support for mapping the "public in" on launch (#7)

RohitSquareops · web-flow · commit c0f4620c1df4 · 2023-05-31T17:17:19.000+05:30
enable auto_assign_public_ip to true for public subnet
diff --git a/IAM.md b/IAM.md
@@ -13,51 +13,53 @@ The Policy required to deploy this module is:
             "Action": [
                 "ec2:AllocateAddress",
                 "ec2:AssociateAddress",
+                "ec2:AssociateDhcpOptions",
                 "ec2:AssociateRouteTable",
+                "ec2:AssociateVpcCidrBlock",
                 "ec2:AttachInternetGateway",
-                "ec2:AttachVolume",
                 "ec2:AttachVpnGateway",
                 "ec2:AuthorizeSecurityGroupEgress",
                 "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:CancelSpotInstanceRequests",
+                "ec2:CreateCustomerGateway",
+                "ec2:CreateDefaultVpc",
+                "ec2:CreateDhcpOptions",
+                "ec2:CreateEgressOnlyInternetGateway",
                 "ec2:CreateFlowLogs",
                 "ec2:CreateInternetGateway",
                 "ec2:CreateKeyPair",
                 "ec2:CreateNatGateway",
                 "ec2:CreateNetworkAcl",
                 "ec2:CreateNetworkAclEntry",
-                "ec2:CreateNetworkInterface",
-                "ec2:CreatePlacementGroup",
                 "ec2:CreateRoute",
                 "ec2:CreateRouteTable",
                 "ec2:CreateSecurityGroup",
                 "ec2:CreateSubnet",
                 "ec2:CreateTags",
                 "ec2:CreateVPC",
-                "ec2:CreateVolume",
-                "ec2:CreateVpcEndpoint",
                 "ec2:CreateVpnGateway",
+                "ec2:DeleteCustomerGateway",
+                "ec2:DeleteDhcpOptions",
+                "ec2:DeleteEgressOnlyInternetGateway",
                 "ec2:DeleteFlowLogs",
                 "ec2:DeleteInternetGateway",
                 "ec2:DeleteKeyPair",
                 "ec2:DeleteNatGateway",
                 "ec2:DeleteNetworkAcl",
                 "ec2:DeleteNetworkAclEntry",
-                "ec2:DeleteNetworkInterface",
-                "ec2:DeletePlacementGroup",
                 "ec2:DeleteRoute",
                 "ec2:DeleteRouteTable",
                 "ec2:DeleteSecurityGroup",
                 "ec2:DeleteSubnet",
                 "ec2:DeleteTags",
                 "ec2:DeleteVPC",
-                "ec2:DeleteVolume",
-                "ec2:DeleteVpcEndpoints",
                 "ec2:DeleteVpnGateway",
                 "ec2:DescribeAccountAttributes",
                 "ec2:DescribeAddresses",
-                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeCustomerGateways",
+                "ec2:DescribeDhcpOptions",
+                "ec2:DescribeEgressOnlyInternetGateways",
                 "ec2:DescribeFlowLogs",
-                "ec2:DescribeImages",
                 "ec2:DescribeInstanceAttribute",
                 "ec2:DescribeInstanceCreditSpecifications",
                 "ec2:DescribeInstanceTypes",
@@ -67,28 +69,27 @@ The Policy required to deploy this module is:
                 "ec2:DescribeNatGateways",
                 "ec2:DescribeNetworkAcls",
                 "ec2:DescribeNetworkInterfaces",
-                "ec2:DescribePlacementGroups",
-                "ec2:DescribePrefixLists",
                 "ec2:DescribeRouteTables",
                 "ec2:DescribeSecurityGroups",
+                "ec2:DescribeSpotInstanceRequests",
                 "ec2:DescribeSubnets",
                 "ec2:DescribeTags",
                 "ec2:DescribeVolumes",
                 "ec2:DescribeVpcAttribute",
-                "ec2:DescribeVpcEndpoints",
                 "ec2:DescribeVpcs",
                 "ec2:DescribeVpnGateways",
                 "ec2:DetachInternetGateway",
-                "ec2:DetachVolume",
                 "ec2:DetachVpnGateway",
+                "ec2:DisableVgwRoutePropagation",
                 "ec2:DisassociateAddress",
                 "ec2:DisassociateRouteTable",
+                "ec2:DisassociateVpcCidrBlock",
+                "ec2:EnableVgwRoutePropagation",
                 "ec2:ImportKeyPair",
                 "ec2:ModifyInstanceAttribute",
-                "ec2:ModifyVolume",
-                "ec2:ModifyVpcEndpoint",
                 "ec2:MonitorInstances",
                 "ec2:ReleaseAddress",
+                "ec2:RequestSpotInstances",
                 "ec2:RevokeSecurityGroupEgress",
                 "ec2:RevokeSecurityGroupIngress",
                 "ec2:RunInstances",
@@ -97,56 +98,66 @@ The Policy required to deploy this module is:
                 "ec2:TerminateInstances",
                 "ec2:UnmonitorInstances"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         },
         {
             "Sid": "VisualEditor1",
             "Effect": "Allow",
             "Action": [
-                "iam:AddRoleToInstanceProfile",
+                "elasticache:AddTagsToResource",
+                "elasticache:CreateCacheSubnetGroup",
+                "elasticache:DeleteCacheSubnetGroup",
+                "elasticache:DescribeCacheSubnetGroups",
+                "elasticache:ListTagsForResource",
+                "elasticache:ModifyCacheSubnetGroup",
+                "elasticache:RemoveTagsFromResource"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor2",
+            "Effect": "Allow",
+            "Action": [
                 "iam:AttachRolePolicy",
