Skip to content

Latest commit

 

History

History
131 lines (111 loc) · 6.36 KB

README.md

File metadata and controls

131 lines (111 loc) · 6.36 KB
Raw

AWS Network Firewall Module

AWS Network Firewall Module which creates

  • Stateful Firewall rule group with 5-tuple option
  • Stateful Firewall rule group domain option
  • Stateful firewall rule group with Suricta Compatible IPS rules option
  • Statelless Firewall rule group
  • Firewall Policy with attached above rule group
  • Firewall Network

Usage

module "network_firewall" {
    source  = "mattyait/network-firewall/aws"
    version = "0.1.0"
    firewall_name = "example"
    vpc_id        = "vpc-27517c40"

    #Passing Individual Subnet ID to have required endpoint
    subnet_mapping = [
        { subnet_id : subnet-da6b7ebd },
        { subnet_id : subnet-a256d2fa }
    ]

    fivetuple_stateful_rule_group = [
        {
        capacity    = 100
        name        = "stateful"
        description = "Stateful rule example1 with 5 tuple option"
        rule_config = [{
            protocol              = "TCP"
            source_ipaddress      = "1.2.3.4/32"
            source_port           = 443
            destination_ipaddress = "124.1.1.5/32"
            destination_port      = 443
            direction             = "any"
            actions = {
            type = "pass"
            }
        }]
        },
    ]

    # Stateless Rule Group
    stateless_rule_group = [
        {
        capacity    = 100
        name        = "stateless"
        description = "Stateless rule example1"
        rule_config = [{
            priority              = 1
            protocols_number      = [6]
            source_ipaddress      = "1.2.3.4/32"
            source_from_port      = 443
            source_to_port        = 443
            destination_ipaddress = "124.1.1.5/32"
            destination_from_port = 443
            destination_to_port   = 443
            tcp_flag = {
            flags = ["SYN"]
            masks = ["SYN", "ACK"]
            }
            actions = {
            type = "pass"
            }
        }]
        }]

    tags = {
        Name        = "example"
        Environment = "Test"
        Created_By  = "Terraform"
    }
}

Requirements

Name Version
aws ~> 4.31.0

Providers

Name Version
aws ~> 4.31.0

Modules

No modules.

Resources

Name Type
aws_networkfirewall_firewall.this resource
aws_networkfirewall_firewall_policy.this resource
aws_networkfirewall_rule_group.domain_stateful_group resource
aws_networkfirewall_rule_group.fivetuple_stateful_group resource
aws_networkfirewall_rule_group.stateless_group resource
aws_networkfirewall_rule_group.suricata_stateful_group resource

Inputs

Name Description Type Default Required
description n/a string "" no
domain_stateful_rule_group Config for domain type stateful rule group list(any) [] no
firewall_policy_change_protection (optional) we set false because we apply gitops for this string false no
fivetuple_stateful_rule_group Config for 5-tuple type stateful rule group list(any) [] no
nfw_name firewall name string "example" no
prefix The descriptio for each environment, ie: bin-dev string n/a yes
stateless_default_actions Default stateless Action string "forward_to_sfe" no
stateless_fragment_default_actions Default Stateless action for fragmented packets string "forward_to_sfe" no
stateless_rule_group Config for stateless rule group list(any) n/a yes
subnet_change_protection (optional) we set false because we apply gitops for this string false no
subnet_mapping Subnet ids mapping to have individual firewall endpoint any n/a yes
suricata_stateful_rule_group Config for Suricata type stateful rule group list(any) [] no
tags The tags for the resources map(any) {} no
vpc_id VPC ID string n/a yes

Outputs

Name Description
arn Created Network Firewall ARN from network_firewall module
endpoint_id Created Network Firewall endpoint id
id Created Network Firewall ID from network_firewall module