diff --git a/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
new file mode 100644
index 0000000..97083cd
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
@@ -0,0 +1,16 @@
+resource "aws_networkfirewall_rule_group" "main_rules" {
+ capacity = 5000
+ name = "${var.network_firewall_name}-base-rules"
+ type = "STATEFUL"
+
+ rule_group {
+ rules_source {
+ #rules_string = file("${path.module}/rules.txt")
+ rules_string = var.rules_file
+ }
+
+ stateful_rule_options {
+ rule_order = "STRICT_ORDER"
+ }
+ }
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/main.tf b/modules/aws/networking/network-firewall-rules-inspection/main.tf
new file mode 100644
index 0000000..1e1b957
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/main.tf
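Review bot: `rules_string = var.rules_file` passes the variable's value straight in as Suricata rule text, while the name `rules_file` and the commented-out `file("${path.module}/rules.txt")` line above it both suggest a path; a caller who supplies a filename gets a rule group whose only "rule" is that filename and the failure surfaces late, at apply time. Either rename the variable (e.g. `rules_content`) or keep the name and make the contract explicit in variables.tf, `description = "Suricata rule text passed verbatim to rules_string (not a file path)"`, and drop the dead commented line. `capacity = 5000` is also a fixed value for caller-supplied rule text, and rule-group capacity cannot be changed after creation, so rule sets that outgrow it force a replacement; consider exposing it as a variable with `default = 5000` and stating the limit in the rules variable's description.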
@@ -0,0 +1,88 @@
+############################################
+# Importing the existing network firewall #
+############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2::firewall/
+import {
+ to = aws_networkfirewall_firewall.existing_firewall
+ id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name # Existing firewall name
+ vpc_id = var.vpc_id # Use the existing VPC ID
+ firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+ # Subnet mappings (use the existing subnets here)
+ dynamic "subnet_mapping" {
+ for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+ content {
+ subnet_id = subnet_mapping.value.subnet_id
+ }
+ }
+ ## Keeping the old tags when it was created first time
+ tags = {
+ "Accelerator" = "AWSAccelerator"
+ "Name" = var.network_firewall_name
+ }
+ # Add other necessary attributes here
+}
+
+################
+## nfw-policy" #
+################
+
+# Reading rule groups from text file supplied
+locals {
+ rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+ name = var.network_firewall_policy_name
+
+ firewall_policy {
+ # Reference AWS managed or custom stateful rule groups
+
+ # Specify stateful default actions
+ stateful_default_actions = [
+ "aws:drop_established",
+ "aws:alert_established"
+ ]
+
+ # Configure stateful engine options
+ stateful_engine_options {
+ rule_order = "STRICT_ORDER" # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+ }
+
+ dynamic "stateful_rule_group_reference" {
+ for_each = local.rule_group_arns
+
+ content {
+ resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+ priority = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+ }
+ }
+
+ # custom rules defined by core-cloud-platform
+ stateful_rule_group_reference {
+ resource_arn = aws_networkfirewall_rule_group.main_rules.arn
+ priority = 250
+ }
+
+ # Define the stateless default actions explicitly
+ stateless_default_actions = ["aws:forward_to_sfe"]
+
+ # Define the stateless fragment default actions explicitly
+ stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+ }
+
+ tags = {
+ Name = var.network_firewall_policy_name
+ }
+}
+
diff --git a/modules/aws/networking/network-firewall-rules-inspection/outputs.tf b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
new file mode 100644
index 0000000..13aa298
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+ value = aws_networkfirewall_firewall_policy.policy
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/variables.tf b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
new file mode 100644
index 0000000..85ff3d3
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
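Review bot: The region `eu-west-2` is hard-coded in both `id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/..."` and `resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/..."`, so with a provider configured for any other region the import targets the wrong ARN and the policy references managed rule groups that do not exist there; add `data "aws_region" "current" {}` and interpolate `data.aws_region.current.name` in both places (the import `id` may hold an expression as long as it stays known at plan time). The `locals` block also treats `var.aws_managed_rule_groups` as newline-separated bare group names, since the ARN prefix is prepended in the dynamic block, which contradicts the variable's "arns" description, and `split("\n", …)` leaves a trailing `\r` on CRLF input and an empty entry after a trailing blank line, both of which yield an invalid `resource_arn`. Separately, `aws:drop_established` only drops non-matching packets on flows that are already established; if the intended posture is default-deny, `aws:drop_strict` is the fail-closed choice, so the intent should be confirmed and recorded in the comment above `stateful_default_actions`. The module also creates no `aws_networkfirewall_logging_configuration`, so alerts raised by `aws:alert_established` and the alert rules have nowhere to land; that is worth a follow-up or a README note. The rewritten lines below cover the region data source, the trimmed and filtered local, and the managed-group ARN.
```hcl
data "aws_region" "current" {}

# … unchanged: data source, import block, aws_networkfirewall_firewall resource …

locals {
  # One managed rule-group name per line; trim each entry and drop blanks so
  # CRLF input or a trailing newline cannot leak into the constructed ARN.
  rule_group_arns = [for g in split("\n", trimspace(var.aws_managed_rule_groups)) : trimspace(g) if trimspace(g) != ""]
}

# … unchanged: policy name, stateful default actions, engine options …

      resource_arn = "arn:aws:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
```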
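Review bot: `value = aws_networkfirewall_firewall_policy.policy` exports the whole resource object rather than the attributes consumers need, which couples every caller to the provider schema and surfaces fields such as `update_token` and `tags_all` that change independently of the policy's identity. Prefer `value = aws_networkfirewall_firewall_policy.policy.arn` with a `description = "ARN of the firewall policy attached to the imported firewall"`, adding a separate `firewall_policy_id` output only if callers need the id.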
@@ -0,0 +1,36 @@
+# variables
+variable "tags" {
+ description = "Tags to apply to the resources."
+ type = map(string)
+ default = {}
+}
+
+variable "account_id" {
+ description = "Network Firewall Account-id"
+ type = string
+}
+
+variable "network_firewall_name" {
+ description = "Network Firewall name to be supplied"
+ type = string
+}
+
+variable "network_firewall_policy_name" {
+ description = "Network Firewall Policy name to be supplied"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "VPC assocaited with Network Firewall"
+ type = string
+}
+
+variable "rules_file" {
+ description = "Network Firewall rules file"
+ type = string
+}
+
+variable "aws_managed_rule_groups" {
+ description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+ type = string
+}
\ No newline at end of file
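Review bot: `variable "tags"` is declared with `default = {}` but nothing in the module reads `var.tags`; main.tf builds both `tags` maps from literals, so a caller setting it gets no effect — either merge it in, `tags = merge(var.tags, { Name = var.network_firewall_policy_name })`, or remove the variable. The description of `aws_managed_rule_groups` says "stateful rule group arns", yet main.tf prepends `arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/` to each entry, so the module actually expects newline-separated group names; correct the description (and the typos "maanged" and "assocaited") or change the type to `list(string)` and drop the `split`. `account_id` is interpolated into the import ARN unchecked; a `validation` block with `condition = can(regex("^[0-9]{12}$", var.account_id))` fails fast at plan time instead of during import. `rules_file` likewise describes a "rules file" although custom_firewall_rule_group.tf passes it as `rules_string`; state that it holds the rule text itself.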