AWS Network Firewall Module

• This module for creating AWS Network Firewall by Terraform
• Source: https://github.com/mattyait/terraform-aws-network-firewall

Contributing Guidelines

Thank you for your interest in contributing to our project. Whether it's a bug report, new feature, correction, or additional documentation, we greatly value feedback and contributions from our community.

Please read through CONTRIBUTING before submitting any issues or pull requests to ensure we have all the necessary information to effectively respond to your bug report or contribution.

Usage Sample:

• Configuration link

module "nfw" {
  source = "../"

  for_each = var.nfw

  nfw_name        = each.value.nfw_name
  vpc_id          = each.value.vpc_id
  subnet_mapping  = each.value.subnet_mapping
  logging_config  = try(each.value.logging_config, {})

  prefix                        = local.app_env_prefix
  # Five Tuple Firewall Rule Group
  fivetuple_stateful_rule_group = try(concat(each.value.fivetuple_stateful_rule_group, var.fivetuple_stateful_rule_group), [])
  
  # Stateless Rule Group
  stateless_rule_group          = try(concat(each.value.stateless_rule_group, var.stateless_rule_group), [])
  
  #Suricate Firewall Rule Group
  suricata_stateful_rule_group  = try(concat(each.value.suricata_stateful_rule_group, var.suricata_stateful_rule_group), [])
  
  #Domain Firewall Rule Group
  domain_stateful_rule_group    = try(concat(each.value.domain_stateful_rule_group, var.domain_stateful_rule_group), [])
  tags = {
    "end_to_end" = "true"
  }
}
locals {
  app_env_prefix = "${lookup(var.default_tags, "component", "-")}-${lookup(var.default_tags, "env", "-")}"
}

Requirements

Name	Version
aws	~> 4.31.0

Providers

Name	Version
aws	~> 4.31.0

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_log_group.nfw	resource
aws_networkfirewall_firewall.this	resource
aws_networkfirewall_firewall_policy.this	resource
aws_networkfirewall_logging_configuration.this	resource
aws_networkfirewall_rule_group.domain_stateful_group	resource
aws_networkfirewall_rule_group.fivetuple_stateful_group	resource
aws_networkfirewall_rule_group.stateless_group	resource
aws_networkfirewall_rule_group.suricata_stateful_group	resource

Inputs

Name	Description	Type	Default	Required
description	n/a	string	""	no
domain_stateful_rule_group	Config for domain type stateful rule group	list(any)	[]	no
firewall_policy_change_protection	(optional) we set false because we apply gitops for this	string	false	no
fivetuple_stateful_rule_group	Config for 5-tuple type stateful rule group	list(any)	[]	no
logging_config	(optional) Logging config for network firewall	map(any)	{}	no
nfw_name	firewall name	string	"example"	no
prefix	The descriptio for each environment, ie: bin-dev	string	n/a	yes
stateless_default_actions	Default stateless Action	string	"forward_to_sfe"	no
stateless_fragment_default_actions	Default Stateless action for fragmented packets	string	"forward_to_sfe"	no
stateless_rule_group	Config for stateless rule group	list(any)	n/a	yes
subnet_change_protection	(optional) we set false because we apply gitops for this	string	false	no
subnet_mapping	Subnet ids mapping to have individual firewall endpoint	any	n/a	yes
suricata_stateful_rule_group	Config for Suricata type stateful rule group	list(any)	[]	no
tags	The tags for the resources	map(any)	{}	no
vpc_id	VPC ID	string	n/a	yes

Outputs

Name	Description
arn	Created Network Firewall ARN from network_firewall module
endpoint_id	Created Network Firewall endpoint id
id	Created Network Firewall ID from network_firewall module

Contributors