AWS Network Firewall Module
Terraform module for AWS Network Firewall which creates:
- Stateful firewall rule group with the 5-tuple option
- Stateful firewall rule group with the domain list option
- Stateful firewall rule group with Suricata-compatible IPS rules
- Stateless firewall rule group
- Firewall policy with the above rule groups attached
- Network Firewall
Usage
```hcl
module "network_firewall" {
  source  = "mattyait/network-firewall/aws"
  version = "0.1.2"

  firewall_name = "example"
  vpc_id        = "vpc-27517c40"
  prefix        = "test"

  # Each listed subnet gets its own firewall endpoint (one subnet per Availability Zone)
  subnet_mapping = [
    "subnet-da6b7ebd",
    "subnet-a256d2fa"
  ]

  # Stateful rule group using the 5-tuple option
  fivetuple_stateful_rule_group = [
    {
      capacity    = 100
      name        = "stateful"
      description = "Stateful rule example1 with 5 tuple option"
      rule_config = [{
        description           = "Pass All Rule"
        protocol              = "TCP"
        source_ipaddress      = "1.2.3.4/32"
        source_port           = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_port      = 443
        direction             = "any"
        sid                   = 1
        actions = {
          type = "pass"
        }
      }]
    },
  ]

  # Stateless rule group. Note: a stateless "pass" lets matching packets through
  # without any stateful inspection; use "forward_to_sfe" if the stateful rule
  # groups above should still evaluate them.
  stateless_rule_group = [
    {
      capacity    = 100
      name        = "stateless"
      description = "Stateless rule example1"
      rule_config = [{
        priority              = 1
        protocols_number      = [6] # TCP
        source_ipaddress      = "1.2.3.4/32"
        source_from_port      = 443
        source_to_port        = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_from_port = 443
        destination_to_port   = 443
        tcp_flag = {
          flags = ["SYN"]
          masks = ["SYN", "ACK"] # SYN set and ACK clear, i.e. connection initiation only
        }
        actions = {
          type = "pass"
        }
      }]
    }
  ]

  tags = {
    Name        = "example"
    Environment = "Test"
    Created_By  = "Terraform"
  }
}
```
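A pre-apply check worth running before handing these structures to the module, written as an added Python example (it is not code from the mattyait/network-firewall/aws module): it validates the 5-tuple stateful and stateless rule_config shapes used above (valid CIDRs, port ranges, unique sid and priority values, TCP flags contained in their masks) and reports every stateless `pass` rule, because packets matched by such a rule are allowed without ever reaching the stateful rule groups. The rule objects are assumed to be dicts with the same keys as the HCL above; the function names and message strings are this example's own, and the sample data is constructed to mirror the Usage block.

```python
"""Pre-apply lint for the rule_config shapes shown in the Usage block. Added
example, not part of the module: rules are assumed to be dicts with exactly the
keys used in the HCL above; all function names and messages are this example's own."""
import ipaddress

# Actions and TCP flag names as AWS Network Firewall accepts them (case-insensitive).
STATEFUL_ACTIONS = {"pass", "drop", "alert", "reject"}
STATELESS_ACTIONS = {"pass", "drop", "forward_to_sfe"}
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}

# Constructed sample mirroring the README's Usage block (not real infrastructure).
FIVETUPLE_STATEFUL = [{
    "name": "stateful", "capacity": 100,
    "rule_config": [{
        "description": "Pass All Rule", "protocol": "TCP",
        "source_ipaddress": "1.2.3.4/32", "source_port": 443,
        "destination_ipaddress": "124.1.1.5/32", "destination_port": 443,
        "direction": "any", "sid": 1, "actions": {"type": "pass"},
    }],
}]
STATELESS = [{
    "name": "stateless", "capacity": 100,
    "rule_config": [{
        "priority": 1, "protocols_number": [6],
        "source_ipaddress": "1.2.3.4/32", "source_from_port": 443, "source_to_port": 443,
        "destination_ipaddress": "124.1.1.5/32",
        "destination_from_port": 443, "destination_to_port": 443,
        "tcp_flag": {"flags": ["SYN"], "masks": ["SYN", "ACK"]},
        "actions": {"type": "pass"},
    }],
}]

def _check_cidr(where, label, value, findings):
    try:
        ipaddress.ip_network(value, strict=True)  # strict=True rejects host bits set
    except ValueError:
        findings.append(f"{where}: {label} {value!r} is not a valid CIDR")

def _check_port(where, label, value, findings):
    ok = value == "any" or (isinstance(value, int) and 0 <= value <= 65535)
    if not ok:
        findings.append(f"{where}: {label} {value!r} must be 0-65535 or 'any'")

def lint_fivetuple(groups):
    """Findings for 5-tuple stateful rule groups (empty list = nothing to report)."""
    findings = []
    for g in groups:
        seen_sids = set()
        for r in g["rule_config"]:
            where = f"fivetuple/{g['name']}/sid={r['sid']}"
            if r["sid"] in seen_sids:  # Suricata signature IDs must be unique per group
                findings.append(f"{where}: duplicate sid within the rule group")
            seen_sids.add(r["sid"])
            if r["direction"].lower() not in {"any", "forward"}:
                findings.append(f"{where}: direction must be 'any' or 'forward'")
            if r["actions"]["type"].lower() not in STATEFUL_ACTIONS:
                findings.append(f"{where}: unknown stateful action {r['actions']['type']!r}")
            _check_cidr(where, "source_ipaddress", r["source_ipaddress"], findings)
            _check_cidr(where, "destination_ipaddress", r["destination_ipaddress"], findings)
            _check_port(where, "source_port", r["source_port"], findings)
            _check_port(where, "destination_port", r["destination_port"], findings)
    return findings

def lint_stateless(groups):
    """Findings for stateless rule groups, including the stateful-bypass caveat."""
    findings = []
    for g in groups:
        seen_priorities = set()
        for r in g["rule_config"]:
            where = f"stateless/{g['name']}/priority={r['priority']}"
            if r["priority"] in seen_priorities:
                findings.append(f"{where}: duplicate priority within the rule group")
            seen_priorities.add(r["priority"])
            for p in r["protocols_number"]:
                if not 0 <= p <= 255:
                    findings.append(f"{where}: protocol number {p} is not an IANA protocol number")
            for side in ("source", "destination"):
                _check_cidr(where, f"{side}_ipaddress", r[f"{side}_ipaddress"], findings)
                lo, hi = r[f"{side}_from_port"], r[f"{side}_to_port"]
                if not 0 <= lo <= hi <= 65535:
                    findings.append(f"{where}: {side} port range {lo}-{hi} is invalid")
            tcp_flag = r.get("tcp_flag", {})
            flags, masks = set(tcp_flag.get("flags", [])), set(tcp_flag.get("masks", []))
            if not flags <= masks:  # AWS requires every flag to also be listed in masks
                findings.append(f"{where}: tcp_flag flags {sorted(flags - masks)} are not in masks")
            if not (flags | masks) <= TCP_FLAGS:
                findings.append(f"{where}: unknown TCP flag names {sorted((flags | masks) - TCP_FLAGS)}")
            action = r["actions"]["type"].lower()
            if action not in STATELESS_ACTIONS:
                findings.append(f"{where}: unknown stateless action {action!r}")
            elif action == "pass":  # stateless pass ends inspection; stateful groups never see it
                findings.append(f"{where}: stateless 'pass' skips the stateful engine for matching packets")
    return findings

def lint_rule_groups(fivetuple, stateless):
    """Lint both kinds of rule group in one pass."""
    return lint_fivetuple(fivetuple) + lint_stateless(stateless)
```

Run it against the same structures you pass to the module (for example by keeping the rule config in a tfvars JSON file and loading it) and treat a non-empty list as a reason not to apply. On the Usage sample the only finding is the stateless-bypass notice for the `pass` rule, which is exactly the behaviour to confirm is intended.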
Requirements
| Name | Version |
|------|---------|
| terraform | >= 1.0.3 |
| aws | >= 4.50 |
Providers
Modules
No modules.
Resources
Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| aws_managed_rule_group | List of AWS managed rule group ARNs | list(any) | [] | no |
| description | Description for the resources | string | "" | no |
| domain_stateful_rule_group | Config for the domain list type stateful rule group | any | [] | no |
| firewall_name | Firewall name | string | "example" | no |
| firewall_policy_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated firewall policy | string | false | no |
| fivetuple_stateful_rule_group | Config for the 5-tuple type stateful rule group | any | [] | no |
| logging_config | Logging configuration for the CloudWatch Logs group created for the Network Firewall | map(any) | {} | no |
| prefix | Name prefix for each environment, e.g. bin-dev | string | n/a | yes |
| stateless_default_actions | Default stateless action for packets that match no stateless rule | string | "forward_to_sfe" | no |
| stateless_fragment_default_actions | Default stateless action for fragmented packets | string | "forward_to_sfe" | no |
| stateless_rule_group | Config for the stateless rule group | any | n/a | yes |
| subnet_change_protection | (Optional) A boolean flag indicating whether it is possible to change the associated subnet(s) | string | false | no |
| subnet_mapping | Subnet IDs, one firewall endpoint is created per listed subnet | list(string) | n/a | yes |
| suricata_stateful_rule_group | Config for the Suricata-compatible type stateful rule group | any | [] | no |
| tags | Tags for the resources | map(any) | {} | no |
| vpc_id | VPC ID | string | n/a | yes |
Outputs
| Name | Description |
|------|-------------|
| arn | ARN of the Network Firewall created by the network_firewall module |
| endpoint_id | Endpoint IDs of the created Network Firewall |
| endpoint_id_az | Map of Availability Zone to firewall endpoint ID |
| id | ID of the Network Firewall created by the network_firewall module |
| subnet_id | Subnet IDs of the created Network Firewall endpoints |
| sync_states | Sync states of the created Network Firewall |