{"id":15652593,"url":"https://github.com/mattyait/terraform-aws-network-firewall","last_synced_at":"2025-09-06T08:34:08.380Z","repository":{"id":81852568,"uuid":"331822548","full_name":"mattyait/terraform-aws-network-firewall","owner":"mattyait","description":"Terraform module for AWS Network Firewall","archived":false,"fork":false,"pushed_at":"2024-02-01T23:40:23.000Z","size":41,"stargazers_count":21,"open_issues_count":0,"forks_count":21,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-05-01T14:53:50.341Z","etag":null,"topics":["aws","aws-firewall","aws-network-firewall","firewall","network","network-firewall","networkfirewall","terraform","terraform-module"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/mattyait/network-firewall/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mattyait.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-01-22T03:11:42.000Z","updated_at":"2024-02-19T04:29:49.000Z","dependencies_parsed_at":"2024-02-02T00:46:05.081Z","dependency_job_id":null,"html_url":"https://github.com/mattyait/terraform-aws-network-firewall","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattyait%2Fterraform-aws-network-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattyait%2Fterraform-aws-network-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/mattyait%2Fterraform-aws-network-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mattyait%2Fterraform-aws-network-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mattyait","download_url":"https://codeload.github.com/mattyait/terraform-aws-network-firewall/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251895424,"owners_count":21661342,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws","aws-firewall","aws-network-firewall","firewall","network","network-firewall","networkfirewall","terraform","terraform-module"],"created_at":"2024-10-03T12:42:47.834Z","updated_at":"2025-05-01T14:53:57.149Z","avatar_url":"https://github.com/mattyait.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"#  AWS Network Firewall Module\n\nAWS Network Firewall Module which creates\n\n-  Stateful Firewall rule group with 5-tuple option\n-  Stateful Firewall rule group domain option\n-  Stateful firewall rule group with Suricata compatible IPS rules option\n- Stateless Firewall rule group\n- Firewall Policy with the above rule groups attached\n- Firewall Network\n\n## Usage\n```hcl\nmodule \"network_firewall\" {\n    source  = \"mattyait/network-firewall/aws\"\n    version = \"0.1.2\"\n    firewall_name = \"example\"\n    vpc_id        = \"vpc-27517c40\"\n    prefix        = \"test\"\n\n    #Passing Individual Subnet ID to have required endpoint\n    subnet_mapping = [\n        
\"subnet-da6b7ebd\",\n        \"subnet-a256d2fa\"\n    ]\n\n    fivetuple_stateful_rule_group = [\n        {\n        capacity    = 100\n        name        = \"stateful\"\n        description = \"Stateful rule example1 with 5 tuple option\"\n        rule_config = [{\n            description           = \"Pass All Rule\"\n            protocol              = \"TCP\"\n            source_ipaddress      = \"1.2.3.4/32\"\n            source_port           = 443\n            destination_ipaddress = \"124.1.1.5/32\"\n            destination_port      = 443\n            direction             = \"any\"\n            sid                   = 1\n            actions = {\n            type = \"pass\"\n            }\n        }]\n        },\n    ]\n\n    # Stateless Rule Group\n    stateless_rule_group = [\n        {\n        capacity    = 100\n        name        = \"stateless\"\n        description = \"Stateless rule example1\"\n        rule_config = [{\n            priority              = 1\n            protocols_number      = [6]\n            source_ipaddress      = \"1.2.3.4/32\"\n            source_from_port      = 443\n            source_to_port        = 443\n            destination_ipaddress = \"124.1.1.5/32\"\n            destination_from_port = 443\n            destination_to_port   = 443\n            tcp_flag = {\n            flags = [\"SYN\"]\n            masks = [\"SYN\", \"ACK\"]\n            }\n            actions = {\n            type = \"pass\"\n            }\n        }]\n        }]\n\n    tags = {\n        Name        = \"example\"\n        Environment = \"Test\"\n        Created_By  = \"Terraform\"\n    }\n}\n```\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e=1.0.3 |\n| \u003ca name=\"requirement_aws\"\u003e\u003c/a\u003e [aws](#requirement\\_aws) | \u003e= 4.50 |\n\n## Providers\n\n| Name | Version 