-                "iam:CreateInstanceProfile",
                 "iam:CreatePolicy",
                 "iam:CreateRole",
-                "iam:DeleteInstanceProfile",
                 "iam:DeletePolicy",
                 "iam:DeleteRole",
                 "iam:DeleteRolePermissionsBoundary",
                 "iam:DetachRolePolicy",
-                "iam:GetInstanceProfile",
                 "iam:GetPolicy",
                 "iam:GetPolicyVersion",
                 "iam:GetRole",
                 "iam:ListAttachedRolePolicies",
                 "iam:ListInstanceProfilesForRole",
-                "iam:ListPolicies",
                 "iam:ListPolicyVersions",
                 "iam:ListRolePolicies",
                 "iam:PassRole",
                 "iam:PutRolePermissionsBoundary",
-                "iam:RemoveRoleFromInstanceProfile",
                 "iam:TagPolicy",
                 "iam:TagRole",
                 "iam:UntagPolicy"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         },
         {
-            "Sid": "VisualEditor2",
+            "Sid": "VisualEditor3",
             "Effect": "Allow",
             "Action": [
-                "kms:CreateKey",
-                "kms:Decrypt",
-                "kms:DescribeKey",
-                "kms:GetKeyPolicy",
-                "kms:GetKeyRotationStatus",
-                "kms:ListResourceTags",
-                "kms:ScheduleKeyDeletion"
+                "kms:Decrypt"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         },
         {
-            "Sid": "VisualEditor3",
+            "Sid": "VisualEditor4",
             "Effect": "Allow",
             "Action": [
                 "logs:AssociateKmsKey",
@@ -160,10 +171,12 @@ The Policy required to deploy this module is:
                 "logs:TagLogGroup",
                 "logs:UntagLogGroup"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         },
         {
-            "Sid": "VisualEditor4",
+            "Sid": "VisualEditor5",
             "Effect": "Allow",
             "Action": [
                 "rds:AddTagsToResource",
@@ -173,27 +186,40 @@ The Policy required to deploy this module is:
                 "rds:ListTagsForResource",
                 "rds:RemoveTagsFromResource"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         },
         {
-            "Sid": "VisualEditor5",
+            "Sid": "VisualEditor6",
+            "Effect": "Allow",
+            "Action": [
+                "redshift:CreateClusterSubnetGroup",
+                "redshift:CreateTags",
+                "redshift:DeleteClusterSubnetGroup",
+                "redshift:DeleteTags",
+                "redshift:DescribeClusterSubnetGroups",
+                "redshift:ModifyClusterSubnetGroup"
+            ],
+            "Resource": [
+                "*"
+            ]
+        },
+        {
+            "Sid": "VisualEditor7",
             "Effect": "Allow",
             "Action": [
                 "ssm:AddTagsToResource",
-                "ssm:CreateDocument",
-                "ssm:DeleteDocument",
                 "ssm:DeleteParameter",
-                "ssm:DescribeDocument",
-                "ssm:DescribeDocumentPermission",
                 "ssm:DescribeParameters",
-                "ssm:GetDocument",
                 "ssm:GetParameter",
                 "ssm:GetParameters",
                 "ssm:ListTagsForResource",
-                "ssm:PutParameter",
-                "ssm:UpdateDocument"
+                "ssm:PutParameter"
             ],
-            "Resource": "*"
+            "Resource": [
+                "*"
+            ]
         }
     ]
 }
diff --git a/README.md b/README.md
@@ -31,6 +31,7 @@ module "vpc" {
   availability_zones                              = 2
   vpn_server_enabled                              = false
   intra_subnet_enabled                            = true
+  auto_assign_public_ip                           = true
   public_subnet_enabled                           = true
   private_subnet_enabled                          = true
   one_nat_gateway_per_az                          = true
@@ -149,6 +150,7 @@ In this module, we have implemented the following CIS Compliance checks for VPC:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_auto_assign_public_ip"></a> [auto\_assign\_public\_ip](#input\_auto\_assign\_public\_ip) | Specify true to indicate that instances launched into the subnet should be assigned a public IP address. | `bool` | `false` | no |
 | <a name="input_availability_zones"></a> [availability\_zones](#input\_availability\_zones) | Number of Availability Zone to be used by VPC Subnets | `number` | `2` | no |
 | <a name="input_database_subnet_cidrs"></a> [database\_subnet\_cidrs](#input\_database\_subnet\_cidrs) | Database Tier subnet CIDRs to be created | `list(any)` | `[]` | no |
 | <a name="input_database_subnet_enabled"></a> [database\_subnet\_enabled](#input\_database\_subnet\_enabled) | Set true to enable database subnets | `bool` | `false` | no |
diff --git a/examples/complete-vpc-with-vpn/README.md b/examples/complete-vpc-with-vpn/README.md
@@ -32,7 +32,7 @@ No providers.
 | Name | Source | Version |
 |------|--------|---------|
 | <a name="module_key_pair_vpn"></a> [key\_pair\_vpn](#module\_key\_pair\_vpn) | squareops/keypair/aws | n/a |
-| <a name="module_vpc"></a> [vpc](#module\_vpc) | squareops/vpc/aws | n/a |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ | n/a |
 
