Merge branch 'kral2:22-add-default-sl-lockdown-switch'

hyder · hyder · commit 749cc030bbff · 2021-02-04T14:48:22.000+11:00
diff --git a/CHANGELOG.adoc b/CHANGELOG.adoc
@@ -9,6 +9,7 @@ The format is based on {uri-changelog}[Keep a Changelog].
 
 == unreleased
 * changed input region to be optional (fixes #18)
+* added a new parameter to lockdown the VCN Default Security List and option to revert to original state (fixes #22)
 
 == v1.0.3 (July 13,2020)
 
diff --git a/CONTRIBUTORS.adoc b/CONTRIBUTORS.adoc
@@ -9,3 +9,4 @@ CONTRIBUTORS
 
 - @karthicgit
 - @difu
+- @kral2
diff --git a/README.adoc b/README.adoc
@@ -77,7 +77,7 @@ Learn how to {uri-contribute}[contribute].
 
 == License
 
-Copyright &copy; 2019 Oracle and/or its associates. All rights reserved.
+Copyright &copy; 2019, 2021, Oracle and/or its associates.
 
 Licensed under the {uri-license}[Universal Permissive License 1.0] as shown at 
 {uri-canonical-license}[https://oss.oracle.com/licenses/upl].
diff --git a/README.md b/README.md
@@ -1,31 +1,5 @@
 # Terraform VCN for Oracle Cloud Infrastructure
 
-[changelog]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CHANGELOG.adoc
-[contributing]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTING.adoc
-[contributors]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTORS.adoc
-[docs]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/tree/master/docs
-
-[license]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/LICENSE
-[canonical_license]: https://oss.oracle.com/licenses/upl/
-
-[oci]: https://cloud.oracle.com/cloud-infrastructure
-[oci_documentation]: https://docs.cloud.oracle.com/iaas/Content/home.htm
-
-[oracle]: https://www.oracle.com
-[prerequisites]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/prerequisites.adoc
-
-[quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/quickstart.adoc
-[repo]: https://github.com/oracle/terraform-oci-vcn
-[reuse]: https://github.com/oracle/terraform-oci-vcn/examples/db
-[subnets]: https://erikberg.com/notes/networks.html
-[terraform]: https://www.terraform.io
-[terraform_cidr_subnet]: http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/
-[terraform_hashircorp_examples]: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples
-[terraform_oci]: https://www.terraform.io/docs/providers/oci/index.html
-[terraform_options]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/terraformoptions.adoc
-[terraform_oci_examples]: https://github.com/terraform-providers/terraform-provider-oci/tree/master/examples
-[terraform_oci_oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke
-
 The [Terraform VCN][repo] for [Oracle Cloud Infrastructure][OCI] provides a reusable [Terraform][terraform] module that provisions a minimal VCN on OCI.
 
 It creates the following resources:
@@ -35,22 +9,26 @@ It creates the following resources:
 * An optional NAT gateway
 * An optional service gateway
 
-This module is primarily meant to be reusable to create more advanced infrastructure on {uri-oci}[OCI] either manually in the OCI Console or by extending the Terraform code.
+It also controls the Default Security List, with a *Lockdown mode* that can be enabled or disabled.
+
+This module is primarily meant to be reusable to create more advanced infrastructure on [OCI][OCI] either manually in the OCI Console or by extending the Terraform code.
 
 ## [Documentation][docs]
 
 ### [Pre-requisites][prerequisites]
 
 #### Instructions
-- [Quickstart][quickstart]
-- [Reusing as a Terraform module][reuse]
-- [Terraform Options][terraform_options]
+
+* [Quickstart][quickstart]
+* [Reusing as a Terraform module][reuse]
+* [Terraform Options][terraform_options]
 
 ## Related Documentation, Blog
-- [Oracle Cloud Infrastructure Documentation][oci_documentation]
-- [Terraform OCI Provider Documentation][terraform_oci]
-- [Erik Berg on Networks, Subnets and CIDR][subnets]
-- [Lisa Hagemann on Terraform cidrsubnet Deconstructed][terraform_cidr_subnet]
+
+* [Oracle Cloud Infrastructure Documentation][oci_documentation]
+* [Terraform OCI Provider Documentation][terraform_oci]
+* [Erik Berg on Networks, Subnets and CIDR][subnets]
+* [Lisa Hagemann on Terraform cidrsubnet Deconstructed][terraform_cidr_subnet]
 
 ## Projects using this module
 
@@ -70,7 +48,35 @@ Learn how to [contribute][contributing].
 
