Added support for ICMP rules in Network ACL (#286)

* Added icmp_code and icmp_type values to non default acl rules.

* Added support for both ICMP and non-ICMP rules in NACL

Author: t11n

examples/network-acls/README.md

@@ -1,13 +1,10 @@
 # Simple VPC with Network ACLs
 
-Configuration in this directory creates set of VPC resources along with network ACLs for public subnets.
-
-There is a public and private subnet created per availability zone in addition to single NAT Gateway shared between all 3 availability zones.
+Configuration in this directory creates set of VPC resources along with network ACLs for several subnets.
 
 Network ACL rules for inbound and outbound traffic are defined as the following:
-1. Public subnets will have network ACL rules provided
+1. Public and elasticache subnets will have network ACL rules provided
 1. Private subnets will be associated with the default network ACL rules (IPV4-only ingress and egress is open for all)
-1. Elasticache subnets will use the default network ACL (created and managed by AWS)
 
 ## Usage
 
@@ -28,6 +25,7 @@ Note that this example may create resources which can cost money (AWS Elastic IP
 |------|-------------|
 | default\_network\_acl\_id | The ID of the default network ACL |
 | elasticache\_network\_acl\_id | ID of the elasticache network ACL |
+| module\_vpc | Module VPC |
 | nat\_public\_ips | List of public Elastic IPs created for AWS NAT Gateway |
 | private\_network\_acl\_id | ID of the private network ACL |
 | private\_subnets | List of IDs of private subnets |

examples/network-acls/main.tf

@@ -23,8 +23,13 @@ module "vpc" {
     local.network_acls["default_outbound"],
     local.network_acls["public_outbound"],
   )
+  elasticache_outbound_acl_rules = concat(
+    local.network_acls["default_outbound"],
+    local.network_acls["elasticache_outbound"],
+  )
 
-  private_dedicated_network_acl = true
+  private_dedicated_network_acl     = true
+  elasticache_dedicated_network_acl = true
 
   enable_ipv6 = true
 
@@ -134,6 +139,40 @@ locals {
         protocol    = "tcp"
         cidr_block  = "10.0.100.0/22"
       },
+      {
+        rule_number = 140
+        rule_action = "allow"
+        icmp_code   = -1
+        icmp_type   = 8
+        protocol    = "icmp"
+        cidr_block  = "10.0.0.0/22"
+      },
+    ]
+    elasticache_outbound = [
+      {
+        rule_number = 100
+        rule_action = "allow"
+        from_port   = 80
+        to_port     = 80
+        protocol    = "tcp"
+        cidr_block  = "0.0.0.0/0"
+      },
+      {
+        rule_number = 110
+        rule_action = "allow"
+        from_port   = 443
+        to_port     = 443
+        protocol    = "tcp"
+        cidr_block  = "0.0.0.0/0"
+      },
+      {
+        rule_number = 140
+        rule_action = "allow"
+        icmp_code   = -1
+        icmp_type   = 12
+        protocol    = "icmp"
+        cidr_block  = "10.0.0.0/22"
+      },
     ]
   }
 }

examples/network-acls/outputs.tf

@@ -53,3 +53,7 @@ output "default_network_acl_id" {
   value       = module.vpc.default_network_acl_id
 }
 
+output "module_vpc" {
+  description = "Module VPC"
+  value       = module.vpc
+}

main.tf

@@ -548,8 +548,10 @@ resource "aws_network_acl_rule" "public_inbound" {
   egress      = false
   rule_number = var.public_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.public_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.public_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.public_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.public_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.public_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.public_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.public_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.public_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.public_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -562,8 +564,10 @@ resource "aws_network_acl_rule" "public_outbound" {
   egress      = true
   rule_number = var.public_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.public_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.public_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.public_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.public_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.public_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.public_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.public_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.public_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.public_outbound_acl_rules[count.index]["cidr_block"]
 }
@@ -594,8 +598,10 @@ resource "aws_network_acl_rule" "private_inbound" {
   egress      = false
   rule_number = var.private_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.private_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.private_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.private_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.private_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.private_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.private_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.private_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.private_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.private_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -608,8 +614,10 @@ resource "aws_network_acl_rule" "private_outbound" {
   egress      = true
   rule_number = var.private_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.private_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.private_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.private_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.private_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.private_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.private_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.private_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.private_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.private_outbound_acl_rules[count.index]["cidr_block"]
 }
@@ -640,8 +648,10 @@ resource "aws_network_acl_rule" "intra_inbound" {
   egress      = false
   rule_number = var.intra_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.intra_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.intra_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.intra_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.intra_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.intra_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.intra_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.intra_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.intra_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.intra_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -654,8 +664,10 @@ resource "aws_network_acl_rule" "intra_outbound" {
   egress      = true
   rule_number = var.intra_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.intra_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.intra_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.intra_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.intra_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.intra_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.intra_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.intra_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.intra_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.intra_outbound_acl_rules[count.index]["cidr_block"]
 }
@@ -686,8 +698,10 @@ resource "aws_network_acl_rule" "database_inbound" {
   egress      = false
   rule_number = var.database_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.database_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.database_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.database_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.database_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.database_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.database_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.database_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.database_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.database_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -700,8 +714,10 @@ resource "aws_network_acl_rule" "database_outbound" {
   egress      = true
   rule_number = var.database_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.database_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.database_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.database_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.database_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.database_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.database_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.database_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.database_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.database_outbound_acl_rules[count.index]["cidr_block"]
 }
@@ -732,8 +748,10 @@ resource "aws_network_acl_rule" "redshift_inbound" {
   egress      = false
   rule_number = var.redshift_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.redshift_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.redshift_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.redshift_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.redshift_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.redshift_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.redshift_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.redshift_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.redshift_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -746,8 +764,10 @@ resource "aws_network_acl_rule" "redshift_outbound" {
   egress      = true
   rule_number = var.redshift_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.redshift_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.redshift_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.redshift_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.redshift_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.redshift_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.redshift_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.redshift_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.redshift_outbound_acl_rules[count.index]["cidr_block"]
 }
@@ -778,8 +798,10 @@ resource "aws_network_acl_rule" "elasticache_inbound" {
   egress      = false
   rule_number = var.elasticache_inbound_acl_rules[count.index]["rule_number"]
   rule_action = var.elasticache_inbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.elasticache_inbound_acl_rules[count.index]["from_port"]
-  to_port     = var.elasticache_inbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.elasticache_inbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.elasticache_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.elasticache_inbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.elasticache_inbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.elasticache_inbound_acl_rules[count.index]["cidr_block"]
 }
@@ -792,8 +814,10 @@ resource "aws_network_acl_rule" "elasticache_outbound" {
   egress      = true
   rule_number = var.elasticache_outbound_acl_rules[count.index]["rule_number"]
   rule_action = var.elasticache_outbound_acl_rules[count.index]["rule_action"]
-  from_port   = var.elasticache_outbound_acl_rules[count.index]["from_port"]
-  to_port     = var.elasticache_outbound_acl_rules[count.index]["to_port"]
+  from_port   = lookup(var.elasticache_outbound_acl_rules[count.index], "from_port", null)
+  to_port     = lookup(var.elasticache_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code   = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type   = lookup(var.elasticache_outbound_acl_rules[count.index], "icmp_type", null)
   protocol    = var.elasticache_outbound_acl_rules[count.index]["protocol"]
   cidr_block  = var.elasticache_outbound_acl_rules[count.index]["cidr_block"]
 }