This module creates AWS Network Firewall resources, which include:
- Network Firewall
- Network Firewall Policy
- Network Firewall Stateless groups and rules
- Network Firewall Stateful groups and rules
Deny domain access

```hcl
module "firewall" {
  source = "github.com/binbashar/terraform-aws-network-firewall.git"

  name        = "firewall"
  description = "AWS Network Firewall example"
  vpc_id      = "vpc-12345678910111213"

  # One dedicated firewall subnet per Availability Zone; an endpoint is created in each.
  subnet_mapping = {
    us-east-1a = "subnet-23456780101112131"
    us-east-1b = "subnet-13121110987654321"
  }

  # Stateless rule groups
  stateless_rule_groups = {
    stateless-group-1 = {
      description = "Stateless rules"
      priority    = 1
      capacity    = 100

      # stateless-group-1 rules, evaluated in ascending priority order
      rules = [
        {
          # Drop ICMP (IP protocol 1) from anywhere to anywhere.
          priority  = 2
          actions   = ["aws:drop"]
          protocols = [1]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
        {
          # Everything else is handed to the stateful engine, so the domain
          # list below is actually applied to it.
          priority = 10
          actions  = ["aws:forward_to_sfe"]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
      ]
    }
  }

  # Stateful rule groups
  stateful_rule_groups = {
    # rules_source_list examples
    stateful-group-1 = {
      description = "Stateful Inspection for denying access to domains"
      capacity    = 100
      #rule_variables = {}
      rules_source_list = {
        # DENYLIST: HTTP Host / TLS SNI values matching these domains are dropped;
        # a leading dot matches the domain and all of its subdomains.
        generated_rules_type = "DENYLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".bad-domain.org", ".evil-domain.com"]
      }
    }
  }
}
```
See the complete example in the repository for other usages. Note that `delete_protection`, `firewall_policy_change_protection` and `subnet_change_protection` all default to `false`; enable them on any firewall that sits in front of production traffic so that a stray or malicious `terraform apply` cannot delete the firewall, swap its policy, or move its endpoints out of the inspection path.
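The following is an added example, not code from the module's README or the project itself. It instantiates the same module as a production egress firewall: the three change-protection inputs are enabled, the stateless default actions are set explicitly so that unmatched packets and fragments still reach the stateful engine, and the domain list is an `ALLOWLIST` rather than the `DENYLIST` above, so only the listed destinations are reachable over HTTP and TLS. The VPC ID, subnet IDs and domain names are placeholders, and only input keys that appear in this README are used.

```hcl
# Added example (not the module's own code): hardened production instance.
module "firewall_prod" {
  source = "github.com/binbashar/terraform-aws-network-firewall.git"

  name        = "firewall-prod"
  description = "Egress allowlist firewall"
  vpc_id      = "vpc-0123456789abcdef0" # placeholder

  subnet_mapping = {
    us-east-1a = "subnet-0123456789abcdef0" # placeholder, dedicated firewall subnet
    us-east-1b = "subnet-0fedcba9876543210" # placeholder, dedicated firewall subnet
  }

  # Guard rails. All three default to false in this module; with the defaults a
  # single apply from a compromised pipeline can delete the firewall, replace
  # its policy, or detach its endpoints from the inspection path.
  delete_protection                 = true
  firewall_policy_change_protection = true
  subnet_change_protection          = true

  # Packets that match no stateless rule (fragments included) are still sent to
  # the stateful engine. With aws:pass here, unmatched traffic would bypass the
  # domain allowlist below entirely.
  stateless_default_actions          = ["aws:forward_to_sfe"]
  stateless_fragment_default_actions = ["aws:forward_to_sfe"]

  stateless_rule_groups = {
    stateless-group-1 = {
      description = "Drop ICMP, send everything else to stateful inspection"
      priority    = 1
      capacity    = 100
      rules = [
        {
          priority  = 1
          actions   = ["aws:drop"]
          protocols = [1] # ICMP
          source      = { address = "0.0.0.0/0" }
          destination = { address = "0.0.0.0/0" }
        },
        {
          priority    = 10
          actions     = ["aws:forward_to_sfe"]
          source      = { address = "0.0.0.0/0" }
          destination = { address = "0.0.0.0/0" }
        },
      ]
    }
  }

  stateful_rule_groups = {
    egress-allowlist = {
      description = "Only these domains may be reached over HTTP or TLS"
      capacity    = 100
      rules_source_list = {
        # ALLOWLIST: HTTP Host / TLS SNI values that are not on this list are
        # dropped. A leading dot matches the domain and all of its subdomains.
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".amazonaws.com", ".github.com"] # placeholders
      }
    }
  }

  tags = {
    Environment = "prod"
  }
}
```

Two caveats on the allowlist. A domain-list rule group only governs traffic whose HTTP `Host` header or TLS SNI it can parse; other protocols and ports are untouched unless further stateful rules cover them. And both values are set by the client, so a process that controls its own TLS stack can present an allowed name while connecting elsewhere; treat the list as egress hygiene, not as authentication of the remote server.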
Requirements

No requirements.

Providers

| Name | Version |
|---|---|
| aws | n/a |

Modules

No modules.
Resources

| Name | Type |
|---|---|
| aws_networkfirewall_firewall.firewall | resource |
| aws_networkfirewall_firewall_policy.policy | resource |
| aws_networkfirewall_rule_group.stateful_rule_group | resource |
| aws_networkfirewall_rule_group.stateless_rule_group | resource |
Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_network_firewall | Set to false if you only want to create the firewall policy and the stateless and stateful rule groups, without the firewall itself. | bool | true | no |
| delete_protection | A boolean flag indicating whether it is possible to delete the firewall. | bool | false | no |
| description | A friendly description of the firewall. | string | null | no |
| enabled | Change to false to avoid deploying AWS Network Firewall resources. | bool | true | no |
| firewall_policy_change_protection | A boolean flag indicating whether it is possible to change the associated firewall policy. | bool | false | no |
| firewall_policy_name | A friendly name of the firewall policy. | string | null | no |
| name | A friendly name of the firewall. | string | n/a | yes |
| stateful_rule_groups | Map of stateful rule groups. | any | {} | no |
| stateless_default_actions | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. | list(any) | [ | no |
| stateless_fragment_default_actions | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. | list(any) | [ | no |
| stateless_rule_groups | Map of stateless rule groups. | any | {} | no |
| subnet_change_protection | A boolean flag indicating whether it is possible to change the associated subnet(s). | bool | false | no |
| subnet_mapping | Subnet map. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. | map(any) | n/a | yes |
| tags | Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
| vpc_id | The unique identifier of the VPC where AWS Network Firewall should create the firewall. | string | n/a | yes |
Outputs

| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) that identifies the firewall. |
| id | The ID that identifies the firewall. |
| network_firewall_policy | The Network Firewall policy created. |
| network_firewall_stateful_group | Map of stateful rule groups. |
| network_firewall_stateless_group | Map of stateless rule groups. |
| network_firewall_status | Nested list of information about the current status of the firewall. |