
terraform-aws-modules/terraform-aws-network-firewall

AWS Network Firewall Terraform module

Terraform module which creates AWS network firewall resources.


Usage

This project supports creating resources through individual sub-modules for better support for RAM resource sharing, or through a single module that creates both the firewall and firewall policy resources. See the respective sub-module directory for more details and example usage.

```hcl
module "network_firewall" {
  source = "terraform-aws-modules/network-firewall/aws"

  # Firewall
  name        = "example"
  description = "Example network firewall"

  vpc_id = "vpc-1234556abcdef"
  # Each key must be unique and each subnet must sit in a different Availability Zone
  subnet_mapping = {
    subnet1 = {
      subnet_id       = "subnet-abcde012"
      ip_address_type = "IPV4"
    }
    subnet2 = {
      subnet_id       = "subnet-bcde012a"
      ip_address_type = "IPV4"
    }
    subnet3 = {
      subnet_id       = "subnet-fghi345a"
      ip_address_type = "IPV4"
    }
  }

  # Logging configuration
  create_logging_configuration = true
  logging_configuration_destination_config = [
    {
      log_destination = {
        logGroup = "/aws/network-firewall/example"
      }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    },
    {
      log_destination = {
        bucketName = "s3-example-bucket-firewall-flow-logs"
        prefix     = "example"
      }
      log_destination_type = "S3"
      log_type             = "FLOW"
    }
  ]

  # Policy
  policy_name        = "example"
  policy_description = "Example network firewall policy"

  policy_stateful_rule_group_reference = {
    one = {
      priority     = 0
      resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateful-rulegroup/example"
    }
  }

  policy_stateless_default_actions          = ["aws:pass"]
  policy_stateless_fragment_default_actions = ["aws:drop"]
  policy_stateless_rule_group_reference = {
    one = {
      priority     = 0
      resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateless-rulegroup/example"
    }
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```
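The snippet above shows the module's wiring, but its stateless default of `aws:pass` means any packet that matches no stateless rule is allowed through without ever reaching the stateful rule groups. The following is an added example, not the module's own usage snippet, of a default-deny egress configuration built from the inputs documented below: the stateless layer forwards everything to the stateful engine (`aws:forward_to_sfe`), the stateful engine runs in `STRICT_ORDER` with `aws:drop_strict` as its default, both the firewall and the policy are encrypted with a customer-managed KMS key, and the change-protection flags are switched on. The VPC and subnet IDs, the `10.0.0.0/8` HOME_NET range, the names and the Suricata rule text are constructed placeholders; the `aws_kms_key`, `aws_cloudwatch_log_group` and `aws_networkfirewall_rule_group` resources come from the standard AWS provider and are not created by this module.

```hcl
# Added example (not the module's own code). IDs, names, CIDR and rule text are constructed.

resource "aws_kms_key" "network_firewall" {
  description         = "CMK for AWS Network Firewall configuration"
  enable_key_rotation = true
}

resource "aws_cloudwatch_log_group" "network_firewall" {
  name              = "/aws/network-firewall/strict-egress"
  retention_in_days = 90
}

# Strict-order stateful rule group: the only pass rule is HTTPS egress from HOME_NET.
# Anything else falls through to the policy's aws:drop_strict default action.
resource "aws_networkfirewall_rule_group" "strict_egress" {
  capacity = 100
  name     = "strict-egress"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      rules_string = <<-EOT
        pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"allow HTTPS egress from HOME_NET"; flow:to_server; sid:1000001; rev:1;)
      EOT
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

module "network_firewall" {
  source = "terraform-aws-modules/network-firewall/aws"

  # Firewall
  name        = "strict-egress"
  description = "Default-deny egress firewall"

  vpc_id = "vpc-0123456789abcdef0" # placeholder
  subnet_mapping = {
    subnet_a = { subnet_id = "subnet-0aaaaaaaaaaaaaaaa", ip_address_type = "IPV4" } # placeholder
    subnet_b = { subnet_id = "subnet-0bbbbbbbbbbbbbbbb", ip_address_type = "IPV4" } # placeholder
  }

  # Guard rails against accidental deletion or re-pointing of the firewall
  delete_protection                 = true
  subnet_change_protection          = true
  firewall_policy_change_protection = true

  encryption_configuration = {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.network_firewall.arn
  }

  # Both log types go to the same CloudWatch group so alerts and flows can be correlated
  create_logging_configuration = true
  logging_configuration_destination_config = [
    {
      log_destination      = { logGroup = aws_cloudwatch_log_group.network_firewall.name }
      log_destination_type = "CloudWatchLogs"
      log_type             = "ALERT"
    },
    {
      log_destination      = { logGroup = aws_cloudwatch_log_group.network_firewall.name }
      log_destination_type = "CloudWatchLogs"
      log_type             = "FLOW"
    },
  ]

  # Policy
  policy_name        = "strict-egress"
  policy_description = "Stateless forwards to stateful; stateful is strict-order and drops by default"

  policy_encryption_configuration = {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.network_firewall.arn
  }

  # aws:forward_to_sfe (not aws:pass) so the stateful rules see every packet and fragment
  policy_stateless_default_actions          = ["aws:forward_to_sfe"]
  policy_stateless_fragment_default_actions = ["aws:forward_to_sfe"]

  policy_stateful_engine_options = {
    rule_order              = "STRICT_ORDER"
    stream_exception_policy = "DROP"
  }
  # Only valid together with STRICT_ORDER: drop and alert on flows no pass rule matched
  policy_stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

  policy_stateful_rule_group_reference = {
    strict_egress = {
      priority     = 1 # priority is mandatory under STRICT_ORDER
      resource_arn = aws_networkfirewall_rule_group.strict_egress.arn
    }
  }

  # Override Suricata's HOME_NET (otherwise the VPC CIDR) with the constructed internal range
  policy_variables = {
    rule_variables = [
      {
        key    = "HOME_NET"
        ip_set = { definition = ["10.0.0.0/8"] }
      }
    ]
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

With `aws:drop_strict` as the stateful default there is no need for a trailing `drop ip any any -> any any` rule; the `aws:alert_strict` companion makes every dropped flow show up in the ALERT log, which is the signal to watch when a workload stops reaching something it used to.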

Examples

Examples codified under the examples directory are intended to give users references for how to use the module(s) as well as for testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.7 |

Providers

No providers.

Modules

| Name | Source | Version |
|------|--------|---------|
| firewall | ./modules/firewall | n/a |
| policy | ./modules/policy | n/a |

Resources

No resources.

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| availability_zone_change_protection | A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to `true`, you must first disable this protection before adding or removing Availability Zones | `bool` | `null` | no |
| availability_zone_mapping | Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall | `list(object({ availability_zone_id = string }))` | `null` | no |
| create | Controls if resources should be created | `bool` | `true` | no |
| create_logging_configuration | Controls if a Logging Configuration should be created | `bool` | `null` | no |
| create_policy | Controls if policy should be created | `bool` | `true` | no |
| create_policy_resource_policy | Controls if a resource policy should be created | `bool` | `null` | no |
| delete_protection | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true` | `bool` | `true` | no |
| description | A friendly description of the firewall | `string` | `""` | no |
| enabled_analysis_types | Set of types for which to collect analysis metrics. Valid values: `TLS_SNI`, `HTTP_HOST`. Defaults to `[]` | `list(string)` | `null` | no |
| encryption_configuration | KMS encryption configuration settings | `object({ key_id = optional(string), type = string })` | `null` | no |
| firewall_policy_arn | The ARN of the Firewall Policy to use | `string` | `""` | no |
| firewall_policy_change_protection | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false` | `bool` | `null` | no |
| logging_configuration_destination_config | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | `list(object({ log_destination = map(string), log_destination_type = string, log_type = string }))` | `null` | no |
| name | A friendly name of the firewall | `string` | `""` | no |
| policy_attach_resource_policy | Controls if a resource policy should be attached to the firewall policy | `bool` | `null` | no |
| policy_description | A friendly description of the firewall policy | `string` | `null` | no |
| policy_encryption_configuration | KMS encryption configuration settings | `object({ key_id = optional(string), type = string })` | `null` | no |
| policy_name | A friendly name of the firewall policy | `string` | `""` | no |
| policy_ram_resource_associations | A map of RAM resource associations for the created firewall policy | `map(string)` | `null` | no |
| policy_resource_policy | The policy JSON to use for the resource policy; required when `create_policy_resource_policy` is `false` | `string` | `""` | no |
| policy_resource_policy_actions | A list of IAM actions allowed in the resource policy | `list(string)` | `null` | no |
| policy_resource_policy_principals | A list of IAM principals allowed in the resource policy | `list(string)` | `null` | no |
| policy_stateful_default_actions | Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `stateful_engine_options` block with a `rule_order` value of `STRICT_ORDER`. You can specify at most one of `aws:drop_strict` or `aws:drop_established` (or neither), plus any combination of `aws:alert_strict` and `aws:alert_established` | `list(string)` | `null` | no |
| policy_stateful_engine_options | A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options for details | `object({ flow_timeouts = optional(object({ tcp_idle_timeout_seconds = optional(number) })), rule_order = optional(string), stream_exception_policy = optional(string) })` | `null` | no |
| policy_stateful_rule_group_reference | Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference for details | `map(object({ deep_threat_inspection = optional(bool), override = optional(object({ action = optional(string) })), priority = optional(number), resource_arn = string }))` | `null` | no |
| policy_stateless_custom_action | Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions` | `map(object({ action_definition = object({ publish_metric_action = optional(object({ dimension = optional(string) })) }), action_name = string }))` | `null` | no |
| policy_stateless_default_actions | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `null` | no |
| policy_stateless_fragment_default_actions | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` | `list(string)` | `null` | no |
| policy_stateless_rule_group_reference | Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference for details | `map(object({ priority = number, resource_arn = string }))` | `null` | no |
| policy_tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| policy_variables | Contains variables that you can use to override default Suricata settings in your firewall policy | `object({ rule_variables = list(object({ ip_set = optional(object({ definition = list(string) })), key = string })) })` | `null` | no |
| region | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration | `string` | `null` | no |
| subnet_change_protection | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `true` | `bool` | `true` | no |
| subnet_mapping | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | `map(object({ ip_address_type = optional(string), subnet_id = string }))` | `null` | no |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| transit_gateway_id | The ID of the transit gateway to which the firewall is attached. Required when creating a transit gateway-attached firewall | `string` | `null` | no |
| vpc_id | The unique identifier of the VPC where AWS Network Firewall should create the firewall | `string` | `null` | no |

Outputs

| Name | Description |
|------|-------------|
| arn | The Amazon Resource Name (ARN) that identifies the firewall |
| id | The Amazon Resource Name (ARN) that identifies the firewall |
| logging_configuration_id | The Amazon Resource Name (ARN) of the associated firewall |
| policy_arn | The Amazon Resource Name (ARN) that identifies the firewall policy |
| policy_id | The Amazon Resource Name (ARN) that identifies the firewall policy |
| policy_resource_policy_id | The Amazon Resource Name (ARN) of the firewall policy associated with the resource policy |
| policy_update_token | A string token used when updating a firewall policy |
| status | Nested list of information about the current status of the firewall |
| update_token | A string token used when updating a firewall |

License

Apache-2.0 Licensed. See LICENSE.