moving local module to core-cloud-terraform-modules

UKHomeOffice · Oct 9, 2024 · 7d0a8a6 · 7d0a8a6
1 parent f89170f
commit 7d0a8a6
Show file tree

Hide file tree

Showing 4 changed files with 143 additions and 0 deletions.
diff --git a/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
@@ -0,0 +1,16 @@
+resource "aws_networkfirewall_rule_group" "main_rules" {
+  capacity = 5000
+  name     = "${var.network_firewall_name}-base-rules"
+  type     = "STATEFUL"
+
+  rule_group {
+    rules_source {
+      #rules_string = file("${path.module}/rules.txt")
+      rules_string = var.rules_file
+    }
+
+    stateful_rule_options {
+      rule_order = "STRICT_ORDER"
+    }
+  }
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/main.tf b/modules/aws/networking/network-firewall-rules-inspection/main.tf
@@ -0,0 +1,88 @@
+############################################
+# Importing the existing network firewall  #
+############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+  name = var.network_firewall_name   # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2:<aws-account-id>:firewall/<existing-firewal-name>
+import {
+  to = aws_networkfirewall_firewall.existing_firewall
+  id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+  name                = var.network_firewall_name # Existing firewall name
+  vpc_id              = var.vpc_id                # Use the existing VPC ID
+  firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+  # Subnet mappings (use the existing subnets here)
+  dynamic "subnet_mapping" {
+    for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+    content {
+      subnet_id = subnet_mapping.value.subnet_id
+    }
+  }
+  ## Keeping the old tags when it was created first time
+  tags = {
+    "Accelerator" = "AWSAccelerator"
+    "Name"        = var.network_firewall_name
+  }
+  # Add other necessary attributes here
+}
+
+################
+## nfw-policy" #
+################
+
+# Reading rule groups from text file supplied
+locals {
+  rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+  name = var.network_firewall_policy_name
+
+  firewall_policy {
+    # Reference AWS managed or custom stateful rule groups
+
+    # Specify stateful default actions
+    stateful_default_actions = [
+      "aws:drop_established",     
+      "aws:alert_established"     
+    ]
+
+    # Configure stateful engine options
+    stateful_engine_options {
+      rule_order = "STRICT_ORDER"  # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+    }
+
+    dynamic "stateful_rule_group_reference" {
+      for_each = local.rule_group_arns
+
+      content {
+        resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+        priority     = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+      }
+    }
+
+    # custom rules defined by core-cloud-platform
+    stateful_rule_group_reference {
+      resource_arn = aws_networkfirewall_rule_group.main_rules.arn
+      priority     = 250
+    }
+
+    # Define the stateless default actions explicitly
+    stateless_default_actions = ["aws:forward_to_sfe"]
+
+    # Define the stateless fragment default actions explicitly
+    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+  }
+
+  tags = {
+    Name = var.network_firewall_policy_name
+  }
+}
+
diff --git a/modules/aws/networking/network-firewall-rules-inspection/outputs.tf b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+  value = aws_networkfirewall_firewall_policy.policy
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/variables.tf b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
@@ -0,0 +1,36 @@
+# variables
+variable "tags" {
+  description = "Tags to apply to the resources."
+  type        = map(string)
+  default     = {}
+}
+
+variable "account_id" {
+    description = "Network Firewall Account-id"
+    type        = string  
+}
+
+variable "network_firewall_name" {
+    description = "Network Firewall name to be supplied"
+    type        = string  
+}
+
+variable "network_firewall_policy_name" {
+    description = "Network Firewall Policy name to be supplied"
+    type        = string  
+}
+
+variable "vpc_id" {
+    description = "VPC assocaited with Network Firewall"
+    type        = string  
+}
+
+variable "rules_file" {
+    description = "Network Firewall rules file"
+    type        = string  
+}
+
+variable "aws_managed_rule_groups" {
+    description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+    type        = string  
+}