
Commit 1a9c831

committedOct 10, 2022
updated example readme
1 parent 6e837c5 commit 1a9c831


5 files changed

+396
-58
lines changed

5 files changed

+396
-58
lines changed
 

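--- a/examples/5tuple-rule/README.md
+++ b/examples/5tuple-rule/README.md
@@ -11,20 +11,71 @@ To run this example you need to execute:
 terraform init
 terraform plan
 
-## Requirements
+## Module Reference Usage
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.14.4 |
+module "network_firewall" {
+source = "mattyait/network-firewall/aws"
+version = "x.y.z"
+firewall_name = "example"
+vpc_id = "vpc-27517c40"
+prefix = "test"
 
-## Inputs
+#Passing Individual Subnet ID to have required endpoint
+subnet_mapping = [
+"subnet-da6b7ebd",
+"subnet-a256d2fa"
+]
 
-No input.
+#5 Tuple Firewall Rule Group
+fivetuple_stateful_rule_group = [
+{
+capacity = 100
+name = "5TUPLESFEXAMPLE1"
+description = "Stateful rule example1 with 5 tuple option"
+rule_config = [{
+description = "Pass All Rule"
+protocol = "TCP"
+source_ipaddress = "1.2.3.4/32"
+source_port = 443
+destination_ipaddress = "124.1.1.5/32"
+destination_port = 443
+direction = "any"
+sid = 1
+actions = {
+type = "pass"
+}
+}]
+}]
 
-## Outputs
 
-| Name | Description |
-|------|-------------|
-| this_aws_network_firewall_id| The ID of AWS Network firewall |
-| this_aws_network_firewall_arn | The ARN of the AWS Network firewall |
-| this_aws_network_firewall_endpoint | Endpoint for AWS Network firewall |
+# Stateless Rule Group
+stateless_rule_group = [
+{
+capacity = 100
+name = "SLEXAMPLE1"
+description = "Stateless rule example1"
+rule_config = [{
+priority = 1
+protocols_number = [6]
+source_ipaddress = "1.2.3.4/32"
+source_from_port = 443
+source_to_port = 443
+destination_ipaddress = "124.1.1.5/32"
+destination_from_port = 443
+destination_to_port = 443
+tcp_flag = {
+flags = ["SYN"]
+masks = ["SYN", "ACK"]
+}
+actions = {
+type = "pass"
+}
+}]
+}]
+
+tags = {
+Name = "example"
+Environment = "test"
+Created_By = "Terraform"
+}
+}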

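--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -11,20 +11,222 @@ To run this example you need to execute:
 terraform init
 terraform plan
 
-## Requirements
+## Module Reference Usage
 
-| Name | Version |
-|------|---------|
-| terraform | >= 0.14.4 |
+module "network_firewall" {
+source = "mattyait/network-firewall/aws"
+version = "0.1.2"
+firewall_name = "example"
+vpc_id = "vpc-27517c40"
+prefix = "test"
 
-## Inputs
+#Passing Individual Subnet ID to have required endpoint
+subnet_mapping = [
+"subnet-da6b7ebd",
+"subnet-a256d2fa"
+]
 
-No input.
+#Suricate Firewall Rule Group
+suricata_stateful_rule_group = [
+{
+capacity = 100
+name = "SURICTASFEXAMPLE1"
+description = "Stateful rule example1 with suricta type including rule_variables"
+rules_file = "./example.rules"
+# Rule Variables example with ip_sets and port_sets
+rule_variables = {
+ip_sets = [{
+key = "WEBSERVERS_HOSTS"
+ip_set = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
+},
+{
+key = "EXTERNAL_HOST"
+ip_set = ["0.0.0.0/0"]
+}
+]
+port_sets = [{
+key = "HTTP_PORTS"
+port_sets = ["443", "80"]
+}
+]
+}
 
-## Outputs
+},
+{
+capacity = 150
+name = "SURICTASFEXAMPLE2"
+description = "Stateful rule example2 with suricta type"
+rules_file = "./example.rules"
+},
+]
 
-| Name | Description |
-|------|-------------|
-| this_aws_network_firewall_id| The ID of AWS Network firewall |
-| this_aws_network_firewall_arn | The ARN of the AWS Network firewall |
-| this_aws_network_firewall_endpoint | Endpoint for AWS Network firewall |
+#Domain Firewall Rule Group
+domain_stateful_rule_group = [
+{
+capacity = 100
+name = "DOMAINSFEXAMPLE1"
+description = "Stateful rule example1 with domain list option"
+domain_list = ["test.example.com", "test1.example.com"]
+actions = "DENYLIST"
+protocols = ["HTTP_HOST", "TLS_SNI"]
+},
+{
+capacity = 150
+name = "DOMAINSFEXAMPLE2"
+description = "Stateful rule example2 with domain list option"
+domain_list = ["sample.example.com"]
+actions = "ALLOWLIST"
+protocols = ["HTTP_HOST"]
+},
+]
+
+#5 Tuple Firewall Rule Group
+fivetuple_stateful_rule_group = [
+{
+capacity = 100
+name = "5TUPLESFEXAMPLE1"
+description = "Stateful rule example1 with 5 tuple option multiple rules"
+rule_config = [{
+description = "Pass All Rule"
+protocol = "TCP"
+source_ipaddress = "1.2.3.4/32"
+source_port = 443
+destination_ipaddress = "124.1.1.5/32"
+destination_port = 443
+direction = "any"
+sid = 1
+actions = {
+type = "pass"
+}
+},
+{
+description = "Drop 80 Rule"
+protocol = "IP"
+source_ipaddress = "10.2.0.0/16"
+source_port = "any"
+destination_ipaddress = "10.1.0.0/16"
+destination_port = 80
+direction = "forward"
+sid = 2
+actions = {
+type = "drop"
+}
+}]
+},
+{
+capacity = 100
+name = "5TUPLESFEXAMPLE2"
+description = "Stateful rule example2 with 5 tuple option and rule_variables"
+rule_config = [{
+description = "Pass All Rule"
+protocol = "TCP"
+source_ipaddress = "1.2.3.4/32"
+source_port = 443
+destination_ipaddress = "124.1.1.5/32"
+destination_port = 443
+direction = "any"
+sid = 1
+actions = {
+type = "pass"
+}
+}]
+# Rule Variables example with ip_sets and port_sets
+rule_variables = {
+ip_sets = [{
+key = "WEBSERVERS_HOSTS"
+ip_set = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
+},
+{
+key = "EXTERNAL_HOST"
+ip_set = ["0.0.0.0/0"]
+}
+]
+port_sets = [{
+key = "HTTP_PORTS"
+port_sets = ["443", "80"]
+}]
+}
+}]
+
+# Stateless Rule Group
+stateless_rule_group = [
+{
+capacity = 100
+name = "SLEXAMPLE1"
+description = "Stateless example1 with TCP and ICMP rule"
+rule_config = [{
+priority = 1
+protocols_number = [6]
+source_ipaddress = "1.2.3.4/32"
+source_from_port = 443
+source_to_port = 443
+destination_ipaddress = "124.1.1.5/32"
+destination_from_port = 443
+destination_to_port = 443
+tcp_flag = {
+flags = ["SYN"]
+masks = ["SYN", "ACK"]
+}
+actions = {
+type = "pass"
+}
+},
+{
+priority = 2
+protocols_number = [6] #TCP
+source_ipaddress = "1.2.3.5/32"
+source_from_port = 22
+source_to_port = 22
+destination_ipaddress = "124.1.1.6/32"
+destination_from_port = 22
+destination_to_port = 22
+tcp_flag = {
+flags = ["SYN"]
+masks = ["SYN", "ACK"]
+}
+actions = {
+type = "drop"
+}
+},
+{
+priority = 3
+protocols_number = [1] #ICMP
+source_ipaddress = "0.0.0.0/0"
+destination_ipaddress = "0.0.0.0/0"
+actions = {
+type = "drop"
+}
+}]
+},
+{
+capacity = 100
+name = "SLEXAMPLE2"
+description = "Stateless rule example1"
+rule_config = [{
+priority = 1
+protocols_number = [6]
+source_ipaddress = "1.2.3.7/32"
+source_from_port = 8080
+source_to_port = 8080
+destination_ipaddress = "124.1.1.8/32"
+destination_from_port = 8080
+destination_to_port = 8080
+tcp_flag = {
+flags = ["SYN"]
+masks = ["SYN", "ACK"]
+}
+actions = {
+type = "drop"
+}
+}]
+
+}
+]
+
+
+tags = {
+Name = "example"
+Environment = "Test"
+Created_By = "Terraform"
+}
+}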

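--- a/examples/domain-rule/README.md
+++ b/examples/domain-rule/README.md
@@ -11,20 +11,50 @@ To run this example you need to execute:
 terraform init
 terraform plan
 
-## Requirements
-
-| Name | Version |
-|------|---------|
-| terraform | >= 0.14.4 |
-
-## Inputs
-
-No input.
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| this_aws_network_firewall_id| The ID of AWS Network firewall |
-| this_aws_network_firewall_arn | The ARN of the AWS Network firewall |
-| this_aws_network_firewall_endpoint | Endpoint for AWS Network firewall |
+## Module Reference Usage
+
+module "network_firewall" {
+source = "mattyait/network-firewall/aws"
+version = "x.y.z"
+firewall_name = "example"
+vpc_id = "vpc-27517c40"
+prefix = "test"
+
+#Passing Individual Subnet ID to have required endpoint
+subnet_mapping = [
+"subnet-da6b7ebd",
+"subnet-a256d2fa"
+]
+
+#Domain Firewall Rule Group
+domain_stateful_rule_group = [
+{
+capacity = 100
+name = "DOMAINSFEXAMPLE1"
+description = "Stateful rule example1 with domain list option"
+domain_list = ["test.example.com", "test1.example.com"]
+actions = "DENYLIST"
+protocols = ["HTTP_HOST", "TLS_SNI"]
+rule_variables = {
+ip_sets = [{
+key = "WEBSERVERS_HOSTS"
+ip_set = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
+},
+{
+key = "EXTERNAL_HOST"
+ip_set = ["0.0.0.0/0"]
+}]
+port_sets = [
+{
+key = "HTTP_PORTS"
+port_sets = ["443", "80"]
+}]
+}
+}]
+
+tags = {
+Name = "example"
+Environment = "test"
+Created_By = "Terraform"
+}
+}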

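--- a/examples/e2e/README.md
+++ b/examples/e2e/README.md
@@ -0,0 +1,42 @@
+# Complete AWS Network Firewall Example
+
+It will create network firewall, firewall rule grup with priorities and rule config, Also it will create firewall policy with attached created rule group.
+
+Data sources are used to discover existing VPC resources (VPC, subnet).
+
+## Usage
+
+To run this example you need to execute:
+
+terraform init
+terraform plan
+
+## Module Reference Usage
+
+module "nfw" {
+source = "mattyait/network-firewall/aws"
+version = "x.y.z"
+for_each = var.nfw
+
+firewall_name = each.value.nfw_name
+vpc_id = each.value.vpc_id
+subnet_mapping = each.value.subnet_mapping
+logging_config = try(each.value.logging_config, {})
+
+prefix = local.app_env_prefix
+# Five Tuple Firewall Rule Group
+fivetuple_stateful_rule_group = try(concat(each.value.fivetuple_stateful_rule_group, var.fivetuple_stateful_rule_group), [])
+
+# Stateless Rule Group
+stateless_rule_group = try(concat(each.value.stateless_rule_group, var.stateless_rule_group), [])
+
+#Suricate Firewall Rule Group
+suricata_stateful_rule_group = try(concat(each.value.suricata_stateful_rule_group, var.suricata_stateful_rule_group), [])
+
+#Domain Firewall Rule Group
+domain_stateful_rule_group = try(concat(each.value.domain_stateful_rule_group, var.domain_stateful_rule_group), [])
+
+tags = {
+"end_to_end" = "true"
+}
+}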

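--- a/examples/suricta-rule/README.md
+++ b/examples/suricta-rule/README.md
@@ -11,20 +11,33 @@ To run this example you need to execute:
 terraform init
 terraform plan
 
-## Requirements
-
-| Name | Version |
-|------|---------|
-| terraform | >= 0.14.4 |
-
-## Inputs
-
-No input.
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| this_aws_network_firewall_id| The ID of AWS Network firewall |
-| this_aws_network_firewall_arn | The ARN of the AWS Network firewall |
-| this_aws_network_firewall_endpoint | Endpoint for AWS Network firewall |
+## Module Reference Usage
+
+module "network_firewall" {
+source = "mattyait/network-firewall/aws"
+version = "x.y.z"
+firewall_name = "example"
+vpc_id = "vpc-27517c40"
+prefix = "test"
+
+#Passing Individual Subnet ID to have required endpoint
+subnet_mapping = [
+"subnet-da6b7ebd",
+"subnet-a256d2fa"
+]
+
+#Suricate Firewall Rule Group
+suricata_stateful_rule_group = [
+{
+capacity = 100
+name = "SURICTASFEXAMPLE1"
+description = "Stateful rule example1 with suricta type"
+rules_file = "./example.rules"
+}]
+
+tags = {
+Name = "example"
+Environment = "test"
+Created_By = "Terraform"
+}
+}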
