├── .gitignore
├── .header.md
├── .pre-commit-config.yaml
├── .terraform-docs.yaml
├── .tflint.hcl
├── .tfsec
    ├── launch_configuration_imdsv2_tfchecks.json
    ├── launch_template_imdsv2_tfchecks.json
    ├── no_launch_config_tfchecks.json
    ├── sg_no_embedded_egress_rules_tfchecks.json
    └── sg_no_embedded_ingress_rules_tfchecks.json
├── CODEOWNERS
├── LICENSE
├── NOTICE.txt
├── README.md
├── docs
    └── UPGRADE-GUIDE-1.0.md
├── examples
    ├── central_inspection_with_egress
    │   ├── .header.md
    │   ├── .terraform-docs.yaml
    │   ├── README.md
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── policy.tf
    │   ├── providers.tf
    │   └── variables.tf
    ├── central_inspection_without_egress
    │   ├── .header.md
    │   ├── .terraform-docs.yaml
    │   ├── README.md
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── policy.tf
    │   ├── providers.tf
    │   └── variables.tf
    ├── intra_vpc_inspection
    │   ├── .header.md
    │   ├── .terraform-docs.yaml
    │   ├── README.md
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── policy.tf
    │   ├── providers.tf
    │   └── variables.tf
    └── single_vpc_logging
    │   ├── .header.md
    │   ├── .terraform-docs.yaml
    │   ├── README.md
    │   ├── kms_keys.tf
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── policy.tf
    │   ├── providers.tf
    │   └── variables.tf
├── main.tf
├── modules
    ├── central_inspection_with_egress_routing
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── providers.tf
    │   └── variables.tf
    ├── intra_vpc_routing
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── providers.tf
    │   └── variables.tf
    └── logging
    │   ├── main.tf
    │   ├── outputs.tf
    │   ├── providers.tf
    │   └── variables.tf
├── moved.tf
├── outputs.tf
├── providers.tf
├── test
    ├── examples_central_inspection_with_egress_test.go
    ├── examples_central_inspection_without_egress_test.go
    ├── examples_intra_vpc_inspection_test.go
    └── examples_single_vpc_logging_test.go
└── variables.tf


/.gitignore:
--------------------------------------------------------------------------------
 1 | build/
 2 | plan.out
 3 | plan.out.json
 4 | 
 5 | # Local .terraform directories
 6 | .terraform/
 7 | 
 8 | # .tfstate files
 9 | *.tfstate
10 | *.tfstate.*
11 | 
12 | # Crash log files
13 | crash.log
14 | 
15 | # Exclude all .tfvars files, which are likely to contain sentitive data, such as
16 | # password, private keys, and other secrets. These should not be part of version
17 | # control as they are data points which are potentially sensitive and subject
18 | # to change depending on the environment.
19 | #
20 | *.tfvars
21 | 
22 | # Ignore override files as they are usually used to override resources locally and so
23 | # are not checked in
24 | override.tf
25 | override.tf.json
26 | *_override.tf
27 | *_override.tf.json
28 | 
29 | # Include override files you do wish to add to version control using negated pattern
30 | #
31 | # !example_override.tf
32 | 
33 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
34 | # example: *tfplan*
35 | 
36 | # Ignore CLI configuration files
37 | .terraformrc
38 | terraform.rc
39 | .terraform.lock.hcl
40 | 
41 | go.mod
42 | go.sum
43 | 
44 | # DS_Store
45 | 
46 | .DS_Store
47 | 


--------------------------------------------------------------------------------
/.header.md:
--------------------------------------------------------------------------------
  1 | # AWS Network Firewall Module
  2 | 
  3 | *NOTE*: For information regarding the 1.0 upgrade see our [upgrade guide](./docs/UPGRADE-GUIDE-1.0.md)
  4 | 
  5 | [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a managed network security service that makes it easy to deploy threat prevention for Amazon VPCs. This module can be used to deploy an AWS Network Firewall resource in the desired VPC, automating all the routing and logging configuration when the resource is deployed.
  6 | 
  7 | The module only handles the creation of the infrastructure, leaving full freedom to the user when defining the firewall rules (which should be done outside the module). Same applies to IAM roles and KMS keys when you define the firewall logging - rememeber that it is a best practice to encryt at rest your firewall logs.
