{"id":14957931,"url":"https://github.com/terraform-aws-modules/terraform-aws-network-firewall","last_synced_at":"2026-01-08T21:16:16.892Z","repository":{"id":182867607,"uuid":"668822136","full_name":"terraform-aws-modules/terraform-aws-network-firewall","owner":"terraform-aws-modules","description":"Terraform module to create AWS Network Firewall resources 🇺🇦","archived":false,"fork":false,"pushed_at":"2024-10-11T16:09:59.000Z","size":74,"stargazers_count":16,"open_issues_count":4,"forks_count":14,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-01-31T01:14:43.208Z","etag":null,"topics":["aws-network-firewall","network-firewall","terraform","terraform-module","terraform-modules"],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/terraform-aws-modules/network-firewall/aws","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/terraform-aws-modules.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2023-07-20T17:06:19.000Z","updated_at":"2025-01-18T17:55:13.000Z","dependencies_parsed_at":"2024-03-09T04:00:54.285Z","dependency_job_id":null,"html_url":"https://github.com/terraform-aws-modules/terraform-aws-network-firewall","commit_stats":null,"previous_names":["clowdhaus/terraform-aws-network-firewall","terraform-aws-modules/terraform-aws-network-firewall"],"tags_count":2,"template":false,"template_full_name":"clowdhaus/terraform-aws-module-template","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-network-firewall","tags_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-network-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-network-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/terraform-aws-modules%2Fterraform-aws-network-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/terraform-aws-modules","download_url":"https://codeload.github.com/terraform-aws-modules/terraform-aws-network-firewall/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237964582,"owners_count":19394423,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aws-network-firewall","network-firewall","terraform","terraform-module","terraform-modules"],"created_at":"2024-09-24T13:15:50.824Z","updated_at":"2025-10-24T12:31:16.236Z","avatar_url":"https://github.com/terraform-aws-modules.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# AWS Network Firewall Terraform module\n\nTerraform module which creates AWS network firewall resources.\n\n[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)\n\n## Usage\n\nThis project supports creating resources through individual sub-modules for better support for RAM resource sharing, or through a single module that creates both the firewall and firewall policy 
resources.\nSee the respective sub-module directory for more details and example usage.\n\n```hcl\nmodule \"network_firewall\" {\n  source = \"terraform-aws-modules/network-firewall/aws\"\n\n  # Firewall\n  name        = \"example\"\n  description = \"Example network firewall\"\n\n  vpc_id = \"vpc-1234556abcdef\"\n  # One endpoint subnet per Availability Zone; map keys must be unique\n  subnet_mapping = {\n    subnet1 = {\n      subnet_id       = \"subnet-abcde012\"\n      ip_address_type = \"IPV4\"\n    }\n    subnet2 = {\n      subnet_id       = \"subnet-bcde012a\"\n      ip_address_type = \"IPV4\"\n    }\n    subnet3 = {\n      subnet_id       = \"subnet-fghi345a\"\n      ip_address_type = \"IPV4\"\n    }\n  }\n\n  # Logging configuration\n  create_logging_configuration = true\n  logging_configuration_destination_config = [\n    {\n      log_destination = {\n        logGroup = \"/aws/network-firewall/example\"\n      }\n      log_destination_type = \"CloudWatchLogs\"\n      log_type             = \"ALERT\"\n    },\n    {\n      log_destination = {\n        bucketName = \"s3-example-bucket-firewall-flow-logs\"\n        prefix     = \"example\"\n      }\n      log_destination_type = \"S3\"\n      log_type             = \"FLOW\"\n    }\n  ]\n\n  # Policy\n  policy_name        = \"example\"\n  policy_description = \"Example network firewall policy\"\n\n  policy_stateful_rule_group_reference = {\n    one = {\n      priority     = 0\n      resource_arn = \"arn:aws:network-firewall:us-east-1:1234567890:stateful-rulegroup/example\"\n    }\n  }\n\n  policy_stateless_default_actions          = [\"aws:pass\"]\n  policy_stateless_fragment_default_actions = [\"aws:drop\"]\n  policy_stateless_rule_group_reference = {\n    one = {\n      priority     = 0\n      resource_arn = \"arn:aws:network-firewall:us-east-1:1234567890:stateless-rulegroup/example\"\n    }\n  }\n\n  tags = {\n    Terraform   = \"true\"\n    Environment = \"dev\"\n  }\n}\n```\n\n\n## Examples\n\nExamples codified under the 
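[`examples`](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples) directory are listed after the following note.\n\nThe usage block above sets `policy_stateless_default_actions = [\"aws:pass\"]`, so any packet that matches no stateless rule is passed without ever reaching the stateful (Suricata) engine, and it leaves the protection and encryption inputs at their defaults. The configuration below is an added example, not code from this module or its `examples` directory, showing the single-module form with that bypass closed and the operational safeguards turned on; the module label `network_firewall_hardened` and every VPC, subnet, KMS key, log group, bucket and rule group identifier in it are placeholders.\n\n```hcl\nmodule \"network_firewall_hardened\" {\n  source = \"terraform-aws-modules/network-firewall/aws\"\n\n  # Firewall\n  name        = \"example-hardened\"\n  description = \"Network firewall with default-deny stateful inspection\"\n\n  vpc_id = \"vpc-1234556abcdef\"\n  subnet_mapping = {\n    # One endpoint subnet per Availability Zone (placeholder IDs)\n    subnet1 = { subnet_id = \"subnet-abcde012\", ip_address_type = \"IPV4\" }\n    subnet2 = { subnet_id = \"subnet-bcde012a\", ip_address_type = \"IPV4\" }\n  }\n\n  # Each protection must be set back to false before the matching change\n  # (delete, subnet change, policy swap) can be applied\n  delete_protection                 = true\n  subnet_change_protection          = true\n  firewall_policy_change_protection = true\n\n  # Customer-managed KMS key for the firewall and the policy (placeholder key ARN)\n  encryption_configuration = {\n    type   = \"CUSTOMER_KMS\"\n    key_id = \"arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555\"\n  }\n  policy_encryption_configuration = {\n    type   = \"CUSTOMER_KMS\"\n    key_id = \"arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555\"\n  }\n\n  # Collect TLS SNI and HTTP Host metrics so unexpected destinations are visible\n  enabled_analysis_types = [\"TLS_SNI\", \"HTTP_HOST\"]\n\n  # Alerts to CloudWatch for detection tooling, flow logs to S3 for forensics\n  create_logging_configuration = true\n  logging_configuration_destination_config = [\n    {\n      log_destination      = { logGroup = \"/aws/network-firewall/example-hardened\" }\n      log_destination_type = \"CloudWatchLogs\"\n      log_type             = \"ALERT\"\n    },\n    {\n      log_destination      = { bucketName = \"s3-example-bucket-firewall-flow-logs\", prefix = \"example-hardened\" }\n      log_destination_type = \"S3\"\n      log_type             = \"FLOW\"\n    }\n  ]\n\n  # Policy\n  policy_name        = \"example-hardened\"\n  policy_description = \"Default-deny policy: unmatched traffic is inspected, then dropped and alerted\"\n\n  # Packets that no stateless rule decides go to the stateful engine instead of\n  # being passed; fragments are dropped outright\n  policy_stateless_default_actions          = [\"aws:forward_to_sfe\"]\n  policy_stateless_fragment_default_actions = [\"aws:drop\"]\n\n  # STRICT_ORDER is required for a stateful default action. Drop and alert on\n  # every flow no stateful rule allowed, and drop flows the engine cannot track\n  policy_stateful_engine_options = {\n    rule_order              = \"STRICT_ORDER\"\n    stream_exception_policy = \"DROP\"\n  }\n  policy_stateful_default_actions = [\"aws:drop_strict\", \"aws:alert_strict\"]\n\n  # The referenced rule group must itself be created with STRICT_ORDER and\n  # hold explicit pass rules for the traffic that is meant to be allowed\n  policy_stateful_rule_group_reference = {\n    allow_list = {\n      priority     = 1\n      resource_arn = \"arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/example-allow-list\"\n    }\n  }\n\n  tags = {\n    Terraform   = \"true\"\n    Environment = \"prod\"\n  }\n}\n```\n\nWith this policy nothing passes the stateful engine unless a rule in the referenced group explicitly allows it, and every drop lands in the ALERT log group, so review that log group after deployment before treating the allow list as complete. Switching an existing policy from `aws:pass` to this arrangement changes what already-permitted flows experience, so apply it through a change window rather than in place on production traffic.\n\nExamples codified under the 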
[`examples`](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!\n\n- [Complete](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples/complete)\n- [Separate](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples/separate)\n\n\u003c!-- BEGIN_TF_DOCS --\u003e\n## Requirements\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"requirement_terraform\"\u003e\u003c/a\u003e [terraform](#requirement\\_terraform) | \u003e= 1.5.7 |\n\n## Providers\n\nNo providers.\n\n## Modules\n\n| Name | Source | Version |\n|------|--------|---------|\n| \u003ca name=\"module_firewall\"\u003e\u003c/a\u003e [firewall](#module\\_firewall) | ./modules/firewall | n/a |\n| \u003ca name=\"module_policy\"\u003e\u003c/a\u003e [policy](#module\\_policy) | ./modules/policy | n/a |\n\n## Resources\n\nNo resources.\n\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_availability_zone_change_protection\"\u003e\u003c/a\u003e [availability\\_zone\\_change\\_protection](#input\\_availability\\_zone\\_change\\_protection) | A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. 
When set to true, you must first disable this protection before adding or removing Availability Zones | `bool` | `null` | no |\n| \u003ca name=\"input_availability_zone_mapping\"\u003e\u003c/a\u003e [availability\\_zone\\_mapping](#input\\_availability\\_zone\\_mapping) | Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall | \u003cpre\u003elist(object({\u003cbr/\u003e    availability_zone_id = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_create\"\u003e\u003c/a\u003e [create](#input\\_create) | Controls if resources should be created | `bool` | `true` | no |\n| \u003ca name=\"input_create_logging_configuration\"\u003e\u003c/a\u003e [create\\_logging\\_configuration](#input\\_create\\_logging\\_configuration) | Controls if a Logging Configuration should be created | `bool` | `null` | no |\n| \u003ca name=\"input_create_policy\"\u003e\u003c/a\u003e [create\\_policy](#input\\_create\\_policy) | Controls if policy should be created | `bool` | `true` | no |\n| \u003ca name=\"input_create_policy_resource_policy\"\u003e\u003c/a\u003e [create\\_policy\\_resource\\_policy](#input\\_create\\_policy\\_resource\\_policy) | Controls if a resource policy should be created | `bool` | `null` | no |\n| \u003ca name=\"input_delete_protection\"\u003e\u003c/a\u003e [delete\\_protection](#input\\_delete\\_protection) | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true` | `bool` | `true` | no |\n| \u003ca name=\"input_description\"\u003e\u003c/a\u003e [description](#input\\_description) | A friendly description of the firewall | `string` | `\"\"` | no |\n| \u003ca name=\"input_enabled_analysis_types\"\u003e\u003c/a\u003e [enabled\\_analysis\\_types](#input\\_enabled\\_analysis\\_types) | Set of types for which to collect analysis metrics. 
Valid values: `TLS_SNI`, `HTTP_HOST`. Defaults to `[]` | `list(string)` | `null` | no |\n| \u003ca name=\"input_encryption_configuration\"\u003e\u003c/a\u003e [encryption\\_configuration](#input\\_encryption\\_configuration) | KMS encryption configuration settings | \u003cpre\u003eobject({\u003cbr/\u003e    key_id = optional(string)\u003cbr/\u003e    type   = string\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_firewall_policy_arn\"\u003e\u003c/a\u003e [firewall\\_policy\\_arn](#input\\_firewall\\_policy\\_arn) | The ARN of the Firewall Policy to use | `string` | `\"\"` | no |\n| \u003ca name=\"input_firewall_policy_change_protection\"\u003e\u003c/a\u003e [firewall\\_policy\\_change\\_protection](#input\\_firewall\\_policy\\_change\\_protection) | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false` | `bool` | `null` | no |\n| \u003ca name=\"input_logging_configuration_destination_config\"\u003e\u003c/a\u003e [logging\\_configuration\\_destination\\_config](#input\\_logging\\_configuration\\_destination\\_config) | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | \u003cpre\u003elist(object({\u003cbr/\u003e    log_destination      = map(string)\u003cbr/\u003e    log_destination_type = string\u003cbr/\u003e    log_type             = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_name\"\u003e\u003c/a\u003e [name](#input\\_name) | A friendly name of the firewall | `string` | `\"\"` | no |\n| \u003ca name=\"input_policy_attach_resource_policy\"\u003e\u003c/a\u003e [policy\\_attach\\_resource\\_policy](#input\\_policy\\_attach\\_resource\\_policy) | Controls if a resource policy should be attached to the firewall policy | `bool` | `null` | no |\n| \u003ca name=\"input_policy_description\"\u003e\u003c/a\u003e [policy\\_description](#input\\_policy\\_description) | A friendly description of the 
firewall policy | `string` | `null` | no |\n| \u003ca name=\"input_policy_encryption_configuration\"\u003e\u003c/a\u003e [policy\\_encryption\\_configuration](#input\\_policy\\_encryption\\_configuration) | KMS encryption configuration settings | \u003cpre\u003eobject({\u003cbr/\u003e    key_id = optional(string)\u003cbr/\u003e    type   = string\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_policy_name\"\u003e\u003c/a\u003e [policy\\_name](#input\\_policy\\_name) | A friendly name of the firewall policy | `string` | `\"\"` | no |\n| \u003ca name=\"input_policy_ram_resource_associations\"\u003e\u003c/a\u003e [policy\\_ram\\_resource\\_associations](#input\\_policy\\_ram\\_resource\\_associations) | A map of RAM resource associations for the created firewall policy | `map(string)` | `null` | no |\n| \u003ca name=\"input_policy_resource_policy\"\u003e\u003c/a\u003e [policy\\_resource\\_policy](#input\\_policy\\_resource\\_policy) | The policy JSON to use for the resource policy; required when `policy_attach_resource_policy` is `true` and `create_policy_resource_policy` is `false` | `string` | `\"\"` | no |\n| \u003ca name=\"input_policy_resource_policy_actions\"\u003e\u003c/a\u003e [policy\\_resource\\_policy\\_actions](#input\\_policy\\_resource\\_policy\\_actions) | A list of IAM actions allowed in the resource policy | `list(string)` | `null` | no |\n| \u003ca name=\"input_policy_resource_policy_principals\"\u003e\u003c/a\u003e [policy\\_resource\\_policy\\_principals](#input\\_policy\\_resource\\_policy\\_principals) | A list of IAM principals allowed in the resource policy | `list(string)` | `null` | no |\n| \u003ca name=\"input_policy_stateful_default_actions\"\u003e\u003c/a\u003e [policy\\_stateful\\_default\\_actions](#input\\_policy\\_stateful\\_default\\_actions) | Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `stateful_engine_options` block with a rule\\_order value of `STRICT_ORDER`. 
You can specify at most one of `aws:drop_strict` or `aws:drop_established`, together with any combination of `aws:alert_strict` and `aws:alert_established` | `list(string)` | `null` | no |\n| \u003ca name=\"input_policy_stateful_engine_options\"\u003e\u003c/a\u003e [policy\\_stateful\\_engine\\_options](#input\\_policy\\_stateful\\_engine\\_options) | A configuration block that defines options on how the policy handles stateful rules. See [Stateful Engine Options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-engine-options) for details | \u003cpre\u003eobject({\u003cbr/\u003e    flow_timeouts = optional(object({\u003cbr/\u003e      tcp_idle_timeout_seconds = optional(number)\u003cbr/\u003e    }))\u003cbr/\u003e    rule_order              = optional(string)\u003cbr/\u003e    stream_exception_policy = optional(string)\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_policy_stateful_rule_group_reference\"\u003e\u003c/a\u003e [policy\\_stateful\\_rule\\_group\\_reference](#input\\_policy\\_stateful\\_rule\\_group\\_reference) | Set of configuration blocks containing references to the stateful rule groups that are used in the policy. 
See [Stateful Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-rule-group-reference) for details | \u003cpre\u003emap(object({\u003cbr/\u003e    deep_threat_inspection = optional(bool)\u003cbr/\u003e    override = optional(object({\u003cbr/\u003e      action = optional(string)\u003cbr/\u003e    }))\u003cbr/\u003e    priority     = optional(number)\u003cbr/\u003e    resource_arn = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_policy_stateless_custom_action\"\u003e\u003c/a\u003e [policy\\_stateless\\_custom\\_action](#input\\_policy\\_stateless\\_custom\\_action) | Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions` | \u003cpre\u003emap(object({\u003cbr/\u003e    action_definition = object({\u003cbr/\u003e      publish_metric_action = optional(object({\u003cbr/\u003e        dimension = optional(string)\u003cbr/\u003e      }))\u003cbr/\u003e    })\u003cbr/\u003e    action_name = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_policy_stateless_default_actions\"\u003e\u003c/a\u003e [policy\\_stateless\\_default\\_actions](#input\\_policy\\_stateless\\_default\\_actions) | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `null` | no |\n| \u003ca name=\"input_policy_stateless_fragment_default_actions\"\u003e\u003c/a\u003e [policy\\_stateless\\_fragment\\_default\\_actions](#input\\_policy\\_stateless\\_fragment\\_default\\_actions) | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. 
You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `null` | no |\n| \u003ca name=\"input_policy_stateless_rule_group_reference\"\u003e\u003c/a\u003e [policy\\_stateless\\_rule\\_group\\_reference](#input\\_policy\\_stateless\\_rule\\_group\\_reference) | Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See [Stateless Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateless-rule-group-reference) for details | \u003cpre\u003emap(object({\u003cbr/\u003e    priority     = number\u003cbr/\u003e    resource_arn = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_policy_tags\"\u003e\u003c/a\u003e [policy\\_tags](#input\\_policy\\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |\n| \u003ca name=\"input_policy_variables\"\u003e\u003c/a\u003e [policy\\_variables](#input\\_policy\\_variables) | Contains variables that you can use to override default Suricata settings in your firewall policy | \u003cpre\u003eobject({\u003cbr/\u003e    rule_variables = list(object({\u003cbr/\u003e      ip_set = optional(object({\u003cbr/\u003e        definition = list(string)\u003cbr/\u003e      }))\u003cbr/\u003e      key = string\u003cbr/\u003e    }))\u003cbr/\u003e  })\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_region\"\u003e\u003c/a\u003e [region](#input\\_region) | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |\n| \u003ca name=\"input_subnet_change_protection\"\u003e\u003c/a\u003e [subnet\\_change\\_protection](#input\\_subnet\\_change\\_protection) | A boolean flag indicating whether it is possible to change the associated subnet(s). 
Defaults to `true` | `bool` | `true` | no |\n| \u003ca name=\"input_subnet_mapping\"\u003e\u003c/a\u003e [subnet\\_mapping](#input\\_subnet\\_mapping) | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | \u003cpre\u003emap(object({\u003cbr/\u003e    ip_address_type = optional(string)\u003cbr/\u003e    subnet_id       = string\u003cbr/\u003e  }))\u003c/pre\u003e | `null` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |\n| \u003ca name=\"input_transit_gateway_id\"\u003e\u003c/a\u003e [transit\\_gateway\\_id](#input\\_transit\\_gateway\\_id) | The ID of the transit gateway to which the firewall is attached. Required when creating a transit gateway-attached firewall | `string` | `null` | no |\n| \u003ca name=\"input_vpc_id\"\u003e\u003c/a\u003e [vpc\\_id](#input\\_vpc\\_id) | The unique identifier of the VPC where AWS Network Firewall should create the firewall | `string` | `null` | no |\n\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_arn\"\u003e\u003c/a\u003e [arn](#output\\_arn) | The Amazon Resource Name (ARN) that identifies the firewall |\n| \u003ca name=\"output_id\"\u003e\u003c/a\u003e [id](#output\\_id) | The Amazon Resource Name (ARN) that identifies the firewall |\n| \u003ca name=\"output_logging_configuration_id\"\u003e\u003c/a\u003e [logging\\_configuration\\_id](#output\\_logging\\_configuration\\_id) | The Amazon Resource Name (ARN) of the associated firewall |\n| \u003ca name=\"output_policy_arn\"\u003e\u003c/a\u003e [policy\\_arn](#output\\_policy\\_arn) | The Amazon Resource Name (ARN) that identifies the firewall policy |\n| \u003ca name=\"output_policy_id\"\u003e\u003c/a\u003e [policy\\_id](#output\\_policy\\_id) | The Amazon Resource Name (ARN) that identifies the 
firewall policy |\n| \u003ca name=\"output_policy_resource_policy_id\"\u003e\u003c/a\u003e [policy\\_resource\\_policy\\_id](#output\\_policy\\_resource\\_policy\\_id) | The Amazon Resource Name (ARN) of the firewall policy associated with the resource policy |\n| \u003ca name=\"output_policy_update_token\"\u003e\u003c/a\u003e [policy\\_update\\_token](#output\\_policy\\_update\\_token) | A string token used when updating a firewall policy |\n| \u003ca name=\"output_status\"\u003e\u003c/a\u003e [status](#output\\_status) | Nested list of information about the current status of the firewall |\n| \u003ca name=\"output_update_token\"\u003e\u003c/a\u003e [update\\_token](#output\\_update\\_token) | A string token used when updating a firewall |\n\u003c!-- END_TF_DOCS --\u003e\n\n## License\n\nApache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/blob/master/LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-network-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-network-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fterraform-aws-modules%2Fterraform-aws-network-firewall/lists"}