 ## License
 
-Copyright (c) 2019, 2020 Oracle and/or its associates. All rights reserved.
+Copyright (c) 2019, 2021 Oracle and/or its associates.
+
+Licensed under the [Universal Permissive License 1.0][license] as shown at
+[https://oss.oracle.com/licenses/upl][canonical_license].
+
+<!-- Links reference section -->
+[changelog]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CHANGELOG.adoc
+[contributing]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTING.adoc
+[contributors]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/CONTRIBUTORS.adoc
+[docs]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/tree/master/docs
+
+[license]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/LICENSE
+[canonical_license]: https://oss.oracle.com/licenses/upl/
 
-Licensed under the [Universal Permissive License 1.0][license] as shown at 
-[https://oss.oracle.com/licenses/upl][canonical_license].
+[oci]: https://cloud.oracle.com/cloud-infrastructure
+[oci_documentation]: https://docs.cloud.oracle.com/iaas/Content/home.htm
+
+[oracle]: https://www.oracle.com
+[prerequisites]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/prerequisites.adoc
+
+[quickstart]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/quickstart.adoc
+[repo]: https://github.com/oracle/terraform-oci-vcn
+[reuse]: https://github.com/oracle/terraform-oci-vcn/examples/db
+[subnets]: https://erikberg.com/notes/networks.html
+[terraform]: https://www.terraform.io
+[terraform_cidr_subnet]: http://blog.itsjustcode.net/blog/2017/11/18/terraform-cidrsubnet-deconstructed/
+[terraform_hashircorp_examples]: https://github.com/hashicorp/terraform-guides/tree/master/infrastructure-as-code/terraform-0.12-examples
+[terraform_oci]: https://www.terraform.io/docs/providers/oci/index.html
+[terraform_options]: https://github.com/oracle-terraform-modules/terraform-oci-vcn/blob/master/docs/terraformoptions.adoc
+[terraform_oci_examples]: https://github.com/terraform-providers/terraform-provider-oci/tree/master/examples
+[terraform_oci_oke]: https://github.com/oracle-terraform-modules/terraform-oci-oke
+<!-- Links reference section -->
diff --git a/docs/terraformoptions.adoc b/docs/terraformoptions.adoc
@@ -86,6 +86,11 @@ tags = {
 |true/false
 |false
 
