Allow public and secure connection (#57)

* Allow public and secure connection

* terraform-docs: automated update action

---------

Co-authored-by: adenot <[email protected]>

Author: adenot

README.md

@@ -68,11 +68,12 @@ module "network" {
 | create\_dbsubgroup\_private | Create Private Subgroup | `bool` | `false` | no |
 | create\_dbsubgroup\_public | Create Public Subgroup | `bool` | `false` | no |
 | create\_dbsubgroup\_secure | Create Secure Subgroup | `bool` | `true` | no |
+| db\_subnet\_group\_secure\_name\_compat | Use previous DB subnet group name (<name>-dbsubnet) for backwards compability (secure only) | `bool` | `false` | no |
 | eip\_allocation\_ids | User-specified primary or secondary private IP address to associate with the Elastic IP address | `list(string)` | `[]` | no |
 | enable\_firewall\_default\_rule | Enable or disable the default stateful rule. | `bool` | `true` | no |
 | firewall\_custom\_rule\_arn | The stateful rule group arn created outside the module | `list(string)` | `[]` | no |
 | firewall\_custom\_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | `list(string)` | `[]` | no |
-| firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` | <pre>[<br> ".amazonaws.com",<br> ".github.com"<br>]</pre> | no |
+| firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` | <pre>[<br>  ".amazonaws.com",<br>  ".github.com"<br>]</pre> | no |
 | firewall\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `14` | no |
 | kms\_key\_arn | The ARN of the KMS Key to use when encrypting log data. | `string` | `""` | no |
 | kubernetes\_clusters | List of kubernetes cluster names to creates tags in public and private subnets of this VPC | `list(string)` | `[]` | no |
@@ -93,6 +94,7 @@ module "network" {
 | public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no |
+| secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no |
 | secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no |
 | tags | Extra tags to attach to resources | `map(string)` | `{}` | no |
 | transit\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "1194"<br>]</pre> | no |
@@ -103,8 +105,15 @@ module "network" {
 | vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no |
 | vpc\_endpoint\_dynamodb\_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | `bool` | `true` | no |
 | vpc\_endpoint\_s3\_gateway | Enable or disable VPC Endpoint for S3 Gateway | `bool` | `true` | no |
-| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` |<pre>{ "Statement": <br> [<br>  {<br>   "Action": <br>     "\*\",<br>   "Effect\": <br>     "Allow\",<br>   "Resource\":<br>     "\*\",<br>   "Principal\":<br>     \"*\" <br>  } <br> ] <br>}</pre> | no |
-| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) |<pre>list(object(<br>{<br>name = string<br>policy = <br> optional(string)<br>allowed_cidrs =<br> optional(list<br>     (string))<br>}<br>))</pre> | `[]` | no |
+| vpc\_endpoint\_s3\_policy | A policy to attach to the endpoint that controls access to the service | `string` | `"    {
+        \"Statement\": [
+            {
+                \"Action\": \"*\",\"Effect\": \"Allow\",\"Resource\": \"*\",\"Principal\": \"*\"
+            }
+        ]
+    }
+"` | no |
+| vpc\_endpoints | AWS services to create a VPC endpoint on private subnets for (e.g: ssm, ec2, ecr.dkr) | <pre>list(object(<br>    {<br>      name          = string<br>      policy        = optional(string)<br>      allowed_cidrs = optional(list(string))<br>    }<br>  ))</pre> | `[]` | no |
 | vpc\_flow\_logs | Enable or disable VPC Flow Logs | `bool` | `true` | no |
 | vpc\_flow\_logs\_retention | Retention in days for VPC Flow Logs CloudWatch Log Group | `number` | `365` | no |
 

_variables.tf

@@ -144,6 +144,12 @@ variable "transit_nacl_inbound_udp_ports" {
   description = "UDP Ports to allow inbound on transit subnet via NACLs (this list cannot be empty)"
 }
 
+variable "secure_nacl_allow_public" {
+  type        = bool
+  default     = false
+  description = "Allow traffic between public and secure"
+}
+
 variable "vpc_flow_logs" {
   type        = bool
   default     = true
@@ -270,6 +276,12 @@ variable "create_dbsubgroup_private" {
   description = "Create Private Subgroup"
 }
 
