Merge pull request #42 from DNXLabs/feature/network_summary

🔧 Add vpc_cidr_summ variable to reduce the number of NACL rules used

Author: RaphaelMacedonio

README.md

@@ -89,6 +89,7 @@ module "network" {
 | transit\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `15` | no |
 | transit\_subnet | Create a transit subnet for VPC peering (only central account) | `bool` | `false` | no |
 | vpc\_cidr | Network CIDR for the VPC | `any` | n/a | yes |
+| vpc\_cidr\_summ | Define cidr used to summarize subnets by tier | `string` | `"/0"` | no |
 | vpc\_cidr\_transit | Network CIDR for Transit subnets | `string` | `"10.255.255.0/24"` | no |
 | vpc\_endpoint\_dynamodb\_gateway | Enable or disable VPC Endpoint for DynamoDB (Gateway) | `bool` | `true` | no |
 | vpc\_endpoint\_dynamodb\_policy | A policy to attach to the endpoint that controls access to the service | `string` | `"    {

_variables.tf

@@ -40,6 +40,12 @@ variable "newbits" {
   description = "Number of bits to add to the vpc cidr when building subnets"
 }
 
+variable "vpc_cidr_summ" {
+  type        = string
+  default     = "/0"
+  description = "Define cidr used to summarize subnets by tier"
+}
+
 variable "tags" {
   type        = map(string)
   default     = {}

nacl-private.tf

@@ -1,3 +1,8 @@
+locals {
+  private_subnet_ip      = split("/", element(aws_subnet.private.*.cidr_block, length(aws_subnet.private.*.cidr_block) - 1))[0]
+  private_subnet_summary = var.vpc_cidr_summ != "/0" ? "${cidrhost("${local.private_subnet_ip}${var.vpc_cidr_summ}", 0)}${var.vpc_cidr_summ}" : aws_vpc.default.cidr_block
+}
+
 resource "aws_network_acl" "private" {
   vpc_id     = aws_vpc.default.id
   subnet_ids = aws_subnet.private.*.id
@@ -83,73 +88,73 @@ resource "aws_network_acl_rule" "out_private_from_world_icmp" {
 }
 
 resource "aws_network_acl_rule" "in_private_from_private" {
-  count          = length(aws_subnet.private.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 301
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "out_private_from_private" {
-  count          = length(aws_subnet.private.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 301
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "in_private_from_public" {
-  count          = length(aws_subnet.public.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 401
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.public[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "out_private_from_public" {
-  count          = length(aws_subnet.public.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.public.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 401
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.public[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.public_subnet_summary : aws_subnet.public[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "in_private_from_secure" {
-  count          = length(aws_subnet.secure.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 501
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.secure[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "out_private_from_secure" {
-  count          = length(aws_subnet.secure.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure.*.cidr_block)
   network_acl_id = aws_network_acl.private.id
   rule_number    = count.index + 501
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.secure[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }

nacl-public.tf

@@ -1,3 +1,7 @@
+locals {
+  public_subnet_ip      = split("/", element(aws_subnet.public.*.cidr_block, length(aws_subnet.public.*.cidr_block) - 1))[0]
+  public_subnet_summary = var.vpc_cidr_summ != "/0" ? "${cidrhost("${local.public_subnet_ip}${var.vpc_cidr_summ}", 0)}${var.vpc_cidr_summ}" : aws_vpc.default.cidr_block
+}
 resource "aws_network_acl" "public" {
   vpc_id     = aws_vpc.default.id
   subnet_ids = aws_subnet.public.*.id
@@ -153,13 +157,13 @@ resource "aws_network_acl_rule" "out_public_icmp" {
 }
 
 resource "aws_network_acl_rule" "in_public_from_private" {
-  count          = length(aws_subnet.private.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block)
   network_acl_id = aws_network_acl.public.id
   rule_number    = count.index + 601
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }

