Merge pull request #288 from binbashar/feature/aws-network-firewall

Feature/aws network firewall

apps-devstg/base-network/locals.tf

@@ -60,6 +60,14 @@ locals {
     # Allow / Deny VPC private subnets inbound default traffic
     #
     default_inbound = [
+      {
+        rule_number = 800 # own private subnet cidr
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 65535
+        protocol    = "all"
+        cidr_block  = local.private_subnets_cidr[0]
+      },
       {
         rule_number = 900 # NTP traffic
         rule_action = "allow"

apps-prd/base-network/locals.tf

@@ -74,6 +74,14 @@ locals {
     # Allow / Deny VPC private subnets inbound default traffic
     #
     default_inbound = [
+      {
+        rule_number = 800 # own private subnet cidr
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 65535
+        protocol    = "all"
+        cidr_block  = local.private_subnets_cidr[0]
+      },
       {
         rule_number = 900 # shared pritunl vpn server
         rule_action = "allow"
@@ -135,6 +143,12 @@ locals {
       bucket  = "${var.project}-network-terraform-backend"
       key     = "network/network/terraform.tfstate"
     }
+    network-firewall = {
+      region  = var.region
+      profile = "${var.project}-network-devops"
+      bucket  = "${var.project}-network-terraform-backend"
+      key     = "network/network-firewall/terraform.tfstate"
+    }
   }
 
   datasources-vpcs = merge(

apps-prd/base-network/network_vpc_peering_requester_apps_prd_to_shared.tf

@@ -9,7 +9,7 @@
 # VPC Apps Prd w/ Shared
 #
 resource "aws_vpc_peering_connection" "apps_prd_vpc_with_shared_vpc" {
-  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_tgw ? 1 : 0
+  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_vpc_attach["apps-prd"] ? 1 : 0
 
   peer_owner_id = var.shared_account_id
   peer_vpc_id   = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.vpc_id
@@ -28,15 +28,15 @@ resource "aws_vpc_peering_connection" "apps_prd_vpc_with_shared_vpc" {
 # read more: https://github.com/binbashar/le-tf-infra-aws/issues/49
 #
 resource "aws_route" "priv_route_table_1_apps_prd_vpc_to_shared_vpc" {
-  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_tgw ? 1 : 0
+  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_vpc_attach["apps-prd"] ? 1 : 0
 
   route_table_id            = element(module.vpc.private_route_table_ids, 0)
   destination_cidr_block    = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.vpc_cidr_block
   vpc_peering_connection_id = aws_vpc_peering_connection.apps_prd_vpc_with_shared_vpc[0].id
 }
 
 resource "aws_route" "pub_route_table_1_apps_prd_vpc_to_shared_vpc" {
-  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_tgw ? 1 : 0
+  count = var.vpc_shared_created && !data.terraform_remote_state.network-vpcs["network-base"].outputs.enable_vpc_attach["apps-prd"] ? 1 : 0
 
   route_table_id            = element(module.vpc.public_route_table_ids, 0)
   destination_cidr_block    = data.terraform_remote_state.shared-vpcs["shared-base"].outputs.vpc_cidr_block

apps-prd/k8s-eks/network/locals.tf

@@ -68,6 +68,14 @@ locals {
     # Allow / Deny VPC private subnets inbound default traffic
     #
     default_inbound = [
+      {
+        rule_number = 800 # own private subnet cidr
+        rule_action = "allow"
+        from_port   = 0
+        to_port     = 65535
+        protocol    = "all"
+        cidr_block  = local.private_subnets_cidr[0]
+      },
       {
         rule_number = 900 # shared pritunl vpn server
         rule_action = "allow"
@@ -137,6 +145,12 @@ locals {
       bucket  = "${var.project}-network-terraform-backend"
       key     = "network/network/terraform.tfstate"
     }
+    network-firewall = {
+      region  = var.region
+      profile = "${var.project}-network-devops"
+      bucket  = "${var.project}-network-terraform-backend"
+      key     = "network/network-firewall/terraform.tfstate"
+    }
   }
 
   datasources-vpcs = merge(

network/base-identities/policies.tf

@@ -45,12 +45,14 @@ resource "aws_iam_policy" "devops_access" {
                 "elasticloadbalancing:*",
                 "es:*",
                 "events:*",
+                "fms:*",
                 "guardduty:*",
                 "health:*",
                 "iam:*",
                 "kms:*",
                 "lambda:*",
                 "logs:*",
+                "network-firewall:*",
                 "ram:*",
                 "rds:*",
                 "redshift:*",

network/base-network/config.tf

@@ -68,9 +68,22 @@ data "terraform_remote_state" "tools-vpn-server" {
   }
 }
 
+data "terraform_remote_state" "network-firewall" {
+
+  backend = "s3"
+
+  config = {
+    region  = var.region
+    profile = "${var.project}-network-devops"
+    bucket  = "${var.project}-network-terraform-backend"
+    key     = "network/network-firewall/terraform.tfstate"
+
+  }
+}
+
 # VPC remote states for network
 data "terraform_remote_state" "network-vpcs" {
-  for_each = local.network-vpcs
+  for_each = var.enable_network_firewall ? local.network-vpcs : {}
 
   backend = "s3"
 

network/base-network/locals.tf

@@ -113,11 +113,11 @@ locals {
 
   # network
   network-vpcs = {
-    network-base = {
+    network-firewall = {
       region  = var.region
       profile = "${var.project}-network-devops"
       bucket  = "${var.project}-network-terraform-backend"
-      key     = "network/network/terraform.tfstate"
+      key     = "network/network-firewall/terraform.tfstate"
     }
   }
 
@@ -160,9 +160,10 @@ locals {
   }
 
   datasources-vpcs = merge(
-    data.terraform_remote_state.network-vpcs,     # network
-    data.terraform_remote_state.shared-vpcs,      # shared
-    data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs
-    data.terraform_remote_state.apps-prd-vpcs,    # apps-prd-vpcs
+    data.terraform_remote_state.network-vpcs, # network
+    #data.terraform_remote_state.shared-vpcs,      # shared
+    #data.terraform_remote_state.apps-devstg-vpcs, # apps-devstg-vpcs
+    data.terraform_remote_state.apps-prd-vpcs, # apps-prd-vpcs
   )
 }
+

network/base-network/network.auto.tfvars

@@ -11,3 +11,6 @@ enable_vpc_attach = {
   apps-devstg = false
   apps-prd    = false
 }
+
+# Network Firewall
+enable_network_firewall = false

network/base-network/outputs.tf

@@ -59,3 +59,23 @@ output "enable_tgw" {
   description = "This is set to `true` if the Transit Gateway is enabled"
   value       = var.enable_tgw
 }
+
+output "enable_vpc_attach" {
+  description = "VPC attachments per account"
+  value       = var.enable_vpc_attach
+}
+
+output "enable_network_firewall" {
+  description = "This is set to `true` if the AWS Network Firewall is enabled"
+  value       = var.enable_network_firewall
+}
+
+output "tgw_route_tabe_id" {
+  description = "TGW default route table id"
+  value       = var.enable_tgw ? module.tgw[0].transit_gateway_route_table_id : null
+}
+
+output "tgw_inspection_route_tabe_id" {
+  description = "TGW inspection route table id"
+  value       = var.enable_tgw && var.enable_network_firewall && lookup(var.enable_vpc_attach, "network", false) ? module.tgw_vpc_attachments_and_subnet_routes_network_firewall["network-firewall"].transit_gateway_route_table_id : null
+}