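# Firewall policy that chains the stateless "allow-local" rule group in front of
# three stateful deny rule groups (deny-http, deny-https-domains, deny-ssh).
#
# Evaluation order: stateless rules run first; anything they do not decide
# falls through to the stateful engine via the default actions below.
resource "aws_networkfirewall_firewall_policy" "test-firewall-policy" {
  name = "test-aws-network-firewall-policy"

  firewall_policy {
    # Unmatched full packets are handed to the stateful engine so the deny
    # rule groups get a chance to inspect them.
    stateless_default_actions = ["aws:forward_to_sfe"]

    # Fragments must take the same path as full packets. The original value
    # here was "aws:pass", which let any fragmented packet skip the stateful
    # deny-http / deny-https-domains / deny-ssh rule groups entirely -- a
    # classic fragmentation bypass. Forwarding (rather than dropping) keeps
    # the stateful rules as the single place that decides what is blocked.
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateless_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.allow-local.arn
    }

    # NOTE(review): no stateful_engine_options block is set, so the stateful
    # groups are evaluated in AWS's default action order (pass, drop, alert)
    # rather than the order listed here; confirm this matches the intent of
    # the referenced rule groups (their contents are not visible in this file).
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny-http.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny-https-domains.arn
    }
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.deny-ssh.arn
    }
  }
}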
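# Network Firewall instance attached to the default VPC, deployed into the
# dedicated firewall subnet and governed by test-firewall-policy.
#
# NOTE(review): only one subnet_mapping is declared, so the firewall endpoint
# exists in a single AZ; traffic in other AZs that is routed through it pays a
# cross-AZ hop and loses the endpoint if that AZ fails. Confirm this is
# acceptable for the environment, or add one mapping per AZ.
resource "aws_networkfirewall_firewall" "example" {
  name                = var.firewall-name
  firewall_policy_arn = aws_networkfirewall_firewall_policy.test-firewall-policy.arn
  vpc_id              = aws_vpc.default.id

  # Guard the enforcement point itself: without these flags a single
  # `terraform apply` (or console click) can delete the firewall, swap its
  # policy for a permissive one, or detach it from the subnet, silently
  # removing the deny rules. Toggle them off deliberately when a change is
  # intended.
  delete_protection                 = true
  firewall_policy_change_protection = true
  subnet_change_protection          = true

  subnet_mapping {
    subnet_id = aws_subnet.firewall.id
  }

  tags = {
    Name = "aws-network-firewall"
  }

  # The explicit `depends_on = [aws_vpc.default]` from the original was
  # redundant: referencing aws_vpc.default.id above already creates that
  # dependency, and an unnecessary depends_on only widens the replan surface.
}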