From d66d33d79bedbab33d5d06c65c14602659692f3f Mon Sep 17 00:00:00 2001 From: Ryan Goh <1871494+ryanoolala@users.noreply.github.com> Date: Fri, 26 Jul 2024 16:52:59 +0800 Subject: [PATCH] feat: add ability to not use the default nacl from this module passthrough nacl input variables to original module --- main.tf | 18 ++++- nacl.tf | 194 +++++++++++++++++++++++++-------------------------- outputs.tf | 8 +-- variables.tf | 184 ++++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 302 insertions(+), 102 deletions(-) diff --git a/main.tf b/main.tf index 032f956..8658e2d 100644 --- a/main.tf +++ b/main.tf @@ -24,7 +24,7 @@ resource "aws_eip" "nat" { # virtual private cloud creator module "vpc" { - source = "github.com/GovTechSG/terraform-aws-vpc-forked?ref=v4.0.0" + source = "github.com/GovTechSG/terraform-aws-vpc-forked?ref=v4.0.4" # meta data name = var.vpc_name @@ -54,6 +54,22 @@ module "vpc" { firewall_inbound_acl_rules = var.firewall_inbound_acl_rules firewall_outbound_acl_rules = var.firewall_outbound_acl_rules + public_dedicated_network_acl = var.public_dedicated_network_acl + public_inbound_acl_rules = var.public_inbound_acl_rules + public_outbound_acl_rules = var.public_outbound_acl_rules + + private_dedicated_network_acl = var.private_dedicated_network_acl + private_inbound_acl_rules = var.private_inbound_acl_rules + private_outbound_acl_rules = var.private_outbound_acl_rules + + intra_dedicated_network_acl = var.intra_dedicated_network_acl + intra_inbound_acl_rules = var.intra_inbound_acl_rules + intra_outbound_acl_rules = var.intra_outbound_acl_rules + + database_dedicated_network_acl = var.database_dedicated_network_acl + database_inbound_acl_rules = var.database_inbound_acl_rules + database_outbound_acl_rules = var.database_outbound_acl_rules + private_subnets = var.private_subnets private_subnet_tags = merge( diff --git a/nacl.tf b/nacl.tf index 7ea3dea..7f98cb0 100644 --- a/nacl.tf +++ b/nacl.tf 
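Review bot: Setting any of the new `*_dedicated_network_acl` inputs to true silently drops the baseline deny rules this module creates in nacl.tf (the RDP and SSH denies from `0.0.0.0/0`), because the upstream module's `*_inbound_acl_rules`/`*_outbound_acl_rules` lists then become the only rules on those subnets, and nothing in the `@@ -54` hunk checks that a caller who opts out actually supplied a rule set. The defaults for the new variables live in variables.tf, which is not in this chunk, so whether an empty or allow-all list can reach the upstream module cannot be confirmed here. I would add a comment above the new passthrough block, `# *_dedicated_network_acl = true hands the subnet ACL entirely to the upstream module; the hardened rules in nacl.tf are then not created, so the caller's *_inbound/outbound_acl_rules must carry the baseline denies.`, and, if the project's required Terraform version allows it, a `check` block (or a cross-variable `validation`, Terraform 1.9+) asserting that a dedicated ACL is never enabled with an empty rule list. Flipping the flag on an existing deployment likely replaces the subnet's ACL within one apply, so it should be treated as a cut-over rather than a free toggle. The `module "vpc"` block starts and ends outside the hunk.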
@@ -27,28 +27,28 @@ data "aws_network_acls" "default" { } resource "aws_network_acl" "private" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets tags = merge({ "Name" = "${var.vpc_name}-private" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "public" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.public_subnets tags = merge({ "Name" = "${var.vpc_name}-public" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "intra" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.intra_subnets tags = merge({ "Name" = "${var.vpc_name}-intra" }, var.tags, local.tags, var.folder) } resource "aws_network_acl" "database" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.database_subnets tags = merge({ "Name" = "${var.vpc_name}-database" }, var.tags, local.tags, var.folder) @@ -60,7 +60,7 @@ resource "aws_network_acl" "database" { ########################### resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 110 @@ -71,7 +71,7 @@ resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 110 cidr_block = "0.0.0.0/0" 
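Review bot: The guard `local.create_private && !var.private_dedicated_network_acl` (and its public, intra and database twins) is pasted verbatim into the `count` of every `aws_network_acl` and `aws_network_acl_rule` resource in this hunk and in every following nacl.tf hunk through `@@ -996`, so a later change to the opt-out condition has roughly ninety places to miss. Hoisting it once into locals, e.g. `create_private_nacl = local.create_private && !var.private_dedicated_network_acl` and `create_public_nacl = local.create_public && !var.public_dedicated_network_acl` (likewise for intra and database), and writing `count = local.create_private_nacl ? 1 : 0` keeps each rule resource tied to exactly the same condition as the ACL it indexes through `aws_network_acl.private[0].id`. The `locals` block that defines `create_private` is not in this chunk, so the new entries would go wherever those are declared. The `aws_network_acl_rule` resource at the end of the hunk continues outside it.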
@@ -83,7 +83,7 @@ resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny_udp" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 120 @@ -94,7 +94,7 @@ resource "aws_network_acl_rule" "public_inbound_rdp_rule_deny_udp" { } resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny_udp" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 120 cidr_block = "0.0.0.0/0" @@ -106,7 +106,7 @@ resource "aws_network_acl_rule" "public_outbound_rdp_rule_deny_udp" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 130 cidr_block = module.vpc.vpc_cidr_block @@ -117,7 +117,7 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 130 cidr_block = module.vpc.vpc_cidr_block @@ -129,7 +129,7 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule_secondary_cidr" { - count = local.create_public ? length(var.secondary_cidr_blocks) : 0 + count = local.create_public && !var.public_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 140 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -140,7 +140,7 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule_secondary_cidr" { - count = local.create_public ? length(var.secondary_cidr_blocks) : 0 + count = local.create_public && !var.public_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 140 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -152,7 +152,7 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "public_inbound_ssh_rule_deny" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id cidr_block = "0.0.0.0/0" rule_number = 150 @@ -163,7 +163,7 @@ resource "aws_network_acl_rule" "public_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "public_outbound_ssh_rule_deny" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 150 cidr_block = "0.0.0.0/0" @@ -175,7 +175,7 @@ resource "aws_network_acl_rule" "public_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "public_inbound_allow_all_rule" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 160 cidr_block = "0.0.0.0/0" @@ -186,7 +186,7 @@ resource "aws_network_acl_rule" "public_inbound_allow_all_rule" { } resource "aws_network_acl_rule" "public_outbound_allow_all_rule" { - count = local.create_public ? 1 : 0 + count = local.create_public && !var.public_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.public[0].id rule_number = 160 cidr_block = "0.0.0.0/0" 
@@ -201,7 +201,7 @@ resource "aws_network_acl_rule" "public_outbound_allow_all_rule" { # Private subnet ACL ########################### resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 110 @@ -212,7 +212,7 @@ resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 110 cidr_block = "0.0.0.0/0" @@ -224,7 +224,7 @@ resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny_udp" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 120 @@ -235,7 +235,7 @@ resource "aws_network_acl_rule" "private_inbound_rdp_rule_deny_udp" { } resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny_udp" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 120 cidr_block = "0.0.0.0/0" @@ -247,7 +247,7 @@ resource "aws_network_acl_rule" "private_outbound_rdp_rule_deny_udp" { } resource "aws_network_acl_rule" "private_inbound_allow_80_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 200 cidr_block = "0.0.0.0/0" 
@@ -258,7 +258,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_80_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_80_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 200 cidr_block = "0.0.0.0/0" @@ -270,7 +270,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_80_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_443_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 210 cidr_block = "0.0.0.0/0" @@ -281,7 +281,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_443_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 210 cidr_block = "0.0.0.0/0" @@ -293,7 +293,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "private_inbound_nfs_111_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 220 cidr_block = module.vpc.vpc_cidr_block @@ -304,7 +304,7 @@ resource "aws_network_acl_rule" "private_inbound_nfs_111_rule" { } resource "aws_network_acl_rule" "private_outbound_nfs_111_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 220 cidr_block = module.vpc.vpc_cidr_block 
@@ -316,7 +316,7 @@ resource "aws_network_acl_rule" "private_outbound_nfs_111_rule" { } resource "aws_network_acl_rule" "private_inbound_nfs_111_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 230 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -327,7 +327,7 @@ resource "aws_network_acl_rule" "private_inbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_nfs_111_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 230 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -339,7 +339,7 @@ resource "aws_network_acl_rule" "private_outbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 240 cidr_block = module.vpc.vpc_cidr_block @@ -350,7 +350,7 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 240 cidr_block = module.vpc.vpc_cidr_block 
@@ -362,7 +362,7 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 250 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -373,7 +373,7 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 250 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -385,7 +385,7 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_ldap_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 260 cidr_block = module.vpc.vpc_cidr_block @@ -396,7 +396,7 @@ resource "aws_network_acl_rule" "private_inbound_ldap_rule" { } resource "aws_network_acl_rule" "private_outbound_ldap_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 260 cidr_block = module.vpc.vpc_cidr_block 
@@ -408,7 +408,7 @@ resource "aws_network_acl_rule" "private_outbound_ldap_rule" { } resource "aws_network_acl_rule" "private_inbound_ldap_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 270 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -419,7 +419,7 @@ resource "aws_network_acl_rule" "private_inbound_ldap_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_ldap_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 270 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -431,7 +431,7 @@ resource "aws_network_acl_rule" "private_outbound_ldap_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_openvpn_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 280 cidr_block = module.vpc.vpc_cidr_block @@ -442,7 +442,7 @@ resource "aws_network_acl_rule" "private_inbound_openvpn_rule" { } resource "aws_network_acl_rule" "private_outbound_openvpn_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 280 cidr_block = module.vpc.vpc_cidr_block 
@@ -454,7 +454,7 @@ resource "aws_network_acl_rule" "private_outbound_openvpn_rule" { } resource "aws_network_acl_rule" "private_inbound_openvpn_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 290 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -465,7 +465,7 @@ resource "aws_network_acl_rule" "private_inbound_openvpn_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_openvpn_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 290 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -477,7 +477,7 @@ resource "aws_network_acl_rule" "private_outbound_openvpn_rule_secondary_cidr" { } resource "aws_network_acl_rule" "private_inbound_ssh_rule_deny" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id cidr_block = "0.0.0.0/0" rule_number = 300 @@ -488,7 +488,7 @@ resource "aws_network_acl_rule" "private_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "private_outbound_ssh_rule_deny" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 300 cidr_block = "0.0.0.0/0" 
@@ -500,7 +500,7 @@ resource "aws_network_acl_rule" "private_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "private_inbound_allow_smtp_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 900 cidr_block = "0.0.0.0/0" @@ -511,7 +511,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_smtp_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_smtp_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 900 cidr_block = "0.0.0.0/0" @@ -523,7 +523,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_smtp_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 910 cidr_block = module.vpc.vpc_cidr_block @@ -534,7 +534,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 910 cidr_block = module.vpc.vpc_cidr_block @@ -546,7 +546,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_rule" { } resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 920 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -557,7 +557,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_bgp_179_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 920 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -569,7 +569,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_bgp_179_secondary_cidr" } resource "aws_network_acl_rule" "private_inbound_allow_all_ephemeral_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1100 cidr_block = "0.0.0.0/0" @@ -580,7 +580,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1100 cidr_block = module.vpc.vpc_cidr_block @@ -592,7 +592,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1110 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -604,7 +604,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_ephemeral_rule_secon } resource "aws_network_acl_rule" "private_inbound_allow_all_udp" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block @@ -615,7 +615,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_udp" { } resource "aws_network_acl_rule" "private_outbound_allow_all_udp" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block @@ -627,9 +627,9 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_udp" { } resource "aws_network_acl_rule" "private_inbound_allow_all_udp_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id - rule_number = 1100 + count.index + rule_number = 1101 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" from_port = 1 @@ -638,9 +638,9 @@ resource "aws_network_acl_rule" "private_inbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "private_outbound_allow_all_udp_secondary_cidr" { - count = local.create_private ? length(var.secondary_cidr_blocks) : 0 + count = local.create_private && !var.private_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.private[0].id - rule_number = 1100 + count.index + rule_number = 1101 + count.index cidr_block = var.secondary_cidr_blocks[count.index] protocol = "udp" from_port = 1 
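Review bot: The new `rule_number = 1101 + count.index` in `private_inbound_allow_all_udp_secondary_cidr` and `private_outbound_allow_all_udp_secondary_cidr` removes the clash with the ephemeral rules at 1100, but on the outbound side it still collides with `private_outbound_allow_all_ephemeral_rule_secondary_cidr`, which uses `rule_number = 1110 + count.index` in the `@@ -592` hunk, as soon as ten or more secondary CIDR blocks are configured. The intra section already lays this out as `rule_number = 1010 + count.index` directly after the primary UDP rule at 1000 (`@@ -907` hunk), so `rule_number = 1010 + count.index` here would mirror that and keep the 1100 range free. Since the number is already being moved in this commit, this is the moment to pick the final value; moving `rule_number` again later would presumably recreate the rules on every existing deployment. The `egress`, `to_port` and `rule_action` attributes of both resources lie outside the hunk.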
@@ -650,7 +650,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_all_udp_secondary_cidr" } resource "aws_network_acl_rule" "private_inbound_allow_tcp_dns" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1200 cidr_block = "0.0.0.0/0" @@ -661,7 +661,7 @@ resource "aws_network_acl_rule" "private_inbound_allow_tcp_dns" { } resource "aws_network_acl_rule" "private_outbound_allow_tcp_dns" { - count = local.create_private ? 1 : 0 + count = local.create_private && !var.private_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.private[0].id rule_number = 1200 cidr_block = "0.0.0.0/0" @@ -677,7 +677,7 @@ resource "aws_network_acl_rule" "private_outbound_allow_tcp_dns" { ########################### resource "aws_network_acl_rule" "intra_inbound_rdp_rule_deny" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id cidr_block = "0.0.0.0/0" rule_number = 110 @@ -688,7 +688,7 @@ resource "aws_network_acl_rule" "intra_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "intra_outbound_rdp_rule_deny" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 110 cidr_block = "0.0.0.0/0" @@ -700,7 +700,7 @@ resource "aws_network_acl_rule" "intra_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "intranet_inbound_allow_443_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 200 cidr_block = "0.0.0.0/0" 
@@ -711,7 +711,7 @@ resource "aws_network_acl_rule" "intranet_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "intranet_outbound_allow_443_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 200 cidr_block = "0.0.0.0/0" @@ -723,7 +723,7 @@ resource "aws_network_acl_rule" "intranet_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 210 cidr_block = module.vpc.vpc_cidr_block @@ -734,7 +734,7 @@ resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule" { } resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 210 cidr_block = module.vpc.vpc_cidr_block @@ -746,7 +746,7 @@ resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule" { } resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 220 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -757,7 +757,7 @@ resource "aws_network_acl_rule" "intranet_inbound_nfs_111_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 220 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -769,7 +769,7 @@ resource "aws_network_acl_rule" "intranet_outbound_nfs_111_rule_secondary_cidr" } resource "aws_network_acl_rule" "intranet_inbound_ssh_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 230 cidr_block = module.vpc.vpc_cidr_block @@ -780,7 +780,7 @@ resource "aws_network_acl_rule" "intranet_inbound_ssh_rule" { } resource "aws_network_acl_rule" "intranet_outbound_ssh_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 230 cidr_block = module.vpc.vpc_cidr_block @@ -792,7 +792,7 @@ resource "aws_network_acl_rule" "intranet_outbound_ssh_rule" { } resource "aws_network_acl_rule" "intranet_inbound_ssh_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 240 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -803,7 +803,7 @@ resource "aws_network_acl_rule" "intranet_inbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_ssh_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 240 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -815,7 +815,7 @@ resource "aws_network_acl_rule" "intranet_outbound_ssh_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intra_inbound_ssh_rule_deny" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 250 cidr_block = "0.0.0.0/0" @@ -826,7 +826,7 @@ resource "aws_network_acl_rule" "intra_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "intra_outbound_ssh_rule_deny" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 250 cidr_block = "0.0.0.0/0" @@ -838,7 +838,7 @@ resource "aws_network_acl_rule" "intra_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 910 cidr_block = module.vpc.vpc_cidr_block @@ -849,7 +849,7 @@ resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule" { } resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 910 cidr_block = module.vpc.vpc_cidr_block 
@@ -861,7 +861,7 @@ resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule" { } resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 920 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -872,7 +872,7 @@ resource "aws_network_acl_rule" "intranet_inbound_bgp_179_rule_secondary_cidr" { } resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 920 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -884,7 +884,7 @@ resource "aws_network_acl_rule" "intranet_outbound_bgp_179_rule_secondary_cidr" } resource "aws_network_acl_rule" "intra_inbound_allow_all_udp" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block @@ -895,7 +895,7 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_udp" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_udp" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block 
@@ -907,7 +907,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_udp" { } resource "aws_network_acl_rule" "intra_inbound_allow_all_udp_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1010 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -918,7 +918,7 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_udp_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1010 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -930,7 +930,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_udp_secondary_cidr" { } resource "aws_network_acl_rule" "intra_inbound_allow_all_ephemeral_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1100 cidr_block = "0.0.0.0/0" @@ -941,7 +941,7 @@ resource "aws_network_acl_rule" "intra_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1100 cidr_block = module.vpc.vpc_cidr_block 
@@ -953,7 +953,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule_secondary_cidr" { - count = local.create_intranet ? length(var.secondary_cidr_blocks) : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1110 + count.index cidr_block = var.secondary_cidr_blocks[count.index] @@ -973,7 +973,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule_seconda # Appliance mode allows you to deploy virtual appliances for functions like routing, # firewalling etc across connected VPCs. resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule_tgw" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1150 cidr_block = "0.0.0.0/0" @@ -985,7 +985,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_all_ephemeral_rule_tgw" { } resource "aws_network_acl_rule" "intra_inbound_allow_tcp_dns" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1200 cidr_block = "0.0.0.0/0" @@ -996,7 +996,7 @@ resource "aws_network_acl_rule" "intra_inbound_allow_tcp_dns" { } resource "aws_network_acl_rule" "intra_outbound_allow_tcp_dns" { - count = local.create_intranet ? 1 : 0 + count = local.create_intranet && !var.intra_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.intra[0].id rule_number = 1200 cidr_block = "0.0.0.0/0" 
@@ -1011,7 +1011,7 @@ resource "aws_network_acl_rule" "intra_outbound_allow_tcp_dns" { # Database subnet ACL ########################### resource "aws_network_acl_rule" "database_inbound_rdp_rule_deny" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id cidr_block = "0.0.0.0/0" rule_number = 110 @@ -1022,7 +1022,7 @@ resource "aws_network_acl_rule" "database_inbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "database_outbound_rdp_rule_deny" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 110 cidr_block = "0.0.0.0/0" @@ -1034,7 +1034,7 @@ resource "aws_network_acl_rule" "database_outbound_rdp_rule_deny" { } resource "aws_network_acl_rule" "database_inbound_ssh_rule_deny" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id cidr_block = "0.0.0.0/0" rule_number = 120 @@ -1045,7 +1045,7 @@ resource "aws_network_acl_rule" "database_inbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "database_outbound_ssh_rule_deny" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 120 cidr_block = "0.0.0.0/0" @@ -1057,7 +1057,7 @@ resource "aws_network_acl_rule" "database_outbound_ssh_rule_deny" { } resource "aws_network_acl_rule" "database_inbound_allow_443_rule" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 200 cidr_block = "0.0.0.0/0" 
@@ -1068,7 +1068,7 @@ resource "aws_network_acl_rule" "database_inbound_allow_443_rule" { } resource "aws_network_acl_rule" "database_outbound_allow_443_rule" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 200 cidr_block = "0.0.0.0/0" @@ -1080,7 +1080,7 @@ resource "aws_network_acl_rule" "database_outbound_allow_443_rule" { } resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block @@ -1091,7 +1091,7 @@ resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "database_outbound_allow_all_ephemeral_rule" { - count = local.create_database ? 1 : 0 + count = local.create_database && !var.database_dedicated_network_acl ? 1 : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 1000 cidr_block = module.vpc.vpc_cidr_block @@ -1103,7 +1103,7 @@ resource "aws_network_acl_rule" "database_outbound_allow_all_ephemeral_rule" { } resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule_secondary_cidr" { - count = local.create_database ? length(var.secondary_cidr_blocks) : 0 + count = local.create_database && !var.database_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 1010 + count.index cidr_block = var.secondary_cidr_blocks[count.index] 
@@ -1114,7 +1114,7 @@ resource "aws_network_acl_rule" "database_inbound_allow_all_ephemeral_rule_secon } resource "aws_network_acl_rule" "database_outbound_allow_all_ephemeral_rule_secondary_cidr" { - count = local.create_database ? length(var.secondary_cidr_blocks) : 0 + count = local.create_database && !var.database_dedicated_network_acl ? length(var.secondary_cidr_blocks) : 0 network_acl_id = aws_network_acl.database[0].id rule_number = 1010 + count.index cidr_block = var.secondary_cidr_blocks[count.index] diff --git a/outputs.tf b/outputs.tf index a7d5b5e..62e5f4a 100644 --- a/outputs.tf +++ b/outputs.tf @@ -194,22 +194,22 @@ output "https_security_group_id" { output "public_network_acl_id" { description = "The ID of the public network ACL" - value = local.create_public ? aws_network_acl.public[0].id : "" + value = local.create_public && !var.public_dedicated_network_acl ? aws_network_acl.public[0].id : "" } output "intranet_network_acl_id" { description = "The ID of the intra network ACL" - value = local.create_intranet ? aws_network_acl.intra[0].id : "" + value = local.create_intranet && !var.intra_dedicated_network_acl ? aws_network_acl.intra[0].id : "" } output "private_network_acl_id" { description = "The ID of the privatenetwork ACL" - value = local.create_private ? aws_network_acl.private[0].id : "" + value = local.create_private && !var.private_dedicated_network_acl ? aws_network_acl.private[0].id : "" } output "database_network_acl_id" { description = "The ID of the database network ACL" - value = local.create_database ? aws_network_acl.database[0].id : "" + value = local.create_database && !var.database_dedicated_network_acl ? aws_network_acl.database[0].id : "" } output "firewall_network_acl_id" { diff --git a/variables.tf b/variables.tf index 1359d7a..e128cf3 100644 --- a/variables.tf +++ b/variables.tf 
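Review bot: With `*_dedicated_network_acl = true` each of the four outputs now returns `""` even though a network ACL is still attached to those subnets, just created inside `module.vpc` instead of here, so consumers that read the ID to attach further rules silently lose it. If the forked vpc module exposes the corresponding outputs, fall back to them, e.g. `value = local.create_public ? (var.public_dedicated_network_acl ? module.vpc.public_network_acl_id : aws_network_acl.public[0].id) : ""`; if it does not, state in each `description` that the value is empty when the dedicated-ACL toggle is set. The pre-existing description `"The ID of the privatenetwork ACL"` in the context lines could be fixed in the same pass.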
@@ -403,3 +403,187 @@ variable "default_route_table_tags" {
 type = map(string)
 default = {}
 }
+
+################################################################################
+# Public Network ACLs
+################################################################################
+
+variable "public_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
+ type = bool
+ default = false
+}
+
+variable "public_inbound_acl_rules" {
+ description = "Public subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "public_outbound_acl_rules" {
+ description = "Public subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "public_acl_tags" {
+ description = "Additional tags for the public subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Private Network ACLs
+################################################################################
+
+variable "private_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for private subnets"
+ type = bool
+ default = false
+}
+
+variable "private_inbound_acl_rules" {
+ description = "Private subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_outbound_acl_rules" {
+ description = "Private subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "private_acl_tags" {
+ description = "Additional tags for the private subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Database Network ACLs
+################################################################################
+
+variable "database_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for database subnets"
+ type = bool
+ default = false
+}
+
+variable "database_inbound_acl_rules" {
+ description = "Database subnets inbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_outbound_acl_rules" {
+ description = "Database subnets outbound network ACL rules"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "database_acl_tags" {
+ description = "Additional tags for the database subnets network ACL"
+ type = map(string)
+ default = {}
+}
+
+################################################################################
+# Intra Network ACLs
+################################################################################
+
+variable "intra_dedicated_network_acl" {
+ description = "Whether to use dedicated network ACL (not default) and custom rules for intra subnets"
+ type = bool
+ default = false
+}
+
+variable "intra_inbound_acl_rules" {
+ description = "Intra subnets inbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_outbound_acl_rules" {
+ description = "Intra subnets outbound network ACLs"
+ type = list(map(string))
+ default = [
+ {
+ rule_number = 100
+ rule_action = "allow"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_block = "0.0.0.0/0"
+ },
+ ]
+}
+
+variable "intra_acl_tags" {
+ description = "Additional tags for the intra subnets network ACL"
+ type = map(string)
+ default = {}
+}
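Review bot: The four `*_dedicated_network_acl` descriptions should say what the toggle gives up: when it is true this module creates neither its ACL nor any of its rules (the RDP/SSH deny rules and the scoped ephemeral, DNS and BGP allows in nacl.tf), and the ACL the vpc module creates instead is populated from `*_inbound_acl_rules`/`*_outbound_acl_rules`, whose defaults here are a single `rule_action = "allow"`, `protocol = "-1"`, `cidr_block = "0.0.0.0/0"` entry in each direction. Suggested wording: `description = "Use the vpc module's dedicated network ACL instead of the hardened ACL created by this module. When true none of this module's rules are created; set <prefix>_inbound_acl_rules/_outbound_acl_rules, since their defaults permit all traffic."`. Separately, `public_acl_tags`, `private_acl_tags`, `database_acl_tags` and `intra_acl_tags` are declared here but do not appear to be passed into `module "vpc"` by this change, so they are either dead inputs or still need a matching passthrough in main.tf.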