Allow ICMP Network ACL rules #252

4 changes: 2 additions & 2 deletions .pre-commit-config.yaml
@@ -1,10 +1,10 @@
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.11.0
rev: v1.19.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- repo: git://github.com/pre-commit/pre-commit-hooks
rev: v2.2.3
rev: v2.3.0
hooks:
- id: check-merge-conflict
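--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -14,11 +14,13 @@ module "vpc" {
 public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
 elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
 
-public_dedicated_network_acl = true
-public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
-public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+public_dedicated_network_acl = true
+public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
+public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+elasticache_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"])}"
 
-private_dedicated_network_acl = true
+private_dedicated_network_acl = true
+elasticache_dedicated_network_acl = true
 
 assign_generated_ipv6_cidr_block = true
 
@@ -96,6 +98,14 @@ locals {
 protocol = "tcp"
 cidr_block = "0.0.0.0/0"
 },
+{
+rule_number = 140
+rule_action = "allow"
+icmp_code = -1
+icmp_type = 0
+protocol = "icmp"
+cidr_block = "10.0.0.0/22"
+},
 ]
 
 public_outbound = [
@@ -131,6 +141,41 @@ locals {
 protocol = "tcp"
 cidr_block = "10.0.100.0/22"
 },
+{
+rule_number = 140
+rule_action = "allow"
+icmp_code = -1
+icmp_type = 8
+protocol = "icmp"
+cidr_block = "10.0.0.0/22"
+},
+]
+
+elasticache_outbound = [
+{
+rule_number = 100
+rule_action = "allow"
+from_port = 80
+to_port = 80
+protocol = "tcp"
+cidr_block = "0.0.0.0/0"
+},
+{
+rule_number = 110
+rule_action = "allow"
+from_port = 443
+to_port = 443
+protocol = "tcp"
+cidr_block = "0.0.0.0/0"
+},
+{
+rule_number = 140
+rule_action = "allow"
+icmp_code = -1
+icmp_type = 12
+protocol = "icmp"
+cidr_block = "10.0.0.0/22"
+},
 ]
 }
 }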
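Review bot: The new ICMP entries carry bare type numbers (`icmp_type = 0`, `8`, `12`) with no comment, and because network ACLs are stateless a reader copying this example has to work out which direction each type belongs to; on the public_inbound entry add `# ICMP echo reply (type 0), any code - the return half of the outbound echo request (type 8) rule below`, and a matching comment on the public_outbound entry. The `icmp_type = 12` (parameter problem) entry is the only ICMP the elasticache tier may emit, and with no corresponding elasticache inbound rule in this diff its purpose is unclear; if it exists only to exercise the new attributes, a comment should say so. The `cidr_block = "10.0.0.0/22"` peer range also deserves a line explaining what it covers, since none of the subnet CIDRs visible in the first hunk fall inside it; the private subnets defined above the hunk presumably do, but that is not visible here.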
72 changes: 48 additions & 24 deletions main.tf
Expand Up @@ -323,10 +323,12 @@ resource "aws_network_acl_rule" "public_inbound" {
egress = false
rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "public_outbound" {
Expand All @@ -337,10 +339,12 @@ resource "aws_network_acl_rule" "public_outbound" {
egress = true
rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

#######################
Expand All @@ -363,10 +367,12 @@ resource "aws_network_acl_rule" "private_inbound" {
egress = false
rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "private_outbound" {
Expand All @@ -377,10 +383,12 @@ resource "aws_network_acl_rule" "private_outbound" {
egress = true
rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

########################
Expand All @@ -403,10 +411,12 @@ resource "aws_network_acl_rule" "intra_inbound" {
egress = false
rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "intra_outbound" {
Expand All @@ -417,10 +427,12 @@ resource "aws_network_acl_rule" "intra_outbound" {
egress = true
rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

########################
Expand All @@ -443,10 +455,12 @@ resource "aws_network_acl_rule" "database_inbound" {
egress = false
rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "database_outbound" {
Expand All @@ -457,10 +471,12 @@ resource "aws_network_acl_rule" "database_outbound" {
egress = true
rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

########################
Expand All @@ -483,10 +499,12 @@ resource "aws_network_acl_rule" "redshift_inbound" {
egress = false
rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "redshift_outbound" {
Expand All @@ -497,10 +515,12 @@ resource "aws_network_acl_rule" "redshift_outbound" {
egress = true
rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

###########################
Expand All @@ -523,10 +543,12 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
egress = false
rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", "-1")}"
}

resource "aws_network_acl_rule" "elasticache_outbound" {
Expand All @@ -537,10 +559,12 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
egress = true
rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}"
rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}"
from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}"
to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}"
from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", "-1")}"
to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", "-1")}"
protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}"
cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}"
icmp_type = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", "-1")}"
icmp_code = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", "-1")}"
}

##############
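Review bot: Defaulting `from_port`, `to_port`, `icmp_type` and `icmp_code` to `"-1"` changes a failure mode in every one of the twelve rule resources in this file (public, private, intra, database, redshift and elasticache, inbound and outbound): before this change a tcp/udp rule entry that omitted `from_port` failed at plan time in the `lookup`, whereas it now reaches the AWS API with `-1`, and what happens then depends on provider and API validation rather than on Terraform. More important from an ACL-review standpoint, an `icmp` entry that forgets `icmp_type` now silently becomes a match on every ICMP type and code, which is the widest rule that can be written. Since the defaults are applied identically in all twelve resources, a comment at the first one (public_inbound) would cover them: `# Ports default to -1 (no port match) so icmp and all-protocol rules can omit them; tcp/udp rules must still set both.` and `# icmp_type/icmp_code -1 match every type and code - an icmp entry that omits them allows all ICMP.` The same should be stated in the variable descriptions for the `*_acl_rules` inputs, which are outside this diff.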