Terraform module which creates AWS network firewall resources.
This project supports creating resources through individual sub-modules for better support for RAM resource sharing, or through a single module that creates both the firewall and firewall policy resources. See the respective sub-module directory for more details and example usage.
module "network_firewall" {
source = "terraform-aws-modules/network-firewall/aws"
# Firewall
name = "example"
description = "Example network firewall"
vpc_id = "vpc-1234556abcdef"
subnet_mapping = {
subnet1 = {
subnet_id = "subnet-abcde012"
ip_address_type = "IPV4"
}
subnet2 = {
subnet_id = "subnet-bcde012a"
ip_address_type = "IPV4"
}
subnet2 = {
subnet_id = "subnet-fghi345a"
ip_address_type = "IPV4"
}
}
# Logging configuration
create_logging_configuration = true
logging_configuration_destination_config = [
{
log_destination = {
logGroup = "/aws/network-firewall/example"
}
log_destination_type = "CloudWatchLogs"
log_type = "ALERT"
},
{
log_destination = {
bucketName = "s3-example-bucket-firewall-flow-logs"
prefix = "example"
}
log_destination_type = "S3"
log_type = "FLOW"
}
]
# Policy
policy_name = "example"
policy_description = "Example network firewall policy"
policy_stateful_rule_group_reference = {
one = {
priority = 0
resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateful-rulegroup/example"
}
}
policy_stateless_default_actions = ["aws:pass"]
policy_stateless_fragment_default_actions = ["aws:drop"]
policy_stateless_rule_group_reference = {
one = {
priority = 0
resource_arn = "arn:aws:network-firewall:us-east-1:1234567890:stateless-rulegroup/example"
}
}
tags = {
Terraform = "true"
Environment = "dev"
}
}Examples codified under the examples are intended to give users references for how to use the module(s) as well as testing/validating changes to the source code of the module. If contributing to the project, please be sure to make any appropriate updates to the relevant examples to allow maintainers to test your changes and to keep the examples up to date for users. Thank you!
| Name | Version |
|---|---|
| terraform | >= 1.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| firewall | ./modules/firewall | n/a |
| policy | ./modules/policy | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create | Controls if resources should be created | bool |
true |
no |
| create_logging_configuration | Controls if a Logging Configuration should be created | bool |
false |
no |
| create_policy | Controls if policy should be created | bool |
true |
no |
| create_policy_resource_policy | Controls if a resource policy should be created | bool |
false |
no |
| delete_protection | A boolean flag indicating whether it is possible to delete the firewall. Defaults to true |
bool |
true |
no |
| description | A friendly description of the firewall | string |
"" |
no |
| encryption_configuration | KMS encryption configuration settings | any |
{} |
no |
| firewall_policy_arn | The ARN of the Firewall Policy to use | string |
"" |
no |
| firewall_policy_change_protection | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to false |
bool |
null |
no |
| logging_configuration_destination_config | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration | any |
[] |
no |
| name | A friendly name of the firewall | string |
"" |
no |
| policy_attach_resource_policy | Controls if a resource policy should be attached to the firewall policy | bool |
false |
no |
| policy_description | A friendly description of the firewall policy | string |
null |
no |
| policy_encryption_configuration | KMS encryption configuration settings | any |
{} |
no |
| policy_name | A friendly name of the firewall policy | string |
"" |
no |
| policy_ram_resource_associations | A map of RAM resource associations for the created firewall policy | map(string) |
{} |
no |
| policy_resource_policy | The policy JSON to use for the resource policy; required when create_resource_policy is false |
string |
"" |
no |
| policy_resource_policy_actions | A list of IAM actions allowed in the resource policy | list(string) |
[] |
no |
| policy_resource_policy_principals | A list of IAM principals allowed in the resource policy | list(string) |
[] |
no |
| policy_stateful_default_actions | Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. You can specify one of either or neither values of aws:drop_strict or aws:drop_established, as well as any combination of aws:alert_strict and aws:alert_established |
list(string) |
[] |
no |
| policy_stateful_engine_options | A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options for details | any |
{} |
no |
| policy_stateful_rule_group_reference | Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference for details | any |
{} |
no |
| policy_stateless_custom_action | Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions |
any |
{} |
no |
| policy_stateless_default_actions | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: aws:drop, aws:pass, or aws:forward_to_sfe |
list(string) |
[ |
no |
| policy_stateless_fragment_default_actions | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: aws:drop, aws:pass, or aws:forward_to_sfe |
list(string) |
[ |
no |
| policy_stateless_rule_group_reference | Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference for details | any |
{} |
no |
| policy_tags | A map of tags to add to all resources | map(string) |
{} |
no |
| subnet_change_protection | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to true |
bool |
true |
no |
| subnet_mapping | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet | any |
{} |
no |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
| vpc_id | The unique identifier of the VPC where AWS Network Firewall should create the firewall | string |
"" |
no |
| Name | Description |
|---|---|
| arn | The Amazon Resource Name (ARN) that identifies the firewall |
| id | The Amazon Resource Name (ARN) that identifies the firewall |
| logging_configuration_id | The Amazon Resource Name (ARN) of the associated firewall |
| policy_arn | The Amazon Resource Name (ARN) that identifies the firewall policy |
| policy_id | The Amazon Resource Name (ARN) that identifies the firewall policy |
| policy_resource_policy_id | The Amazon Resource Name (ARN) of the firewall policy associated with the resource policy |
| policy_update_token | A string token used when updating a firewall policy |
| status | Nested list of information about the current status of the firewall |
| update_token | A string token used when updating a firewall |
Apache-2.0 Licensed. See LICENSE.
