Add ICMP NACL rules on a VPC deployed with VPC module from CIS Service Catalog
Hi all, I am trying to find out how to enable ICMP NACL rules for given network ranges on a VPC created by the VPC module of the [CIS catalog](https://github.com/gruntwork-io/terraform-aws-cis-service-catalog). Possible variables are `nacl_ingress_rules`, `nacl_egress_rules` for the wrapped VPC module or `app_allow_inbound_ports_from_cidr` (CIS NACL module), but the most recent one does not handle egress NACLs. Currently I am not sure what would be the best option and which priority numbers I should use without interfering with the already deployed NACLs.
Thanks for the clarification! You can allow inbound traffic to private subnets with input variable `private_app_allow_inbound_ports_from_cidr` in the `terraform-aws-cis-service-catalog/vpc` module, e.g.:

```
private_app_allow_inbound_ports_from_cidr = {
  allow_icmp_from_onprem = {
    client_cidr_block = "10.20.30.40/32"
    rule_number       = 50
    protocol          = "icmp"
    from_port         = -1
    to_port           = -1
  }
}
```

Keep the `rule_number` below 100 to ensure it gets higher precedence over the default `vpc` module rules. The CIS Service Catalog rules are all sub 100, but none of the extra CIS rules interfere or overlap with this rule.

WRT the `egress` configuration, the wrapped `terraform-aws-vpc/vpc-app-network-acls` does not support custom `egress` rules. However, you can use [`terraform-aws-vpc/network-acl-outbound`](https://github.com/gruntwork-io/terraform-aws-vpc/tree/master/modules/network-acl-outbound) to create a custom rule. You can also file a feature request to support extra `egress` rules in `vpc-app-network-acls`.
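Putting the answer together as one Terraform configuration, as an added example that is not from the thread or from Gruntwork's own code: the inbound ICMP rule through the CIS catalog variable, plus the matching egress rule that a stateless NACL needs for the ICMP replies to leave the subnet. The module source, `ref`, VPC inputs and the NACL id lookup are placeholders; the egress rule uses the plain `aws_network_acl_rule` provider resource as one alternative to the `network-acl-outbound` module the answer names.

```hcl
# Added example, not part of the original thread.
# Assumptions: the CIS catalog vpc module source/ref, the VPC inputs and the
# way the private app NACL id is obtained are placeholders to be replaced.
module "vpc" {
  # Placeholder: substitute the real CIS Service Catalog vpc module source and version.
  source = "git::git@github.com:gruntwork-io/terraform-aws-cis-service-catalog.git//<vpc-module-path>?ref=<VERSION>"

  vpc_name   = "example-vpc"   # placeholder
  cidr_block = "10.0.0.0/16"   # placeholder
  # Other required inputs of the module are omitted here.

  # Inbound ICMP from a single on-prem host into the private app subnets.
  private_app_allow_inbound_ports_from_cidr = {
    allow_icmp_from_onprem = {
      client_cidr_block = "10.20.30.40/32"
      rule_number       = 50      # below 100: evaluated before the module's default rules
      protocol          = "icmp"
      from_port         = -1      # -1 = all ICMP types
      to_port           = -1      # -1 = all ICMP codes
    }
  }
}

# NACLs are stateless, so the echo replies need an explicit egress allow.
# The answer's route is the network-acl-outbound module; this is the plain
# provider resource doing the same job. The NACL id comes from a module
# output whose name is not given on the page, hence the placeholder variable.
variable "private_app_nacl_id" {
  description = "Placeholder: id of the private app subnet NACL created by the vpc module"
  type        = string
}

resource "aws_network_acl_rule" "icmp_reply_to_onprem" {
  network_acl_id = var.private_app_nacl_id
  egress         = true
  rule_number    = 50            # pick a number that no existing egress rule already uses
  protocol       = "icmp"
  rule_action    = "allow"
  cidr_block     = "10.20.30.40/32"
  icmp_type      = -1            # all ICMP types
  icmp_code      = -1            # all ICMP codes
}
```

After `terraform apply`, `aws ec2 describe-network-acls --network-acl-ids <nacl-id>` lists the merged ingress and egress entries, which is the quickest way to confirm that the chosen rule numbers do not collide with the ones the catalog already deployed.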