
Allow network ACL management exclusion for given subnets #898

Closed

samuel-phan opened this issue Feb 27, 2023 · 9 comments

@samuel-phan

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

  • Yes ✅: AWS provider v3+ (I think)

Is your request related to a problem? Please describe.

We would like to test an AZ failure for Business Continuity Plan (BCP) or Chaos engineering.

To simulate an AZ failure, a solution is to flip the network ACL for all the subnets in an AZ and set DENY traffic to all.

Describe the solution you'd like.

We could introduce an input variable to exclude network ACL management for some given subnets.

module "vpc" {
  source = "terraform-aws-modules/vpc/aws"

  private_dedicated_network_acl = true
  private_acl_excluded_subnets  = ["subnet-123456789"]

  # ...
}

resource "aws_network_acl" "block_all" {
  vpc_id     = module.vpc.vpc_id  # the module exposes the VPC id as the vpc_id output
  subnet_ids = ["subnet-123456789"]

  ingress {
    rule_no    = 1
    protocol   = "all"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
    action     = "deny"
  }

  ingress {
    rule_no         = 2
    protocol        = "all"
    from_port       = 0
    to_port         = 0
    ipv6_cidr_block = "::/0"
    action          = "deny"
  }

  egress {
    rule_no    = 1
    protocol   = "all"
    from_port  = 0
    to_port    = 0
    cidr_block = "0.0.0.0/0"
    action     = "deny"
  }

  egress {
    rule_no         = 2
    protocol        = "all"
    from_port       = 0
    to_port         = 0
    ipv6_cidr_block = "::/0"
    action          = "deny"
  }
}

Describe alternatives you've considered.

I don't see any other alternative.

Additional context

Current: (diagram)

BCP test with one AZ failure simulation: (diagram)
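An added example, not code from the issue or from the terraform-aws-modules/vpc project, of the AZ-failure simulation described in the request, written against the AWS provider's own resources: it selects every subnet in one availability zone and re-points each of them at a deny-all NACL. The variable names, the `aws_subnets` filters and the tag are assumptions, and the `aws_network_acl_association` resource is assumed to be available in the provider version in use.

```hcl
# Added example (not from the issue or the vpc module): deny-all NACL for the
# subnets of one availability zone, i.e. the AZ-failure drill from the request.
# Assumptions: provider "aws" is already configured; var.vpc_id and
# var.failed_az are supplied by the operator running the drill.

variable "vpc_id" {
  description = "VPC whose subnets take part in the drill"
  type        = string
}

variable "failed_az" {
  description = "Availability zone to isolate (placeholder, e.g. eu-west-1a)"
  type        = string
}

# Select every subnet that lives in the AZ being "failed".
data "aws_subnets" "failed_az" {
  filter {
    name   = "vpc-id"
    values = [var.vpc_id]
  }
  filter {
    name   = "availability-zone"
    values = [var.failed_az]
  }
}

locals {
  # Two address families per direction -> four deny rules in total.
  # rule_no must be unique within each direction; a null CIDR is omitted.
  deny_rules = {
    ipv4 = { rule_no = 1, cidr_block = "0.0.0.0/0", ipv6_cidr_block = null }
    ipv6 = { rule_no = 2, cidr_block = null, ipv6_cidr_block = "::/0" }
  }
}

resource "aws_network_acl" "block_all" {
  vpc_id = var.vpc_id

  dynamic "ingress" {
    for_each = local.deny_rules
    content {
      rule_no         = ingress.value.rule_no
      protocol        = "-1" # all protocols
      from_port       = 0
      to_port         = 0
      cidr_block      = ingress.value.cidr_block
      ipv6_cidr_block = ingress.value.ipv6_cidr_block
      action          = "deny"
    }
  }

  dynamic "egress" {
    for_each = local.deny_rules
    content {
      rule_no         = egress.value.rule_no
      protocol        = "-1"
      from_port       = 0
      to_port         = 0
      cidr_block      = egress.value.cidr_block
      ipv6_cidr_block = egress.value.ipv6_cidr_block
      action          = "deny"
    }
  }

  tags = {
    Name = "bcp-az-failure-${var.failed_az}" # assumed naming convention
  }
}

# Re-point each subnet in the AZ at the deny-all NACL. A subnet has exactly
# one NACL association, so applying this replaces whatever was there before.
resource "aws_network_acl_association" "block_all" {
  for_each       = toset(data.aws_subnets.failed_az.ids)
  network_acl_id = aws_network_acl.block_all.id
  subnet_id      = each.value
}
```

Because a subnet carries a single NACL association, any other Terraform resource that still lists the same subnet in its `subnet_ids` (for instance the module's dedicated private NACL) will compete with this association and the two will reassociate the subnet back and forth on successive applies; that competition is what the requested `private_acl_excluded_subnets` variable is meant to remove. Keeping the drill in its own root module and state lets it be applied and torn down independently of the VPC configuration.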

@bryantbiggs (Member)

This module already supports NACLs so you would just update the NACL rules - or am I missing something?

@samuel-phan (Author)

But how would I have a custom NACL only for 1 subnet like in the diagram above?

@bryantbiggs (Member)

If you want it specifically for one subnet, I think the route you show above is the correct route (where you provide the NACL and associate it with the subnet(s) of interest). I don't think adding this into the module makes a lot of sense at this time

@samuel-phan (Author)

What I showed above is not what is implemented, but a suggestion of what I'd like.

@bryantbiggs (Member)

> What I showed above is not what is implemented, but a suggestion of what I'd like.

Understood - and I am suggesting that this is an implementation detail left to users, not the module

@samuel-phan (Author)

The part that needs to be part of the module is this one:

  private_acl_excluded_subnets  = ["subnet-123456789"]

@github-actions

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Mar 30, 2023
github-actions bot commented Apr 9, 2023

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Apr 9, 2023
github-actions bot commented May 9, 2023

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 9, 2023