Allow ICMP Network ACL rules (#252)

* Allowing icmp_type and icmp_code for Network ACL rules. Also allowing from_port and to_port to be unset as would be logical in an ICMP rule. * Adding example Network ACLs to allow pinging from public to private subnets. * Added all subnets to support NACL
terraform-aws-modules · Sep 3, 2019 · d53a12a · d53a12a
1 parent 58aad07
commit d53a12a
Show file tree

Hide file tree

Showing 3 changed files with 99 additions and 30 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
-  rev: v1.11.0
+  rev: v1.19.0
   hooks:
     - id: terraform_fmt
     - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
-  rev: v2.2.3
+  rev: v2.3.0
   hooks:
     - id: check-merge-conflict
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf
@@ -14,11 +14,13 @@ module "vpc" {
   public_subnets      = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
   elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
 
-  public_dedicated_network_acl = true
-  public_inbound_acl_rules     = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
-  public_outbound_acl_rules    = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+  public_dedicated_network_acl   = true
+  public_inbound_acl_rules       = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
+  public_outbound_acl_rules      = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+  elasticache_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"])}"
 
-  private_dedicated_network_acl = true
+  private_dedicated_network_acl     = true
+  elasticache_dedicated_network_acl = true
 
   assign_generated_ipv6_cidr_block = true
 
@@ -96,6 +98,14 @@ locals {
         protocol    = "tcp"
         cidr_block  = "0.0.0.0/0"
       },
+      {
+        rule_number = 140
+        rule_action = "allow"
+        icmp_code   = -1
+        icmp_type   = 0
+        protocol    = "icmp"
+        cidr_block  = "10.0.0.0/22"
+      },
     ]
 
     public_outbound = [
@@ -131,6 +141,41 @@ locals {
         protocol    = "tcp"
         cidr_block  = "10.0.100.0/22"
       },
+      {
+        rule_number = 140
+        rule_action = "allow"
+        icmp_code   = -1
+        icmp_type   = 8
+        protocol    = "icmp"
+        cidr_block  = "10.0.0.0/22"
+      },
+    ]
+
+    elasticache_outbound = [
+      {
+        rule_number = 100
+        rule_action = "allow"
+        from_port   = 80
+        to_port     = 80
+        protocol    = "tcp"
+        cidr_block  = "0.0.0.0/0"
+      },
+      {
+        rule_number = 110
+        rule_action = "allow"
+        from_port   = 443
+        to_port     = 443
+        protocol    = "tcp"
+        cidr_block  = "0.0.0.0/0"
+      },
+      {
+        rule_number = 140
+        rule_action = "allow"
+        icmp_code   = -1
+        icmp_type   = 12
+        protocol    = "icmp"
+        cidr_block  = "10.0.0.0/22"
+      },
     ]
   }
 }
diff --git a/main.tf b/main.tf
@@ -323,10 +323,12 @@ resource "aws_network_acl_rule" "public_inbound" {
   egress      = false
   rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.public_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.public_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "public_outbound" {
@@ -337,10 +339,12 @@ resource "aws_network_acl_rule" "public_outbound" {
   egress      = true
   rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.public_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.public_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 #######################
@@ -363,10 +367,12 @@ resource "aws_network_acl_rule" "private_inbound" {
   egress      = false
   rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.private_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.private_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "private_outbound" {
@@ -377,10 +383,12 @@ resource "aws_network_acl_rule" "private_outbound" {
   egress      = true
   rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.private_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.private_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 ########################
@@ -403,10 +411,12 @@ resource "aws_network_acl_rule" "intra_inbound" {
   egress      = false
   rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "intra_outbound" {
@@ -417,10 +427,12 @@ resource "aws_network_acl_rule" "intra_outbound" {
   egress      = true
   rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 ########################
@@ -443,10 +455,12 @@ resource "aws_network_acl_rule" "database_inbound" {
   egress      = false
   rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.database_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.database_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "database_outbound" {
@@ -457,10 +471,12 @@ resource "aws_network_acl_rule" "database_outbound" {
   egress      = true
   rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.database_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.database_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 ########################
@@ -483,10 +499,12 @@ resource "aws_network_acl_rule" "redshift_inbound" {
   egress      = false
   rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "redshift_outbound" {
@@ -497,10 +515,12 @@ resource "aws_network_acl_rule" "redshift_outbound" {
   egress      = true
   rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 ###########################
@@ -523,10 +543,12 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
   egress      = false
   rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 resource "aws_network_acl_rule" "elasticache_outbound" {
@@ -537,10 +559,12 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
   egress      = true
   rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}"
   rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}"
-  from_port   = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}"
-  to_port     = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}"
+  from_port   = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", "-1")}"
+  to_port     = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", "-1")}"
   protocol    = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}"
   cidr_block  = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}"
+  icmp_type   = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+  icmp_code   = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 
 ##############