|\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 4.50 |\n\n## Modules\n\nNo modules.\n\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_cloudwatch_log_group.nfw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |\n| [aws_networkfirewall_firewall.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |\n| [aws_networkfirewall_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |\n| [aws_networkfirewall_logging_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration) | resource |\n| [aws_networkfirewall_rule_group.domain_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n| [aws_networkfirewall_rule_group.fivetuple_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n| [aws_networkfirewall_rule_group.stateless_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n| [aws_networkfirewall_rule_group.suricata_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_aws_managed_rule_group\"\u003e\u003c/a\u003e [aws\\_managed\\_rule\\_group](#input\\_aws\\_managed\\_rule\\_group) | List of AWS managed rule group arn | `list(any)` | `[]` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | Description for the resources | 
`string` | `\"\"` | no |\n| \u003ca name=\"input_domain_stateful_rule_group\"\u003e\u003c/a\u003e [domain\\_stateful\\_rule\\_group](#input\\_domain\\_stateful\\_rule\\_group) | Config for domain type stateful rule group | `any` | `[]` | no |\n| \u003ca name=\"input_firewall_name\"\u003e\u003c/a\u003e [firewall\\_name](#input\\_firewall\\_name) | firewall name | `string` | `\"example\"` | no |\n| \u003ca name=\"input_firewall_policy_change_protection\"\u003e\u003c/a\u003e [firewall\\_policy\\_change\\_protection](#input\\_firewall\\_policy\\_change\\_protection) | (Optional) A boolean flag indicating whether it is possible to change the associated firewall policy | `string` | `false` | no |\n| \u003ca name=\"input_fivetuple_stateful_rule_group\"\u003e\u003c/a\u003e [fivetuple\\_stateful\\_rule\\_group](#input\\_fivetuple\\_stateful\\_rule\\_group) | Config for 5-tuple type stateful rule group | `any` | `[]` | no |\n| \u003ca name=\"input_logging_config\"\u003e\u003c/a\u003e [logging\\_config](#input\\_logging\\_config) | logging config for cloudwatch logs created for network firewall | `map(any)` | `{}` | no |\n| \u003ca name=\"input_prefix\"\u003e\u003c/a\u003e [prefix](#input\\_prefix) | The description for each environment, ie: bin-dev | `string` | n/a | yes |\n| \u003ca name=\"input_stateless_default_actions\"\u003e\u003c/a\u003e [stateless\\_default\\_actions](#input\\_stateless\\_default\\_actions) | Default stateless Action | `string` | `\"forward_to_sfe\"` | no |\n| \u003ca name=\"input_stateless_fragment_default_actions\"\u003e\u003c/a\u003e [stateless\\_fragment\\_default\\_actions](#input\\_stateless\\_fragment\\_default\\_actions) | Default Stateless action for fragmented packets | `string` | `\"forward_to_sfe\"` | no |\n| \u003ca name=\"input_stateless_rule_group\"\u003e\u003c/a\u003e [stateless\\_rule\\_group](#input\\_stateless\\_rule\\_group) | Config for stateless rule group | `any` | n/a | yes |\n| \u003ca 
name=\"input_subnet_change_protection\"\u003e\u003c/a\u003e [subnet\\_change\\_protection](#input\\_subnet\\_change\\_protection) | (Optional) A boolean flag indicating whether it is possible to change the associated subnet(s) | `string` | `false` | no |\n| \u003ca name=\"input_subnet_mapping\"\u003e\u003c/a\u003e [subnet\\_mapping](#input\\_subnet\\_mapping) | Subnet ids mapping to have individual firewall endpoint | `list(string)` | n/a | yes |\n| \u003ca name=\"input_suricata_stateful_rule_group\"\u003e\u003c/a\u003e [suricata\\_stateful\\_rule\\_group](#input\\_suricata\\_stateful\\_rule\\_group) | Config for Suricata type stateful rule group | `any` | `[]` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | The tags for the resources | `map(any)` | `{}` | no |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | VPC ID | `string` | n/a | yes |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | Created Network Firewall ARN from network\\_firewall module |\n| \u003ca name=\"output_endpoint_id\"\u003e\u003c/a\u003e [endpoint\\_id](#output\\_endpoint\\_id) | Created Network Firewall endpoint id |\n| \u003ca name=\"output_endpoint_id_az\"\u003e\u003c/a\u003e [endpoint\\_id\\_az](#output\\_endpoint\\_id\\_az) | Map value with Availability Zone and Firewall endpoint id |\n| \u003ca name=\"output_id\"\u003e\u003c/a\u003e [id](#output\\_id) | Created Network Firewall ID from network\\_firewall module |\n| \u003ca name=\"output_subnet_id\"\u003e\u003c/a\u003e [subnet\\_id](#output\\_subnet\\_id) | Created Network Firewall subnet id |\n| \u003ca name=\"output_sync_states\"\u003e\u003c/a\u003e [sync\\_states](#output\\_sync\\_states) | Created Network Firewall states |\n\u003c!-- END_TF_DOCS 
--\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattyait%2Fterraform-aws-network-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmattyait%2Fterraform-aws-network-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmattyait%2Fterraform-aws-network-firewall/lists"}