diff --git a/README.md b/README.md index 643423b..00007e3 100644 --- a/README.md +++ b/README.md @@ -68,11 +68,12 @@ module "network" { | create\_dbsubgroup\_private | Create Private Subgroup | `bool` | `false` | no | | create\_dbsubgroup\_public | Create Public Subgroup | `bool` | `false` | no | | create\_dbsubgroup\_secure | Create Secure Subgroup | `bool` | `true` | no | +| db\_subnet\_group\_secure\_name\_compat | Use previous DB subnet group name (-dbsubnet) for backwards compability (secure only) | `bool` | `false` | no | | eip\_allocation\_ids | User-specified primary or secondary private IP address to associate with the Elastic IP address | `list(string)` | `[]` | no | | enable\_firewall\_default\_rule | Enable or disable the default stateful rule. | `bool` | `true` | no | | firewall\_custom\_rule\_arn | The stateful rule group arn created outside the module | `list(string)` | `[]` | no | | firewall\_custom\_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | `list(string)` | `[]` | no | -| firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` |
[
".amazonaws.com",
".github.com"
]
| no | +| firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` |
[
".amazonaws.com",
".github.com"
]
| no | | firewall\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `14` | no | | kms\_key\_arn | The ARN of the KMS Key to use when encrypting log data. | `string` | `""` | no | | kubernetes\_clusters | List of kubernetes cluster names to creates tags in public and private subnets of this VPC | `list(string)` | `[]` | no | @@ -93,6 +94,7 @@ module "network" { | public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` |
[
"0"
]
| no | | public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` |
[
"0"
]
| no | | public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no | +| secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no | | secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no | | tags | Extra tags to attach to resources | `map(string)` | `{}` | no | | transit\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` |
[
"1194"
]
| no | @@ -103,8 +105,15 @@ module "network" { | vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no | | vpc\_endpoint\_dynamodb\_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | `bool` | `true` | no | | vpc\_endpoint\_s3\_gateway | Enable or disable VPC Endpoint for S3 Gateway | `bool` | `true` | no | -| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` |
{ "Statement": 
[
{
"Action":
"\*\",
"Effect\":
"Allow\",
"Resource\":
"\*\",
"Principal\":
\"*\"
}
]
}
| no | -| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) |
list(object(
{
name = string
policy =
optional(string)
allowed_cidrs =
optional(list
(string))
}
))
| `[]` | no | +| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` | `" { + \"Statement\": [ + { + \"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\" + } + ] + } +"` | no | +| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) |
list(object(
{
name = string
policy = optional(string)
allowed_cidrs = optional(list(string))
}
))
| `[]` | no |
 | vpc\_flow\_logs | Enable or disable VPC Flow Logs | `bool` | `true` | no |
 | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group | `number` | `365` | no |
diff --git a/_variables.tf b/_variables.tf
index b1e5844..7f750ee 100644
--- a/_variables.tf
+++ b/_variables.tf
@@ -144,6 +144,12 @@ variable "transit_nacl_inbound_udp_ports" {
   description = "UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty)"
 }
 
+variable "secure_nacl_allow_public" {
+  type = bool
+  default = false
+  description = "Allow traffic between public and secure"
+}
+
 variable "vpc_flow_logs" {
   type = bool
   default = true
@@ -270,6 +276,12 @@ variable "create_dbsubgroup_private" {
   description = "Create Private Subgroup"
 }
 
+variable "db_subnet_group_secure_name_compat" {
+  type = bool
+  default = false
+  description = "Use previous DB subnet group name (-dbsubnet) for backwards compability (secure only)"
+}
+
 locals {
   kubernetes_clusters = zipmap(
     formatlist("kubernetes.io/cluster/%s", var.kubernetes_clusters),
diff --git a/cf-exports.tf b/cf-exports.tf
index b707994..e3ba1cc 100644
--- a/cf-exports.tf
+++ b/cf-exports.tf
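Review bot: The description of `db_subnet_group_secure_name_compat` misspells "compatibility" (`compability`), and the same user-facing string is reproduced in the README table, so both should be fixed together. The `secure_nacl_allow_public` description also understates what the flag does: the rules it gates in nacl-public.tf and nacl-secure.tf of this same commit are `protocol = -1` allows in both directions, which I would spell out, e.g. `description = "Allow all traffic (any protocol/port) between public and secure subnets via NACL rules, in both directions"`. A default of `false` for both flags is the right conservative choice.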
@@ -3,19 +3,19 @@ resource "aws_cloudformation_stack" "tf_exports" {
   template_body = templatefile("${path.module}/cf-exports.yml", {
     "name" = var.cf_export_name != "" ? var.cf_export_name : var.name
     "vars" = {
-      "VpcId" = aws_vpc.default.id,
-      "CidrBlock" = aws_vpc.default.cidr_block,
-      "InternetGatewayId" = aws_internet_gateway.default.id,
-      "PublicSubnetIds" = join(",", aws_subnet.public.*.id),
-      "PublicSubnetCidrs" = join(",", aws_subnet.public.*.cidr_block),
-      "PrivateSubnetIds" = join(",", aws_subnet.private.*.id),
-      "PrivateSubnetCidrs" = join(",", aws_subnet.private.*.cidr_block),
-      "SecureSubnetIds" = join(",", aws_subnet.secure.*.id),
-      "SecureSubnetCidrs" = join(",", aws_subnet.secure.*.cidr_block),
-      "NatGatewayIds" = var.nat ? join(",", aws_nat_gateway.nat_gw.*.id) : "undefined",
-      "DbSubnetGroupId" = aws_db_subnet_group.secure[0].id,
-      "DbSubnetPrivateGroupId" = try(aws_db_subnet_group.private[0].id,"")
-      "DbSubnetPublicGroupId" = try(aws_db_subnet_group.public[0].id,"")
+      "VpcId" = aws_vpc.default.id,
+      "CidrBlock" = aws_vpc.default.cidr_block,
+      "InternetGatewayId" = aws_internet_gateway.default.id,
+      "PublicSubnetIds" = join(",", aws_subnet.public.*.id),
+      "PublicSubnetCidrs" = join(",", aws_subnet.public.*.cidr_block),
+      "PrivateSubnetIds" = join(",", aws_subnet.private.*.id),
+      "PrivateSubnetCidrs" = join(",", aws_subnet.private.*.cidr_block),
+      "SecureSubnetIds" = join(",", aws_subnet.secure.*.id),
+      "SecureSubnetCidrs" = join(",", aws_subnet.secure.*.cidr_block),
+      "NatGatewayIds" = var.nat ? join(",", aws_nat_gateway.nat_gw.*.id) : "undefined",
+      "DbSubnetGroupId" = try(aws_db_subnet_group.secure[0].id, "undefined")
+      "DbSubnetPrivateGroupId" = try(aws_db_subnet_group.private[0].id, "undefined")
+      "DbSubnetPublicGroupId" = try(aws_db_subnet_group.public[0].id, "undefined")
     }
   })
-}
\ No newline at end of file
+}
diff --git a/db-subnet.tf b/db-subnet.tf
index 6c67796..b6fd14f 100644
--- a/db-subnet.tf
+++ b/db-subnet.tf
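Review bot: The fallback exported for `DbSubnetPrivateGroupId` and `DbSubnetPublicGroupId` changes from `""` to `"undefined"` on the last two `+` lines, and any consumer of these CloudFormation exports that tests for an empty string will now misbehave; that is a contract change for downstream stacks and should be stated in the commit message or README. The new value is consistent with the existing `NatGatewayIds` fallback, and if the reason is that CloudFormation rejects empty export values, a comment such as `# CloudFormation export values cannot be empty; "undefined" mirrors NatGatewayIds` would preserve that rationale. The ten re-indented lines above them are pure whitespace and hide the three real changes; a separate formatting commit would have made the intent obvious.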
@@ -1,6 +1,6 @@
 resource "aws_db_subnet_group" "secure" {
   count = var.create_dbsubgroup_secure ? 1 : 0
-  name = lower("${format(local.names[var.name_pattern].db_subnet, var.name, local.name_suffix)}-secure")
+  name = var.db_subnet_group_secure_name_compat ? lower("${var.name}-dbsubnet") : lower("${format(local.names[var.name_pattern].db_subnet, var.name, local.name_suffix)}-secure")
   subnet_ids = aws_subnet.secure.*.id
 
   tags = merge(
diff --git a/nacl-public.tf b/nacl-public.tf
index 953d0df..3a5d174 100644
--- a/nacl-public.tf
+++ b/nacl-public.tf
@@ -167,3 +167,15 @@ resource "aws_network_acl_rule" "in_public_from_private" {
   from_port = 0
   to_port = 0
 }
+
+resource "aws_network_acl_rule" "in_public_from_secure" {
+  count = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.public.id
+  rule_number = count.index + 701
+  egress = false
+  protocol = -1
+  rule_action = "allow"
+  cidr_block = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
+  from_port = 0
+  to_port = 0
+}
diff --git a/nacl-secure.tf b/nacl-secure.tf
index 67e1a35..2adfa79 100644
--- a/nacl-secure.tf
+++ b/nacl-secure.tf
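Review bot: With `db_subnet_group_secure_name_compat = true` the `name` becomes `lower("${var.name}-dbsubnet")`, which drops both `local.names[var.name_pattern].db_subnet` and `local.name_suffix`, so the compat path ignores `name_pattern` entirely; if that is the intended legacy name, the variable description should say so. Because `name` forces replacement of `aws_db_subnet_group`, toggling this flag on an existing deployment will plan a destroy-and-recreate, which AWS refuses while an RDS instance still references the group — worth a warning in the description. The one-line nested conditional would read better as `name = local.db_subnet_group_secure_name` with the two forms computed in `locals`. The resource body continues past the end of the hunk.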
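Review bot: `in_public_from_secure` adds only an ingress rule on the public NACL; NACLs are stateless, so the public-to-secure direction also needs an egress allow on this NACL, and no `out_public_to_secure` counterpart is added here — unless the public NACL already carries a blanket egress rule outside this hunk, the flow will be half-open. The allow is `protocol = -1` over the whole secure CIDR, whereas the other tier rules in this module are driven by port-list variables (`public_nacl_outbound_tcp_ports` and friends); either follow that pattern or document that the flag removes the public/secure boundary. `rule_number = count.index + 701` assumes the 701..(700+n) range is unused by other public ingress rules, which deserves a comment like `# 701+ reserved for secure -> public ingress`. The nested ternary in `count` would be clearer with parentheses around the inner conditional.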
@@ -76,6 +76,26 @@ resource "aws_network_acl_rule" "out_secure_to_transit" {
   cidr_block = var.vpc_cidr_summ != "/0" ? local.transit_subnet_summary : aws_subnet.transit[count.index].cidr_block
 }
 
+resource "aws_network_acl_rule" "in_secure_from_public" {
+  count = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.secure.id
+  rule_number = count.index + 301
+  egress = false
+  protocol = -1
+  rule_action = "allow"
+  cidr_block = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
+}
+
+resource "aws_network_acl_rule" "out_secure_to_public" {
+  count = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.secure.id
+  rule_number = count.index + 301
+  egress = true
+  protocol = -1
+  rule_action = "allow"
+  cidr_block = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
+}
+
 #############
 # S3 Endpoint
 #############
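Review bot: `in_secure_from_public` and `out_secure_to_public` open the secure tier to the public subnets for every protocol and port (`protocol = -1`, no port bounds), the opposite of what the port-list variables used for the other tiers (`transit_nacl_inbound_tcp_ports`, `public_nacl_outbound_*`) enforce; for the subnets this module labels "secure" I would gate the ports with a list variable, or at minimum state in the `secure_nacl_allow_public` description that the flag collapses the public/secure boundary. The `count` expression is a nested ternary without parentheses; `var.secure_nacl_allow_public ? (var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public[*].cidr_block)) : 0` says the same thing readably, and the identical form appears in nacl-public.tf. Using `rule_number = count.index + 301` for both resources is correct only because ingress and egress rule numbers are independent in a NACL, so a comment like `# ingress and egress numbering are separate; 301 is reused deliberately` would stop the next reader from "fixing" it. Whether 301 collides with existing rules on the secure NACL is not visible in this hunk.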