Dynamically create Private NACL with public cidr blocks as source ip

I am creating a Terraform module to automate the creation of a VPC, with one public and one private subnet in every AZ available for the region. I was able to create a NACL for the public subnet allowing 80, 443 and 22 inbound and outbound by getting the rules as input (a map of the rules).

The Terraform block for public_acl_rule:

resource "aws_network_acl" "public_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.public_subnet[*].id

  tags = {
    Name        = "${var.cluster_name}_public_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "public_inbound_acl_rule" {
  count = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_inbound_acl_rules) : 0

  network_acl_id = aws_network_acl.public_acl.id

  egress      = false
  protocol    = var.public_inbound_acl_rules[count.index]["protocol"]
  rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
  rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
  from_port   = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
  to_port     = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
  icmp_code   = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
  icmp_type   = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
  cidr_block  = lookup(var.public_inbound_acl_rules[count.index], "cidr_block", null)
}


resource "aws_network_acl_rule" "public_outbound_acl_rule" {
  count = var.create_public_acl && length(aws_subnet.public_subnet) > 0 ? length(var.public_outbound_acl_rules) : 0

  network_acl_id = aws_network_acl.public_acl.id

  egress      = true
  protocol    = var.public_outbound_acl_rules[count.index]["protocol"]
  rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
  rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
  from_port   = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
  to_port     = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
  icmp_code   = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
  icmp_type   = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
  cidr_block  = lookup(var.public_outbound_acl_rules[count.index], "cidr_block", null)
}


I am trying the block below for the private ACL:

resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id

  for_each = aws_subnet.private_subnet

  ingress {
    count       = length(var.private_inbound_acl_rules)
    protocol    = var.private_inbound_acl_rules[count.index]["protocol"]
    rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
    rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
    from_port   = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
    to_port     = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
    cidr_block  = aws_subnet.public_subnet.cidr_block
  }

  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}

The cidr_block is asking for a reference to private_inbound_acl_rule, as it is mentioned in the count, and when using aws_network_acl_rule I am unable to use for along with count.

Any idea how to dynamically input the public cidr_block as the source and also take the ACL rules for the private NACL as user input? Is it even possible to achieve? Kindly share some ideas.

For the above I came up with the plan below for setting the NACL with every public CIDR created, by using a for_each loop. But now I want to take input for setting the NACL rule as below, adding the rule only if enable_private_ssh is set to true:

resource "aws_network_acl_rule" "private_inbound_ssh_rule" {
  # public_subnet is created with count, so the splat is needed to collect every CIDR
  for_each = var.enable_private_ssh ? toset(aws_subnet.public_subnet[*].cidr_block) : {}

  network_acl_id = aws_network_acl.private_acl.id

  egress      = false
  protocol    = var.private_inbound_ssh_rules["protocol"]
  rule_action = var.private_inbound_ssh_rules["rule_action"]
  # offset the base rule number by the third octet of the CIDR so each entry gets a unique number
  # (only works for single-digit third octets such as 10.0.X.0/24)
  rule_number = var.private_inbound_ssh_rules["rule_number"] + tonumber(substr(each.value, 5, 1))
  from_port   = lookup(var.private_inbound_ssh_rules, "from_port", null)
  to_port     = lookup(var.private_inbound_ssh_rules, "to_port", null)
  cidr_block  = each.value
}

I get a type constraint error for the true and false expressions, as they are a set of strings and an object respectively. How can I overcome this and specify more rules to be created as needed from the given input?

I fixed the issue by using [] for the false expression, and now I can dynamically add NACL rules for the private subnet with a true/false condition.
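The following is an added example (not the poster's module code) that covers both the original question (a user-supplied rule map applied with every public subnet CIDR as the source) and the follow-up (only creating the rules when enable_private_ssh is true, with unique rule numbers). It assumes the names used in the thread: aws_vpc.main_vpc, aws_subnet.public_subnet and aws_subnet.private_subnet created with count, var.cluster_name and var.enable_private_ssh; the variable type uses optional() attributes, which needs Terraform 1.3 or later.

```hcl
# Added example, not the poster's code. Assumed names from the thread:
# aws_vpc.main_vpc, aws_subnet.public_subnet / aws_subnet.private_subnet
# (both created with count), var.cluster_name, var.enable_private_ssh.
# Requires Terraform >= 1.3 for optional() object attributes.

variable "enable_private_ssh" {
  type    = bool
  default = false
}

# Rules to allow from every public subnet CIDR into the private subnets.
# rule_number is a base: the entry for public subnet N is numbered base + N,
# so keep the bases of different rules at least length(public_subnet) apart.
variable "private_inbound_acl_rules" {
  type = map(object({
    protocol    = string
    rule_action = string
    rule_number = number
    from_port   = optional(number)
    to_port     = optional(number)
  }))
  default = {
    ssh = { protocol = "tcp", rule_action = "allow", rule_number = 100, from_port = 22, to_port = 22 }
  }
}

locals {
  public_cidrs = aws_subnet.public_subnet[*].cidr_block

  # One NACL entry per (rule, public subnet) pair. The for_each keys are built
  # from the rule name and the subnet index, which are known at plan time even
  # when the CIDR values are not. The "if" clause gates creation without a
  # conditional expression, so there is no true/false type mismatch to resolve.
  private_inbound_rules = {
    for pair in setproduct(keys(var.private_inbound_acl_rules), range(length(local.public_cidrs))) :
    "${pair[0]}-${pair[1]}" => {
      rule        = var.private_inbound_acl_rules[pair[0]]
      cidr_block  = local.public_cidrs[pair[1]]
      rule_number = var.private_inbound_acl_rules[pair[0]].rule_number + pair[1]
    }
    if var.enable_private_ssh
  }
}

resource "aws_network_acl" "private_acl" {
  vpc_id     = aws_vpc.main_vpc.id
  subnet_ids = aws_subnet.private_subnet[*].id

  tags = {
    Name        = "${var.cluster_name}_private_nacl"
    environment = var.cluster_name
  }
}

resource "aws_network_acl_rule" "private_inbound" {
  for_each = local.private_inbound_rules

  network_acl_id = aws_network_acl.private_acl.id
  egress         = false
  rule_number    = each.value.rule_number
  protocol       = each.value.rule.protocol
  rule_action    = each.value.rule.rule_action
  from_port      = each.value.rule.from_port
  to_port        = each.value.rule.to_port
  cidr_block     = each.value.cidr_block
}

# NACLs are stateless: replies to the allowed inbound connections leave the
# private subnet on ephemeral ports, so each inbound allow needs a matching
# outbound allow to the same public CIDR or the connection never completes.
# Assumes tcp/udp rules; ICMP entries would need icmp_type/icmp_code instead.
resource "aws_network_acl_rule" "private_outbound_ephemeral" {
  for_each = local.private_inbound_rules

  network_acl_id = aws_network_acl.private_acl.id
  egress         = true
  rule_number    = each.value.rule_number
  protocol       = each.value.rule.protocol
  rule_action    = "allow"
  from_port      = 1024
  to_port        = 65535
  cidr_block     = each.value.cidr_block
}
```

The `[]` fix from the last post works because an empty tuple converts to a set, while `{}` is an empty object and cannot; filtering with `if` inside the for expression avoids the conditional altogether and keeps the result a map whatever the flag is set to. Rule numbers derived from the subnet index are stable as long as subnets are only appended, and NACL entries are evaluated lowest number first with the first match winning, so the spacing between rule bases matters. The result only opens the path from the public subnets (the usual bastion placement) into the private subnets, not from the internet at large.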