Minor cleanups

cloudpossebot · Nuru · commit 370c550549fb · 2022-05-06T19:24:48.000-07:00
diff --git a/README.md b/README.md
@@ -286,7 +286,7 @@ Available targets:
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.13.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.71.0 |
 
 ## Modules
 
@@ -430,12 +430,12 @@ Available targets:
 | <a name="output_nat_instance_ami_id"></a> [nat\_instance\_ami\_id](#output\_nat\_instance\_ami\_id) | ID of AMI used by NAT instance |
 | <a name="output_nat_instance_ids"></a> [nat\_instance\_ids](#output\_nat\_instance\_ids) | IDs of the NAT Instances created |
 | <a name="output_nat_ips"></a> [nat\_ips](#output\_nat\_ips) | IP Addresses in use by NAT |
-| <a name="output_private_network_acl"></a> [private\_network\_acl](#output\_private\_network\_acl) | n/a |
+| <a name="output_private_network_acl"></a> [private\_network\_acl](#output\_private\_network\_acl) | ID of the Network ACL created for private subnets |
 | <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | IDs of the created private route tables |
 | <a name="output_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#output\_private\_subnet\_cidrs) | IPv4 CIDR blocks of the created private subnets |
 | <a name="output_private_subnet_ids"></a> [private\_subnet\_ids](#output\_private\_subnet\_ids) | IDs of the created private subnets |
 | <a name="output_private_subnet_ipv6_cidrs"></a> [private\_subnet\_ipv6\_cidrs](#output\_private\_subnet\_ipv6\_cidrs) | IPv6 CIDR blocks of the created private subnets |
-| <a name="output_public_network_acl"></a> [public\_network\_acl](#output\_public\_network\_acl) | n/a |
+| <a name="output_public_network_acl"></a> [public\_network\_acl](#output\_public\_network\_acl) | ID of the Network ACL created for public subnets |
 | <a name="output_public_route_table_ids"></a> [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | IDs of the created public route tables |
 | <a name="output_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#output\_public\_subnet\_cidrs) | IPv4 CIDR blocks of the created public subnets |
 | <a name="output_public_subnet_ids"></a> [public\_subnet\_ids](#output\_public\_subnet\_ids) | IDs of the created public subnets |
diff --git a/docs/terraform.md b/docs/terraform.md
@@ -10,7 +10,7 @@
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | 4.13.0 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.71.0 |
 
 ## Modules
 
@@ -154,12 +154,12 @@
 | <a name="output_nat_instance_ami_id"></a> [nat\_instance\_ami\_id](#output\_nat\_instance\_ami\_id) | ID of AMI used by NAT instance |
 | <a name="output_nat_instance_ids"></a> [nat\_instance\_ids](#output\_nat\_instance\_ids) | IDs of the NAT Instances created |
 | <a name="output_nat_ips"></a> [nat\_ips](#output\_nat\_ips) | IP Addresses in use by NAT |
-| <a name="output_private_network_acl"></a> [private\_network\_acl](#output\_private\_network\_acl) | n/a |
+| <a name="output_private_network_acl"></a> [private\_network\_acl](#output\_private\_network\_acl) | ID of the Network ACL created for private subnets |
 | <a name="output_private_route_table_ids"></a> [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | IDs of the created private route tables |
 | <a name="output_private_subnet_cidrs"></a> [private\_subnet\_cidrs](#output\_private\_subnet\_cidrs) | IPv4 CIDR blocks of the created private subnets |
 | <a name="output_private_subnet_ids"></a> [private\_subnet\_ids](#output\_private\_subnet\_ids) | IDs of the created private subnets |
 | <a name="output_private_subnet_ipv6_cidrs"></a> [private\_subnet\_ipv6\_cidrs](#output\_private\_subnet\_ipv6\_cidrs) | IPv6 CIDR blocks of the created private subnets |
-| <a name="output_public_network_acl"></a> [public\_network\_acl](#output\_public\_network\_acl) | n/a |
+| <a name="output_public_network_acl"></a> [public\_network\_acl](#output\_public\_network\_acl) | ID of the Network ACL created for public subnets |
 | <a name="output_public_route_table_ids"></a> [public\_route\_table\_ids](#output\_public\_route\_table\_ids) | IDs of the created public route tables |
 | <a name="output_public_subnet_cidrs"></a> [public\_subnet\_cidrs](#output\_public\_subnet\_cidrs) | IPv4 CIDR blocks of the created public subnets |
 | <a name="output_public_subnet_ids"></a> [public\_subnet\_ids](#output\_public\_subnet\_ids) | IDs of the created public subnets |
diff --git a/examples/existing-ips/main.tf b/examples/existing-ips/main.tf
@@ -25,9 +25,9 @@ module "subnets" {
 
   availability_zones   = var.availability_zones
   vpc_id               = module.vpc.vpc_id
-  igw_id               = module.vpc.igw_id
-  cidr_block           = module.vpc.vpc_cidr_block
-  nat_elastic_ips      = [for az, eip in aws_eip.nat_ips : eip.public_ip]
+  igw_id               = [module.vpc.igw_id]
+  cidr_block           = [module.vpc.vpc_cidr_block]
+  nat_elastic_ips      = aws_eip.nat_ips.*.public_ip
   nat_gateway_enabled  = true
   nat_instance_enabled = false
 
diff --git a/main.tf b/main.tf
@@ -201,6 +201,7 @@ resource "aws_eip" "default" {
   lifecycle {
     create_before_destroy = true
   }
+  #bridgecrew:skip=BC_AWS_NETWORKING_48: Skipping requirement for EIPs to be attached to EC2 instances because we are attaching to NAT Gateway.
 }
 
 module "utils" {
diff --git a/nat-instance.tf b/nat-instance.tf
@@ -93,6 +93,7 @@ resource "aws_instance" "nat_instance" {
 
