https://github.com/terraform-aws-modules/terraform-aws-network-firewall

Terraform module to create AWS Network Firewall resources 🇺🇦

# AWS Network Firewall Terraform module

Terraform module which creates AWS network firewall resources.

[![SWUbanner](https://raw.githubusercontent.com/vshymanskyy/StandWithUkraine/main/banner2-direct.svg)](https://github.com/vshymanskyy/StandWithUkraine/blob/main/docs/README.md)

## Usage

Resources can be created either through the individual sub-modules (`firewall` and `policy`, which suits sharing the policy across accounts with AWS RAM) or through this root module, which creates both the firewall and the firewall policy.
See the respective sub-module directory for more details and example usage.

```hcl
module "network_firewall" {
  source = "terraform-aws-modules/network-firewall/aws"

  # Firewall
  name        = "example"
  description = "Example network firewall"

  vpc_id = "vpc-1234556abcdef"
  # Map keys must be unique; one subnet per Availability Zone
  subnet_mapping = {
    subnet1 = {
      subnet_id       = "subnet-abcde012"
      ip_address_type = "IPV4"
    }
    subnet2 = {
      subnet_id       = "subnet-bcde012a"
      ip_address_type = "IPV4"
    }
    subnet3 = {
      subnet_id       = "subnet-fghi345a"
      ip_address_type = "IPV4"
    }
  }

  # Logging configuration
  create_logging_configuration = true
  logging_configuration_destination_config = [
    {
      log_destination = {
        logGroup = "/aws/network-firewall/example"
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    },
    {
      log_destination = {
        bucketName = "s3-example-bucket-firewall-flow-logs"
        prefix     = "example"
      }
      log_destination_type = "S3"
      log_type             = "FLOW"
    }
  ]

  # Policy
  policy_name        = "example"
  policy_description = "Example network firewall policy"

  policy_stateful_rule_group_reference = {
    one = {
      priority     = 0
      resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateful-rulegroup/example"
    }
  }

  policy_stateless_default_actions          = ["aws:pass"]
  policy_stateless_fragment_default_actions = ["aws:drop"]
  policy_stateless_rule_group_reference = {
    one = {
      priority     = 0
      resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateless-rulegroup/example"
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

## Examples

Examples codified under the [`examples`](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples) are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

- [Complete](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples/complete)
- [Separate](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/tree/master/examples/separate)

## Requirements

| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.0 |

## Providers

No providers.

## Modules

| Name | Source | Version |
|------|--------|---------|
| [firewall](#module\_firewall) | ./modules/firewall | n/a |
| [policy](#module\_policy) | ./modules/policy | n/a |

## Resources

No resources.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [create](#input\_create) | Controls if resources should be created | `bool` | `true` | no |
| [create\_logging\_configuration](#input\_create\_logging\_configuration) | Controls if a Logging Configuration should be created | `bool` | `false` | no |
| [create\_policy](#input\_create\_policy) | Controls if policy should be created | `bool` | `true` | no |
| [create\_policy\_resource\_policy](#input\_create\_policy\_resource\_policy) | Controls if a resource policy should be created | `bool` | `false` | no |
| [delete\_protection](#input\_delete\_protection) | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true` | `bool` | `true` | no |
| [description](#input\_description) | A friendly description of the firewall | `string` | `""` | no |
| [encryption\_configuration](#input\_encryption\_configuration) | KMS encryption configuration settings | `any` | `{}` | no |
| [firewall\_policy\_arn](#input\_firewall\_policy\_arn) | The ARN of the Firewall Policy to use | `string` | `""` | no |
| [firewall\_policy\_change\_protection](#input\_firewall\_policy\_change\_protection) | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false` | `bool` | `null` | no |
| [logging\_configuration\_destination\_config](#input\_logging\_configuration\_destination\_config) | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | `any` | `[]` | no |
| [name](#input\_name) | A friendly name of the firewall | `string` | `""` | no |
| [policy\_attach\_resource\_policy](#input\_policy\_attach\_resource\_policy) | Controls if a resource policy should be attached to the firewall policy | `bool` | `false` | no |
| [policy\_description](#input\_policy\_description) | A friendly description of the firewall policy | `string` | `null` | no |
| [policy\_encryption\_configuration](#input\_policy\_encryption\_configuration) | KMS encryption configuration settings | `any` | `{}` | no |
| [policy\_name](#input\_policy\_name) | A friendly name of the firewall policy | `string` | `""` | no |
| [policy\_ram\_resource\_associations](#input\_policy\_ram\_resource\_associations) | A map of RAM resource associations for the created firewall policy | `map(string)` | `{}` | no |
| [policy\_resource\_policy](#input\_policy\_resource\_policy) | The policy JSON to use for the resource policy; required when `create_resource_policy` is `false` | `string` | `""` | no |
| [policy\_resource\_policy\_actions](#input\_policy\_resource\_policy\_actions) | A list of IAM actions allowed in the resource policy | `list(string)` | `[]` | no |
| [policy\_resource\_policy\_principals](#input\_policy\_resource\_policy\_principals) | A list of IAM principals allowed in the resource policy | `list(string)` | `[]` | no |
| [policy\_stateful\_default\_actions](#input\_policy\_stateful\_default\_actions) | Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `stateful_engine_options` block with a rule\_order value of `STRICT_ORDER`. You can specify one of either or neither values of `aws:drop_strict` or `aws:drop_established`, as well as any combination of `aws:alert_strict` and `aws:alert_established` | `list(string)` | `[]` | no |
| [policy\_stateful\_engine\_options](#input\_policy\_stateful\_engine\_options) | A configuration block that defines options on how the policy handles stateful rules. See [Stateful Engine Options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-engine-options) for details | `any` | `{}` | no |
| [policy\_stateful\_rule\_group\_reference](#input\_policy\_stateful\_rule\_group\_reference) | Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See [Stateful Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-rule-group-reference) for details | `any` | `{}` | no |
| [policy\_stateless\_custom\_action](#input\_policy\_stateless\_custom\_action) | Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions` | `any` | `{}` | no |
| [policy\_stateless\_default\_actions](#input\_policy\_stateless\_default\_actions) | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `["aws:pass"]` | no |
| [policy\_stateless\_fragment\_default\_actions](#input\_policy\_stateless\_fragment\_default\_actions) | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `["aws:pass"]` | no |
| [policy\_stateless\_rule\_group\_reference](#input\_policy\_stateless\_rule\_group\_reference) | Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See [Stateless Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateless-rule-group-reference) for details | `any` | `{}` | no |
| [policy\_tags](#input\_policy\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| [subnet\_change\_protection](#input\_subnet\_change\_protection) | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `true` | `bool` | `true` | no |
| [subnet\_mapping](#input\_subnet\_mapping) | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | `any` | `{}` | no |
| [tags](#input\_tags) | A map of tags to add to all resources | `map(string)` | `{}` | no |
| [vpc\_id](#input\_vpc\_id) | The unique identifier of the VPC where AWS Network Firewall should create the firewall | `string` | `""` | no |
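The default-action and engine-option inputs above can be combined into a more restrictive root-module call than the one in Usage, where unmatched packets are inspected rather than passed and unmatched stateful traffic is dropped and alerted on. This is an added example, not code from the module's README; it assumes the root-module inputs listed above, that `policy_stateful_engine_options` accepts an object mirroring the provider's `stateful_engine_options` block, and the rule group ARN is a placeholder.

```hcl
# Added example (not from the module's README); assumes the root-module inputs
# listed above and that policy_stateful_engine_options takes { rule_order = ... }.
module "network_firewall" {
  source = "terraform-aws-modules/network-firewall/aws"

  name   = "example"
  vpc_id = "vpc-1234556abcdef"
  subnet_mapping = {
    subnet1 = { subnet_id = "subnet-abcde012", ip_address_type = "IPV4" }
    subnet2 = { subnet_id = "subnet-bcde012a", ip_address_type = "IPV4" }
  }

  # Keep all three protections on so a routine apply cannot delete the
  # firewall, detach its subnets or swap in a weaker policy unnoticed.
  delete_protection                 = true
  subnet_change_protection          = true
  firewall_policy_change_protection = true

  # Stateless layer: "aws:pass" lets any packet that matches no stateless rule
  # skip the stateful engine entirely; forward unmatched packets and fragments
  # to the stateful engine instead so every flow is inspected.
  policy_stateless_default_actions          = ["aws:forward_to_sfe"]
  policy_stateless_fragment_default_actions = ["aws:forward_to_sfe"]

  # Stateful layer: default actions are only accepted with STRICT_ORDER. Drop
  # whatever no stateful rule allows and raise an alert so the drop is logged.
  # Rule groups referenced here must themselves be STRICT_ORDER groups.
  policy_stateful_engine_options  = { rule_order = "STRICT_ORDER" }
  policy_stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
  policy_stateful_rule_group_reference = {
    allow_list = {
      priority     = 1
      resource_arn = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/PLACEHOLDER" # placeholder ARN
    }
  }

  # The alerts above are invisible without a destination: ALERT to CloudWatch
  # for detection, FLOW to S3 for retention (at most two blocks, one per log type).
  create_logging_configuration = true
  logging_configuration_destination_config = [
    { log_destination = { logGroup = "/aws/network-firewall/example" }, log_destination_type = "CloudWatchLogs", log_type = "ALERT" },
    { log_destination = { bucketName = "s3-example-bucket-firewall-flow-logs", prefix = "example" }, log_destination_type = "S3", log_type = "FLOW" }
  ]
}
```

With `aws:forward_to_sfe` as the stateless default, the stateful rule groups and the `aws:drop_strict` default decide what leaves the VPC, so the referenced allow-list group must cover every flow the workload legitimately needs.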

## Outputs

| Name | Description |
|------|-------------|
| [arn](#output\_arn) | The Amazon Resource Name (ARN) that identifies the firewall |
| [id](#output\_id) | The Amazon Resource Name (ARN) that identifies the firewall |
| [logging\_configuration\_id](#output\_logging\_configuration\_id) | The Amazon Resource Name (ARN) of the associated firewall |
| [policy\_arn](#output\_policy\_arn) | The Amazon Resource Name (ARN) that identifies the firewall policy |
| [policy\_id](#output\_policy\_id) | The Amazon Resource Name (ARN) that identifies the firewall policy |
| [policy\_resource\_policy\_id](#output\_policy\_resource\_policy\_id) | The Amazon Resource Name (ARN) of the firewall policy associated with the resource policy |
| [policy\_update\_token](#output\_policy\_update\_token) | A string token used when updating a firewall policy |
| [status](#output\_status) | Nested list of information about the current status of the firewall |
| [update\_token](#output\_update\_token) | A string token used when updating a firewall |

## License

Apache-2.0 Licensed. See [LICENSE](https://github.com/terraform-aws-modules/terraform-aws-network-firewall/blob/master/LICENSE).