mattyait/terraform-aws-network-firewall

AWS Network Firewall Module

AWS Network Firewall Module which creates:

  • Stateful firewall rule group with the 5-tuple option
  • Stateful firewall rule group with the domain-list option
  • Stateful firewall rule group with the Suricata-compatible IPS rules option
  • Stateless firewall rule group
  • Firewall policy with the above rule groups attached
  • Network Firewall (with one endpoint per mapped subnet)

Usage

```hcl
module "network_firewall" {
    source  = "mattyait/network-firewall/aws"
    version = "0.1.2"

    firewall_name = "example"
    vpc_id        = "vpc-27517c40"
    prefix        = "test"

    # Passing individual subnet IDs; the module creates one firewall endpoint per subnet
    subnet_mapping = [
        "subnet-da6b7ebd",
        "subnet-a256d2fa"
    ]

    # Stateful rule group (5-tuple option)
    fivetuple_stateful_rule_group = [
        {
            capacity    = 100
            name        = "stateful"
            description = "Stateful rule example1 with 5 tuple option"
            rule_config = [{
                description           = "Pass All Rule"
                protocol              = "TCP"
                source_ipaddress      = "1.2.3.4/32"
                source_port           = 443
                destination_ipaddress = "124.1.1.5/32"
                destination_port      = 443
                direction             = "any"
                sid                   = 1
                actions = {
                    type = "pass"
                }
            }]
        },
    ]

    # Stateless rule group
    stateless_rule_group = [
        {
            capacity    = 100
            name        = "stateless"
            description = "Stateless rule example1"
            rule_config = [{
                priority              = 1
                protocols_number      = [6]
                source_ipaddress      = "1.2.3.4/32"
                source_from_port      = 443
                source_to_port        = 443
                destination_ipaddress = "124.1.1.5/32"
                destination_from_port = 443
                destination_to_port   = 443
                tcp_flag = {
                    flags = ["SYN"]
                    masks = ["SYN", "ACK"]
                }
                actions = {
                    type = "pass"
                }
            }]
        }
    ]

    tags = {
        Name        = "example"
        Environment = "Test"
        Created_By  = "Terraform"
    }
}
```

Requirements

| Name | Version |
|------|---------|
| terraform | >=1.0.3 |
| aws | ~> 4.50.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 4.50.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.nfw | resource |
| aws_networkfirewall_firewall.this | resource |
| aws_networkfirewall_firewall_policy.this | resource |
| aws_networkfirewall_logging_configuration.this | resource |
| aws_networkfirewall_rule_group.domain_stateful_group | resource |
| aws_networkfirewall_rule_group.fivetuple_stateful_group | resource |
| aws_networkfirewall_rule_group.stateless_group | resource |
| aws_networkfirewall_rule_group.suricata_stateful_group | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| aws_managed_rule_group | List of AWS managed rule group ARNs | list(any) | [] | no |
| description | Description for the resources | string | "" | no |
| domain_stateful_rule_group | Config for domain-list type stateful rule group | any | [] | no |
| firewall_name | Firewall name | string | "example" | no |
| firewall_policy_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated firewall policy | string | false | no |
| fivetuple_stateful_rule_group | Config for 5-tuple type stateful rule group | any | [] | no |
| logging_config | Logging config for the CloudWatch logs created for the network firewall | map(any) | {} | no |
| prefix | The description for each environment, e.g. bin-dev | string | n/a | yes |
| stateless_default_actions | Default stateless action | string | "forward_to_sfe" | no |
| stateless_fragment_default_actions | Default stateless action for fragmented packets | string | "forward_to_sfe" | no |
| stateless_rule_group | Config for stateless rule group | any | n/a | yes |
| subnet_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated subnet(s) | string | false | no |
| subnet_mapping | Subnet IDs mapped to individual firewall endpoints | list(string) | n/a | yes |
| suricata_stateful_rule_group | Config for Suricata type stateful rule group | any | [] | no |
| tags | The tags for the resources | map(any) | {} | no |
| vpc_id | VPC ID | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| arn | Created Network Firewall ARN from the network_firewall module |
| endpoint_id | Created Network Firewall endpoint ID |
| endpoint_id_az | Map of Availability Zone to firewall endpoint ID |
| id | Created Network Firewall ID from the network_firewall module |
| subnet_id | Created Network Firewall subnet ID |
| sync_states | Created Network Firewall sync states |
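Creating the firewall is only half of the job: no traffic is inspected until VPC route tables send it through the firewall endpoints, and a subnet whose default route bypasses the endpoint is simply unprotected. The following is an added example, not part of this module's README or code, showing how the `endpoint_id_az` output can drive that routing. It assumes the module is instantiated as in the Usage block above, that `endpoint_id_az` is a map keyed by Availability Zone name whose values are endpoint IDs (the README describes it as "Map of Availability Zone to firewall endpoint ID"), and that the workload subnets, their CIDRs, the VPC ID and the internet gateway referenced below are constructed placeholders you already manage. Each workload subnet must be a different subnet from the one passed in `subnet_mapping` for its AZ, and traffic must stay in one AZ on both legs, which is why every lookup is keyed by AZ.

```hcl
# Added example (not from the module). Assumed placeholders: one workload
# subnet per AZ, its CIDR, the VPC and IGW of the Usage block. Replace them.
locals {
  vpc_id              = "vpc-27517c40"          # same VPC as the Usage block
  internet_gateway_id = "igw-PLACEHOLDER"       # placeholder, not from the README

  # Constructed placeholder map: AZ name => workload (protected) subnet.
  # These must NOT be the firewall subnets given to subnet_mapping.
  protected_subnets = {
    "us-east-1a" = { id = "subnet-PLACEHOLDER-a", cidr = "10.0.10.0/24" }
    "us-east-1b" = { id = "subnet-PLACEHOLDER-b", cidr = "10.0.11.0/24" }
  }
}

# Outbound leg: each workload subnet's default route goes to the firewall
# endpoint in its own AZ, so egress is inspected before reaching the IGW.
resource "aws_route_table" "protected" {
  for_each = local.protected_subnets
  vpc_id   = local.vpc_id

  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = module.network_firewall.endpoint_id_az[each.key]
  }

  # Fail the plan, rather than silently skipping inspection, if the module did
  # not create an endpoint in this AZ (requires Terraform >= 1.2 for
  # preconditions; the README's own minimum is 1.0.3).
  lifecycle {
    precondition {
      condition     = contains(keys(module.network_firewall.endpoint_id_az), each.key)
      error_message = "No firewall endpoint in AZ ${each.key}; add a subnet for it to subnet_mapping."
    }
  }

  tags = { Name = "protected-${each.key}" }
}

resource "aws_route_table_association" "protected" {
  for_each       = local.protected_subnets
  subnet_id      = each.value.id
  route_table_id = aws_route_table.protected[each.key].id
}

# Return leg: an ingress route table on the internet gateway sends traffic
# destined for each workload CIDR back through the endpoint in the same AZ,
# so inbound and reply traffic are inspected symmetrically.
resource "aws_route_table" "igw_ingress" {
  vpc_id = local.vpc_id

  dynamic "route" {
    for_each = local.protected_subnets
    content {
      cidr_block      = route.value.cidr
      vpc_endpoint_id = module.network_firewall.endpoint_id_az[route.key]
    }
  }

  tags = { Name = "igw-ingress" }
}

resource "aws_route_table_association" "igw_ingress" {
  gateway_id     = local.internet_gateway_id
  route_table_id = aws_route_table.igw_ingress.id
}
```

The firewall subnets themselves (those in `subnet_mapping`) still need a route table whose default route points at the internet gateway; that is the only table that should reach the IGW directly. After `terraform apply`, `terraform state show` on the endpoint_id_az output together with the route tables confirms that each workload AZ resolves to an endpoint and that no workload route table carries a direct `igw-` route.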