split(",", each.value)[3]
+  ipv6_cidr_block = strcontains(split(",", each.value)[3], "::") ? split(",", each.value)[3] : null
+  from_port       = tonumber(split(",", each.value)[1])
+  to_port         = tonumber(split(",", each.value)[2])
+}

modules/networking/nacl/outputs.tf

@@ -0,0 +1,7 @@
+   output "nacl_id" {
+     value = aws_network_acl.this.id
+   }
+   output "nacl_arn" {
+     value = aws_network_acl.this.arn
+   }
+   

modules/networking/nacl/provider.tf

@@ -1,9 +0,0 @@
-terraform {
-  required_version = "~> 1.3.0"
-  required_providers {
-    aws = {
-      source  = "hashicorp/aws"
-      version = ">= 4.0"
-    }
-  }
-}

modules/networking/nacl/variables.tf

@@ -1,19 +1,28 @@
-variable vpc_id {
+variable "vpc_id" {
-  type = string
+  type        = string
+  description = "VPC ID"
 }
 
-variable subnet_ids {
+variable "subnet_ids" {
+  type        = list(string)
+  description = "IDs of subnet to be associated with the nacl"
+}
+
+variable "ingress_rules" {
   type = list(string)
+  description = "Ingress rules. See example"
+  # description = <<-EOT
+  #   List of ingress rules. Example:
+  #   "tcp,443,443,10.35.32.0/22,allow"
+  # EOT
 }
 
-variable ingress_rules {
+variable "egress_rules" {
-  type = list(list(string))
+  type        = list(string)
+  description = "Egress rules. See example"
 }
 
-variable egress_rules {
+variable "acl_name" {
-  type = list(list(string))
+  type        = string
-}
+  description = "ACL name tag"
-
-variable acl_name {
-  type = string
 }