Add a custom list of cidrs to allow on each NACL table (#58)

adenot · web-flow · commit 3cb319c87935 · 2025-01-29T09:06:35.000+10:00
* Add a custom list of cidrs to allow on each NACL table

* terraform-docs: automated update action

---------

Co-authored-by: adenot &lt;adenot@users.noreply.github.com&gt;
diff --git a/README.md b/README.md
@@ -87,13 +87,16 @@ module "network" {
 | nat | Deploy NAT instance(s) | `bool` | `true` | no |
 | network\_firewall | Enable or disable VPC Network Firewall | `bool` | `false` | no |
 | newbits | Number of bits to add to the vpc cidr when building subnets | `number` | `5` | no |
+| private\_nacl\_allow\_cidrs | CIDRs to allow traffic from private subnet | `list(string)` | `[]` | no |
 | private\_netnum\_offset | Start with this subnet for private ones, plus number of AZs | `number` | `5` | no |
+| public\_nacl\_allow\_cidrs | CIDRs to allow traffic from public subnet | `list(string)` | `[]` | no |
 | public\_nacl\_icmp | Allows ICMP traffic to and from the public subnet | `bool` | `true` | no |
 | public\_nacl\_inbound\_tcp\_ports | TCP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | <pre>[<br>  "80",<br>  "443",<br>  "22",<br>  "1194"<br>]</pre> | no |
 | public\_nacl\_inbound\_udp\_ports | UDP Ports to allow inbound on public subnet via NACLs (this list cannot be empty) | `list(string)` | `[]` | no |
 | public\_nacl\_outbound\_tcp\_ports | TCP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_nacl\_outbound\_udp\_ports | UDP Ports to allow outbound to external services (use [0] to allow all ports) | `list(string)` | <pre>[<br>  "0"<br>]</pre> | no |
 | public\_netnum\_offset | Start with this subnet for public ones, plus number of AZs | `number` | `0` | no |
+| secure\_nacl\_allow\_cidrs | CIDRs to allow traffic from secure subnet | `list(string)` | `[]` | no |
 | secure\_nacl\_allow\_public | Allow traffic between public and secure | `bool` | `false` | no |
 | secure\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `10` | no |
 | tags | Extra tags to attach to resources | `map(string)` | `{}` | no |
diff --git a/_variables.tf b/_variables.tf
@@ -150,6 +150,24 @@ variable "secure_nacl_allow_public" {
   description = "Allow traffic between public and secure"
 }
 
+variable "public_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from public subnet"
+}
+
+variable "private_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from private subnet"
+}
+
+variable "secure_nacl_allow_cidrs" {
+  type        = list(string)
+  default     = []
+  description = "CIDRs to allow traffic from secure subnet"
+}
+
 variable "vpc_flow_logs" {
   type        = bool
   default     = true
diff --git a/nacl-private.tf b/nacl-private.tf
@@ -158,3 +158,28 @@ resource "aws_network_acl_rule" "out_private_from_secure" {
   from_port      = 0
   to_port        = 0
 }
+
+
+resource "aws_network_acl_rule" "in_private_from_allowed_cidrs" {
+  count          = length(var.private_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = count.index + 601
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.private_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_private_from_allowed_cidrs" {
+  count          = length(var.private_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.private.id
+  rule_number    = count.index + 601
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.private_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
diff --git a/nacl-public.tf b/nacl-public.tf
@@ -179,3 +179,28 @@ resource "aws_network_acl_rule" "in_public_from_secure" {
   from_port      = 0
   to_port        = 0
 }
+
+
+resource "aws_network_acl_rule" "in_public_from_allowed_cidrs" {
+  count          = length(var.public_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.public.id
+  rule_number    = count.index + 801
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.public_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_public_from_allowed_cidrs" {
+  count          = length(var.public_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.public.id
+  rule_number    = count.index + 801
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.public_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
diff --git a/nacl-secure.tf b/nacl-secure.tf
@@ -149,3 +149,27 @@ resource "aws_network_acl_rule" "out_secure_to_dynamodb" {
   from_port      = 0
   to_port        = 0
 }
+
+resource "aws_network_acl_rule" "in_secure_from_allowed_cidrs" {
+  count          = length(var.secure_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 801
+  egress         = false
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.secure_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
+
+resource "aws_network_acl_rule" "out_secure_from_allowed_cidrs" {
+  count          = length(var.secure_nacl_allow_cidrs)
+  network_acl_id = aws_network_acl.secure.id
+  rule_number    = count.index + 801
+  egress         = true
+  protocol       = -1
+  rule_action    = "allow"
+  cidr_block     = var.secure_nacl_allow_cidrs[count.index]
+  from_port      = 0
+  to_port        = 0
+}
