This mdule creates AWS Network firewall resources, which includes:
- Network Firewall
- Network Firewall Policy
- Network Firewall Stateless groups and rules
- Network Firewall Stateful groups and rules
- Use custom Suricata Rules
- Use Managed Rules
- Use “Strict, Drop Established” rule order
- Use stateful rules instead of stateless rules
- Use $HOME_NET
Deny domain access
module "firewall" {
source = "github.com/binbashar/terraform-aws-network-firewall.git"
name = "firewall"
description = "AWS Network Firewall example"
vpc_id = "vpc-12345678910111213"
subnet_mapping = {
us-east-1a = "subnet-23456780101112131"
us-east-1b = "subnet-13121110987654321"
}
# Stateless rule groups
stateless_rule_groups = {
stateless-group-1 = {
description = "Stateless rules"
priority = 1
capacity = 100
# stateless-group-1 rules
rules = [
{
priority = 2
actions = ["aws:drop"]
protocols = [1]
source = {
address = "0.0.0.0/0"
}
destination = {
address = "0.0.0.0/0"
}
},
{
priority = 10
actions = ["aws:forward_to_sfe"]
source = {
address = "0.0.0.0/0"
}
destination = {
address = "0.0.0.0/0"
}
},
]
}
}
# Stateful rules
stateful_rule_groups = {
# rules_source_list examples
stateful-group-1 = {
description = "Stateful Inspection for denying access to domains"
capacity = 100
#rule_variables = {}
rules_source_list = {
generated_rules_type = "DENYLIST"
target_types = ["TLS_SNI", "HTTP_HOST"]
targets = [".bad-omain.org", ".evil-domain.com"]
}
}
}
}
You can check the complete example for other usages.
No requirements.
| Name | Version |
|---|---|
| aws | n/a |
No modules.
| Name | Type |
|---|---|
| aws_networkfirewall_firewall.firewall | resource |
| aws_networkfirewall_firewall_policy.policy | resource |
| aws_networkfirewall_rule_group.stateful_rule_group | resource |
| aws_networkfirewall_rule_group.stateless_rule_group | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_network_firewall | Set to false if you just want to create the security policy, stateless and stateful rules | bool |
true |
no |
| delete_protection | A boolean flag indicating whether it is possible to delete the firewall. | bool |
false |
no |
| description | A friendly description of the firewall. | string |
null |
no |
| enabled | Change to false to avoid deploying AWS Network Firewall resources. | bool |
true |
no |
| firewall_policy_change_protection | A boolean flag indicating whether it is possible to change the associated firewall policy. | bool |
false |
no |
| firewall_policy_name | A friendly name of the firewall policy. | string |
null |
no |
| name | A friendly name of the firewall. | string |
n/a | yes |
| vpc_id | The unique identifier of the VPC where AWS Network Firewall should create the firewall. | string |
n/a | yes |
| subnet_mapping | Subnets map. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. | map(any) |
n/a | yes |
| stateless_default_actions | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: aws:drop, aws:pass, or aws:forward_to_sf. |
list(any) |
["aws:drop"] |
no |
| stateless_fragment_default_actions | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. | list(any) |
["aws:drop"] |
no |
| stateless_rule_groups | Map of stateless rules groups, including custom actions. | any |
{} |
no |
| stateful_rule_groups | Map of stateful rules groups, including Suricata and AWS Managed Rules. | any |
{} |
no |
| stateful_suricata_rule_groups | Map of custom Suricata rules for stateful inspection. | any |
{} |
no |
| managed_rule_groups | Map of AWS Managed Rule Groups for stateful inspection. | any |
{} |
no |
| rule_order | The order in which stateless rules are evaluated: STRICT_ORDER or DEFAULT_ACTION_ORDER. |
string |
"DEFAULT_ACTION_ORDER" |
no |
| stream_exception_policy | Policy for handling stream exceptions: DROP, CONTINUE, or REJECT. |
string |
"DROP" |
no |
| home_net_cidr | CIDR block to define the home network for the firewall rules. | string |
n/a | yes |
| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) that identifies the firewall. |
| id | The ID that identifies the firewall. |
| network_firewall_policy | The Firewall Network policy created. |
| network_firewall_stateful_group | Map of stateful group rules. |
| network_firewall_stateless_group | Map of stateless group rules. |
| network_firewall_status | Nested list of information about the current status of the firewall. |
| network_firewall_suricata_rule_groups | Map of Suricata rule groups for stateful inspection. |
| network_firewall_managed_rule_groups | Map of AWS Managed Rule Groups for stateful inspection. |