Merge pull request #300 from binbashar/feature/nfw-module
Change NFW implementation to the module approach
lgallard authored Aug 25, 2021
2 parents a2c18be + e765cb7 commit 556d036
Showing 2 changed files with 57 additions and 108 deletions.
159 changes: 54 additions & 105 deletions network/network-firewall/firewall.tf
@@ -1,119 +1,68 @@
# Firewall
resource "aws_networkfirewall_firewall" "firewall" {
module "firewall" {

count = var.enable_network_firewall ? 1 : 0

name = "${var.project}-${var.environment}-firewall"
firewall_policy_arn = aws_networkfirewall_firewall_policy.policy[0].arn
vpc_id = module.vpc.vpc_id

# subnet_mapping
dynamic "subnet_mapping" {
for_each = [for k, v in module.network_firewall_private_subnets.az_subnet_ids :
v if contains(local.firewall_endpoints, k)
]

content {
subnet_id = subnet_mapping.value
}
}

tags = local.tags
}

# Policy
resource "aws_networkfirewall_firewall_policy" "policy" {

count = var.enable_network_firewall ? 1 : 0

name = "${var.project}-${var.environment}-firewall-policy"

firewall_policy {
stateless_default_actions = ["aws:pass"]
stateless_fragment_default_actions = ["aws:drop"]

stateless_rule_group_reference {
priority = 10
resource_arn = aws_networkfirewall_rule_group.staless_rule_group[0].arn
}

stateful_rule_group_reference {
resource_arn = aws_networkfirewall_rule_group.staleful_rule_group[0].arn
}
}

tags = local.tags
}

# Stateless rule groups
resource "aws_networkfirewall_rule_group" "staless_rule_group" {

count = var.enable_network_firewall ? 1 : 0

name = "${var.project}-${var.environment}-default-forward"

description = "Stateless Rule"
capacity = 100
type = "STATELESS"
rule_group {
rules_source {
stateless_rules_and_custom_actions {
stateless_rule {
source = "github.com/binbashar/terraform-aws-network-firewall.git?ref=v0.1.0"

name = "${var.project}-${var.environment}-firewall"

description = "AWS Network Firewall example"
delete_protection = false
firewall_policy_change_protection = false
subnet_change_protection = false
vpc_id = module.vpc.vpc_id

stateless_default_actions = ["aws:pass"]
stateless_fragment_default_actions = ["aws:drop"]

subnet_mapping = module.network_firewall_private_subnets.az_subnet_ids

# Stateless rule groups
stateless_rule_groups = {
# stateless-group-1 rules
staless-group-1 = {
description = "Staless rules"
priority = 10
capacity = 100
rules = [
{
priority = 1
actions = ["aws:drop"]
protocols = [1] # ICMP
source = {
address = "0.0.0.0/0"
}
destination = {
address = "0.0.0.0/0"
}
},
{
priority = 10
rule_definition {
actions = ["aws:forward_to_sfe"]
match_attributes {
source {
address_definition = "0.0.0.0/0"
}
#source_port {
# from_port = 0
# to_port = 0
#}
destination {
address_definition = "0.0.0.0/0"
}
#destination_port {
# from_port = 0
# to_port = 0
#}
}
actions = ["aws:forward_to_sfe"]
source = {
address = "0.0.0.0/0"
}
}
}
destination = {
address = "0.0.0.0/0"
}
},
]
}
}

tags = local.tags
}

# Stateful rule groups
resource "aws_networkfirewall_rule_group" "staleful_rule_group" {

count = var.enable_network_firewall ? 1 : 0

name = "${var.project}-${var.environment}-deny-wikipedia"
capacity = 50
description = "Deny Wikipedia access"
type = "STATEFUL"
rule_group {
rule_variables {
ip_sets {
key = "HOME_NET"
ip_set {
definition = ["0.0.0.0/0"]
}

}
}
rules_source {
rules_source_list {
# Stateful rules
stateful_rule_groups = {
# rules_source_list examples
stateful-group-1 = {
description = "Stateful Inspection for denying access to domains"
capacity = 100
#rule_variables = {}
rules_source_list = {
generated_rules_type = "DENYLIST"
target_types = ["TLS_SNI", "HTTP_HOST"]
targets = [".wikipedia.org"]
targets = [".wikipedia.org", ".bad-domain.com"]
}
}
}

tags = local.tags
}
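Review bot: The new module call sets `delete_protection = false`, `firewall_policy_change_protection = false` and `subnet_change_protection = false`, which switches off all three AWS Network Firewall safeguards for a firewall whose outputs are tied to the inspection VPC remote state, so a stray apply or console change can delete the firewall or swap its policy with nothing stopping it; set them to `true` (or expose them as variables that default to `true`) and only relax them in disposable environments. The `source` pins the module to the git tag `v0.1.0`, which is mutable; pinning the `ref` to the commit behind that tag makes the dependency reproducible. The removed resource filtered `subnet_mapping` through `local.firewall_endpoints`, while the new `subnet_mapping = module.network_firewall_private_subnets.az_subnet_ids` appears to hand the module every AZ subnet, so if that narrowing was deliberate it is lost here and should be confirmed. The old stateful rule group also declared a `HOME_NET` rule variable, whereas the new group leaves `#rule_variables = {}` commented out; confirm the module's default is acceptable for the DENYLIST rule.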

6 changes: 3 additions & 3 deletions network/network-firewall/outputs.tf
Expand Up @@ -52,15 +52,15 @@ output "inspection_route_table_ids" {
# Network Firewall
output "network_firewall_status" {
description = "Nested list of information about the current status of the firewall."
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? aws_networkfirewall_firewall.firewall[0].firewall_status : []
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status : []
}

output "sync_states" {
description = "Set of subnets configured for use by the firewall."
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? aws_networkfirewall_firewall.firewall[0].firewall_status.*.sync_states : []
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status.*.sync_states : []
}

output "network_firewall_subnet_id_endpoint_id" {
description = "Map of endpoint_id per subnet_id"
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? { for v in aws_networkfirewall_firewall.firewall[0].firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {}
value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? { for v in module.firewall[0].network_firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {}
}
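Review bot: The guard `var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0` is repeated verbatim in all three rewritten outputs, so the three `module.firewall[0]` references will drift independently the next time the condition changes; hoist it once, e.g. `firewall_enabled = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0` in a `locals` block, and write each output as `local.firewall_enabled ? ... : ...`. The outputs now assume the module exposes an output named `network_firewall_status` with the same shape as the provider's `firewall_status` attribute (the `[0]["sync_states"].*.attachment` traversal in `network_firewall_subnet_id_endpoint_id` depends on it); nothing on this page shows the module's outputs, so this should be confirmed against the pinned module version. The hunk starts at line 52, so an existing `locals` block earlier in the file is outside this view.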
