modernisation-platform
Create new AWS NWFW rule group / policy prior to migration
User Story
As a Modernisation Platform Engineer, I want to prepare a simple rule group and policy for our AWS Network Firewall, so that I have a minimally restrictive policy I can apply as part of a migration.
User Type(s)
- Modernisation Platform Engineer
- Modernisation Platform Customer
Value
By creating simple rule groups that allow all traffic on a stateless basis, and all traffic on a stateful basis, we can associate these with a firewall policy. That policy can, as part of a migration, replace the existing firewall policy associated with our AWS Network Firewall.
Questions / Assumptions / Hypothesis
Assumption: Stateless rules provide minimal value over network ACLs that we already control, so we can ignore these safely.
Assumption: Transit Gateway attachments to the AWS NWFW inspection VPC are set to appliance mode to ensure stateful routing of traffic.
Assumption: Strict rule-order checking is configured and will ensure that rules are processed in an easily comprehensible fashion.
Assumption: Open stateful rules are sufficient in the context of the initial migration; security groups also exist to secure instances.
Definition of done
- [ ] migration rule groups & policy created
- [ ] migration rule groups associated with migration policy
- [ ] rules have been created with consideration for future additions
Reference
- How to write good user stories
- Getting started with AWS Network Firewall
As part of this, we should consider the configuration we have in place for logging.
https://docs.google.com/document/d/1SAyfQyK6pcNQYjPIpZBtGtNEhmjM2y4So0IxSghr0rc/edit
Got a for_each set up and variables populated with the values from the JSON. Have built a very simple stateful firewall statement using the new variables, although it complained about the variables not being strings, so the current settings might need to change.
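As an added illustration of the story above (example Terraform, not the Modernisation Platform's own code), this builds the allow-all stateful rule group from a for_each map and a strict-order policy that references it; the resource names and the `migration_rules` map are constructed for the example. Note that `rule_option.settings` is a list of strings in the AWS provider schema, so the `sid` value is kept as a string.

```hcl
locals {
  migration_rules = { # constructed sample input; real values come from JSON, all as strings
    allow_all_ip = { sid = "1", protocol = "IP", action = "PASS" }
  }
}
resource "aws_networkfirewall_rule_group" "migration_stateful" {
  name     = "migration-stateful" # assumed name
  type     = "STATEFUL"
  capacity = 100 # headroom for rules added later
  rule_group {
    stateful_rule_options {
      rule_order = "STRICT_ORDER" # evaluate rules in the order listed
    }
    rules_source {
      dynamic "stateful_rule" {
        for_each = local.migration_rules
        content {
          action = stateful_rule.value.action
          header {
            protocol         = stateful_rule.value.protocol
            source           = "ANY"
            source_port      = "ANY"
            destination      = "ANY"
            destination_port = "ANY"
            direction        = "ANY"
          }
          rule_option {
            keyword  = "sid"
            settings = [stateful_rule.value.sid] # must be a list of strings
          }
        }
      }
    }
  }
}
resource "aws_networkfirewall_firewall_policy" "migration" {
  name = "migration-policy" # assumed name
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"] # stateless layer just hands off
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_engine_options {
      rule_order = "STRICT_ORDER" # required to reference strict-order groups
    }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"] # unmatched (none today) is dropped and logged
    stateful_rule_group_reference {
      priority     = 10 # lower evaluates first; gaps leave room for later groups
      resource_arn = aws_networkfirewall_rule_group.migration_stateful.arn
    }
  }
}
```

Because the single PASS rule matches all IP traffic, the drop default never fires today; tightening later means replacing that map entry with specific allow rules rather than changing the policy defaults.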