hungran/terraform-aws-network-firewall
AWS Network Firewall Module

A Terraform module for AWS Network Firewall. It creates:

  • Stateful firewall rule group with the 5-tuple option
  • Stateful firewall rule group with the domain option
  • Stateful firewall rule group with Suricata-compatible IPS rules
  • Stateless firewall rule group
  • Firewall policy with the above rule groups attached
  • The Network Firewall itself, with one endpoint per mapped subnet

Usage

```hcl
module "network_firewall" {
  source  = "mattyait/network-firewall/aws"
  version = "0.1.0"

  firewall_name = "example"
  vpc_id        = "vpc-27517c40"

  # One firewall endpoint is created in each subnet listed here
  subnet_mapping = [
    { subnet_id = "subnet-da6b7ebd" },
    { subnet_id = "subnet-a256d2fa" }
  ]

  # Stateful rule group (5-tuple option)
  fivetuple_stateful_rule_group = [
    {
      capacity    = 100
      name        = "stateful"
      description = "Stateful rule example1 with 5 tuple option"
      rule_config = [{
        protocol              = "TCP"
        source_ipaddress      = "1.2.3.4/32"
        source_port           = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_port      = 443
        direction             = "any"
        actions = {
          type = "pass"
        }
      }]
    }
  ]

  # Stateless rule group
  stateless_rule_group = [
    {
      capacity    = 100
      name        = "stateless"
      description = "Stateless rule example1"
      rule_config = [{
        priority              = 1
        protocols_number      = [6]
        source_ipaddress      = "1.2.3.4/32"
        source_from_port      = 443
        source_to_port        = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_from_port = 443
        destination_to_port   = 443
        # Match segments with SYN set and ACK clear (the opening handshake packet)
        tcp_flag = {
          flags = ["SYN"]
          masks = ["SYN", "ACK"]
        }
        actions = {
          type = "pass"
        }
      }]
    }
  ]

  tags = {
    Name        = "example"
    Environment = "Test"
    Created_By  = "Terraform"
  }
}
```
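Because a malformed rule_config entry only surfaces at apply time, it helps to lint the maps before running Terraform. The following Python checker is an added example, not code from this module; it validates entries shaped like the usage block above (valid CIDRs, port ranges, stateful direction and action names, and the AWS requirement that tcp_flag.flags be a subset of tcp_flag.masks).

```python
# Added example (not part of this module): sanity-check rule_config entries shaped like the usage block.
import ipaddress

STATEFUL_ACTIONS = {"pass", "drop", "alert"}            # AWS stateful rule actions
STATELESS_ACTIONS = {"pass", "drop", "forward_to_sfe"}  # AWS stateless rule actions
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}

def _check_cidr(field, value, problems):
    try:
        ipaddress.ip_network(value, strict=True)  # rejects host bits set, e.g. 10.0.0.1/24
    except ValueError:
        problems.append(f"{field}: {value!r} is not a valid CIDR")

def _check_port(field, value, problems):
    if not (isinstance(value, int) and 0 <= value <= 65535):
        problems.append(f"{field}: {value!r} is not a port in 0-65535")

def check_stateful_rule(rule):
    """Problems found in one 5-tuple stateful rule_config entry (empty list = ok)."""
    problems = []
    _check_cidr("source_ipaddress", rule.get("source_ipaddress"), problems)
    _check_cidr("destination_ipaddress", rule.get("destination_ipaddress"), problems)
    _check_port("source_port", rule.get("source_port"), problems)
    _check_port("destination_port", rule.get("destination_port"), problems)
    if str(rule.get("direction", "")).lower() not in {"any", "forward"}:
        problems.append("direction must be 'any' or 'forward'")
    if rule.get("actions", {}).get("type") not in STATEFUL_ACTIONS:
        problems.append(f"actions.type must be one of {sorted(STATEFUL_ACTIONS)}")
    return problems

def check_stateless_rule(rule):
    """Problems found in one stateless rule_config entry (empty list = ok)."""
    problems = []
    _check_cidr("source_ipaddress", rule.get("source_ipaddress"), problems)
    _check_cidr("destination_ipaddress", rule.get("destination_ipaddress"), problems)
    for lo, hi in (("source_from_port", "source_to_port"),
                   ("destination_from_port", "destination_to_port")):
        _check_port(lo, rule.get(lo), problems)
        _check_port(hi, rule.get(hi), problems)
        if isinstance(rule.get(lo), int) and isinstance(rule.get(hi), int) and rule[lo] > rule[hi]:
            problems.append(f"{lo} must not be greater than {hi}")
    tcp = rule.get("tcp_flag")
    if tcp:  # AWS only accepts flags that are also listed in masks
        flags, masks = set(tcp.get("flags", [])), set(tcp.get("masks", []))
        if not (flags | masks) <= TCP_FLAGS:
            problems.append("tcp_flag uses an unknown TCP flag name")
        if not flags <= masks:
            problems.append("tcp_flag.flags must be a subset of tcp_flag.masks")
    if rule.get("actions", {}).get("type") not in STATELESS_ACTIONS:
        problems.append(f"actions.type must be one of {sorted(STATELESS_ACTIONS)}")
    return problems
```

Feed it the same maps you put in rule_config (for example by exporting them with `terraform console` or keeping them in a tfvars JSON file) and fail the pipeline when either function returns a non-empty list.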

Requirements

| Name | Version |
|------|---------|
| aws  | ~> 4.31.0 |

Providers

| Name | Version |
|------|---------|
| aws  | ~> 4.31.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_networkfirewall_firewall.this | resource |
| aws_networkfirewall_firewall_policy.this | resource |
| aws_networkfirewall_rule_group.domain_stateful_group | resource |
| aws_networkfirewall_rule_group.fivetuple_stateful_group | resource |
| aws_networkfirewall_rule_group.stateless_group | resource |
| aws_networkfirewall_rule_group.suricata_stateful_group | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| description | n/a | string | "" | no |
| domain_stateful_rule_group | Config for the domain type stateful rule group | list(any) | [] | no |
| firewall_policy_change_protection | (optional) Set to false because we apply GitOps for this | string | false | no |
| fivetuple_stateful_rule_group | Config for the 5-tuple type stateful rule group | list(any) | [] | no |
| nfw_name | Firewall name | string | "example" | no |
| prefix | The description for each environment, i.e. bin-dev | string | n/a | yes |
| stateless_default_actions | Default stateless action | string | "forward_to_sfe" | no |
| stateless_fragment_default_actions | Default stateless action for fragmented packets | string | "forward_to_sfe" | no |
| stateless_rule_group | Config for the stateless rule group | list(any) | n/a | yes |
| subnet_change_protection | (optional) Set to false because we apply GitOps for this | string | false | no |
| subnet_mapping | Subnet IDs mapped to individual firewall endpoints | any | n/a | yes |
| suricata_stateful_rule_group | Config for the Suricata type stateful rule group | list(any) | [] | no |
| tags | The tags for the resources | map(any) | {} | no |
| vpc_id | VPC ID | string | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| arn | ARN of the created Network Firewall (from the network_firewall module) |
| endpoint_id | Endpoint ID of the created Network Firewall |
| id | ID of the created Network Firewall (from the network_firewall module) |
