Ensono · ravisinghkr · Jun 13, 2024 · Feb 9, 2024 · Feb 12, 2024 · Feb 20, 2024
diff --git a/aws/modules/infrastructure_modules/eks/eks-cluster.tf b/aws/modules/infrastructure_modules/eks/eks-cluster.tf
@@ -29,26 +29,8 @@ module "eks" {
 
   cluster_security_group_additional_rules = var.cluster_security_group_additional_rules
 
-  node_security_group_additional_rules = {
-    ingress_self_all = {
-      description = "Node to node all ports/protocols"
-      protocol    = "-1"
-      from_port   = 0
-      to_port     = 0
-      type        = "ingress"
-      self        = true
-    }
-
-    egress_all = {
-      description      = "Node all egress"
-      protocol         = "-1"
-      from_port        = 0
-      to_port          = 0
-      type             = "egress"
-      cidr_blocks      = ["0.0.0.0/0"]
-      ipv6_cidr_blocks = ["::/0"]
-    }
-  }
+  node_security_group_additional_rules         = var.node_security_group_additional_rules
+  node_security_group_enable_recommended_rules = var.node_security_group_enable_recommended_rules
 
   cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
 
@@ -68,14 +50,19 @@ module "eks" {
   create_aws_auth_configmap = false
   manage_aws_auth_configmap = false
 
+  create_kms_key = var.create_kms_key
+
   eks_managed_node_group_defaults = {
     disk_size = 50
+
     placement = {
       tenancy = var.eks_node_tenancy
     }
   }
 
