diff --git a/network/network-firewall/firewall.tf b/network/network-firewall/firewall.tf
index 264a66937..585412c3f 100644
--- a/network/network-firewall/firewall.tf
+++ b/network/network-firewall/firewall.tf
@@ -1,119 +1,68 @@ -# Firewall -resource "aws_networkfirewall_firewall" "firewall" { +module "firewall" { count = var.enable_network_firewall ? 1 : 0 - name = "${var.project}-${var.environment}-firewall" - firewall_policy_arn = aws_networkfirewall_firewall_policy.policy[0].arn - vpc_id = module.vpc.vpc_id - - # subnet_mapping - dynamic "subnet_mapping" { - for_each = [for k, v in module.network_firewall_private_subnets.az_subnet_ids : - v if contains(local.firewall_endpoints, k) - ] - - content { - subnet_id = subnet_mapping.value - } - } - - tags = local.tags -} - -# Policy -resource "aws_networkfirewall_firewall_policy" "policy" { - - count = var.enable_network_firewall ? 1 : 0 - - name = "${var.project}-${var.environment}-firewall-policy" - - firewall_policy { - stateless_default_actions = ["aws:pass"] - stateless_fragment_default_actions = ["aws:drop"] - - stateless_rule_group_reference { - priority = 10 - resource_arn = aws_networkfirewall_rule_group.staless_rule_group[0].arn - } - - stateful_rule_group_reference { - resource_arn = aws_networkfirewall_rule_group.staleful_rule_group[0].arn - } - } - - tags = local.tags -} - -# Stateless rule groups -resource "aws_networkfirewall_rule_group" "staless_rule_group" { - - count = var.enable_network_firewall ? 
1 : 0 - - name = "${var.project}-${var.environment}-default-forward" - - description = "Stateless Rule" - capacity = 100 - type = "STATELESS" - rule_group { - rules_source { - stateless_rules_and_custom_actions { - stateless_rule { + source = "github.com/binbashar/terraform-aws-network-firewall.git?ref=v0.1.0" + + name = "${var.project}-${var.environment}-firewall" + + description = "AWS Network Firewall example" + delete_protection = false + firewall_policy_change_protection = false + subnet_change_protection = false + vpc_id = module.vpc.vpc_id + + stateless_default_actions = ["aws:pass"] + stateless_fragment_default_actions = ["aws:drop"] + + subnet_mapping = module.network_firewall_private_subnets.az_subnet_ids + + # Stateless rule groups + stateless_rule_groups = { + # stateless-group-1 rules + staless-group-1 = { + description = "Staless rules" + priority = 10 + capacity = 100 + rules = [ + { + priority = 1 + actions = ["aws:drop"] + protocols = [1] # ICMP + source = { + address = "0.0.0.0/0" + } + destination = { + address = "0.0.0.0/0" + } + }, + { priority = 10 - rule_definition { - actions = ["aws:forward_to_sfe"] - match_attributes { - source { - address_definition = "0.0.0.0/0" - } - #source_port { - # from_port = 0 - # to_port = 0 - #} - destination { - address_definition = "0.0.0.0/0" - } - #destination_port { - # from_port = 0 - # to_port = 0 - #} - } + actions = ["aws:forward_to_sfe"] + source = { + address = "0.0.0.0/0" } - } - } + destination = { + address = "0.0.0.0/0" + } + }, + ] } } - tags = local.tags -} - -# Stateful rule groups -resource "aws_networkfirewall_rule_group" "staleful_rule_group" { - - count = var.enable_network_firewall ? 
1 : 0 - - name = "${var.project}-${var.environment}-deny-wikipedia" - capacity = 50 - description = "Deny Wikipedia access" - type = "STATEFUL" - rule_group { - rule_variables { - ip_sets { - key = "HOME_NET" - ip_set { - definition = ["0.0.0.0/0"] - } - - } - } - rules_source { - rules_source_list { + # Stateful rules + stateful_rule_groups = { + # rules_source_list examples + stateful-group-1 = { + description = "Stateful Inspection for denying access to domains" + capacity = 100 + #rule_variables = {} + rules_source_list = { generated_rules_type = "DENYLIST" target_types = ["TLS_SNI", "HTTP_HOST"] - targets = [".wikipedia.org"] + targets = [".wikipedia.org", ".bad-domain.com"] } } } - - tags = local.tags } + diff --git a/network/network-firewall/outputs.tf b/network/network-firewall/outputs.tf index dd252a26a..a6657324b 100644 --- a/network/network-firewall/outputs.tf +++ b/network/network-firewall/outputs.tf 
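Review bot: The new `stateful-group-1` drops the `HOME_NET = ["0.0.0.0/0"]` rule variable that the removed `staleful_rule_group` set, leaving only the commented `#rule_variables = {}`; domain-list rules only inspect traffic whose source is in HOME_NET, which defaults to the firewall VPC's own CIDR, so in a central inspection-VPC layout (which the `inspection_vpc` remote state in outputs.tf suggests) flows from spoke VPCs would no longer be matched by the DENYLIST — restore it as `rule_variables = { ip_sets = { HOME_NET = { definition = ["0.0.0.0/0"] } } }` (exact shape per the module's input schema, to be confirmed). `delete_protection`, `firewall_policy_change_protection` and `subnet_change_protection` are hard-coded `false` on the inspection chokepoint; they should be variables defaulting to `true` outside dev. `stateless_default_actions = ["aws:pass"]` lets any packet the stateless group does not match bypass the stateful engine entirely — since the priority-10 rule already forwards everything, `["aws:forward_to_sfe"]` is the safer fallback. `source = "...?ref=v0.1.0"` pins a mutable git tag; pin a commit SHA for supply-chain integrity. Dropping the `contains(local.firewall_endpoints, k)` filter on `subnet_mapping` now places an endpoint in every AZ subnet, which may be intended but is worth confirming since that local may now be dead.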
@@ -52,15 +52,15 @@ output "inspection_route_table_ids" {
 # Network Firewall
 output "network_firewall_status" {
   description = "Nested list of information about the current status of the firewall."
-  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? aws_networkfirewall_firewall.firewall[0].firewall_status : []
+  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status : []
 }
 
 output "sync_states" {
   description = "Set of subnets configured for use by the firewall."
-  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? aws_networkfirewall_firewall.firewall[0].firewall_status.*.sync_states : []
+  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? module.firewall[0].network_firewall_status.*.sync_states : []
 }
 
 output "network_firewall_subnet_id_endpoint_id" {
   description = "Map of endpoint_id per subnet_id"
-  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? { for v in aws_networkfirewall_firewall.firewall[0].firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {}
+  value = var.enable_network_firewall && length(data.terraform_remote_state.inspection_vpc.outputs) > 0 ? { for v in module.firewall[0].network_firewall_status[0]["sync_states"].*.attachment : v[0]["subnet_id"] => v[0]["endpoint_id"] } : {}
 }