From a91d235cbc49f65331726bf72c441194fad7c0cf Mon Sep 17 00:00:00 2001
From: parav24
Date: Wed, 9 Oct 2024 11:35:17 +0100
Subject: [PATCH] Ccl 865/move local modules (#186)
* moving local module to core-cloud-terraform-modules
* moving local module to core-cloud-terraform-modules
---
 .../custom_firewall_rule_group.tf | 28 ++++++
 .../network-firewall-rules-egress/main.tf | 89 +++++++++++++++++++
 .../network-firewall-rules-egress/outputs.tf | 3 +
 .../variables.tf | 41 +++++++++
 .../custom_firewall_rule_group.tf | 16 ++++
 .../network-firewall-rules-inspection/main.tf | 88 ++++++++++++++++++
 .../outputs.tf | 3 +
 .../variables.tf | 36 ++++++++
 8 files changed, 304 insertions(+)
 create mode 100644 modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-egress/main.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-egress/outputs.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-egress/variables.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-inspection/main.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-inspection/outputs.tf
 create mode 100644 modules/aws/networking/network-firewall-rules-inspection/variables.tf
diff --git a/modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf b/modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf
new file mode 100644
index 0000000..8888868
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf
@@ -0,0 +1,28 @@
+resource "aws_networkfirewall_rule_group" "allow_domains_for_nonprod_01" {
+ capacity = 2000
+ name = "egress-allowed-domainlist-to-internet-01"
+ description = "Allow egress internet access for Non-Production environment"
+ type = "STATEFUL"
+ rule_group {
+ stateful_rule_options {
+ rule_order = "STRICT_ORDER"
+ }
+ rule_variables {
+ ip_sets {
+ key = "HOME_NET"
+ ip_set {
+ definition = [var.cidr_input]
+ }
+ }
+ }
+ rules_source {
+ rules_source_list {
+ generated_rules_type = "ALLOWLIST"
+ target_types = ["HTTP_HOST", "TLS_SNI"]
+ targets = [
+ for line in split("\n", (var.whitelisted_domains)) : trim(line, " \r")
+ ]
+ }
+ }
+ }
+}
diff --git a/modules/aws/networking/network-firewall-rules-egress/main.tf b/modules/aws/networking/network-firewall-rules-egress/main.tf
new file mode 100644
index 0000000..adbeef5
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-egress/main.tf
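Review bot: The `targets` list at the end of the hunk splits `var.whitelisted_domains` on newlines without first applying `trimspace` (which the sibling main.tf does use for `local.rule_group_arns`), so a trailing newline or any blank line in the supplied domain list becomes an empty-string target that the rule group creation will reject. Filter them out: `for line in split("\n", trimspace(var.whitelisted_domains)) : trim(line, " \r") if trim(line, " \r") != ""`. Separately, `name` is the fixed string `egress-allowed-domainlist-to-internet-01` and `description` hard-codes "Non-Production" while everything else in the module is keyed on `var.network_firewall_name`, so two instances of the module in one account and region would collide on the rule-group name; deriving it, e.g. `name = "${var.network_firewall_name}-egress-allowlist"`, matches what the inspection module does for its rule group. `var.tags` is declared in this module but is not applied to this resource either.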
@@ -0,0 +1,89 @@
+###############################################
+# Importing the already existing nfw #
+###############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2::firewall/
+
+import {
+ to = aws_networkfirewall_firewall.existing_firewall
+ id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name ## Existing firewall name
+ vpc_id = var.vpc_id ## Use the existing VPC ID
+ firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+ # Subnet mappings (use the existing subnets here)
+ dynamic "subnet_mapping" {
+ for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+ content {
+ subnet_id = subnet_mapping.value.subnet_id
+ }
+ }
+ ## Keeping the old tags when it was created first time
+ tags = {
+ "Accelerator" = "AWSAccelerator"
+ "Name" = var.network_firewall_name
+ }
+ # Add other necessary attributes here
+}
+
+################
+## nfw-policy #
+################
+
+# Reading rule groups from text file supplied
+locals {
+ rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+ name = var.network_firewall_policy_name
+
+ firewall_policy {
+ # Reference AWS managed or custom stateful rule groups
+
+ # Specify stateful default actions
+ stateful_default_actions = [
+ "aws:drop_established",
+ "aws:alert_established"
+ ]
+
+ # Configure stateful engine options
+ stateful_engine_options {
+ rule_order = "STRICT_ORDER" # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+ }
+
+ dynamic "stateful_rule_group_reference" {
+ for_each = local.rule_group_arns
+
+ content {
+ resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+ priority = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+ }
+ }
+
+ # custom rules defined by core-cloud-platform
+ stateful_rule_group_reference {
+ resource_arn = aws_networkfirewall_rule_group.allow_domains_for_nonprod_01.arn
+ priority = 250
+ }
+
+ # Define the stateless default actions explicitly
+ stateless_default_actions = ["aws:forward_to_sfe"]
+
+ # Define the stateless fragment default actions explicitly
+ stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+ }
+
+ tags = {
+ Name = var.network_firewall_policy_name
+ }
+}
+
diff --git a/modules/aws/networking/network-firewall-rules-egress/outputs.tf b/modules/aws/networking/network-firewall-rules-egress/outputs.tf
new file mode 100644
index 0000000..13aa298
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-egress/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+ value = aws_networkfirewall_firewall_policy.policy
+}
diff --git a/modules/aws/networking/network-firewall-rules-egress/variables.tf b/modules/aws/networking/network-firewall-rules-egress/variables.tf
new file mode 100644
index 0000000..4510d0a
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-egress/variables.tf
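Review bot: The region `eu-west-2` is hard-coded twice in this hunk, in the `import` block's `id` and in the `resource_arn` template inside the `dynamic "stateful_rule_group_reference"` block, while the account id is taken from a variable; applied in any other region the import resolves to the wrong ARN and the managed rule-group references point at groups that do not exist there. Use `data.aws_region.current.name` (adding `data "aws_region" "current" {}`) or a region input in both places; the same two lines appear in the inspection module's main.tf later in this patch. `local.rule_group_arns` also never strips `\r`, unlike the domain list in the sibling rule group, so a CRLF-formatted input produces ARNs ending in a carriage return; `rule_group_arns = [for l in split("\n", trimspace(var.aws_managed_rule_groups)) : trim(l, " \r") if trim(l, " \r") != ""]` handles both that and blank lines. Finally, `stateful_default_actions` uses `aws:drop_established`, which lets the TCP handshake through and drops only once the flow is established; if the intent is a strict default-deny of everything the allow-list and managed groups do not match, `aws:drop_strict` is the stricter setting, and a comment stating which behaviour is intended would help the next reader.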
@@ -0,0 +1,41 @@
+# variables
+variable "tags" {
+ description = "Tags to apply to the resources."
+ type = map(string)
+ default = {}
+}
+
+variable "account_id" {
+ description = "Network Firewall Account-id"
+ type = string
+}
+
+variable "network_firewall_name" {
+ description = "Network Firewall name to be supplied"
+ type = string
+}
+
+variable "network_firewall_policy_name" {
+ description = "Network Firewall Policy name to be supplied"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "VPC assocaited with Network Firewall"
+ type = string
+}
+
+variable "cidr_input" {
+ description = "CIDR range"
+ type = string
+}
+
+variable "whitelisted_domains" {
+ description = "Network Firewall - whitelisted domains file"
+ type = string
+}
+
+variable "aws_managed_rule_groups" {
+ description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+ type = string
+}
\ No newline at end of file
diff --git a/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
new file mode 100644
index 0000000..97083cd
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
@@ -0,0 +1,16 @@
+resource "aws_networkfirewall_rule_group" "main_rules" {
+ capacity = 5000
+ name = "${var.network_firewall_name}-base-rules"
+ type = "STATEFUL"
+
+ rule_group {
+ rules_source {
+ #rules_string = file("${path.module}/rules.txt")
+ rules_string = var.rules_file
+ }
+
+ stateful_rule_options {
+ rule_order = "STRICT_ORDER"
+ }
+ }
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/main.tf b/modules/aws/networking/network-firewall-rules-inspection/main.tf
new file mode 100644
index 0000000..1e1b957
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/main.tf
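Review bot: `cidr_input` is accepted as a bare string and is fed straight into the rule group's `HOME_NET` ip_set, so a malformed value only fails at apply time inside AWS; a `validation` block with `condition = can(cidrhost(var.cidr_input, 0))` and an error message naming the variable would catch it at plan time. `tags` is declared with a default but is not referenced by any resource in this module, so callers who pass tags get nothing — either apply it in the `tags` arguments or drop the variable. The descriptions contain typos (`assocaited`, `maanged`), and `whitelisted_domains` is described as a "file" although the module consumes the file contents, one domain per line; the same points apply to the inspection module's variables.tf at the end of the patch.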
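Review bot: The commented-out `#rules_string = file("${path.module}/rules.txt")` line inside `rules_source` is dead code left over from before the rules were passed in as `var.rules_file`; it should be removed, and since the variable now carries the rule text rather than a path, a name such as `rules_string` (or a description reading "contents of the Suricata rules file") would stop callers passing a filename. This group sets `rule_order = "STRICT_ORDER"`, so the supplied rules are evaluated in the order they are listed; that constraint belongs in the variable's description too. Unlike the egress rule group this one has no `description`, and `var.tags` is not applied.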
@@ -0,0 +1,88 @@
+############################################
+# Importing the existing network firewall #
+############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2::firewall/
+import {
+ to = aws_networkfirewall_firewall.existing_firewall
+ id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+ name = var.network_firewall_name # Existing firewall name
+ vpc_id = var.vpc_id # Use the existing VPC ID
+ firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+ # Subnet mappings (use the existing subnets here)
+ dynamic "subnet_mapping" {
+ for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+ content {
+ subnet_id = subnet_mapping.value.subnet_id
+ }
+ }
+ ## Keeping the old tags when it was created first time
+ tags = {
+ "Accelerator" = "AWSAccelerator"
+ "Name" = var.network_firewall_name
+ }
+ # Add other necessary attributes here
+}
+
+################
+## nfw-policy" #
+################
+
+# Reading rule groups from text file supplied
+locals {
+ rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+ name = var.network_firewall_policy_name
+
+ firewall_policy {
+ # Reference AWS managed or custom stateful rule groups
+
+ # Specify stateful default actions
+ stateful_default_actions = [
+ "aws:drop_established",
+ "aws:alert_established"
+ ]
+
+ # Configure stateful engine options
+ stateful_engine_options {
+ rule_order = "STRICT_ORDER" # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+ }
+
+ dynamic "stateful_rule_group_reference" {
+ for_each = local.rule_group_arns
+
+ content {
+ resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+ priority = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+ }
+ }
+
+ # custom rules defined by core-cloud-platform
+ stateful_rule_group_reference {
+ resource_arn = aws_networkfirewall_rule_group.main_rules.arn
+ priority = 250
+ }
+
+ # Define the stateless default actions explicitly
+ stateless_default_actions = ["aws:forward_to_sfe"]
+
+ # Define the stateless fragment default actions explicitly
+ stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+ }
+
+ tags = {
+ Name = var.network_firewall_policy_name
+ }
+}
+
diff --git a/modules/aws/networking/network-firewall-rules-inspection/outputs.tf b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
new file mode 100644
index 0000000..13aa298
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+ value = aws_networkfirewall_firewall_policy.policy
+}
diff --git a/modules/aws/networking/network-firewall-rules-inspection/variables.tf b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
new file mode 100644
index 0000000..85ff3d3
--- /dev/null
+++ b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
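Review bot: This main.tf is a near-verbatim copy of the egress module's main.tf earlier in the patch — the data source, `import` block, firewall resource, `locals` and policy are identical apart from the custom rule group referenced at priority 250 (`aws_networkfirewall_rule_group.main_rules` here) and the stray `"` in the `## nfw-policy" #` banner. Keeping two copies means every fix, such as the hard-coded `eu-west-2` region in the `import` id and managed rule-group ARNs or a change to `stateful_default_actions`, has to be made twice and the two will drift; a single module that takes the custom rule-group ARN as an input, or a shared sub-module for the firewall/policy pair, would remove the duplication. The `# Add other necessary attributes here` placeholder should be removed or replaced with a note of what is actually still missing.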
@@ -0,0 +1,36 @@
+# variables
+variable "tags" {
+ description = "Tags to apply to the resources."
+ type = map(string)
+ default = {}
+}
+
+variable "account_id" {
+ description = "Network Firewall Account-id"
+ type = string
+}
+
+variable "network_firewall_name" {
+ description = "Network Firewall name to be supplied"
+ type = string
+}
+
+variable "network_firewall_policy_name" {
+ description = "Network Firewall Policy name to be supplied"
+ type = string
+}
+
+variable "vpc_id" {
+ description = "VPC assocaited with Network Firewall"
+ type = string
+}
+
+variable "rules_file" {
+ description = "Network Firewall rules file"
+ type = string
+}
+
+variable "aws_managed_rule_groups" {
+ description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+ type = string
+}
\ No newline at end of file