[DEPRECATED] VPC-Mgmt Network ACLs Terraform Module
The vpc-mgmt
module is now deprecated. The main difference between vpc-mgmt
and vpc-app
was that vpc-app
had three tiers of subnets (public, private-app, private-persistence) and vpc-mgmt
had two (public, private). As of
v0.12.1
, vpc-app
allows you to disable any of the subnet tiers using the create_public_subnets
,
create_private_app_subnets
, and create_private_persistence_subnets
input variables, respectively, so it can now
support 1, 2, or 3 tiers of subnets, as needed. Therefore, we recommend using vpc-app
for all your VPCs in the
future. If you're already using vpc-mgmt
, we will continue to maintain it for a little while longer, but please be
aware that, in a future release, once we feel the new functionality in vpc-app
is fully baked, we will remove
vpc-mgmt
entirely.
This Terraform Module adds a default set of Network ACLs to a VPC created using the vpc-mgmt module. The ACLs enforce the following security settings (based on A Reference VPC Architecture):
- Public subnet: Allow all requests.
- Private subnet: Allow all requests to/from the public subnets. Allow all outbound TCP requests plus return traffic from any IP for those TCP requests on ephemeral ports.
What's a VPC?
A VPC or Virtual Private Cloud is a logically isolated section of your AWS cloud. Each VPC defines a virtual network within which you run your AWS resources, as well as rules for what can go in and out of that network. This includes subnets, route tables that tell those subnets how to route inbound and outbound traffic, security groups, access controls lists for the network (NACLs), and any other network components such as VPN connections.
What's a Network ACL?
Network ACLs provide an extra layer of network security, similar to a security group. Whereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single EC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.
Sample Usage
- Terraform
- Terragrunt
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-MGMT-NETWORK-ACLS MODULE
# ------------------------------------------------------------------------------------------------------
module "vpc_mgmt_network_acls" {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-mgmt-network-acls?ref=v0.28.1"
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The number of each type of subnet (public, private) created in this VPC.
# Typically, this is equal to the number of availability zones in the current
# region.
num_subnets = <number>
# A list of CIDR blocks used by the private subnets in the VPC
private_subnet_cidr_blocks = <list(string)>
# A list of IDs of the private subnets in the VPC
private_subnet_ids = <list(string)>
# A list of CIDR blocks used by the public subnets in the VPC
public_subnet_cidr_blocks = <list(string)>
# A list of IDs of the public subnets in the VPC
public_subnet_ids = <list(string)>
# The id of the VPC
vpc_id = <string>
# The name of the VPC (e.g. mgmt)
vpc_name = <string>
# Use this variable to ensure the Network ACL does not get created until the
# VPC is ready. This can help to work around a Terraform or AWS issue where
# trying to create certain resources, such as Network ACLs, before the VPC's
# Gateway and NATs are ready, leads to a huge variety of eventual consistency
# bugs. You should typically point this variable at the vpc_ready output from
# the Gruntwork VPCs.
vpc_ready = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# A map of tags to apply to the Network ACLs created by this module. The key
# is the tag name and the value is the tag value. Note that the tag 'Name' is
# automatically added by this module but may be optionally overwritten by this
# variable.
custom_tags = {}
# The list of ports to exclude from the inbound allow all rules. This is
# useful for adhering to certain compliance standards like CIS that explicitly
# deny any allow rule for administrative ports.
exclude_ports_from_inbound_all = []
# The number to use for the first rule that is created by this module. All
# rules in this module will be inserted after this number. This is useful to
# provide additional head room for your NACL rules that should take precedence
# over the initial rule.
initial_nacl_rule_number = 100
}
# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-MGMT-NETWORK-ACLS MODULE
# ------------------------------------------------------------------------------------------------------
terraform {
source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-mgmt-network-acls?ref=v0.28.1"
}
inputs = {
# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------
# The number of each type of subnet (public, private) created in this VPC.
# Typically, this is equal to the number of availability zones in the current
# region.
num_subnets = <number>
# A list of CIDR blocks used by the private subnets in the VPC
private_subnet_cidr_blocks = <list(string)>
# A list of IDs of the private subnets in the VPC
private_subnet_ids = <list(string)>
# A list of CIDR blocks used by the public subnets in the VPC
public_subnet_cidr_blocks = <list(string)>
# A list of IDs of the public subnets in the VPC
public_subnet_ids = <list(string)>
# The id of the VPC
vpc_id = <string>
# The name of the VPC (e.g. mgmt)
vpc_name = <string>
# Use this variable to ensure the Network ACL does not get created until the
# VPC is ready. This can help to work around a Terraform or AWS issue where
# trying to create certain resources, such as Network ACLs, before the VPC's
# Gateway and NATs are ready, leads to a huge variety of eventual consistency
# bugs. You should typically point this variable at the vpc_ready output from
# the Gruntwork VPCs.
vpc_ready = <string>
# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------
# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true
# A map of tags to apply to the Network ACLs created by this module. The key
# is the tag name and the value is the tag value. Note that the tag 'Name' is
# automatically added by this module but may be optionally overwritten by this
# variable.
custom_tags = {}
# The list of ports to exclude from the inbound allow all rules. This is
# useful for adhering to certain compliance standards like CIS that explicitly
# deny any allow rule for administrative ports.
exclude_ports_from_inbound_all = []
# The number to use for the first rule that is created by this module. All
# rules in this module will be inserted after this number. This is useful to
# provide additional head room for your NACL rules that should take precedence
# over the initial rule.
initial_nacl_rule_number = 100
}
Reference
- Inputs
- Outputs
Required
num_subnets
numberThe number of each type of subnet (public, private) created in this VPC. Typically, this is equal to the number of availability zones in the current region.
private_subnet_cidr_blocks
list(string)A list of CIDR blocks used by the private subnets in the VPC
private_subnet_ids
list(string)A list of IDs of the private subnets in the VPC
public_subnet_cidr_blocks
list(string)A list of CIDR blocks used by the public subnets in the VPC
public_subnet_ids
list(string)A list of IDs of the public subnets in the VPC
vpc_id
stringThe id of the VPC
vpc_name
stringThe name of the VPC (e.g. mgmt)
vpc_ready
stringUse this variable to ensure the Network ACL does not get created until the VPC is ready. This can help to work around a Terraform or AWS issue where trying to create certain resources, such as Network ACLs, before the VPC's Gateway and NATs are ready, leads to a huge variety of eventual consistency bugs. You should typically point this variable at the vpc_ready output from the Gruntwork VPCs.
Optional
create_resources
boolIf you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.
true
custom_tags
map(string)A map of tags to apply to the Network ACLs created by this module. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable.
{}
exclude_ports_from_inbound_all
list(number)The list of ports to exclude from the inbound allow all rules. This is useful for adhering to certain compliance standards like CIS that explicitly deny any allow rule for administrative ports.
[]
initial_nacl_rule_number
numberThe number to use for the first rule that is created by this module. All rules in this module will be inserted after this number. This is useful to provide additional head room for your NACL rules that should take precedence over the initial rule.
100