Skip to content

Latest commit

 

History

History

fms-dns-firewall-policy

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
resource-group.tf
resource-group.tf
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

README.md

fms-dns-firewall-policy

This module creates following resources.

  • aws_fms_policy

Requirements

Name Version
terraform >= 1.5
aws >= 4.36

Providers

Name Version
aws 5.19.0

Modules

Name Source Version
resource_group tedilabs/misc/aws//modules/resource-group ~> 0.10.0

Resources

Name Type
aws_fms_policy.this resource

Inputs

Name Description Type Default Required
name (Required) The friendly name of the AWS Firewall Manager Policy. string n/a yes
pre_rule_groups (Required) A list of rule groups to process first. Each item of pre_rule_groups block as defined below.
(Required) priority - The setting that determines the processing order of the rule group among the rule groups that you associate with the specified VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting. Valid values for priority are between 1 and 99.
(Required) rule_group - The ID of the firewall rule group.		 
list(object({
    priority   = number
    rule_group = string
  }))
 n/a yes
auto_remediation_enabled (Optional) Indicate if the policy should be automatically applied to new resources. Defaults to false. bool false no
cascade_deletion_enabled (Optional) Whether to cleanup resources which is managed by the policy on deletion. Defaults to true.

If true, the request performs cleanup according to the policy type.

For AWS WAF and Shield Advanced policies, the cleanup does the following:
- Deletes rule groups created by AWS Firewall Manager
- Removes web ACLs from in-scope resources
- Deletes web ACLs that contain no rules or rule groups

For security group policies, the cleanup does the following for each security group in the policy:
- Disassociates the security group from in-scope resources
- Deletes the security group if it was created through Firewall Manager and if it's no longer associated with any resources through another policy

After the cleanup, in-scope resources are no longer protected by web ACLs in this policy. Protection of out-of-scope resources remains unchanged.		 bool true no
module_tags_enabled (Optional) Whether to create AWS Resource Tags for the module informations. bool true no
organization_filter (Optional) A filter configuration to decide protections on resources based on the accounts and organization units. organization_filter block as defined below.
(Optional) type - Whether to include or exclude resources that contain accounts or organization_units from protections by this policy. Valid values are WHITELIST and BLACKLIST.
(Optional) accounts - A list of AWS Organization member accounts that you want to include or to exclude for this AWS FMS Policy.
(Optional) organization_units - A list of AWS Organization Units that you want to include or to exclude for this AWS FMS Policy.		 
object({
    type               = optional(string, "WHITELIST")
    accounts           = optional(set(string), [])
    organization_units = optional(set(string), [])
  })
 {} no
post_rule_groups (Optional) A list of rule groups to process last. Each item of post_rule_groups block as defined below.
(Required) priority - The setting that determines the processing order of the rule group among the rule groups that you associate with the specified VPC. DNS Firewall filters VPC traffic starting from the rule group with the lowest numeric priority setting. Valid values for priority are between 9901 and 10000.
(Required) rule_group - The ID of the firewall rule group.		 
list(object({
    priority   = number
    rule_group = string
  }))
 [] no
resource_cleanup_on_leave_enabled (Optional) Whether Firewall Manager will automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope. Defaults to false. This option is not available for Shield Advanced or AWS WAF Classic policies. bool false no
resource_group_description (Optional) The description of Resource Group. string "Managed by Terraform." no
resource_group_enabled (Optional) Whether to create Resource Group to find and group AWS resources which are created by this module. bool true no
resource_group_name (Optional) The name of Resource Group. A Resource Group name can have a maximum of 127 characters, including letters, numbers, hyphens, dots, and underscores. The name cannot start with AWS or aws. string "" no
resource_tags_filter (Optional) A filter configuration to decide protections on resources based on the resource tags. resourcee_tags_filter block as defined below.
(Optional) type - Whether to include or exclude resources that contain tags from protections by this policy. Valid values are WHITELIST and BLACKLIST.
(Optional) tags - A map of resource tags to filter resources.		 
object({
    type = optional(string, "WHITELIST")
    tags = optional(map(string), {})
  })
 {} no
resource_types (Optional) A list of resource types to protect. list(string) 
[
  "AWS::EC2::VPC"
]
 no
tags (Optional) A map of tags to add to all resources. map(string) {} no

Outputs

Name Description
arn The ARN of the AWS Firewall Manager Policy.
attributes A set of attributes that applied to the AWS Firewall Manager Policy.
id The ID of the AWS Firewall Manager Policy.
name The name of the AWS Firewall Manager Policy.
policy The configuration of this policy.
scope The configuration of this policy scope.