
[New Resource]: Network Firewall Rule Group Reference

Open azbpa opened this issue 2 years ago • 1 comment

Description

Resource aws_networkfirewall_firewall_policy allows referencing networkfirewall_rule_groups using the firewall_policy.stateful_rule_group_reference and firewall_policy.stateless_rule_group_reference blocks.

This works fine if the aws_networkfirewall_firewall_policy and the networkfirewall_rule_groups are created at the same time. However, if you have an existing aws_networkfirewall_firewall_policy (e.g. fetched using the corresponding Data Source) it is not possible to reference the created networkfirewall_rule_group.

Therefore, the request would be to implement a new resource that handles references in a decoupled manner.

Requested Resource(s) and/or Data Source(s)

  • aws_networkfirewall_rule_group_reference

Potential Terraform Configuration

data "aws_networkfirewall_firewall_policy" "example" {
  name = var.firewall_policy_name
}

resource "aws_networkfirewall_rule_group" "stateful_example" {
  capacity = 100
  name     = "stateful-example"
  type     = "STATEFUL"
  rules    = file("example-stateful.rules")
}

resource "aws_networkfirewall_rule_group" "stateless_example" {
  description = "Stateless Rate Limiting Rule"
  capacity    = 100
  name        = "example"
  type        = "STATELESS"
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        custom_action {
          action_definition {
            publish_metric_action {
              dimension {
                value = "2"
              }
            }
          }
          action_name = "ExampleMetricsAction"
        }
        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:pass", "ExampleMetricsAction"]
            match_attributes {
              source {
                address_definition = "1.2.3.4/32"
              }
              source_port {
                from_port = 443
                to_port   = 443
              }
              destination {
                address_definition = "124.1.1.5/32"
              }
              destination_port {
                from_port = 443
                to_port   = 443
              }
              protocols = [6]
              tcp_flag {
                flags = ["SYN"]
                masks = ["SYN", "ACK"]
              }
            }
          }
        }
      }
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

resource "aws_networkfirewall_rule_group_reference" "example_stateful" {
  firewall_policy_arn = data.aws_networkfirewall_firewall_policy.example.arn
  rule_group_arn      = aws_networkfirewall_rule_group.stateful_example.arn
  priority            = 1
}

resource "aws_networkfirewall_rule_group_reference" "example_stateful_managed" {
  firewall_policy_arn = data.aws_networkfirewall_firewall_policy.example.arn
  rule_group_arn      = "arn:aws:network-firewall:eu-central-1:aws-managed:stateful-rulegroup/MalwareDomainsStrictOrder"
  priority            = 2
  override            = {
    action = "DROP_TO_ALERT"
  }
}

resource "aws_networkfirewall_rule_group_reference" "example_stateless" {
  firewall_policy_arn = data.aws_networkfirewall_firewall_policy.example.arn
  rule_group_arn      = aws_networkfirewall_rule_group.stateless_example.arn
  priority            = 1
}

References

No response

Would you like to implement a fix?

No

azbpa avatar Nov 30 '22 17:11 azbpa

Community Note

Voting for Prioritization

  • Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
  • Please see our prioritization guide for information on how we prioritize.
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

  • If you are interested in working on this issue, please leave a comment.
  • If this would be your first contribution, please review the contribution guide.

github-actions[bot] avatar Nov 30 '22 17:11 github-actions[bot]

I am also very much interested in a separate association resource. I want to create rules in a separate repository and am unable to with the current set of TF resources.

simon-wessel avatar Oct 16 '23 09:10 simon-wessel

Looking at the API briefly, it appears that the way this is done through the API is to get the current policy object, modify it, and then call the update operation, specifying the new configuration and the update token indicating the previous state. Would that flow, the fact that the way it’s done is to modify an external resource (perhaps one not, itself, managed by Terraform), be a blocker when it comes to implementing this? (Trying to figure out the comparison to e.g. security groups, route tables, IAM roles/policies, etc. which have both inline and separate-resource creation options — with the inline in such situations, is the Terraform resource actually just creating and managing multiple resources behind the scenes?)

Michagogo avatar Jan 04 '24 19:01 Michagogo
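The describe, modify, update-with-token flow described in the comment above, as an added example that is not part of this issue or of the provider's code: `add_stateful_reference` is a pure helper exercised on a constructed DescribeFirewallPolicy response, and `attach_rule_group` runs the same steps against a boto3 `network-firewall` client. Both function names, the sample ARNs and the account ID are assumptions; the policy is assumed to use STRICT_ORDER stateful rule ordering, which is what gives `priority` meaning.

```python
import copy
from typing import Optional


def add_stateful_reference(policy: dict, rule_group_arn: str, priority: int,
                           override_action: Optional[str] = None) -> dict:
    """Return a copy of a FirewallPolicy dict with one more stateful reference.
    Refuses a duplicate ARN or a reused priority rather than letting the later
    UpdateFirewallPolicy silently reorder evaluation (STRICT_ORDER assumed)."""
    new_policy = copy.deepcopy(policy)  # never mutate the described copy
    refs = new_policy.setdefault("StatefulRuleGroupReferences", [])
    if any(r["ResourceArn"] == rule_group_arn for r in refs):
        raise ValueError(f"{rule_group_arn} is already referenced")
    if any(r.get("Priority") == priority for r in refs):
        raise ValueError(f"priority {priority} is already in use")
    ref = {"ResourceArn": rule_group_arn, "Priority": priority}
    if override_action:  # e.g. DROP_TO_ALERT to audit a managed group first
        ref["Override"] = {"Action": override_action}
    refs.append(ref)
    refs.sort(key=lambda r: r["Priority"])
    return new_policy


def attach_rule_group(client, policy_name: str, rule_group_arn: str,
                      priority: int, override_action: Optional[str] = None) -> str:
    """Describe -> modify -> update with a boto3 'network-firewall' client.
    The UpdateToken from Describe is echoed back to Update; if the policy changed
    in between, the API raises InvalidTokenException instead of overwriting the
    other writer's change (lost-update protection)."""
    described = client.describe_firewall_policy(FirewallPolicyName=policy_name)
    policy = add_stateful_reference(described["FirewallPolicy"], rule_group_arn,
                                    priority, override_action)
    resp = client.update_firewall_policy(UpdateToken=described["UpdateToken"],
                                         FirewallPolicyName=policy_name,
                                         FirewallPolicy=policy)
    return resp["UpdateToken"]  # the token to use for the next modification


# Constructed stand-in for a DescribeFirewallPolicy response (not real data).
SAMPLE_DESCRIBE = {
    "UpdateToken": "constructed-token-1",
    "FirewallPolicy": {
        "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
        "StatefulRuleGroupReferences": [{"Priority": 1, "ResourceArn":
            "arn:aws:network-firewall:eu-central-1:111111111111:stateful-rulegroup/existing"}],
    },
}
```

A Terraform resource built on this flow would have to re-run the describe step on every apply and treat a token mismatch as a retryable conflict, which is the part the comment asks about.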