https://github.com/mattyait/terraform-aws-network-firewall
Terraform module for AWS Network Firewall
Terraform module for AWS Network Firewall
- Host: GitHub
- URL: https://github.com/mattyait/terraform-aws-network-firewall
- Owner: mattyait
- License: other
- Created: 2021-01-22T03:11:42.000Z (almost 4 years ago)
- Default Branch: master
- Last Pushed: 2024-02-01T23:40:23.000Z (11 months ago)
- Last Synced: 2024-11-02T04:51:40.974Z (2 months ago)
- Topics: aws, aws-firewall, aws-network-firewall, firewall, network, network-firewall, networkfirewall, terraform, terraform-module
- Language: HCL
- Homepage: https://registry.terraform.io/modules/mattyait/network-firewall/aws/latest
- Size: 40 KB
- Stars: 21
- Watchers: 6
- Forks: 21
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
README
# AWS Network Firewall Module
AWS Network Firewall module which creates:
- Stateful firewall rule group with the 5-tuple option
- Stateful firewall rule group with the domain list option
- Stateful firewall rule group with the Suricata-compatible IPS rules option
- Stateless firewall rule group
- Firewall policy with the above rule groups attached
- Network Firewall

## Usage
```hcl
module "network_firewall" {
  source  = "mattyait/network-firewall/aws"
  version = "0.1.2"

  firewall_name = "example"
  vpc_id        = "vpc-27517c40"
  prefix        = "test"

  # Passing individual subnet IDs to have the required endpoint in each subnet
  subnet_mapping = [
    "subnet-da6b7ebd",
    "subnet-a256d2fa"
  ]

  # Stateful rule group using the 5-tuple option
  fivetuple_stateful_rule_group = [
    {
      capacity    = 100
      name        = "stateful"
      description = "Stateful rule example1 with 5 tuple option"
      rule_config = [{
        description           = "Pass All Rule"
        protocol              = "TCP"
        source_ipaddress      = "1.2.3.4/32"
        source_port           = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_port      = 443
        direction             = "any"
        sid                   = 1
        actions = {
          type = "pass"
        }
      }]
    },
  ]

  # Stateless rule group
  stateless_rule_group = [
    {
      capacity    = 100
      name        = "stateless"
      description = "Stateless rule example1"
      rule_config = [{
        priority              = 1
        protocols_number      = [6]
        source_ipaddress      = "1.2.3.4/32"
        source_from_port      = 443
        source_to_port        = 443
        destination_ipaddress = "124.1.1.5/32"
        destination_from_port = 443
        destination_to_port   = 443
        tcp_flag = {
          flags = ["SYN"]
          masks = ["SYN", "ACK"]
        }
        actions = {
          type = "pass"
        }
      }]
    }
  ]

  tags = {
    Name        = "example"
    Environment = "Test"
    Created_By  = "Terraform"
  }
}
```

## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >=1.0.3 |
| [aws](#requirement\_aws) | >= 4.50 |

## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | >= 4.50 |

## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_cloudwatch_log_group.nfw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
| [aws_networkfirewall_firewall.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |
| [aws_networkfirewall_firewall_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
| [aws_networkfirewall_logging_configuration.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration) | resource |
| [aws_networkfirewall_rule_group.domain_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.fivetuple_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.stateless_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
| [aws_networkfirewall_rule_group.suricata_stateful_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |

## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [aws\_managed\_rule\_group](#input\_aws\_managed\_rule\_group) | List of AWS managed rule group ARNs | `list(any)` | `[]` | no |
| [description](#input\_description) | Description for the resources | `string` | `""` | no |
| [domain\_stateful\_rule\_group](#input\_domain\_stateful\_rule\_group) | Config for domain type stateful rule group | `any` | `[]` | no |
| [firewall\_name](#input\_firewall\_name) | Firewall name | `string` | `"example"` | no |
| [firewall\_policy\_change\_protection](#input\_firewall\_policy\_change\_protection) | (Optional) A boolean flag indicating whether it is possible to change the associated firewall policy | `string` | `false` | no |
| [fivetuple\_stateful\_rule\_group](#input\_fivetuple\_stateful\_rule\_group) | Config for 5-tuple type stateful rule group | `any` | `[]` | no |
| [logging\_config](#input\_logging\_config) | Logging config for the CloudWatch Logs group created for the network firewall | `map(any)` | `{}` | no |
| [prefix](#input\_prefix) | The description prefix for each environment, e.g. bin-dev | `string` | n/a | yes |
| [stateless\_default\_actions](#input\_stateless\_default\_actions) | Default stateless action | `string` | `"forward_to_sfe"` | no |
| [stateless\_fragment\_default\_actions](#input\_stateless\_fragment\_default\_actions) | Default stateless action for fragmented packets | `string` | `"forward_to_sfe"` | no |
| [stateless\_rule\_group](#input\_stateless\_rule\_group) | Config for stateless rule group | `any` | n/a | yes |
| [subnet\_change\_protection](#input\_subnet\_change\_protection) | (Optional) A boolean flag indicating whether it is possible to change the associated subnet(s) | `string` | `false` | no |
| [subnet\_mapping](#input\_subnet\_mapping) | Subnet IDs mapping to have an individual firewall endpoint per subnet | `list(string)` | n/a | yes |
| [suricata\_stateful\_rule\_group](#input\_suricata\_stateful\_rule\_group) | Config for Suricata type stateful rule group | `any` | `[]` | no |
| [tags](#input\_tags) | The tags for the resources | `map(any)` | `{}` | no |
| [vpc\_id](#input\_vpc\_id) | VPC ID | `string` | n/a | yes |

## Outputs
| Name | Description |
|------|-------------|
| [arn](#output\_arn) | Created Network Firewall ARN from network\_firewall module |
| [endpoint\_id](#output\_endpoint\_id) | Created Network Firewall endpoint id |
| [endpoint\_id\_az](#output\_endpoint\_id\_az) | Map value with Availability Zone and Firewall endpoint id |
| [id](#output\_id) | Created Network Firewall ID from network\_firewall module |
| [subnet\_id](#output\_subnet\_id) | Created Network Firewall subnet id |
| [sync\_states](#output\_sync\_states) | Sync states of the created Network Firewall |