I am creating a Terraform module to automate the creation of a VPC, with one public and one private subnet in every AZ available in the region. I was able to create a NACL for the public subnets allowing 80, 443 and 22 inbound and outbound, taking the rules as input (a map of the rules).
The Terraform block for public_acl_rule:
resource "aws_network_acl" "public_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.public_subnet[*].id
  tags = {
    Name        = "${var.cluster_name}_public_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "public_inbound_acl_rule" {
  count          = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_inbound_acl_rules) : 0
  network_acl_id = aws_network_acl.public_acl.id
  egress         = false
  protocol       = var.public_inbound_acl_rules[count.index]["protocol"]
  rule_action    = var.public_inbound_acl_rules[count.index]["rule_action"]
  rule_number    = var.public_inbound_acl_rules[count.index]["rule_number"]
  from_port      = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  to_port        = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
  icmp_code      = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
  icmp_type      = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
  cidr_block     = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
}

resource "aws_network_acl_rule" "public_outbound_acl_rule" {
  count          = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_outbound_acl_rules) : 0
  network_acl_id = aws_network_acl.public_acl.id
  egress         = true
  protocol       = var.public_outbound_acl_rules[count.index]["protocol"]
  rule_action    = var.public_outbound_acl_rules[count.index]["rule_action"]
  rule_number    = var.public_outbound_acl_rules[count.index]["rule_number"]
  from_port      = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
  to_port        = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
  icmp_code      = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
  icmp_type      = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
  cidr_block     = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
}
I am trying the block below for the private ACL:
resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id
  for_each   = aws_subnet.private_subnet
  ingress {
    count       = length(var.private_inbound_acl_rules)
    protocol    = var.private_inbound_acl_rules[count.index]["protocol"]
    rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
    rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
    from_port   = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
    to_port     = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
    cidr_block  = aws_subnet.public_subnet.cidr_block
  }
  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}
The cidr_block is asking for a reference for private_inbound_acl_rule, as it is mentioned in the count, and when using aws_network_acl_rule I am unable to use for along with count.
Any idea how to dynamically use the public cidr_block as the source and also take the ACL rules for the private NACL as user input? Is it even possible to achieve? Kindly share some ideas.
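One way to get what the question asks for, as an added example that is not part of the question or the asker's module: build the cross product of the user-supplied rule list and the public subnets' CIDR blocks in a local, then drive a single aws_network_acl_rule resource from it with for_each instead of count. The example assumes aws_subnet.public_subnet and aws_subnet.private_subnet are count-based (as the splat expressions in the question suggest), that a var.create_private_acl boolean exists alongside var.create_public_acl, and that the user leaves gaps between rule numbers at least as large as the number of public subnets (e.g. 100, 110, 120), because each (rule, public subnet) pair needs its own unique rule_number.

```hcl
# Added example, not the asker's code. Assumes count-based subnets and a
# hypothetical var.create_private_acl; see the lead-in for the other assumptions.

variable "private_inbound_acl_rules" {
  description = "Rules applied to every public subnet CIDR. rule_number values must be spaced by at least the number of public subnets."
  type        = list(map(string))
  default = [
    { rule_number = "100", rule_action = "allow", protocol = "tcp", from_port = "443", to_port = "443" },
    { rule_number = "110", rule_action = "allow", protocol = "tcp", from_port = "22", to_port = "22" },
  ]
}

locals {
  # One entry per (rule, public subnet) pair. The map key is built from the
  # rule number and the subnet index, both known at plan time, so for_each
  # can be evaluated before the subnets exist; the CIDR only appears in the value.
  private_inbound_rules = {
    for pair in setproduct(
      range(length(var.private_inbound_acl_rules)),
      range(length(aws_subnet.public_subnet))
    ) :
    "${var.private_inbound_acl_rules[pair[0]].rule_number}-${pair[1]}" => {
      rule = var.private_inbound_acl_rules[pair[0]]
      # Offset by the subnet index so each pair gets a unique rule number.
      rule_number = tonumber(var.private_inbound_acl_rules[pair[0]].rule_number) + pair[1]
      cidr_block  = aws_subnet.public_subnet[pair[1]].cidr_block
    }
  }
}

# A single NACL can be associated with every private subnet, so there is no
# need for one NACL per subnet (and no need to combine for_each with count).
resource "aws_network_acl" "private_acl" {
  count      = var.create_private_acl && length(aws_subnet.private_subnet) > 0 ? 1 : 0
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id
  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "private_inbound_acl_rule" {
  for_each = length(aws_network_acl.private_acl) > 0 ? local.private_inbound_rules : {}

  network_acl_id = aws_network_acl.private_acl[0].id
  egress         = false
  protocol       = each.value.rule.protocol
  rule_action    = each.value.rule.rule_action
  rule_number    = each.value.rule_number
  from_port      = lookup(each.value.rule, "from_port", null)
  to_port        = lookup(each.value.rule, "to_port", null)
  icmp_code      = lookup(each.value.rule, "icmp_code", null)
  icmp_type      = lookup(each.value.rule, "icmp_type", null)
  cidr_block     = each.value.cidr_block
}
```

Two caveats worth keeping in mind when applying this: NACLs are stateless, so the private NACL also needs egress rules that allow the return traffic (typically TCP ephemeral ports 1024-65535 back to the public CIDRs), otherwise connections that the ingress rules admit will never complete; and because rule numbers are derived from the user input plus a subnet index, adding a new AZ later shifts nothing for existing pairs but will fail if the gap between consecutive rule numbers is smaller than the new public subnet count.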