+variable "db_subnet_group_secure_name_compat" {
+  type        = bool
+  default     = false
+  description = "Use previous DB subnet group name (<name>-dbsubnet) for backwards compability (secure only)"
+}
+
 locals {
   kubernetes_clusters = zipmap(
     formatlist("kubernetes.io/cluster/%s", var.kubernetes_clusters),

cf-exports.tf

@@ -3,19 +3,19 @@ resource "aws_cloudformation_stack" "tf_exports" {
   template_body = templatefile("${path.module}/cf-exports.yml", {
     "name" = var.cf_export_name != "" ? var.cf_export_name : var.name
     "vars" = {
-      "VpcId"              = aws_vpc.default.id,
-      "CidrBlock"          = aws_vpc.default.cidr_block,
-      "InternetGatewayId"  = aws_internet_gateway.default.id,
-      "PublicSubnetIds"    = join(",", aws_subnet.public.*.id),
-      "PublicSubnetCidrs"  = join(",", aws_subnet.public.*.cidr_block),
-      "PrivateSubnetIds"   = join(",", aws_subnet.private.*.id),
-      "PrivateSubnetCidrs" = join(",", aws_subnet.private.*.cidr_block),
-      "SecureSubnetIds"    = join(",", aws_subnet.secure.*.id),
-      "SecureSubnetCidrs"  = join(",", aws_subnet.secure.*.cidr_block),
-      "NatGatewayIds"      = var.nat ? join(",", aws_nat_gateway.nat_gw.*.id) : "undefined",
-      "DbSubnetGroupId"    = aws_db_subnet_group.secure[0].id,
-      "DbSubnetPrivateGroupId" = try(aws_db_subnet_group.private[0].id,"")
-      "DbSubnetPublicGroupId"  = try(aws_db_subnet_group.public[0].id,"")
+      "VpcId"                  = aws_vpc.default.id,
+      "CidrBlock"              = aws_vpc.default.cidr_block,
+      "InternetGatewayId"      = aws_internet_gateway.default.id,
+      "PublicSubnetIds"        = join(",", aws_subnet.public.*.id),
+      "PublicSubnetCidrs"      = join(",", aws_subnet.public.*.cidr_block),
+      "PrivateSubnetIds"       = join(",", aws_subnet.private.*.id),
+      "PrivateSubnetCidrs"     = join(",", aws_subnet.private.*.cidr_block),
+      "SecureSubnetIds"        = join(",", aws_subnet.secure.*.id),
+      "SecureSubnetCidrs"      = join(",", aws_subnet.secure.*.cidr_block),
+      "NatGatewayIds"          = var.nat ? join(",", aws_nat_gateway.nat_gw.*.id) : "undefined",
+      "DbSubnetGroupId"        = try(aws_db_subnet_group.secure[0].id, "undefined")
+      "DbSubnetPrivateGroupId" = try(aws_db_subnet_group.private[0].id, "undefined")
+      "DbSubnetPublicGroupId"  = try(aws_db_subnet_group.public[0].id, "undefined")
     }
   })
-}
+}

db-subnet.tf

@@ -1,6 +1,6 @@
 resource "aws_db_subnet_group" "secure" {
   count      = var.create_dbsubgroup_secure ? 1 : 0
-  name       = lower("${format(local.names[var.name_pattern].db_subnet, var.name, local.name_suffix)}-secure")
+  name       = var.db_subnet_group_secure_name_compat ? lower("${var.name}-dbsubnet") : lower("${format(local.names[var.name_pattern].db_subnet, var.name, local.name_suffix)}-secure")
   subnet_ids = aws_subnet.secure.*.id
 
   tags = merge(

nacl-public.tf

@@ -167,3 +167,15 @@ resource "aws_network_acl_rule" "in_public_from_private" {
   from_port      = 0
   to_port        = 0
 }
+
+resource "aws_network_acl_rule" "in_public_from_secure" {
+  count          = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.public.id
+  rule_number    = count.index + 701
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
+  from_port      = 0
+  to_port        = 0
+}

nacl-secure.tf

@@ -76,6 +76,26 @@ resource "aws_network_acl_rule" "out_secure_to_transit" {
   cidr_block     = var.vpc_cidr_summ != "/0" ? local.transit_subnet_summary : aws_subnet.transit[count.index].cidr_block
 }
 
+resource "aws_network_acl_rule" "in_secure_from_public" {
+  count          = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 301
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
+}
+
+resource "aws_network_acl_rule" "out_secure_to_public" {
+  count          = var.secure_nacl_allow_public ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public[*].cidr_block) : 0
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 301
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
+}
+
 #############
 # S3 Endpoint
 #############