nacl-secure.tf

@@ -1,3 +1,7 @@
+locals {
+  secure_subnet_ip      = split("/", element(aws_subnet.secure.*.cidr_block, length(aws_subnet.secure.*.cidr_block) - 1))[0]
+  secure_subnet_summary = var.vpc_cidr_summ != "/0" ? "${cidrhost("${local.secure_subnet_ip}${var.vpc_cidr_summ}", 0)}${var.vpc_cidr_summ}" : aws_vpc.default.cidr_block
+}
 resource "aws_network_acl" "secure" {
   vpc_id     = aws_vpc.default.id
   subnet_ids = aws_subnet.secure.*.id
@@ -13,63 +17,63 @@ resource "aws_network_acl" "secure" {
 }
 
 resource "aws_network_acl_rule" "in_secure_from_secure" {
-  count          = length(aws_subnet.secure.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure.*.cidr_block)
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 101
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.secure[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
 }
 
 resource "aws_network_acl_rule" "out_secure_to_secure" {
-  count          = length(aws_subnet.secure.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure.*.cidr_block)
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 1
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.secure[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
 }
 
 resource "aws_network_acl_rule" "in_secure_from_private" {
-  count          = length(aws_subnet.private.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block)
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 201
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
 }
 
 resource "aws_network_acl_rule" "out_secure_to_private" {
-  count          = length(aws_subnet.private.*.cidr_block)
+  count          = var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block)
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 101
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
 }
 
 resource "aws_network_acl_rule" "in_secure_from_transit" {
-  count          = var.transit_subnet ? length(aws_subnet.transit.*.cidr_block) : 0
+  count          = var.transit_subnet ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.transit.*.cidr_block) : 0
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 301
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.transit[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.transit_subnet_summary : aws_subnet.transit[count.index].cidr_block
 }
 
 resource "aws_network_acl_rule" "out_secure_to_transit" {
-  count          = var.transit_subnet ? length(aws_subnet.transit.*.cidr_block) : 0
+  count          = var.transit_subnet ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.transit.*.cidr_block) : 0
   network_acl_id = aws_network_acl.secure.id
   rule_number    = count.index + 201
   egress         = true
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.transit[count.index].cidr_block
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.transit_subnet_summary : aws_subnet.transit[count.index].cidr_block
 }
 
 #############

nacl-transit.tf

@@ -1,3 +1,7 @@
+locals {
+  transit_subnet_ip      = split("/", try(element(aws_subnet.transit.*.cidr_block, length(aws_subnet.transit.*.cidr_block) - 1), "0.0.0.0/0"))[0]
+  transit_subnet_summary = var.vpc_cidr_summ != "/0" ? "${cidrhost("${local.transit_subnet_ip}${var.vpc_cidr_summ}", 0)}${var.vpc_cidr_summ}" : aws_vpc.default.cidr_block
+}
 resource "aws_network_acl" "transit" {
   count      = var.transit_subnet ? 1 : 0
   vpc_id     = aws_vpc.default.id
@@ -117,25 +121,25 @@ resource "aws_network_acl_rule" "in_transit_icmp" {
 }
 
 resource "aws_network_acl_rule" "in_transit_from_private" {
-  count          = var.transit_subnet ? length(aws_subnet.private.*.cidr_block) : 0
+  count          = var.transit_subnet ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.private.*.cidr_block) : 0
   network_acl_id = aws_network_acl.transit[0].id
   rule_number    = count.index + 601
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.private.*.cidr_block[count.index]
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.private_subnet_summary : aws_subnet.private[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }
 
 resource "aws_network_acl_rule" "in_transit_from_secure" {
-  count          = var.transit_subnet ? length(aws_subnet.secure.*.cidr_block) : 0
+  count          = var.transit_subnet ? var.vpc_cidr_summ != "/0" ? 1 : length(aws_subnet.secure.*.cidr_block) : 0
   network_acl_id = aws_network_acl.transit[0].id
   rule_number    = count.index + 701
   egress         = false
   protocol       = -1
   rule_action    = "allow"
-  cidr_block     = aws_subnet.secure.*.cidr_block[count.index]
+  cidr_block     = var.vpc_cidr_summ != "/0" ? local.secure_subnet_summary : aws_subnet.secure[count.index].cidr_block
   from_port      = 0
   to_port        = 0
 }