Merge pull request #301 from binbashar/fix/cws-locals

Fix/cws locals
binbashar · Aug 26, 2021 · bb11e4d · bb11e4d
2 parents 23b809b + ee60b3b
commit bb11e4d
Show file tree

Hide file tree

Showing 8 changed files with 98 additions and 70 deletions.
diff --git a/network/base-network/customer_gateways.tf b/network/base-network/customer_gateways.tf
@@ -0,0 +1,61 @@
+locals {
+  customer_gateways = {
+    cgw1 = {
+      bgp_asn    = 65220
+      ip_address = "172.83.124.10"
+      tunnel1 = {
+        inside_cidr   = "169.254.10.0/30"
+        preshared_key = "pr3shr3_k3y1"
+      }
+      tunnel2 = {
+        inside_cidr   = "169.254.10.4/30"
+        preshared_key = "pr3shr3_k3y2"
+      }
+      vpn_connection_static_routes_only = true
+      static_routes                     = ["10.10.0.0/20", "10.30.0.0/20"]
+      local_ipv4_network_cidr           = "10.0.0.0/16"
+      #remote_ipv4_network_cidr          = "0.0.0.0/0"
+    },
+    cgw2 = {
+      bgp_asn    = 65220
+      ip_address = "172.83.124.11"
+      tunnel1 = {
+        inside_cidr   = "169.254.10.8/30"
+        preshared_key = "pr3shr3_k3y3" # Use a data source to retrieve secrets from a vault
+        # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs)
+        #dpd_timeout_action           = ""
+        #dpd_timeout_seconds          = 30
+        #ike_versions                 = ["ikev1", "ikev2"]
+        #phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
+        #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
+        #phase1_lifetime_seconds      = 28800
+        #phase2_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
+        #phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
+        #phase2_lifetime_seconds      = 3600
+        #rekey_fuzz_percentage        = 100
+        #rekey_margin_time_seconds    = 540
+        #replay_window_size           = 1024
+        #startup_action               = "add"
+      }
+      tunnel2 = {
+        inside_cidr   = "169.254.10.12/30"
+        preshared_key = "pr3shr3_k3y4" # Use a data source to retrieve secrets from a vault
+        # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs)
+        #dpd_timeout_action           = ""
+        #dpd_timeout_seconds          = 30
+        #ike_versions                 = ["ikev1", "ikev2"]
+        #phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
+        #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
+        #phase1_lifetime_seconds      = 28800
+        #phase2_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
+        #phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
+        #phase2_lifetime_seconds      = 3600
+        #rekey_fuzz_percentage        = 100
+        #rekey_margin_time_seconds    = 540
+        #replay_window_size           = 1024
+        #startup_action               = "add"
+      }
+      #static_routes = ["10.40.0.0/20", "10.50.0.0/20"]
+    }
+  }
+}
diff --git a/network/base-network/locals.tf b/network/base-network/locals.tf
@@ -168,14 +168,14 @@ locals {
 }
 
 locals {
-  customer_gateways = { for k, v in var.customer_gateways :
+  cgws = { for k, v in local.customer_gateways :
     k => {
       bgp_asn    = v["bgp_asn"]
       ip_address = v["ip_address"]
     }
   }
 
-  vpn_static_routes = flatten([for k, v in var.customer_gateways :
+  vpn_static_routes = flatten([for k, v in local.customer_gateways :
     [for r in lookup(v, "static_routes", []) :
       {
         cgw   = k

diff --git a/network/base-network/network.auto.tfvars b/network/base-network/network.auto.tfvars
@@ -4,62 +4,3 @@ vpc_single_nat_gateway = true
 
