jankal13/terraform-aws-network-firewall

terraform-aws-network-firewall

Overview

This module creates AWS Network Firewall resources, which include:

  • Network Firewall
  • Network Firewall Policy
  • Network Firewall Stateless groups and rules
  • Network Firewall Stateful groups and rules

Example

Deny domain access

module "firewall" {

  source = "github.com/binbashar/terraform-aws-network-firewall.git"

  name        = "firewall"
  description = "AWS Network Firewall example"
  vpc_id      = "vpc-12345678910111213"

  subnet_mapping = {
    us-east-1a = "subnet-23456780101112131"
    us-east-1b = "subnet-13121110987654321"
  }

  # Stateless rule groups
  stateless_rule_groups = {
    stateless-group-1 = {
      description = "Stateless rules"
      priority    = 1
      capacity    = 100
      # stateless-group-1 rules
      rules = [
        {
          priority  = 2
          actions   = ["aws:drop"]
          protocols = [1]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
        {
          priority = 10
          actions  = ["aws:forward_to_sfe"]
          source = {
            address = "0.0.0.0/0"
          }
          destination = {
            address = "0.0.0.0/0"
          }
        },
      ]
    }
  }

  # Stateful rules
  stateful_rule_groups = {
    # rules_source_list examples
    stateful-group-1 = {
      description = "Stateful Inspection for denying access to domains"
      capacity    = 100
      #rule_variables = {}
      rules_source_list = {
        generated_rules_type = "DENYLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".bad-domain.org", ".evil-domain.com"]
      }
    }
  }
}

See the complete example in the repository for other usages.
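The denylist above only drops matching connections; nothing in the module call records which flows were blocked. The following is an added example written for this README, not code from the module or its authors. It wires the module's `arn` output (listed under Outputs below) into a Network Firewall logging configuration so denylist hits land in CloudWatch Logs as alert records, and adds a metric filter on them. It assumes the module instance is named `firewall` as in the example above; the log group names, retention periods and metric namespace are placeholders.

```hcl
# Added example (not part of the module): ship Network Firewall alert and
# flow logs to CloudWatch so denylist hits can be monitored and alarmed on.

resource "aws_cloudwatch_log_group" "firewall_alerts" {
  name              = "/aws/network-firewall/firewall/alerts" # placeholder name
  retention_in_days = 90
}

resource "aws_cloudwatch_log_group" "firewall_flows" {
  name              = "/aws/network-firewall/firewall/flows" # placeholder name
  retention_in_days = 30
}

resource "aws_networkfirewall_logging_configuration" "firewall" {
  # `module.firewall.arn` is the `arn` output documented under Outputs
  firewall_arn = module.firewall.arn

  logging_configuration {
    # ALERT: one record per packet that a stateful rule drops or alerts on,
    # e.g. a TLS_SNI or HTTP_HOST hit on the DENYLIST group
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.firewall_alerts.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    }

    # FLOW: a summary of every flow the stateful engine saw; useful to
    # confirm that traffic is actually being forwarded to stateful rules
    log_destination_config {
      log_destination = {
        logGroup = aws_cloudwatch_log_group.firewall_flows.name
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    }
  }
}

# Count blocked alerts so a CloudWatch alarm can fire on an unexpected spike.
# Alert records use Suricata EVE JSON, where denied traffic carries
# event.alert.action = "blocked".
resource "aws_cloudwatch_log_metric_filter" "denylist_drops" {
  name           = "network-firewall-denylist-drops"
  log_group_name = aws_cloudwatch_log_group.firewall_alerts.name
  pattern        = "{ $.event.alert.action = \"blocked\" }"

  metric_transformation {
    name      = "DenylistDrops"
    namespace = "NetworkFirewall" # placeholder namespace
    value     = "1"
  }
}
```

Alert logs are only produced for traffic that reaches the stateful engine, so they are also a quick check that the stateless `aws:forward_to_sfe` rule in the example above is doing its job: a denied domain that never appears in the alert log usually means the traffic was passed or dropped at the stateless layer instead.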

Requirements

No requirements.

Providers

| Name | Version |
|------|---------|
| aws  | n/a     |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_networkfirewall_firewall.firewall | resource |
| aws_networkfirewall_firewall_policy.policy | resource |
| aws_networkfirewall_rule_group.stateful_rule_group | resource |
| aws_networkfirewall_rule_group.stateless_rule_group | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_network_firewall | Set to false if you just want to create the security policy, stateless and stateful rules | bool | true | no |
| delete_protection | A boolean flag indicating whether it is possible to delete the firewall. | bool | false | no |
| description | A friendly description of the firewall. | string | null | no |
| enabled | Change to false to avoid deploying AWS Network Firewall resources. | bool | true | no |
| firewall_policy_change_protection | A boolean flag indicating whether it is possible to change the associated firewall policy. | bool | false | no |
| firewall_policy_name | A friendly name of the firewall policy. | string | null | no |
| name | A friendly name of the firewall. | string | n/a | yes |
| stateful_rule_groups | Map of stateful rule groups. | any | {} | no |
| stateless_default_actions | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. | list(any) | ["aws:drop"] | no |
| stateless_fragment_default_actions | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. | list(any) | ["aws:drop"] | no |
| stateless_rule_groups | Map of stateless rule groups. | any | {} | no |
| subnet_change_protection | A boolean flag indicating whether it is possible to change the associated subnet(s). | bool | false | no |
| subnet_mapping | Subnets map. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. | map(any) | n/a | yes |
| tags | Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level. | map(string) | {} | no |
| vpc_id | The unique identifier of the VPC where AWS Network Firewall should create the firewall. | string | n/a | yes |
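The defaults in the table above are worth reading together: `stateless_default_actions` and `stateless_fragment_default_actions` both default to `aws:drop`, so without a stateless rule that forwards to the stateful engine (as the Example does with `aws:forward_to_sfe`) no stateful rule group is ever consulted, and setting them to `aws:pass` silently bypasses the denylist instead. The module call below is an added example written for this README, not code from the module or its authors; it uses only the inputs documented in the table, sets both default actions so all unmatched traffic reaches stateful inspection, and turns on the three change-protection flags. The VPC and subnet IDs are the placeholders from the Example above and the tag values are placeholders.

```hcl
# Added example (not part of the module): a hardened module call using only
# the inputs documented in the Inputs table. IDs are README placeholders.

module "firewall_hardened" {
  source = "github.com/binbashar/terraform-aws-network-firewall.git"

  name        = "firewall-hardened"
  description = "Network Firewall with all change protections enabled"
  vpc_id      = "vpc-12345678910111213"

  subnet_mapping = {
    us-east-1a = "subnet-23456780101112131"
    us-east-1b = "subnet-13121110987654321"
  }

  # Packets that match no stateless rule are handed to the stateful engine
  # instead of being dropped (the module default) or passed. With
  # ["aws:pass"] here the DENYLIST group below would never see the traffic.
  stateless_default_actions          = ["aws:forward_to_sfe"]
  stateless_fragment_default_actions = ["aws:forward_to_sfe"]

  # Guard the firewall, its policy and its subnet attachments against
  # accidental or unauthorised changes; each flag must be set back to false
  # and applied before the corresponding object can be modified or deleted.
  delete_protection                 = true
  firewall_policy_change_protection = true
  subnet_change_protection          = true

  stateful_rule_groups = {
    stateful-group-1 = {
      description = "Deny known-bad domains on TLS SNI and HTTP Host"
      capacity    = 100
      rules_source_list = {
        generated_rules_type = "DENYLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        # A leading dot matches the domain itself and all of its subdomains
        targets = [".bad-domain.org", ".evil-domain.com"]
      }
    }
  }

  tags = {
    Environment = "prod"      # placeholder
    ManagedBy   = "terraform" # placeholder
  }
}
```

Note that the stateful engine's own default for traffic matching no stateful rule is to pass it, so this configuration blocks only the listed domains; anything that should be dropped regardless of domain, such as the ICMP drop in the Example above, still belongs in a stateless rule group with a lower priority number than the forwarding rule.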

Outputs

| Name | Description |
|------|-------------|
| arn | The Amazon Resource Name (ARN) that identifies the firewall. |
| id | The ID that identifies the firewall. |
| network_firewall_policy | The Network Firewall policy created |
| network_firewall_stateful_group | Map of stateful group rules |
| network_firewall_stateless_group | Map of stateless group rules |
| network_firewall_status | Nested list of information about the current status of the firewall. |

About

Terraform module for creating AWS Network Firewall resources


Languages

  • HCL 77.8%
  • Go 15.9%
  • Makefile 6.3%