 ## Resources
 
diff --git a/examples/complete-vpc-with-vpn/main.tf b/examples/complete-vpc-with-vpn/main.tf
@@ -28,6 +28,7 @@ module "vpc" {
   vpn_server_enabled                              = false
   intra_subnet_enabled                            = true
   public_subnet_enabled                           = true
+  auto_assign_public_ip                           = true
   private_subnet_enabled                          = true
   one_nat_gateway_per_az                          = true
   database_subnet_enabled                         = true
diff --git a/examples/simple-vpc/main.tf b/examples/simple-vpc/main.tf
@@ -17,4 +17,5 @@ module "vpc" {
   environment           = local.environment
   availability_zones    = 2
   public_subnet_enabled = true
+  auto_assign_public_ip = true
 }
diff --git a/examples/vpc-with-private-subnet/main.tf b/examples/vpc-with-private-subnet/main.tf
@@ -18,5 +18,6 @@ module "vpc" {
   availability_zones     = 2
   public_subnet_enabled  = true
   private_subnet_enabled = true
+  auto_assign_public_ip  = true
 
 }
diff --git a/main.tf b/main.tf
@@ -40,6 +40,7 @@ module "vpc" {
   enable_dns_hostnames                            = true
   flow_log_traffic_type                           = "ALL"
   one_nat_gateway_per_az                          = var.one_nat_gateway_per_az
+  map_public_ip_on_launch                         = var.auto_assign_public_ip
   flow_log_destination_type                       = "cloud-watch-logs"
   manage_default_network_acl                      = true
   default_network_acl_ingress                     = concat(local.nacl_allow_vpc_access_rule, var.default_network_acl_ingress)
diff --git a/variables.tf b/variables.tf
@@ -152,3 +152,9 @@ variable "flow_log_max_aggregation_interval" {
   type        = number
   default     = 60
 }
+
+variable "auto_assign_public_ip" {
+  description = "Specify true to indicate that instances launched into the subnet should be assigned a public IP address."
+  type        = bool
+  default     = false
+}

Original file line number	Diff line number	Diff line change
`@@ -17,4 +17,5 @@ module "vpc" {`
`17`	`17`	`environment = local.environment`
`18`	`18`	`availability_zones = 2`
`19`	`19`	`public_subnet_enabled = true`
	`20`	`+ auto_assign_public_ip = true`
`20`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,5 +18,6 @@ module "vpc" {`
`18`	`18`	`availability_zones = 2`
`19`	`19`	`public_subnet_enabled = true`
`20`	`20`	`private_subnet_enabled = true`
	`21`	`+ auto_assign_public_ip = true`
`21`	`22`
`22`	`23`	`}`