+|`lockdown_default_seclist`
+|whether to remove all default security rules from the VCN Default Security List
+|true/false
+|true
+
 |`nat_gateway_enabled`
 |Whether to create a NAT gateway. 
 |true/false
diff --git a/examples/README.md b/examples/README.md
@@ -78,6 +78,7 @@ module "vcn" {
   vcn_cidr                 = var.vcn_cidr
   vcn_dns_label            = var.vcn_dns_label
   vcn_name                 = var.vcn_name
+  lockdown_default_seclist = var.lockdown_default_seclist
 }
 ```
 
diff --git a/examples/main.tf b/examples/main.tf
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2019, 2021, Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 module "vcn" {
@@ -15,6 +15,8 @@ module "vcn" {
   # vcn parameters
   internet_gateway_enabled = false
 
+  lockdown_default_seclist = true
+
   nat_gateway_enabled = false
 
   service_gateway_enabled = false
diff --git a/examples/variables.tf b/examples/variables.tf
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2019, 2021, Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl
 
 # provider identity parameters
@@ -82,3 +82,9 @@ variable "vcn_name" {
   description = "user-friendly name of to use for the vcn to be appended to the label_prefix"
   type        = string
 }
+
+variable "lockdown_default_seclist" {
+  description = "whether to remove all default security rules from the VCN Default Security List"
+  default     = true
+  type        = bool
+}
diff --git a/nat.tf b/nat.tf
diff --git a/schema.yaml b/schema.yaml
@@ -9,8 +9,8 @@ groupings:
     - vcn_cidr
     - vcn_name
     - vcn_dns_label
-    
- 
+    - lockdown_default_seclist
+
 variables:
   region:
     type: oci:identity:region:name
@@ -49,6 +49,12 @@ variables:
     required: true
     default: vcn
 
+  lockdown_default_seclist:
+    title: Enable VCN Default Security List Lockdown
+    type: string
+    required: false
+    default: true
+
   tags:
     type: map
     visible: false
diff --git a/servicegateway.tf b/servicegateway.tf
diff --git a/variables.tf b/variables.tf
@@ -30,6 +30,12 @@ variable "internet_gateway_enabled" {
   type        = bool
 }
 
+variable "lockdown_default_seclist" {
+  description = "whether to remove all default security rules from the VCN Default Security List"
+  default     = true
+  type        = bool
+}
+
 variable "nat_gateway_enabled" {
   description = "whether to create a nat gateway in the vcn"
   default     = false
diff --git a/vcn.tf b/vcn.tf
@@ -1,4 +1,4 @@
-# Copyright (c) 2019, 2020 Oracle Corporation and/or affiliates.  All rights reserved.
+# Copyright (c) 2019, 2021, Oracle Corporation and/or affiliates.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 
 resource "oci_core_vcn" "vcn" {
@@ -9,30 +9,3 @@ resource "oci_core_vcn" "vcn" {
 
   freeform_tags = var.tags
 }
-
-resource "oci_core_internet_gateway" "ig" {
-  compartment_id = var.compartment_id
-  display_name   = var.label_prefix == "none" ? "internet-gateway" : "${var.label_prefix}-internet-gateway"
-
-  freeform_tags = var.tags
-
-  vcn_id = oci_core_vcn.vcn.id
-
-  count = var.internet_gateway_enabled == true ? 1 : 0
-}
-
-resource "oci_core_route_table" "ig" {
-  compartment_id = var.compartment_id
-  display_name   = var.label_prefix == "none" ? "internet-route" : "${var.label_prefix}-internet-route"
-
-  freeform_tags = var.tags
-
-  route_rules {
-    destination       = local.anywhere
-    network_entity_id = oci_core_internet_gateway.ig[0].id
-  }
-
-  vcn_id = oci_core_vcn.vcn.id
-
-  count = var.internet_gateway_enabled == true ? 1 : 0
-}
diff --git a/vcn_defaultresources.tf b/vcn_defaultresources.tf
@@ -0,0 +1,55 @@
+# Copyright (c) 2021, Oracle Corporation and/or affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+# VCN default Security List Lockdown
+// See Issue #22 for the reasoning
+resource "oci_core_default_security_list" "lockdown" {
+  // If variable is true, removes all rules from default security list
+  manage_default_resource_id = oci_core_vcn.vcn.default_security_list_id
+
+  count = var.lockdown_default_seclist == true ? 1 : 0
+}
+
+resource "oci_core_default_security_list" "restore_default" {
+  // If variable is false, restore all default rules to default security list
+  manage_default_resource_id = oci_core_vcn.vcn.default_security_list_id
+
+  egress_security_rules {
+    // allow all egress traffic
+    destination = "0.0.0.0/0"
+    protocol    = "all"
+  }
+
+  ingress_security_rules {
+    // allow all SSH
+    protocol = "6"
+    source   = "0.0.0.0/0"
+    tcp_options {
+      min = 22
+      max = 22
+    }
+  }
+
+  ingress_security_rules {
+    // allow ICMP for all type 3 code 4
+    protocol = "1"
+    source   = "0.0.0.0/0"
+
+    icmp_options {
+      type = "3"
+      code = "4"
+    }
+  }
+
+  ingress_security_rules {
+    //allow all ICMP from VCN
+    protocol = "1"
+    source   = var.vcn_cidr
+
+    icmp_options {
+      type = "3"
+    }
+  }
+
+  count = var.lockdown_default_seclist == false ? 1 : 0
+}
diff --git a/vcn_gateways.tf b/vcn_gateways.tf

Original file line number	Diff line number	Diff line change
`@@ -9,3 +9,4 @@ CONTRIBUTORS`
`9`	`9`
`10`	`10`	`- @karthicgit`
`11`	`11`	`- @difu`
	`12`	`+- @kral2`
Original file line number	Diff line number	Diff line change
`@@ -78,6 +78,7 @@ module "vcn" {`
`78`	`78`	`vcn_cidr = var.vcn_cidr`
`79`	`79`	`vcn_dns_label = var.vcn_dns_label`
`80`	`80`	`vcn_name = var.vcn_name`
	`81`	`+ lockdown_default_seclist = var.lockdown_default_seclist`
`81`	`82`	`}`
`82`	`83`	```
`83`	`84`