VPC Modules 0.27.0 (last updated in version 0.27.0)

[DEPRECATED] VPC-Mgmt Network ACLs Terraform Module


The vpc-mgmt module is now deprecated. The main difference between vpc-mgmt and vpc-app was that vpc-app had three tiers of subnets (public, private-app, private-persistence) and vpc-mgmt had two (public, private). As of v0.12.1, vpc-app allows you to disable any of the subnet tiers using the create_public_subnets, create_private_app_subnets, and create_private_persistence_subnets input variables, respectively, so it can now support 1, 2, or 3 tiers of subnets, as needed. Therefore, we recommend using vpc-app for all your VPCs in the future. If you're already using vpc-mgmt, we will continue to maintain it for a little while longer, but please be aware that, in a future release, once we feel the new functionality in vpc-app is fully baked, we will remove vpc-mgmt entirely.

This Terraform Module adds a default set of Network ACLs to a VPC created using the vpc-mgmt module. The ACLs enforce the following security settings (based on A Reference VPC Architecture):

  • Public subnet: Allow all requests.
  • Private subnet: Allow all requests to/from the public subnets. Allow all outbound TCP requests plus return traffic from any IP for those TCP requests on ephemeral ports.

What's a VPC?

A VPC, or Virtual Private Cloud, is a logically isolated section of your AWS cloud. Each VPC defines a virtual network within which you run your AWS resources, as well as rules for what can go in and out of that network. This includes subnets, route tables that tell those subnets how to route inbound and outbound traffic, security groups, network access control lists (NACLs), and any other network components such as VPN connections.

What's a Network ACL?

Network ACLs provide an extra layer of network security, similar to a security group. Whereas a security group controls what inbound and outbound traffic is allowed for a specific resource (e.g. a single EC2 instance), a network ACL controls what inbound and outbound traffic is allowed for an entire subnet.
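Because NACLs are stateless and evaluated in ascending rule-number order with first match winning, the private-subnet rule set described above needs an explicit inbound rule for ephemeral-port return traffic. The following added example (not part of this module or its documentation) models that rule set in Python so you can check how a given flow would be treated; the rule layout, the 1024-65535 ephemeral range and the TCP-only exclusion rules are assumptions, not the module's actual HCL.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int    # NACL rules are evaluated in ascending number order; first match wins
    action: str    # "allow" or "deny"
    protocol: str  # "tcp", "udp" or "all"
    cidr: str      # remote CIDR: source for inbound rules, destination for outbound rules
    ports: tuple   # inclusive (from_port, to_port); ignored by AWS when protocol is "all"

    def matches(self, proto, ip, port):
        return ((self.protocol == "all" or self.protocol == proto)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.ports[0] <= port <= self.ports[1])


def evaluate(rules, proto, ip, port):
    """Stateless first-match evaluation; AWS ends every NACL with an implicit deny ('*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, ip, port):
            return rule.action == "allow"
    return False


def private_subnet_rules(public_cidrs, exclude_ports=(), first=100):
    """Assumed model of the private-subnet ACL this page describes (not the module's own HCL).

    Returns (inbound_rules, outbound_rules). 'first' plays the role of
    initial_nacl_rule_number, 'exclude_ports' of exclude_ports_from_inbound_all.
    """
    n = first
    inbound, outbound = [], []
    for p in exclude_ports:  # explicit denies get the lowest numbers so they win over the allows
        inbound.append(Rule(n, "deny", "tcp", "0.0.0.0/0", (p, p)))
        n += 1
    for cidr in public_cidrs:  # allow everything to/from the public subnets
        inbound.append(Rule(n, "allow", "all", cidr, (0, 65535)))
        outbound.append(Rule(n, "allow", "all", cidr, (0, 65535)))
        n += 1
    # any outbound TCP request ...
    outbound.append(Rule(n, "allow", "tcp", "0.0.0.0/0", (0, 65535)))
    # ... plus its return traffic from any IP on ephemeral ports (assumed range 1024-65535)
    inbound.append(Rule(n, "allow", "tcp", "0.0.0.0/0", (1024, 65535)))
    return inbound, outbound
```

Note that the return-traffic rule is TCP only, so a UDP reply from the internet (e.g. DNS) is still denied by this rule set; that is a consequence of the stateless model, not a bug in the example.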

Sample Usage

main.tf

# ------------------------------------------------------------------------------------------------------
# DEPLOY GRUNTWORK'S VPC-MGMT-NETWORK-ACLS MODULE
# ------------------------------------------------------------------------------------------------------

module "vpc_mgmt_network_acls" {

source = "git::git@github.com:gruntwork-io/terraform-aws-vpc.git//modules/vpc-mgmt-network-acls?ref=v0.27.0"

# ----------------------------------------------------------------------------------------------------
# REQUIRED VARIABLES
# ----------------------------------------------------------------------------------------------------

# The number of each type of subnet (public, private) created in this VPC.
# Typically, this is equal to the number of availability zones in the current
# region.
num_subnets = <number>

# A list of CIDR blocks used by the private subnets in the VPC
private_subnet_cidr_blocks = <list(string)>

# A list of IDs of the private subnets in the VPC
private_subnet_ids = <list(string)>

# A list of CIDR blocks used by the public subnets in the VPC
public_subnet_cidr_blocks = <list(string)>

# A list of IDs of the public subnets in the VPC
public_subnet_ids = <list(string)>

# The id of the VPC
vpc_id = <string>

# The name of the VPC (e.g. mgmt)
vpc_name = <string>

# Use this variable to ensure the Network ACL does not get created until the
# VPC is ready. This can help to work around a Terraform or AWS issue where
# trying to create certain resources, such as Network ACLs, before the VPC's
# Gateway and NATs are ready, leads to a huge variety of eventual consistency
# bugs. You should typically point this variable at the vpc_ready output from
# the Gruntwork VPCs.
vpc_ready = <string>

# ----------------------------------------------------------------------------------------------------
# OPTIONAL VARIABLES
# ----------------------------------------------------------------------------------------------------

# If you set this variable to false, this module will not create any
# resources. This is used as a workaround because Terraform does not allow you
# to use the 'count' parameter on modules. By using this parameter, you can
# optionally create or not create the resources within this module.
create_resources = true

# A map of tags to apply to the Network ACLs created by this module. The key
# is the tag name and the value is the tag value. Note that the tag 'Name' is
# automatically added by this module but may be optionally overwritten by this
# variable.
custom_tags = {}

# The list of ports to exclude from the inbound allow all rules. This is
# useful for adhering to certain compliance standards like CIS that explicitly
# deny any allow rule for administrative ports.
exclude_ports_from_inbound_all = []

# The number to use for the first rule that is created by this module. All
# rules in this module will be inserted after this number. This is useful to
# provide additional head room for your NACL rules that should take precedence
# over the initial rule.
initial_nacl_rule_number = 100

}


Reference

Required

num_subnets (number, required)

The number of each type of subnet (public, private) created in this VPC. Typically, this is equal to the number of availability zones in the current region.

private_subnet_cidr_blocks (list(string), required)

A list of CIDR blocks used by the private subnets in the VPC.

private_subnet_ids (list(string), required)

A list of IDs of the private subnets in the VPC.

public_subnet_cidr_blocks (list(string), required)

A list of CIDR blocks used by the public subnets in the VPC.

public_subnet_ids (list(string), required)

A list of IDs of the public subnets in the VPC.

vpc_id (string, required)

The ID of the VPC.

vpc_name (string, required)

The name of the VPC (e.g. mgmt).

vpc_ready (string, required)

Use this variable to ensure the Network ACL does not get created until the VPC is ready. This can help to work around a Terraform or AWS issue where trying to create certain resources, such as Network ACLs, before the VPC's Gateway and NATs are ready, leads to a huge variety of eventual consistency bugs. You should typically point this variable at the vpc_ready output from the Gruntwork VPCs.

Optional

create_resources (bool, optional)

If you set this variable to false, this module will not create any resources. This is used as a workaround because Terraform does not allow you to use the 'count' parameter on modules. By using this parameter, you can optionally create or not create the resources within this module.

Default: true

custom_tags (map(string), optional)

A map of tags to apply to the Network ACLs created by this module. The key is the tag name and the value is the tag value. Note that the tag 'Name' is automatically added by this module but may be optionally overwritten by this variable.

Default: {}

exclude_ports_from_inbound_all (list(number), optional)

The list of ports to exclude from the inbound allow-all rules. This is useful for adhering to certain compliance standards like CIS that explicitly deny any allow rule for administrative ports.

Default: []

initial_nacl_rule_number (number, optional)

The number to use for the first rule that is created by this module. All rules in this module will be inserted after this number. This is useful to provide additional head room for your NACL rules that should take precedence over the initial rule.

Default: 100