Showing
8 changed files
with
304 additions
and
0 deletions.
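--- a/modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf
+++ b/modules/aws/networking/network-firewall-rules-egress/custom_firewall_rule_group.tf
@@ -0,0 +1,28 @@
+resource "aws_networkfirewall_rule_group" "allow_domains_for_nonprod_01" {
+capacity = 2000
+name = "egress-allowed-domainlist-to-internet-01"
+description = "Allow egress internet access for Non-Production environment"
+type = "STATEFUL"
+rule_group {
+stateful_rule_options {
+rule_order = "STRICT_ORDER"
+}
+rule_variables {
+ip_sets {
+key = "HOME_NET"
+ip_set {
+definition = [var.cidr_input]
+}
+}
+}
+rules_source {
+rules_source_list {
+generated_rules_type = "ALLOWLIST"
+target_types = ["HTTP_HOST", "TLS_SNI"]
+targets = [
+for line in split("\n", (var.whitelisted_domains)) : trim(line, " \r")
+]
+}
+}
+}
+}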
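Review bot: The `targets` expression strips only spaces and CR from each line of `whitelisted_domains`, so a blank line or trailing newline in the supplied text becomes an empty-string target (likely rejected by the Network Firewall API) and a tab-indented or otherwise malformed entry is passed through verbatim, silently widening or breaking the allow-list. Prefer `targets = compact([for line in split("\n", var.whitelisted_domains) : trimspace(line)])`, which normalises all whitespace and drops empty entries. The resource label and `name` hard-code "nonprod" while the module takes no environment input, so reusing it for any other environment requires editing the module; deriving the name from a variable would avoid that. Because `HOME_NET` is set to `var.cidr_input`, only flows sourced from that CIDR are subject to this allow-list, which is worth stating in a comment next to the `ip_set`.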
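--- a/modules/aws/networking/network-firewall-rules-egress/main.tf
+++ b/modules/aws/networking/network-firewall-rules-egress/main.tf
@@ -0,0 +1,89 @@
+###############################################
+# Importing the already existing nfw #
+###############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+name = var.network_firewall_name # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2:<aws-account-id>:firewall/<existing-nfw-name>
+
+import {
+to = aws_networkfirewall_firewall.existing_firewall
+id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+name = var.network_firewall_name ## Existing firewall name
+vpc_id = var.vpc_id ## Use the existing VPC ID
+firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+# Subnet mappings (use the existing subnets here)
+dynamic "subnet_mapping" {
+for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+content {
+subnet_id = subnet_mapping.value.subnet_id
+}
+}
+## Keeping the old tags when it was created first time
+tags = {
+"Accelerator" = "AWSAccelerator"
+"Name" = var.network_firewall_name
+}
+# Add other necessary attributes here
+}
+
+################
+## nfw-policy #
+################
+
+# Reading rule groups from text file supplied
+locals {
+rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+name = var.network_firewall_policy_name
+
+firewall_policy {
+# Reference AWS managed or custom stateful rule groups
+
+# Specify stateful default actions
+stateful_default_actions = [
+"aws:drop_established",
+"aws:alert_established"
+]
+
+# Configure stateful engine options
+stateful_engine_options {
+rule_order = "STRICT_ORDER" # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+}
+
+dynamic "stateful_rule_group_reference" {
+for_each = local.rule_group_arns
+
+content {
+resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+priority = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+}
+}
+
+# custom rules defined by core-cloud-platform
+stateful_rule_group_reference {
+resource_arn = aws_networkfirewall_rule_group.allow_domains_for_nonprod_01.arn
+priority = 250
+}
+
+# Define the stateless default actions explicitly
+stateless_default_actions = ["aws:forward_to_sfe"]
+
+# Define the stateless fragment default actions explicitly
+stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+}
+
+tags = {
+Name = var.network_firewall_policy_name
+}
+}
+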
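Review bot: `stateful_default_actions` uses `aws:drop_established`, which under `STRICT_ORDER` drops only packets of established connections that match no rule; packets the engine cannot tie to an established flow (the first packets of a connection, or mid-stream traffic when the firewall did not see the handshake) are forwarded, so this is not a default-deny egress policy in the way the allow-list rule group suggests. If default-deny is the intent, `aws:drop_strict` with `aws:alert_strict` is the stronger pair; either way the choice deserves a comment, e.g. `# drop_established forwards non-established packets; use aws:drop_strict for default-deny`. The region `eu-west-2` is hard-coded in both the `import` id and the managed rule group ARN prefix, so applying the module in any other region imports nothing and references rule groups that do not exist there; `data "aws_region" "current" {}` would remove that coupling. `local.rule_group_arns` holds rule-group names rather than ARNs, `index()` on that list gives duplicate lines the same priority (an apply-time error), and `var.tags` is declared but both resources hard-code their tags.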
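--- a/modules/aws/networking/network-firewall-rules-egress/outputs.tf
+++ b/modules/aws/networking/network-firewall-rules-egress/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+value = aws_networkfirewall_firewall_policy.policy
+}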
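--- a/modules/aws/networking/network-firewall-rules-egress/variables.tf
+++ b/modules/aws/networking/network-firewall-rules-egress/variables.tf
@@ -0,0 +1,41 @@
+# variables
+variable "tags" {
+description = "Tags to apply to the resources."
+type = map(string)
+default = {}
+}
+
+variable "account_id" {
+description = "Network Firewall Account-id"
+type = string
+}
+
+variable "network_firewall_name" {
+description = "Network Firewall name to be supplied"
+type = string
+}
+
+variable "network_firewall_policy_name" {
+description = "Network Firewall Policy name to be supplied"
+type = string
+}
+
+variable "vpc_id" {
+description = "VPC assocaited with Network Firewall"
+type = string
+}
+
+variable "cidr_input" {
+description = "CIDR range"
+type = string
+}
+
+variable "whitelisted_domains" {
+description = "Network Firewall - whitelisted domains file"
+type = string
+}
+
+variable "aws_managed_rule_groups" {
+description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+type = string
+}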
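Review bot: `cidr_input` feeds the rule group's `HOME_NET` set, which decides whose traffic the egress allow-list applies to, yet it has no validation, so a bare IP or malformed mask is only caught (if at all) by the Network Firewall API at apply time; add `validation { condition = can(cidrhost(var.cidr_input, 0)) error_message = "cidr_input must be a valid CIDR block." }` to the variable. The `aws_managed_rule_groups` description says "arns", but main.tf interpolates each line into a fixed `arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/` prefix, so callers must supply bare rule-group names and a real ARN would yield a nonsense `resource_arn`; the description should read `"Newline-separated names of AWS managed stateful rule groups (names, not ARNs)"`. Likewise `whitelisted_domains` is described as a "file" while the value is the file's contents, and `tags` is declared but main.tf never applies it. Typos in descriptions: "assocaited", "maanged".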
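--- a/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
+++ b/modules/aws/networking/network-firewall-rules-inspection/custom_firewall_rule_group.tf
@@ -0,0 +1,16 @@
+resource "aws_networkfirewall_rule_group" "main_rules" {
+capacity = 5000
+name = "${var.network_firewall_name}-base-rules"
+type = "STATEFUL"
+
+rule_group {
+rules_source {
+#rules_string = file("${path.module}/rules.txt")
+rules_string = var.rules_file
+}
+
+stateful_rule_options {
+rule_order = "STRICT_ORDER"
+}
+}
+}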
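Review bot: `rules_string = var.rules_file` consumes the Suricata rule text directly from a variable whose name reads like a path, and the commented-out `file("${path.module}/rules.txt")` line just above reinforces that misreading; a caller who passes a path would get a rule group whose only "rule" is a filename, with the apply error as the sole signal. Remove the dead comment and state the contract in its place, e.g. `# rules_string expects the rule text itself; callers are responsible for reading the file`. The group also lacks a `description`, unlike the egress module's rule group, and `capacity = 5000` is hard-coded with no note on how it was sized against the rules being supplied.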
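--- a/modules/aws/networking/network-firewall-rules-inspection/main.tf
+++ b/modules/aws/networking/network-firewall-rules-inspection/main.tf
@@ -0,0 +1,88 @@
+############################################
+# Importing the existing network firewall #
+############################################
+data "aws_networkfirewall_firewall" "existing_firewall" {
+name = var.network_firewall_name # "your-existing-firewall-name" imported using terragrunt as it was created using LZA
+}
+
+# Imported the existing NFW below as it was created using LZA
+# example:
+# terragrunt import aws_networkfirewall_firewall.existing_firewall arn:aws:network-firewall:eu-west-2:<aws-account-id>:firewall/<existing-firewal-name>
+import {
+to = aws_networkfirewall_firewall.existing_firewall
+id = "arn:aws:network-firewall:eu-west-2:${var.account_id}:firewall/${var.network_firewall_name}"
+}
+
+resource "aws_networkfirewall_firewall" "existing_firewall" {
+name = var.network_firewall_name # Existing firewall name
+vpc_id = var.vpc_id # Use the existing VPC ID
+firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn
+
+# Subnet mappings (use the existing subnets here)
+dynamic "subnet_mapping" {
+for_each = data.aws_networkfirewall_firewall.existing_firewall.subnet_mapping
+content {
+subnet_id = subnet_mapping.value.subnet_id
+}
+}
+## Keeping the old tags when it was created first time
+tags = {
+"Accelerator" = "AWSAccelerator"
+"Name" = var.network_firewall_name
+}
+# Add other necessary attributes here
+}
+
+################
+## nfw-policy" #
+################
+
+# Reading rule groups from text file supplied
+locals {
+rule_group_arns = split("\n", trimspace(var.aws_managed_rule_groups))
+}
+
+resource "aws_networkfirewall_firewall_policy" "policy" {
+name = var.network_firewall_policy_name
+
+firewall_policy {
+# Reference AWS managed or custom stateful rule groups
+
+# Specify stateful default actions
+stateful_default_actions = [
+"aws:drop_established",
+"aws:alert_established"
+]
+
+# Configure stateful engine options
+stateful_engine_options {
+rule_order = "STRICT_ORDER" # Options: "STRICT_ORDER" or "DEFAULT_ACTION_ORDER"
+}
+
+dynamic "stateful_rule_group_reference" {
+for_each = local.rule_group_arns
+
+content {
+resource_arn = "arn:aws:network-firewall:eu-west-2:aws-managed:stateful-rulegroup/${stateful_rule_group_reference.value}"
+priority = 200 + index(local.rule_group_arns, stateful_rule_group_reference.value) + 1
+}
+}
+
+# custom rules defined by core-cloud-platform
+stateful_rule_group_reference {
+resource_arn = aws_networkfirewall_rule_group.main_rules.arn
+priority = 250
+}
+
+# Define the stateless default actions explicitly
+stateless_default_actions = ["aws:forward_to_sfe"]
+
+# Define the stateless fragment default actions explicitly
+stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+}
+
+tags = {
+Name = var.network_firewall_policy_name
+}
+}
+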
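Review bot: This module declares the same `aws_networkfirewall_firewall.existing_firewall` resource, with the same `import` id, as the egress module, and each module points `firewall_policy_arn` at its own policy; if both are ever applied against the same firewall name, every apply re-attaches the firewall to that module's policy and silently detaches the other's, so whichever rule set was applied last is the only one enforced. If the two modules are meant for different firewalls, say so at the import block, e.g. `# Exactly one module may own a given firewall: this resource sets firewall_policy_arn`; otherwise the two policies should be merged into one. The same points as in the egress module apply here: `eu-west-2` is hard-coded in the import id and managed rule group ARNs, `aws:drop_established` forwards non-established packets where `aws:drop_strict` would drop them, duplicate lines in `aws_managed_rule_groups` collide on priority via `index()`, and `var.tags` is declared but unused.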
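--- a/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
+++ b/modules/aws/networking/network-firewall-rules-inspection/outputs.tf
@@ -0,0 +1,3 @@
+output "firewall_policy" {
+value = aws_networkfirewall_firewall_policy.policy
+}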
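--- a/modules/aws/networking/network-firewall-rules-inspection/variables.tf
+++ b/modules/aws/networking/network-firewall-rules-inspection/variables.tf
@@ -0,0 +1,36 @@
+# variables
+variable "tags" {
+description = "Tags to apply to the resources."
+type = map(string)
+default = {}
+}
+
+variable "account_id" {
+description = "Network Firewall Account-id"
+type = string
+}
+
+variable "network_firewall_name" {
+description = "Network Firewall name to be supplied"
+type = string
+}
+
+variable "network_firewall_policy_name" {
+description = "Network Firewall Policy name to be supplied"
+type = string
+}
+
+variable "vpc_id" {
+description = "VPC assocaited with Network Firewall"
+type = string
+}
+
+variable "rules_file" {
+description = "Network Firewall rules file"
+type = string
+}
+
+variable "aws_managed_rule_groups" {
+description = "Network Firewall - A list of AWS maanged stateful rule group arns"
+type = string
+}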
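Review bot: `rules_file` is described as a "rules file" but main.tf's rule group passes it straight to `rules_string`, so it must hold the Suricata rule text rather than a path; a caller who supplies a path gets a broken rule group instead of a Terraform error. Change the description to `"Suricata-compatible stateful rule text for the base rule group (file contents, not a path)"` and guard against an empty value with `validation { condition = length(trimspace(var.rules_file)) > 0 error_message = "rules_file must contain at least one rule." }`. The `aws_managed_rule_groups` description says "arns" while main.tf interpolates each line as a bare rule-group name into a fixed `eu-west-2` ARN prefix, so the description should say names, and `tags` is declared but never applied. Typos in descriptions: "assocaited", "maanged".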