-
-
Notifications
You must be signed in to change notification settings - Fork 166
/
Copy pathpublic.tf
160 lines (121 loc) · 5.31 KB
/
public.tf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
module "public_label" {
source = "cloudposse/label/null"
version = "0.25.0"
attributes = [var.public_label]
tags = merge(
var.public_subnets_additional_tags,
var.subnet_type_tag_key != null && var.subnet_type_tag_value_format != null ? { (var.subnet_type_tag_key) = format(var.subnet_type_tag_value_format, var.public_label) } : {}
)
context = module.this.context
}
resource "aws_subnet" "public" {
count = local.public_enabled ? local.subnet_az_count : 0
vpc_id = local.vpc_id
availability_zone = local.subnet_availability_zones[count.index]
# When provisioning both public and private subnets, the public subnets get the second set of CIDRs.
# Use element()'s wrap-around behavior to handle the case where we are only provisioning public subnets.
cidr_block = local.public4_enabled ? element(local.ipv4_public_subnet_cidrs, count.index) : null
ipv6_cidr_block = local.public6_enabled ? element(local.ipv6_public_subnet_cidrs, count.index) : null
ipv6_native = local.public6_enabled && !local.public4_enabled
#bridgecrew:skip=BC_AWS_NETWORKING_53:Public VPCs should be allowed to default to public IPs
map_public_ip_on_launch = local.public4_enabled ? var.map_public_ip_on_launch : null
assign_ipv6_address_on_creation = local.public6_enabled ? var.public_assign_ipv6_address_on_creation : null
enable_dns64 = local.public6_enabled ? local.public_dns64_enabled : null
enable_resource_name_dns_a_record_on_launch = local.public4_enabled ? var.ipv4_public_instance_hostnames_enabled : null
enable_resource_name_dns_aaaa_record_on_launch = local.public6_enabled ? var.ipv6_public_instance_hostnames_enabled || !local.public4_enabled : null
private_dns_hostname_type_on_launch = local.public4_enabled ? var.ipv4_public_instance_hostname_type : null
tags = merge(
module.public_label.tags,
{
"Name" = format("%s%s%s", module.public_label.id, local.delimiter, local.subnet_az_abbreviations[count.index])
}
)
lifecycle {
ignore_changes = [tags.kubernetes, tags.SubnetType]
}
timeouts {
create = var.subnet_create_timeout
delete = var.subnet_delete_timeout
}
}
resource "aws_route_table" "public" {
# May need 1 table or 1 per AZ
count = local.create_public_route_tables ? local.public_route_table_count : 0
vpc_id = local.vpc_id
tags = module.public_label.tags
}
resource "aws_route" "public" {
count = local.public4_enabled && local.igw_configured ? local.public_route_table_count : 0
route_table_id = local.public_route_table_ids[count.index]
destination_cidr_block = "0.0.0.0/0"
gateway_id = var.igw_id[0]
timeouts {
create = var.aws_route_create_timeout
delete = var.aws_route_delete_timeout
}
}
resource "aws_route" "public6" {
count = local.public6_enabled && local.igw_configured ? local.public_route_table_count : 0
route_table_id = local.public_route_table_ids[count.index]
destination_ipv6_cidr_block = "::/0"
gateway_id = var.igw_id[0]
timeouts {
create = var.aws_route_create_timeout
delete = var.aws_route_delete_timeout
}
}
resource "aws_route_table_association" "public" {
count = local.public_route_table_enabled ? local.subnet_az_count : 0
subnet_id = aws_subnet.public[count.index].id
route_table_id = element(local.public_route_table_ids, count.index)
}
resource "aws_network_acl" "public" {
count = local.public_open_network_acl_enabled ? 1 : 0
vpc_id = local.vpc_id
subnet_ids = aws_subnet.public[*].id
tags = module.public_label.tags
}
resource "aws_network_acl_rule" "public4_ingress" {
count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
network_acl_id = aws_network_acl.public[0].id
rule_action = "allow"
rule_number = var.open_network_acl_ipv4_rule_number
egress = false
cidr_block = "0.0.0.0/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
from_port = 0
to_port = 0
protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
}
resource "aws_network_acl_rule" "public4_egress" {
count = local.public_open_network_acl_enabled && local.public4_enabled ? 1 : 0
network_acl_id = aws_network_acl.public[0].id
rule_action = "allow"
rule_number = var.open_network_acl_ipv4_rule_number
egress = true
cidr_block = "0.0.0.0/0"
from_port = 0
to_port = 0
protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
}
resource "aws_network_acl_rule" "public6_ingress" {
count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
network_acl_id = aws_network_acl.public[0].id
rule_action = "allow"
rule_number = var.open_network_acl_ipv6_rule_number
egress = false
ipv6_cidr_block = "::/0" #tfsec:ignore:aws-ec2-no-public-ingress-acl
from_port = 0
to_port = 0
protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
}
resource "aws_network_acl_rule" "public6_egress" {
count = local.public_open_network_acl_enabled && local.public6_enabled ? 1 : 0
network_acl_id = aws_network_acl.public[0].id
rule_action = "allow"
rule_number = var.open_network_acl_ipv6_rule_number
egress = true
ipv6_cidr_block = "::/0"
from_port = 0
to_port = 0
protocol = "-1" #tfsec:ignore:aws-ec2-no-excessive-port-access
}