 # VPN Gateways
 vpc_enable_vpn_gateway = false
-customer_gateways = {
-  cgw1 = {
-    bgp_asn    = 65220
-    ip_address = "172.83.124.10"
-    tunnel1 = {
-      inside_cidr   = "169.254.10.0/30"
-      preshared_key = "pr3shr3_k3y1"
-    }
-    tunnel2 = {
-      inside_cidr   = "169.254.10.4/30"
-      preshared_key = "pr3shr3_k3y2"
-    }
-    vpn_connection_static_routes_only = true
-    static_routes                     = ["10.10.0.0/20", "10.30.0.0/20"]
-    local_ipv4_network_cidr           = "10.0.0.0/16"
-    #remote_ipv4_network_cidr          = "0.0.0.0/0"
-  },
-  cgw2 = {
-    bgp_asn    = 65220
-    ip_address = "172.83.124.11"
-    tunnel1 = {
-      inside_cidr   = "169.254.10.8/30"
-      preshared_key = "pr3shr3_k3y3"
-      # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs)
-      #dpd_timeout_action           = ""
-      #dpd_timeout_seconds          = 30
-      #ike_versions                 = ["ikev1", "ikev2"]
-      #phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
-      #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
-      #phase1_lifetime_seconds      = 28800
-      #phase2_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
-      #phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
-      #phase2_lifetime_seconds      = 3600
-      #rekey_fuzz_percentage        = 100
-      #rekey_margin_time_seconds    = 540
-      #replay_window_size           = 1024
-      #startup_action               = "add"
-    }
-    tunnel2 = {
-      inside_cidr   = "169.254.10.12/30"
-      preshared_key = "pr3shr3_k3y4"
-      # Other parameters (https://github.com/binbashar/terraform-aws-vpn-gateway#inputs)
-      #dpd_timeout_action           = ""
-      #dpd_timeout_seconds          = 30
-      #ike_versions                 = ["ikev1", "ikev2"]
-      #phase1_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
-      #phase1_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
-      #phase1_lifetime_seconds      = 28800
-      #phase2_dh_group_numbers      = [2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24]
-      #phase2_encryption_algorithms = ["AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"]
-      #phase2_lifetime_seconds      = 3600
-      #rekey_fuzz_percentage        = 100
-      #rekey_margin_time_seconds    = 540
-      #replay_window_size           = 1024
-      #startup_action               = "add"
-    }
-    #static_routes = ["10.40.0.0/20", "10.50.0.0/20"]
-  }
-}
diff --git a/network/base-network/network.tf b/network/base-network/network.tf
@@ -27,7 +27,7 @@ module "vpc" {
 
   # VPN Gateway
   amazon_side_asn   = var.vpn_gateway_amazon_side_asn
-  customer_gateways = var.vpc_enable_vpn_gateway ? local.customer_gateways : {}
+  customer_gateways = var.vpc_enable_vpn_gateway ? local.cgws : {}
 
   # Tags
   tags = local.tags

diff --git a/network/base-network/variables.tf b/network/base-network/variables.tf
@@ -238,9 +238,3 @@ variable "vpn_gateway_amazon_side_asn" {
   type        = number
   default     = 64512
 }
-
-variable "customer_gateways" {
-  description = "Customer Gateways"
-  type        = any
-  default     = {}
-}
diff --git a/network/base-network/vpn_gateways.tf b/network/base-network/vpn_gateways.tf
@@ -3,7 +3,7 @@ module "vpn_gateways" {
 
   source = "github.com/binbashar/terraform-aws-vpn-gateway.git?ref=v2.10.1"
 
-  for_each = { for k, v in var.customer_gateways :
+  for_each = { for k, v in local.customer_gateways :
     k => v if var.enable_tgw && var.vpc_enable_vpn_gateway
   }
 

diff --git a/network/network-firewall/README.md b/network/network-firewall/README.md
@@ -0,0 +1,28 @@
+# Domain list inspection for traffic from outside the Network Firewall VPC
+To use domain name filtering for traffic from outside the VPC where you've deployed Network Firewall, you must manually set the `HOME_NET` variable for the rule group. The most common use case for this is a central firewall VPC with traffic coming from other VPCs through a transit gateway.
+
+Include the `HOME_NET` variable in the dtaeful group definiton as follow:
+
+```
+  # Stateful rules
+  stateful_rule_groups = {
+    # rules_source_list examples
+    stateful-group-1 = {
+      description = "Stateful Inspection for denying access to domains"
+      capacity    = 100
+      rule_variables = {
+        ip_sets = {
+          HOME_NET = ["0.0.0.0/0"]
+        }
+      }
+      rules_source_list = {
+        generated_rules_type = "DENYLIST"
+        target_types         = ["TLS_SNI", "HTTP_HOST"]
+        targets              = [".wikipedia.org", ".bad-domain.com"]
+      }
+    }
+  }
+}
+```
+**Reference**: [Domain list inspection for traffic from outside the deployment VPC](https://docs.aws.amazon.com/network-firewall/latest/developerguide/stateful-rule-groups-domain-names.html#:~:text=see%20Domain%20filtering.-,Domain%20list%20inspection%20for%20traffic%20from%20outside%20the%20deployment%20VPC,-To%20use%20domain)
+
diff --git a/network/network-firewall/firewall.tf b/network/network-firewall/firewall.tf
@@ -56,7 +56,11 @@ module "firewall" {
     stateful-group-1 = {
       description = "Stateful Inspection for denying access to domains"
       capacity    = 100
-      #rule_variables = {}
+      rule_variables = {
+        ip_sets = {
+          HOME_NET = ["0.0.0.0/0"]
+        }
+      }
       rules_source_list = {
         generated_rules_type = "DENYLIST"
         target_types         = ["TLS_SNI", "HTTP_HOST"]