inspec · soumyo13 · Nov 17, 2021 · Sep 3, 2021 · Sep 16, 2021 · Nov 16, 2021
@@ -0,0 +1,99 @@
+---
+title: About the aws_network_firewall_firewall Resource
+platform: aws
+---
+
+# aws_network_firewall_firewall
+
+Use the `aws_network_firewall_firewall` InSpec audit resource to test properties of a single specific AWS Network Firewall firewall.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+## Syntax
+
+Ensure that the firewall exists.
+
+    describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+      it { should exist }
+    end
+
+## Parameters
+
+`firewall_name` _(required)_
+
+The descriptive name of the firewall.
+
+For additional information, see the [AWS documentation on AWS Network Firewall Firewall](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+## Properties
+
+| Property | Description |
+| --- | --- |
+| firewall.firewall_name | The descriptive name of the firewall. |
+| firewall.firewall_arn | The Amazon Resource Name (ARN) of the firewall. |
+| firewall.firewall_policy_arn | The Amazon Resource Name (ARN) of the firewall policy. |
+| firewall.vpc_id | The unique identifier of the VPC where the firewall is in use. |
+| firewall.subnet_mappings | The public subnets that Network Firewall is using for the firewall. |
+| firewall.subnet_mappings.first.subnet_id | The unique identifier for the subnet. |
+| firewall.delete_protection | A flag indicating whether it is possible to delete the firewall. |
+| firewall.subnet_change_protection | A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use.  |
+| firewall.firewall_policy_change_protection | A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use.  |
+| firewall.description | A description of the firewall. |
+| firewall.firewall_id | The unique identifier for the firewall. |
+| firewall.tags | A key:value pair associated with an AWS resource. |
+| firewall_status.status | The readiness of the configured firewall to handle network traffic across all of the Availability Zones where you've configured it. |
+| firewall_status.configuration_sync_state_summary | The configuration sync state for the firewall. |
+| firewall_status.sync_states | The subnets that you've configured for use by the Network Firewall firewall. |
+| firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id | The unique identifier of the subnet that you've specified to be used for a firewall endpoint. |
+| firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id | The identifier of the firewall endpoint that Network Firewall has instantiated in the subnet. |
+| firewall_status.sync_states["AvailabilityZone"].attachment.status | The current status of the firewall endpoint in the subnet. |
+| firewall_status.sync_states["AvailabilityZone"].config | The configuration status of the firewall endpoint in a single VPC subnet. |
+| firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status | Indicates whether this object is in sync with the version indicated in the update token. |
+| firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].update_token | The current version of the object that is either in sync or pending synchronization. |
+
+
+## Examples
+
+### Ensure a firewall name is available.
+
+    describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+      its('firewall.firewall_name') { should eq 'IAMFleetRole' }
+    end
+
+### Ensure that the status is `READY`.
+
+    describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+        its('firewall_status.status') { should eq 'READY' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_network_firewall_firewall(firewall_name: 'dummy') do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_network_firewall_firewall(firewall_name: "FIREWALL_NAME") do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `NetworkFirewall:Client:DescribeFirewallResponse` action with `Effect` set to `Allow`.
@@ -0,0 +1,75 @@
+---
+title: About the aws_network_firewall_firewalls Resource
+platform: aws
+---
+
+# aws_network_firewall_firewalls
+
+Use the `aws_network_firewall_firewalls` InSpec audit resource to test properties of multiple AWS Network Firewall firewalls.
+
+The firewall defines the configuration settings for an AWS Network Firewall firewall. The settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall AWS resource.
+
+## Syntax
+
+Ensure that the firewall exists.
+
+    describe aws_network_firewall_firewalls do
+      it { should exist }
+    end
+
+## Parameters
+
+For additional information, see the [AWS documentation on AWS Network Firewall Firewall](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-networkfirewall-firewall.html).
+
+## Properties
+
+| Property | Description | Field |
+| --- | --- | --- |
+| firewall_names | The descriptive name of the firewall. | firewall_name |
+| firewall_arns | The Amazon Resource Name (ARN) of the firewall. | firewall_arn |
+
+## Examples
+
+### Ensure a firewall name is available.
+
+    describe aws_network_firewall_firewalls do
+      its('firewall_names') { should include 'FIREWALL_NAME' }
+    end
+
+### Ensure that the firewall ARN is `FIREWALL_ARN`.
+
+    describe aws_network_firewall_firewalls do
+        its('firewall_arns') { should include 'FIREWALL_ARN' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_network_firewall_firewalls do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_network_firewall_firewalls do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_network_firewall_firewalls do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `NetworkFirewall:Client:DescribeFirewallResponse` action with `Effect` set to `Allow`.
diff --git a/libraries/aws_backend.rb b/libraries/aws_backend.rb
@@ -48,6 +48,7 @@
 require 'aws-sdk-states'
 require 'aws-sdk-ram'
 require 'aws-sdk-secretsmanager'
+require 'aws-sdk-networkfirewall'
 
 # AWS Inspec Backend Classes
 #
@@ -276,6 +277,10 @@ def route53resolver_client
   def secretsmanager_client
     aws_client(Aws::SecretsManager::Client)
   end
+
+  def network_firewall_client
+    aws_client(Aws::NetworkFirewall::Client)
+  end
 end
 