   eks_managed_node_groups = local.eks_managed_node_groups
 
+  kms_key_administrators = var.kms_key_administrators
+
   tags = var.tags
 }
diff --git a/aws/modules/infrastructure_modules/eks/variables.tf b/aws/modules/infrastructure_modules/eks/variables.tf
@@ -95,6 +95,7 @@ variable "eks_node_tenancy" {
     error_message = "Value must be one of 'default', 'dedicated', or 'host'."
   }
 }
+
 variable "enable_cis_bootstrap" {
   description = "Set to true to enable the CIS Boostrap, false to disable."
   type        = bool
@@ -139,3 +140,45 @@ variable "image_gc_low_threshold_percent" {
   type        = number
   default     = 80
 }
+
+variable "node_security_group_additional_rules" {
+  description = "List of additional security group rules to add to the node security group created. Set source_cluster_security_group = true inside rules to set the cluster_security_group as source"
+  type        = any
+  default = {
+    ingress_self_all = {
+      description = "Node to node all ports/protocols"
+      protocol    = "-1"
+      from_port   = 0
+      to_port     = 0
+      type        = "ingress"
+      self        = true
+    }
+    egress_all = {
+      description      = "Node all egress"
+      protocol         = "-1"
+      from_port        = 0
+      to_port          = 0
+      type             = "egress"
+      cidr_blocks      = ["0.0.0.0/0"]
+      ipv6_cidr_blocks = ["::/0"]
+    }
+  }
+}
+
+variable "node_security_group_enable_recommended_rules" {
+  description = "Determines whether to enable recommended security group rules for the node security group created. This includes node-to-node TCP ingress on ephemeral ports and allows all egress traffic"
+  type        = bool
+  default     = true
+}
+
+variable "create_kms_key" {
+  description = "Controls if a KMS key for cluster encryption should be created which is true by default, making it false will enable to pass custom kms key and policy"
+  type        = bool
+  default     = true
+}
+
+variable "kms_key_administrators" {
+  type        = list(string)
+  description = "KMS Key administrators for the keys which is used to encrypt data within the EKS Cluster"
+}
+
diff --git a/aws/modules/infrastructure_modules/vpc/network_acls.tf b/aws/modules/infrastructure_modules/vpc/network_acls.tf
@@ -0,0 +1,201 @@
+################################################################################
+# Public Subnet Network ACLs
+################################################################################
+
+resource "aws_network_acl" "public" {
+  count = var.create_public_dedicated_network_acl ? 1 : 0
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = aws_subnet.public[*].id
+
+  tags = merge(
+    { "Name" = "${var.vpc_name}-public-acl" },
+    var.tags
+  )
+}
+
+resource "aws_network_acl_rule" "public_inbound" {
+  count = var.create_public_dedicated_network_acl ? length(var.public_inbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.public[0].id
+
+  egress          = false
+  rule_number     = var.public_inbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.public_inbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.public_inbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.public_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "public_outbound" {
+  count = var.create_public_dedicated_network_acl ? length(var.public_outbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.public[0].id
+
+  egress          = true
+  rule_number     = var.public_outbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.public_outbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.public_outbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+
+################################################################################
+# Private Subnet Network ACLs
+################################################################################
+
+resource "aws_network_acl" "private" {
+  count = var.create_private_dedicated_network_acl ? 1 : 0
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  tags = merge(
+    { "Name" = "${var.vpc_name}-private-acl" },
+    var.tags
+  )
+}
+
+resource "aws_network_acl_rule" "private_inbound" {
+  count = var.create_private_dedicated_network_acl ? length(var.private_inbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.private[0].id
+
+  egress          = false
+  rule_number     = var.private_inbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.private_inbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "private_outbound" {
+  count = var.create_private_dedicated_network_acl ? length(var.private_outbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.private[0].id
+
+  egress          = true
+  rule_number     = var.private_outbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.private_outbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.private_outbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.private_outbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.private_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+################################################################################
+# Database Subnet Network ACLs
+################################################################################
+
+resource "aws_network_acl" "database" {
+  count = var.create_database_dedicated_network_acl ? 1 : 0
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.database_subnets
+
+  tags = merge(
+    { "Name" = "${var.vpc_name}-database-acl" },
+    var.tags
+  )
+}
+
+resource "aws_network_acl_rule" "database_inbound" {
+  count = var.create_database_dedicated_network_acl ? length(var.database_inbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.database[0].id
+
+  egress          = false
+  rule_number     = var.database_inbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.private_inbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.private_inbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.private_inbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.private_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "database_outbound" {
+  count = var.create_database_dedicated_network_acl ? length(var.database_outbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.database[0].id
+
+  egress          = true
+  rule_number     = var.database_outbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.database_outbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.database_outbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.database_outbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.database_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+
+################################################################################
+# Network Firewall Subnet Network ACLs
+################################################################################
+
+resource "aws_network_acl" "network_firewall" {
+  count = var.create_network_firewall_dedicated_network_acl ? 1 : 0
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = aws_subnet.network_firewall[*].id
+
+  tags = merge(
+    { "Name" = "${var.vpc_name}-network-firewall-acl" },
+    var.tags
+  )
+}
+
+resource "aws_network_acl_rule" "network_firewall_inbound" {
+  count = var.create_network_firewall_dedicated_network_acl ? length(var.network_firewall_inbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.network_firewall[0].id
+
+  egress          = false
+  rule_number     = var.network_firewall_inbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.network_firewall_inbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.network_firewall_inbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.network_firewall_inbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.network_firewall_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.network_firewall_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.network_firewall_inbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.network_firewall_inbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.network_firewall_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "firewall_outbound" {
+  count = var.create_network_firewall_dedicated_network_acl ? length(var.network_firewall_outbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.network_firewall[0].id
+
+  egress          = true
+  rule_number     = var.network_firewall_outbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.network_firewall_outbound_acl_rules[count.index]["rule_action"]
+  protocol        = var.network_firewall_outbound_acl_rules[count.index]["protocol"]
+  from_port       = lookup(var.network_firewall_outbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.network_firewall_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.network_firewall_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.network_firewall_outbound_acl_rules[count.index], "icmp_type", null)
+  cidr_block      = lookup(var.network_firewall_outbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.network_firewall_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
diff --git a/aws/modules/infrastructure_modules/vpc/outputs.tf b/aws/modules/infrastructure_modules/vpc/outputs.tf
@@ -17,3 +17,13 @@ output "private_route_table_ids" {
   description = "The IDs of the private routing tables"
   value       = module.vpc.private_route_table_ids
 }
+
+output "private_subnet_cidrs" {
+  description = "The IDs of the public subnets created by this module."
+  value       = module.vpc.private_subnets_cidr_blocks
+}
+
+output "public_subnet_cidrs" {
+  description = "The IDs of the public subnets created by this module."
+  value       = [for k, v in data.aws_availability_zones.available.names : aws_subnet.public[k].cidr_block]
+}