AWS Network Firewall module which creates:
- Stateful firewall rule group with the 5-tuple option
- Stateful firewall rule group with the domain list option
- Stateful firewall rule group with the Suricata-compatible IPS rules option
- Stateless firewall rule group
- Firewall policy with the above rule groups attached
- Network Firewall
Usage

```hcl
module "network_firewall" {
  source  = "mattyait/network-firewall/aws"
  version = "0.1.2"

  firewall_name = "example"
  vpc_id        = "vpc-27517c40"
  prefix        = "test"

  # Pass individual subnet IDs to get one firewall endpoint per subnet
  subnet_mapping = [
    "subnet-da6b7ebd",
    "subnet-a256d2fa"
  ]

  # Stateful rule group (5-tuple option)
  fivetuple_stateful_rule_group = [
    {
      capacity    = 100
      name        = "stateful"
      description = "Stateful rule example1 with 5 tuple option"
      rule_config = [{
        description           = "Pass All Rule"
        protocol              = "TCP"
        source_ipaddress      = "1.2.3.4/32"
        source_port           = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_port      = 443
        direction             = "any"
        sid                   = 1
        actions = {
          type = "pass"
        }
      }]
    },
  ]

  # Stateless rule group
  stateless_rule_group = [
    {
      capacity    = 100
      name        = "stateless"
      description = "Stateless rule example1"
      rule_config = [{
        priority              = 1
        protocols_number      = [6]
        source_ipaddress      = "1.2.3.4/32"
        source_from_port      = 443
        source_to_port        = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_from_port = 443
        destination_to_port   = 443
        tcp_flag = {
          flags = ["SYN"]
          masks = ["SYN", "ACK"]
        }
        actions = {
          type = "pass"
        }
      }]
    }
  ]

  tags = {
    Name        = "example"
    Environment = "Test"
    Created_By  = "Terraform"
  }
}
```

Requirements

| Name | Version | 
|---|---|
| terraform | >=1.0.3 | 
| aws | >= 4.50 | 

Providers

| Name | Version | 
|---|---|
| aws | >= 4.50 | 

Modules

No modules.

Resources

| Name | Type | 
|---|---|
| aws_cloudwatch_log_group.nfw | resource | 
| aws_networkfirewall_firewall.this | resource | 
| aws_networkfirewall_firewall_policy.this | resource | 
| aws_networkfirewall_logging_configuration.this | resource | 
| aws_networkfirewall_rule_group.domain_stateful_group | resource | 
| aws_networkfirewall_rule_group.fivetuple_stateful_group | resource | 
| aws_networkfirewall_rule_group.stateless_group | resource | 
| aws_networkfirewall_rule_group.suricata_stateful_group | resource | 

Inputs

| Name | Description | Type | Default | Required | 
|---|---|---|---|---|
| aws_managed_rule_group | List of AWS managed rule group ARNs | list(any) | [] | no | 
| description | Description for the resources | string | "" | no | 
| domain_stateful_rule_group | Config for domain type stateful rule group | any | [] | no | 
| firewall_name | Firewall name | string | "example" | no | 
| firewall_policy_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated firewall policy | string | false | no | 
| fivetuple_stateful_rule_group | Config for 5-tuple type stateful rule group | any | [] | no | 
| logging_config | Logging config for the CloudWatch log group created for the network firewall | map(any) | {} | no | 
| prefix | The description for each environment, e.g. bin-dev | string | n/a | yes | 
| stateless_default_actions | Default stateless action | string | "forward_to_sfe" | no | 
| stateless_fragment_default_actions | Default stateless action for fragmented packets | string | "forward_to_sfe" | no | 
| stateless_rule_group | Config for stateless rule group | any | n/a | yes | 
| subnet_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated subnet(s) | string | false | no | 
| subnet_mapping | Subnet IDs to map, one firewall endpoint per subnet | list(string) | n/a | yes | 
| suricata_stateful_rule_group | Config for Suricata type stateful rule group | any | [] | no | 
| tags | The tags for the resources | map(any) | {} | no | 
| vpc_id | VPC ID | string | n/a | yes | 

Outputs

| Name | Description | 
|---|---|
| arn | Created Network Firewall ARN from network_firewall module | 
| endpoint_id | Created Network Firewall endpoint ID | 
| endpoint_id_az | Map of Availability Zone to firewall endpoint ID | 
| id | Created Network Firewall ID from network_firewall module | 
| subnet_id | Created Network Firewall subnet ID | 
| sync_states | Created Network Firewall sync states |
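The `rule_config` entries passed to `stateless_rule_group` in the usage example are only validated once Terraform calls the AWS API, so a `plan` that looks fine can still fail on `apply` (for example when `tcp_flag.flags` lists a flag that is not in `masks`, or `from_port` is greater than `to_port`). The pre-flight check below is an added example, not part of this module; it reads the same keys the README uses, flags those API constraints before `apply`, and also reports a `pass` rule whose CIDR matches every address, which is the kind of rule that silently widens what the firewall lets through.

```python
import ipaddress

# Constructed sample mirroring the README's stateless rule_config entry (not module code).
README_RULE = {
    "priority": 1,
    "protocols_number": [6],
    "source_ipaddress": "1.2.3.4/32",
    "source_from_port": 443,
    "source_to_port": 443,
    "destination_ipaddress": "124.1.1.5/32",
    "destination_from_port": 443,
    "destination_to_port": 443,
    "tcp_flag": {"flags": ["SYN"], "masks": ["SYN", "ACK"]},
    "actions": {"type": "pass"},
}

def check_stateless_rule(rule):
    """Return the problems found in one stateless rule_config entry ([] if clean)."""
    problems = []
    for key in ("source_ipaddress", "destination_ipaddress"):
        try:
            net = ipaddress.ip_network(rule[key], strict=True)  # rejects host bits set
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
            continue
        if rule["actions"]["type"] == "pass" and net.prefixlen == 0:
            problems.append(f"{key}: 'pass' rule matches every address")
    for side in ("source", "destination"):
        lo, hi = rule[f"{side}_from_port"], rule[f"{side}_to_port"]
        if not 0 <= lo <= hi <= 65535:  # AWS requires from_port <= to_port
            problems.append(f"{side} port range {lo}-{hi} is invalid")
    if any(not 0 <= p <= 255 for p in rule["protocols_number"]):
        problems.append("protocols_number must be IP protocol numbers 0-255")
    tf = rule.get("tcp_flag")
    if tf:
        if not set(tf["flags"]) <= set(tf["masks"]):  # AWS only accepts flags also listed in masks
            problems.append("tcp_flag.flags must be a subset of tcp_flag.masks")
        if 6 not in rule["protocols_number"]:  # TCP flags are meaningless for other protocols
            problems.append("tcp_flag given but TCP (protocol 6) is not in protocols_number")
    return problems

def check_stateless_group(rules):
    """Validate a whole rule_config list; priorities must be unique within a group."""
    problems, seen = [], set()
    for rule in rules:
        if rule["priority"] in seen:
            problems.append(f"priority {rule['priority']} used more than once")
        seen.add(rule["priority"])
        problems += [f"priority {rule['priority']}: {p}" for p in check_stateless_rule(rule)]
    return problems
```

Run it over the list you are about to put in `stateless_rule_group`; an empty result means the group passes these checks, anything else is a reason to fix the config before `terraform apply`.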