 # Base class for AWS resources

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSNetworkFirewallFirewall < AwsResourceBase
+  name 'aws_network_firewall_firewall'
+  desc 'Returns the data objects for the specified firewall.'
+
+  example "
+    describe aws_network_firewall_firewall(firewall_name: 'FirewallName') do
+      it { should exist }
+    end
+  "
+
+  def initialize(opts = {})
+    opts = { firewall_name: opts } if opts.is_a?(String)
+    super(opts)
+    validate_parameters(required: [:firewall_name])
+    raise ArgumentError, "#{@__resource_name__}: firewall_name must be provided" unless opts[:firewall_name] && !opts[:firewall_name].empty?
+    @display_name = opts[:firewall_name]
+    catch_aws_errors do
+      resp = @aws.network_firewall_client.describe_firewall({ firewall_name: opts[:firewall_name] })
+      @res = resp.to_h
+      create_resource_methods(@res)
+    end
+  end
+
+  def firewall_name
+    return nil unless exists?
+    @res[:firewall_name]
+  end
+
+  def exists?
+    !@res.nil? && !@res.empty?
+  end
+
+  def to_s
+    "Firewall Name: #{@display_name}"
+  end
+end
@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSNetworkFirewallFirewalls < AwsResourceBase
+  name 'aws_network_firewall_firewalls'
+  desc 'Retrieves the metadata for the firewalls that you have defined.'
+
+  example "
+    describe aws_network_firewall_firewalls do
+      it { should exist }
+    end
+  "
+
+  attr_reader :table
+
+  FilterTable.create
+             .register_column(:firewall_names, field: :firewall_name)
+             .register_column(:firewall_arns, field: :firewall_arn)
+             .install_filter_methods_on_resource(self, :table)
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters
+    @table = fetch_data
+  end
+
+  def fetch_data
+    pagination_options = {}
+    rows = []
+    pagination_options[:max_results] = 100
+    loop do
+      catch_aws_errors do
+        @api_response = @aws.network_firewall_client.list_firewalls(pagination_options)
+      end
+      return rows if !@api_response || @api_response.empty?
+      @api_response.firewalls.each do |resp|
+        rows += [{ firewall_name: resp.firewall_name,
+                   firewall_arn: resp.firewall_arn }]
+      end
+      break unless @api_response.next_token
+      pagination_options[:next_token] = @api_response.next_token
+    end
+    rows
+  end
+end
@@ -3888,4 +3888,94 @@ resource "aws_lambda_permission" "allow_cloudwatch" {
   function_name = aws_lambda_function.test_lambda.function_name
   principal     = "sqs.amazonaws.com"
   source_arn    = aws_sqs_queue.terraform_queue.arn
+}
+
+resource "aws_networkfirewall_firewall" "aws_networkfirewall_firewall_test" {
+  name                = "example"
+  firewall_policy_arn = aws_networkfirewall_firewall_policy.aws_networkfirewall_firewall_policy_test.arn
+  vpc_id              = aws_vpc.aws_vpc_firewall_test.id
+  subnet_mapping {
+    subnet_id = aws_subnet.aws_subnet_firewall_test.id
+  }
+
+  tags = {
+    Tag1 = "Value1"
+    Tag2 = "Value2"
+  }
+}
+
+resource "aws_vpc" "aws_vpc_firewall_test" {
+  cidr_block = "10.0.0.0/16"
+}
+
+resource "aws_subnet" "aws_subnet_firewall_test" {
+  vpc_id     = aws_vpc.aws_vpc_firewall_test.id
+  cidr_block = "10.0.1.0/24"
+
+  tags = {
+    Name = "Main"
+  }
+}
+
+resource "aws_networkfirewall_firewall_policy" "aws_networkfirewall_firewall_policy_test" {
+  name = "example"
+
+  firewall_policy {
+    stateless_default_actions          = ["aws:pass"]
+    stateless_fragment_default_actions = ["aws:drop"]
+    stateless_custom_action {
+      action_definition {
+        publish_metric_action {
+          dimension {
+            value = "1"
+          }
+        }
+      }
+      action_name = "ExampleCustomAction"
+    }
+  }
+}
+
+resource "aws_networkfirewall_logging_configuration" "aws_networkfirewall_logging_configuration_test" {
+  firewall_arn = aws_networkfirewall_firewall.aws_networkfirewall_firewall_test.arn
+  logging_configuration {
+    log_destination_config {
+      log_destination = {
+        bucketName = aws_s3_bucket.example.bucket
+        prefix     = "/example"
+      }
+      log_destination_type = "S3"
+      log_type             = "FLOW"
+    }
+  }
+}
+
+resource "aws_s3_bucket" "example" {
+  bucket = "aws-bucket-public-test1"
+  acl    = "public-read"
+
+  tags = {
+    Name        = "My bucket123"
+    Environment = "Dev"
+  }
+}
+
+resource "aws_networkfirewall_rule_group" "aws_networkfirewall_rule_group_test" {
+  capacity = 100
+  name     = "example"
+  type     = "STATEFUL"
+  rule_group {
+    rules_source {
+      rules_source_list {
+        generated_rules_type = "DENYLIST"
+        target_types         = ["HTTP_HOST"]
+        targets              = ["test.example.com"]
+      }
+    }
+  }
+
+  tags = {
+    Tag1 = "Value1"
+    Tag2 = "Value2"
+  }
 }