   #bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
   #bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
+  #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.
   associate_public_ip_address = true #tfsec:ignore:AWS012
 
   lifecycle {
@@ -116,6 +117,8 @@ resource "aws_instance" "nat_instance" {
       cpu_credits = var.nat_instance_cpu_credits_override
     }
   }
+
+  ebs_optimized = true
 }
 
 resource "aws_eip_association" "nat_instance" {
diff --git a/outputs.tf b/outputs.tf
@@ -51,11 +51,13 @@ output "private_route_table_ids" {
 }
 
 output "public_network_acl" {
-  value = local.public_open_network_acl_enabled ? aws_network_acl.public[0].id : null
+  description = "ID of the Network ACL created for public subnets"
+  value       = local.public_open_network_acl_enabled ? aws_network_acl.public[0].id : null
 }
 
 output "private_network_acl" {
-  value = local.private_open_network_acl_enabled ? aws_network_acl.private[0].id : null
+  description = "ID of the Network ACL created for private subnets"
+  value       = local.private_open_network_acl_enabled ? aws_network_acl.private[0].id : null
 }
 
 output "nat_gateway_ids" {
diff --git a/public.tf b/public.tf
@@ -23,7 +23,7 @@ resource "aws_subnet" "public" {
   ipv6_cidr_block = local.ipv6_enabled ? element(local.ipv6_public_subnet_cidrs, count.index) : null
   ipv6_native     = local.ipv6_enabled && !local.ipv4_enabled
 
-
+  #bridgecrew:skip=BC_AWS_NETWORKING_53:Public VPCs should be allowed to default to public IPs
   map_public_ip_on_launch = local.ipv4_enabled ? var.map_public_ip_on_launch : null
 
   assign_ipv6_address_on_creation = local.ipv6_enabled ? var.public_assign_ipv6_address_on_creation : null

Original file line number	Diff line number	Diff line change
`@@ -201,6 +201,7 @@ resource "aws_eip" "default" {`
`201`	`201`	`lifecycle {`
`202`	`202`	`create_before_destroy = true`
`203`	`203`	`}`
	`204`	`+ #bridgecrew:skip=BC_AWS_NETWORKING_48: Skipping requirement for EIPs to be attached to EC2 instances because we are attaching to NAT Gateway.`
`204`	`205`	`}`
`205`	`206`
`206`	`207`	`module "utils" {`
Original file line number	Diff line number	Diff line change
`@@ -93,6 +93,7 @@ resource "aws_instance" "nat_instance" {`
`93`	`93`
`94`	`94`	#bridgecrew:skip=BC_AWS_PUBLIC_12: Skipping `EC2 Should Not Have Public IPs` check. NAT instance requires public IP.
`95`	`95`	#bridgecrew:skip=BC_AWS_GENERAL_31: Skipping `Ensure Instance Metadata Service Version 1 is not enabled` check until BridgeCrew support condition evaluation. See https://github.com/bridgecrewio/checkov/issues/793
	`96`	`+ #bridgecrew:skip=BC_AWS_LOGGING_26: Skipping requirement for detailed monitoring of NAT instance.`
`96`	`97`	`associate_public_ip_address = true #tfsec:ignore:AWS012`
`97`	`98`
`98`	`99`	`lifecycle {`
`@@ -116,6 +117,8 @@ resource "aws_instance" "nat_instance" {`
`116`	`117`	`cpu_credits = var.nat_instance_cpu_credits_override`
`117`	`118`	`}`
`118`	`119`	`}`
	`120`	`+`
	`121`	`+ ebs_optimized = true`
`119`	`122`	`}`
`120`	`123`
`121`	`124`	`resource "aws_eip_association" "nat_instance" {`
Original file line number	Diff line number	Diff line change
`@@ -51,11 +51,13 @@ output "private_route_table_ids" {`
`51`	`51`	`}`
`52`	`52`
`53`	`53`	`output "public_network_acl" {`
`54`		`- value = local.public_open_network_acl_enabled ? aws_network_acl.public[0].id : null`
	`54`	`+ description = "ID of the Network ACL created for public subnets"`
	`55`	`+ value = local.public_open_network_acl_enabled ? aws_network_acl.public[0].id : null`
`55`	`56`	`}`
`56`	`57`
`57`	`58`	`output "private_network_acl" {`
`58`		`- value = local.private_open_network_acl_enabled ? aws_network_acl.private[0].id : null`
	`59`	`+ description = "ID of the Network ACL created for private subnets"`
	`60`	`+ value = local.private_open_network_acl_enabled ? aws_network_acl.private[0].id : null`
`59`	`61`	`}`
`60`	`62`
`61`	`63`	`output "nat_gateway_ids" {`