From d53a12a5655eecb6da65df4c87e12a89d672285e Mon Sep 17 00:00:00 2001
From: donovancade <33008451+donovancade@users.noreply.github.com>
Date: Tue, 3 Sep 2019 03:45:19 -0600
Subject: [PATCH] Allow ICMP Network ACL rules (#252)
* Allowing icmp_type and icmp_code for Network ACL rules. Also allowing from_port and to_port to be unset as would be logical in an ICMP rule.
* Adding example Network ACLs to allow pinging from public to private subnets.
* Added all subnets to support NACL
---
 .pre-commit-config.yaml | 4 +-
 examples/network-acls/main.tf | 53 ++++++++++++++++++++++++--
 main.tf | 72 +++++++++++++++++++++++------------
 3 files changed, 99 insertions(+), 30 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 23497e143..6685b9617 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,10 +1,10 @@
 repos:
 - repo: git://github.com/antonbabenko/pre-commit-terraform
- rev: v1.11.0
+ rev: v1.19.0
 hooks:
 - id: terraform_fmt
 - id: terraform_docs
 - repo: git://github.com/pre-commit/pre-commit-hooks
- rev: v2.2.3
+ rev: v2.3.0
 hooks:
 - id: check-merge-conflict
diff --git a/examples/network-acls/main.tf b/examples/network-acls/main.tf
index 0e3f6a29c..85dede49a 100644
--- a/examples/network-acls/main.tf
+++ b/examples/network-acls/main.tf
@@ -14,11 +14,13 @@ module "vpc" {
 public_subnets = ["10.0.101.0/24", "10.0.102.0/24", "10.0.103.0/24"]
 elasticache_subnets = ["10.0.201.0/24", "10.0.202.0/24", "10.0.203.0/24"]
- public_dedicated_network_acl = true
- public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
- public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+ public_dedicated_network_acl = true
+ public_inbound_acl_rules = "${concat(local.network_acls["default_inbound"], local.network_acls["public_inbound"])}"
+ public_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["public_outbound"])}"
+ elasticache_outbound_acl_rules = "${concat(local.network_acls["default_outbound"], local.network_acls["elasticache_outbound"])}"
- private_dedicated_network_acl = true
+ private_dedicated_network_acl = true
+ elasticache_dedicated_network_acl = true
 assign_generated_ipv6_cidr_block = true
@@ -96,6 +98,14 @@ locals {
 protocol = "tcp"
 cidr_block = "0.0.0.0/0"
 },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 0
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
 ]
 public_outbound = [
@@ -131,6 +141,41 @@ locals {
 protocol = "tcp"
 cidr_block = "10.0.100.0/22"
 },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 8
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
+ ]
+
+ elasticache_outbound = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 110
+ rule_action = "allow"
+ from_port = 443
+ to_port = 443
+ protocol = "tcp"
+ cidr_block = "0.0.0.0/0"
+ },
+ {
+ rule_number = 140
+ rule_action = "allow"
+ icmp_code = -1
+ icmp_type = 12
+ protocol = "icmp"
+ cidr_block = "10.0.0.0/22"
+ },
 ]
 }
 }
diff --git a/main.tf b/main.tf
index 940004e77..fb2ae9b0c 100644
--- a/main.tf
+++ b/main.tf
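Review bot: In the first hunk the example enables `elasticache_dedicated_network_acl = true` and supplies `elasticache_outbound_acl_rules`, but no `elasticache_inbound_acl_rules`; since network ACLs are stateless, whether the replies to the new outbound 80/443 and ICMP rules are admitted depends on the module's default inbound rule set, which this example does not show. A comment next to that line would make the intent explicit, e.g. `# inbound relies on the module's default rules; set elasticache_inbound_acl_rules to restrict them`. The three new rule-140 entries pair `icmp_code = -1` (any code) with specific types; naming them (`icmp_type = 0  # echo reply`, `icmp_type = 8  # echo request`, `icmp_type = 12 # parameter problem`) would make the outbound-8/inbound-0 ping pairing and the deliberately open code obvious to readers. The `elasticache_outbound` entries allowing TCP 80 and 443 to `0.0.0.0/0` are the same as the public defaults; if a cache tier really needs internet egress a one-line justification would help, otherwise the example teaches a wider allow than the tier needs.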
@@ -323,10 +323,12 @@ resource "aws_network_acl_rule" "public_inbound" {
 egress = false
 rule_number = "${lookup(var.public_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.public_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.public_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.public_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.public_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.public_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.public_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "public_outbound" {
@@ -337,10 +339,12 @@ resource "aws_network_acl_rule" "public_outbound" {
 egress = true
 rule_number = "${lookup(var.public_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.public_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.public_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.public_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.public_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.public_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.public_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 #######################
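Review bot: The new `"-1"` defaults on `from_port`/`to_port` in `public_inbound` (and the identical edit in `public_outbound` here and in the ten other `aws_network_acl_rule` resources in the hunks on the following lines) mean a TCP or UDP rule whose author forgot the ports no longer fails at plan time; how the provider treats `-1` for those protocols is not visible in this patch, so the defaults deserve a comment such as `# -1 = not applicable (ICMP/all); tcp/udp rules must still set from_port/to_port explicitly`. Likewise `icmp_type`/`icmp_code` defaulting to `"-1"` means an `icmp` rule that omits both keys matches every ICMP type and code, the widest possible ICMP match rather than an error, which is worth stating so an accidentally broad allow is not mistaken for a narrow one. The diffstat lists only three files, so the `*_acl_rules` variable descriptions (presumably in variables.tf, not in this patch) still do not mention the new `icmp_type`/`icmp_code` keys or the now-optional ports; they should be updated in the same change. The enclosing `resource` blocks (their `count` and `network_acl_id` lines) begin outside each hunk.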
@@ -363,10 +367,12 @@ resource "aws_network_acl_rule" "private_inbound" {
 egress = false
 rule_number = "${lookup(var.private_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.private_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.private_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.private_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.private_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.private_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.private_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "private_outbound" {
@@ -377,10 +383,12 @@ resource "aws_network_acl_rule" "private_outbound" {
 egress = true
 rule_number = "${lookup(var.private_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.private_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.private_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.private_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.private_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.private_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.private_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 ########################
@@ -403,10 +411,12 @@ resource "aws_network_acl_rule" "intra_inbound" {
 egress = false
 rule_number = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.intra_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.intra_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.intra_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.intra_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.intra_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "intra_outbound" {
@@ -417,10 +427,12 @@ resource "aws_network_acl_rule" "intra_outbound" {
 egress = true
 rule_number = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.intra_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.intra_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.intra_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.intra_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.intra_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 ########################
@@ -443,10 +455,12 @@ resource "aws_network_acl_rule" "database_inbound" {
 egress = false
 rule_number = "${lookup(var.database_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.database_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.database_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.database_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.database_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.database_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.database_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "database_outbound" {
@@ -457,10 +471,12 @@ resource "aws_network_acl_rule" "database_outbound" {
 egress = true
 rule_number = "${lookup(var.database_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.database_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.database_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.database_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.database_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.database_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.database_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 ########################
@@ -483,10 +499,12 @@ resource "aws_network_acl_rule" "redshift_inbound" {
 egress = false
 rule_number = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.redshift_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.redshift_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.redshift_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.redshift_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "redshift_outbound" {
@@ -497,10 +515,12 @@ resource "aws_network_acl_rule" "redshift_outbound" {
 egress = true
 rule_number = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.redshift_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.redshift_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.redshift_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.redshift_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 ###########################
@@ -523,10 +543,12 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
 egress = false
 rule_number = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.elasticache_inbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.elasticache_inbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.elasticache_inbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 resource "aws_network_acl_rule" "elasticache_outbound" {
@@ -537,10 +559,12 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
 egress = true
 rule_number = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_number")}"
 rule_action = "${lookup(var.elasticache_outbound_acl_rules[count.index], "rule_action")}"
- from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port")}"
- to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port")}"
+ from_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", "-1")}"
+ to_port = "${lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", "-1")}"
 protocol = "${lookup(var.elasticache_outbound_acl_rules[count.index], "protocol")}"
 cidr_block = "${lookup(var.elasticache_outbound_acl_rules[count.index], "cidr_block")}"
+ icmp_type = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", "-1")}"
+ icmp_code = "${lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", "-1")}"
 }
 ##############