##############################################################################
# Create Subnet ACL Rules
##############################################################################
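# Builds the allow rules for the control-plane IP ranges of var.region.
# Only its `rules` output is consumed here (merged into local.all_acl_rules).
# Block labels are quoted, as `terraform fmt` writes them; an unquoted label is
# accepted but is the legacy form.
# NOTE(review): the module directory is spelled "control_pane_ips" (pane, not
# plane); the path is kept verbatim because it must match the directory on disk.
module "allow_control_plane_ip" {
  source = "./control_pane_ips"
  region = var.region
}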
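locals {
  # One inbound and one outbound allow rule per subnet, for every subnet in
  # every zone of var.subnets. tcp/udp/icmp are null, i.e. the rule matches
  # all protocols; names carry var.prefix so they stay unique per deployment.
  subnet_allow_rules = flatten([
    for zone in keys(var.subnets) : [
      for subnet in var.subnets[zone] : [
        {
          # Inbound: traffic whose source is the subnet CIDR, to any destination.
          name        = "allow-inbound-${var.prefix}-${subnet.name}"
          action      = "allow"
          direction   = "inbound"
          destination = "0.0.0.0/0"
          source      = subnet.cidr
          tcp         = null
          udp         = null
          icmp        = null
        },
        {
          # Outbound: traffic from any source to the subnet CIDR.
          name        = "allow-outbound-${var.prefix}-${subnet.name}"
          action      = "allow"
          direction   = "outbound"
          destination = subnet.cidr
          source      = "0.0.0.0/0"
          tcp         = null
          udp         = null
          icmp        = null
        }
      ]
    ]
  ])

  # Rules needed for the managed clusters to reach their service ranges.
  # 161.26.0.0/16 and 166.8.0.0/14 are taken as given by the original file;
  # presumably the provider's private service networks — confirm against
  # the provider documentation before changing them.
  # tcp/udp/icmp are set explicitly (null = all protocols) so that every
  # object in local.all_acl_rules has the same attribute set; a consumer that
  # reads `rule.tcp` directly rather than via lookup() would otherwise fail on
  # these four entries. The consuming resource is not visible in this file.
  cluster_allow_rules = [
    {
      name        = "roks-create-worker-nodes-inbound"
      action      = "allow"
      source      = "161.26.0.0/16"
      destination = "0.0.0.0/0"
      direction   = "inbound"
      tcp         = null
      udp         = null
      icmp        = null
    },
    {
      name        = "roks-create-worker-nodes-outbound"
      action      = "allow"
      destination = "161.26.0.0/16"
      source      = "0.0.0.0/0"
      direction   = "outbound"
      tcp         = null
      udp         = null
      icmp        = null
    },
    {
      name        = "roks-nodes-to-service-inbound"
      action      = "allow"
      source      = "166.8.0.0/14"
      destination = "0.0.0.0/0"
      direction   = "inbound"
      tcp         = null
      udp         = null
      icmp        = null
    },
    {
      name        = "roks-nodes-to-service-outbound"
      action      = "allow"
      destination = "166.8.0.0/14"
      source      = "0.0.0.0/0"
      direction   = "outbound"
      tcp         = null
      udp         = null
      icmp        = null
    }
  ]

  # Final ordered rule list. Order is significant if the consuming resource
  # derives rule priority from list position (TODO confirm): the cluster and
  # per-subnet allows come first, then the control-plane module's rules, and
  # caller-supplied var.acl_rules last — so a deny supplied by the caller
  # cannot take precedence over the allow-all-protocol rules generated above.
  all_acl_rules = flatten([
    local.cluster_allow_rules,
    local.subnet_allow_rules,
    module.allow_control_plane_ip.rules,
    var.acl_rules
  ])
}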
##############################################################################