network-firewall
binbashar/network-firewall/aws
Terraform module for creating AWS Network Firewall resources
# terraform-aws-network-firewall

## Overview

This module creates AWS Network Firewall resources, which include:

- Network Firewall
- Network Firewall Policy
- Network Firewall Stateless groups and rules
- Network Firewall Stateful groups and rules
- Use custom Suricata rules
- Use managed rules
- Use "Strict, Drop Established" rule order
- Use stateful rules instead of stateless rules
- Use $HOME_NET

## Example: Deny domain access

```hcl
module "firewall" {
  source      = "github.com/binbashar/terraform-aws-network-firewall.git"
  name        = "firewall"
  description = "AWS Network Firewall example"
  vpc_id      = "vpc-12345678910111213"
  subnet_mapping = {
    us-east-1a = "subnet-23456780101112131"
    us-east-1b = "subnet-13121110987654321"
  }

  # Stateless rule groups
  stateless_rule_groups = {
    stateless-group-1 = {
      description = "Stateless rules"
```
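The following is an added example, not code from the binbashar module's own README, showing how the inputs documented in the table below fit together for the stateful, Suricata-based approach the feature list describes: `home_net_cidr` and `external_net_cidr` populate the `$HOME_NET` and `$EXTERNAL_NET` variables referenced by the rules, `rule_order = "STRICT_ORDER"` makes the rules evaluate in the order written, and logging is enabled so drops are visible. The VPC and subnet IDs are placeholders, the domain and CIDR are constructed, and the nested keys `capacity` and `rules_string` inside `stateful_suricata_rule_groups` are assumed names (the page only shows that the object has a `description` field).

```hcl
module "firewall" {
  source = "github.com/binbashar/terraform-aws-network-firewall.git"

  name        = "egress-firewall"
  description = "Deny access to one domain from HOME_NET"
  vpc_id      = "vpc-00000000000000000" # placeholder
  subnet_mapping = {
    us-east-1a = "subnet-00000000000000000" # placeholder
    us-east-1b = "subnet-11111111111111111" # placeholder
  }

  # Rule variables: $HOME_NET is the protected internal range,
  # $EXTERNAL_NET is everything the rules treat as outside.
  home_net_cidr     = ["10.0.0.0/16"] # constructed
  external_net_cidr = ["0.0.0.0/0"]

  # Evaluate stateful rules strictly in the order they are written;
  # drop packets that hit a stream exception rather than letting them through.
  rule_order              = "STRICT_ORDER"
  stream_exception_policy = "DROP"

  # Custom Suricata rule group. "capacity" and "rules_string" are ASSUMED
  # attribute names for this example; only "description" is documented above.
  stateful_suricata_rule_groups = {
    deny-blocked-domain = {
      description  = "Drop DNS, TLS and HTTP traffic for blocked.example"
      capacity     = 100
      rules_string = <<-EOT
        # Block resolution of the domain and its subdomains.
        # dotprefix + endswith ensures "notblocked.example" does not match.
        drop dns $HOME_NET any -> any any (msg:"Blocked domain DNS query"; dns.query; dotprefix; content:".blocked.example"; endswith; sid:1000001; rev:1;)
        # Block TLS connections by the SNI in the ClientHello.
        drop tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Blocked domain over TLS"; tls.sni; dotprefix; content:".blocked.example"; endswith; flow:to_server; sid:1000002; rev:1;)
        # Block plain HTTP by the Host header.
        drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"Blocked domain over HTTP"; http.host; dotprefix; content:".blocked.example"; endswith; flow:to_server; sid:1000003; rev:1;)
      EOT
    }
  }

  # FLOW logs show what traversed the firewall; ALERT logs record the drops.
  enable_firewall_logs      = true
  log_type                  = ["FLOW", "ALERT"]
  cloudwatch_log_group_name = "/aws/network-firewall/egress-firewall" # constructed
  log_retention_in_days     = 90
}
```

Traffic that matches none of the three drop rules falls through to the firewall policy's default stateful action, which this example does not set. Keep the `dotprefix`/`endswith` pair on every domain match: a bare `content:"blocked.example"` would also match any other hostname that merely contains that string.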
| Name | Type | Description | Default |
|---|---|---|---|
| subnet_mapping | map(any) | Subnets map. Each subnet must belong to a different Availability Zone in the VPC | required |
| name | string | A friendly name of the firewall. | required |
| vpc_id | string | The unique identifier of the VPC where AWS Network Firewall should create the fi | required |
| log_retention_in_days | number | The number of days to retain log events in the log group | 90 |
| stateful_suricata_rule_groups | map(object({ description | Optional stateful Suricata rule groups | {} |
| managed_rule_groups | list(object({ name | List of managed rule groups with ARNs, priorities, and action modes | [] |
| home_net_cidr | list(string) | List of CIDR blocks for the internal network (HOME_NET) | [] |
| external_net_cidr | list(string) | List of CIDR blocks for the external network (EXTERNAL_NET) | [] |
| log_type | list(string) | Log types to enable. Options: FLOW, ALERT | ["FLOW", "ALERT"] |
| create_network_firewall | bool | Set to false if you just want to create the security policy, stateless and state | true |
| stateless_default_actions | list(any) | Set of actions to take on a packet if it does not match any of the stateless rul | ["aws:aws:forward_to_sfe"] |
| s3_bucket_name | string | S3 bucket name | null |
| subnet_change_protection | bool | A boolean flag indicating whether it is possible to change the associated subnet | false |
| tags | map(string) | Map of resource tags to associate with the resource. If configured with a provid | {} |
| rule_order | string | Define the rule evaluation order for stateful rule groups. Options: STRICT_ORDER | "DEFAULT_ACTION_ORDER" |
| kinesis_stream_arn | string | Amazon Resource Name (ARN) of the Kinesis Data Firehose stream | null |
| stateless_fragment_default_actions | list(any) | Set of actions to take on a fragmented packet if it does not match any of the st | ["aws:drop"] |
| cloudwatch_log_group_name | string | CloudWatch log group name | null |
| firewall_policy_change_protection | bool | A boolean flag indicating whether it is possible to change the associated firewa | false |
| firewall_policy_name | string | A friendly name of the firewall policy. | null |
| stateful_rule_groups | any | Map of stateful rule groups. | {} |
| stream_exception_policy | string | Define the action to take on a packet that does not match any stateful rule grou | "DROP" |
| enable_firewall_logs | bool | Enable logging for the firewall | false |
## Outputs

- `id` — The ID that identifies the firewall.
- `arn` — The Amazon Resource Name (ARN) that identifies the firewall.
- `network_firewall_policy` — The Network Firewall policy created.
- `network_firewall_status` — Nested list of information about the current status of the firewall.
- `network_firewall_stateless_group` — Map of stateless group rules.
- `network_firewall_stateful_group` — Map of stateful group rules.
- `network_firewall_suricata_rule_groups` — Map of Suricata rule groups.