GovTechSG/terraform-aws-firewall
terraform-aws-firewall

Terraform module to create an AWS Network Firewall (firewall, firewall policy, rule groups, and KMS-encrypted CloudWatch logging)

Usage

module "firewall" {
  # Source assumed from the repository name (GovTechSG/terraform-aws-firewall); pin a ref in real use
  source = "github.com/GovTechSG/terraform-aws-firewall"

  name = "my-firewall"

  # The vpc module cannot be referenced here, because that module will in turn depend on this one
  subnet_ids = [
    "subnet-1a",
    "subnet-1b",
    "subnet-1c"
  ]

  vpc_id = "vpc-xx"

  # Each map key is used to build the Suricata rule sid, so it must be numeric.
  # Values follow the blocked_ips input type: object({ capacity = number, ips = list(string) }).
  blocked_ips = {
    "30092021" = {
      capacity = 100 # placeholder capacity; size it to the number of rules in the group
      # placeholder addresses from the RFC 5737 documentation range
      ips = ["203.0.113.5/32", "203.0.113.6/32"]
    }
  }

  # Values follow the blocked_domains input type: object({ capacity = number, domains = list(string) }).
  blocked_domains = {
    "my-blocked-domain-list" = {
      capacity = 100 # placeholder capacity
      domains  = ["example.com"]
    }
  }
}

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.13 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| random | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.main | resource |
| aws_kms_alias.main | resource |
| aws_kms_key.main | resource |
| aws_networkfirewall_firewall.main | resource |
| aws_networkfirewall_firewall_policy.main | resource |
| aws_networkfirewall_logging_configuration.main | resource |
| aws_networkfirewall_rule_group.allow-ips | resource |
| aws_networkfirewall_rule_group.block-domains | resource |
| aws_networkfirewall_rule_group.block-everything | resource |
| aws_networkfirewall_rule_group.block-ips | resource |
| random_id.sid | resource |
| aws_caller_identity.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| allowed_ips | IPs to allow (both ingress and egress). Keys can only be numeric, and maximum capacity across all rules is 30000. | map(object({ capacity = number, ips = list(string) })) | {} | no |
| aws_region | Region in which resources will be created | string | "ap-southeast-1" | no |
| block_everything_capacity | Number of rules the block-everything rule group will contain | number | 25 | no |
| blocked_domains | Domains to block (both ingress and egress). Maximum capacity across all rules is 30000. | map(object({ capacity = number, domains = list(string) })) | {} | no |
| blocked_ips | Block all traffic from/to specific IPs. Keys can only be numeric, and maximum capacity across all rules is 30000. | map(object({ capacity = number, ips = list(string) })) | {} | no |
| cloudwatch_log_retention_in_days | Number of days to retain log events in the log group. Possible values are 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653, and 0. With 0, events in the log group are retained indefinitely and never expire. | number | 180 | no |
| create_network_firewall | Toggle creation of the network firewall; set to false if you only want this module to create the firewall policy | bool | true | no |
| egress_allowed_ips | Destination IPs to allow for outgoing traffic. Keys can only be numeric, and maximum capacity across all rules is 30000. | map(object({ capacity = number, ips = list(string) })) | {} | no |
| enable_block_everything_by_default | Creates a rule that blocks all traffic by default; you will then have to whitelist routes explicitly to allow internet traffic | bool | false | no |
| name | The name of the network firewall | string | n/a | yes |
| subnet_ids | Subnets in which to create the network firewall endpoints | set(string) | [] | no |
| tags | A map of tags to add to all resources | map(any) | {} | no |
| vpc_id | n/a | string | "" | no |
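The Inputs table fixes three constraints on the rule-group maps: keys of the IP maps must be numeric because they feed the Suricata rule sid, entries must be CIDR strings, and the summed capacity may not exceed 30000. The Python script below is an added example, not part of the module, that checks a plain-dict rendering of those inputs before `terraform apply`, so a malformed entry fails locally rather than at the AWS API. The function names, the hostname check for `blocked_domains`, and the sample values are constructed for this example; the module itself does not ship such a validator.

```python
"""Pre-apply checks for the rule-group inputs of the firewall module.

Added example (not part of the module). It mirrors the HCL types from the
Inputs table as plain Python dicts:
  map(object({ capacity = number, ips = list(string) }))      -> *_ips inputs
  map(object({ capacity = number, domains = list(string) }))  -> blocked_domains
Function names, the hostname rule and sample values are constructed here.
"""
import ipaddress
import re

# Stated in the Inputs table: maximum capacity across all rules is 30000.
MAX_TOTAL_CAPACITY = 30000
# Keys of the *_ips maps end up in the Suricata rule sid, so only digits are allowed.
NUMERIC_KEY = re.compile(r"^[0-9]+$")
# Conservative hostname label check (assumption): letters, digits and inner hyphens only.
DOMAIN_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def _check_capacity(key, group, problems):
    """Validate one group's capacity; return it (0 if unusable) for the running total."""
    capacity = group.get("capacity")
    if not isinstance(capacity, int) or isinstance(capacity, bool) or capacity <= 0:
        problems.append(f"group {key!r}: capacity must be a positive integer, got {capacity!r}")
        return 0
    return capacity


def validate_ip_groups(groups, require_numeric_keys=True):
    """Return problems for a map shaped like blocked_ips / allowed_ips / egress_allowed_ips.

    An empty list means the map satisfies every constraint the Inputs table states.
    """
    problems = []
    total = 0
    for key, group in groups.items():
        if require_numeric_keys and not NUMERIC_KEY.match(key):
            problems.append(f"key {key!r} is not numeric (it is used in the rule sid)")
        total += _check_capacity(key, group, problems)
        for cidr in group.get("ips", []):
            try:
                # strict=True flags an address with host bits set under its prefix
                # (e.g. 10.0.0.1/24) instead of silently masking it to 10.0.0.0/24.
                ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                problems.append(f"group {key!r}: {cidr!r} is not a valid CIDR")
    if total > MAX_TOTAL_CAPACITY:
        problems.append(f"total capacity {total} exceeds the {MAX_TOTAL_CAPACITY} limit")
    return problems


def validate_domain_groups(groups):
    """Return problems for a map shaped like blocked_domains (keys need not be numeric)."""
    problems = []
    total = 0
    for key, group in groups.items():
        total += _check_capacity(key, group, problems)
        for domain in group.get("domains", []):
            labels = domain.split(".")
            if len(labels) < 2 or not all(DOMAIN_LABEL.match(label) for label in labels):
                problems.append(f"group {key!r}: {domain!r} is not a valid hostname")
    if total > MAX_TOTAL_CAPACITY:
        problems.append(f"total capacity {total} exceeds the {MAX_TOTAL_CAPACITY} limit")
    return problems


def validate_firewall_inputs(config):
    """Check every rule-group input in a dict keyed by the module's variable names."""
    problems = []
    for name in ("allowed_ips", "egress_allowed_ips", "blocked_ips"):
        problems += [f"{name}: {p}" for p in validate_ip_groups(config.get(name, {}))]
    problems += [f"blocked_domains: {p}"
                 for p in validate_domain_groups(config.get("blocked_domains", {}))]
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the Usage block; addresses are from the RFC 5737 range,
    # with one deliberately sloppy prefix to show what the strict CIDR check catches.
    sample = {
        "blocked_ips": {"30092021": {"capacity": 100, "ips": ["203.0.113.5/32", "10.0.0.1/24"]}},
        "blocked_domains": {"my-blocked-domain-list": {"capacity": 100, "domains": ["example.com"]}},
    }
    for problem in validate_firewall_inputs(sample) or ["no problems found"]:
        print(problem)
```

Run it against the variables you intend to pass (for example by converting a `.tfvars.json` file with `json.load`) as a pre-commit or CI step; each message names the offending map key so the fix maps directly back to the HCL.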

Outputs

| Name | Description |
|------|-------------|
| firewall | n/a |
| firewall_policy_arn | n/a |