  8 | 
  9 | ## Usage
 10 | 
 11 | To create AWS Network Firewall in your VPC, you need to provide the following information:
 12 | 
 13 | - `network_firewall_name` = (Required|string) Name to provide the AWS Network Firewall resource.
 14 | - `network_firewall_description` = (Required|string) A friendly description of the firewall resource.
 15 | - `network_firewall_policy`= (Required|string) ARN of the firewall policy to apply in the AWS Network Firewall resource. Check the definition of [AWS Network Firewall Policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) and [AWS Network Firewall Rule Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) to see how you can create firewall policies.
 16 | - `network_firewall_delete_protection` = (Optional|bool) A boolean flag indicating whether it is possible to delete the firewall. Defaults to `false`. 
 17 | - `network_firewall_policy_change_protection` = (Optional|bool) To indicate whether it is possible to change the associated firewall policy after creation. Defaults to `false`.
 18 | - `network_firewall_subnet_change_protection` = (Optional|bool) To indicate whether it is possible to change the associated subnet(s) after creation. Defaults to `false`.
 19 | - `network_firewall_encryption_key_arn` = (Optional|string) ARN of Customer managed KMS key for data encryption. By default, AWS managed key will be used.
 20 | - `vpc_id` = (Required|string) ID of the VPC where the AWS Network Firewall resource should be placed.
 21 | - `vpc_subnets` = (Required|map(string)) Map of subnet IDs to place the Network Firewall endpoints. The expected format of the map is the Availability Zone as key, and the ID of the subnet as value. Example (supposing us-east-1 as AWS Region):
 22 | 
 23 | ```hcl
 24 | vpc_subnets = {
 25 |     us-east-1a = subnet-IDa
 26 |     us-east-1b = subnet-IDb
 27 |     us-east-1c = subnet-IDc
 28 | }
 29 | ```
 30 | 
 31 | - `number_azs` = (Required|number) Number of Availability Zones to place the AWS Network Firewall endpoints.
 32 | - `routing_configuration` = (Required|any) Configuration of the routing desired in the VPC. Depending the VPC type, the information to provide is different. The configuration types supported are: `single_vpc`, `intra_vpc_inspection`, `centralized_inspection_without_egress`, and `centralized_inspection_with_egress`. **Only one key (option) can be defined**. More information about the differences between each of the VPC types (and examples) can be checked in the section below.
 33 | - `tags`= (Optional|map(string)) List of tags to apply to the AWS Network Firewall resource.
 34 | 
 35 | ## Routing configuration
 36 | 
 37 | Once the AWS Network Firewall resource is created, the routing to the firewall endpoints need to be created. However, depending the VPC and how we want to inspect the traffic, this routing configuration is going to be different. The module supports the routing configuration of 4 different types of VPCs, covering the most common [Inspection Deployment models with with AWS Network Firewall](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf).
 38 | 
 39 | ### Single VPC
 40 | 
 41 | The first use case is when the firewall endpoints are located in the VPC to inspect the traffic from/to workloads in that same VPC. When using this routing configuration, it is expected to place the firewall endpoints in subnets between the Internet gateway (IGW) and the public subnets (where you can place the Elastic Load Balancers and NAT gateways). The module expects in this configuration three variables:
 42 | 
 43 | - `igw_route_table` = (Required|string) VPC route table ID associated to an Internet gateway. In this route table it will be created routes pointing to the Network Firewall endpoints with destination the CIDR blocks provided in the `protected_subnet_cidr_blocks` variable.
 44 | - `protected_subnet_route_tables` = (Required|map(string)) Map of the VPC subnet route tables where the resources to protect (using the Network Firewall resource) are located - expected format of the map is Availability Zone (key) --> VPC route table (value). In these route tables it will be created the default route table pointing to the Network Firewall endpoints - ensuring Availability Zone affinity.
 45 | - `protected_subnet_cidr_blocks` = (Required|map(string)) Map of IPv4 CIDR blocks indicating the subnets where the resources to protect (using the Network Firewall resource) are located - expected format of the map is Availability Zone (key) --> IPv4 CIDR block (value).
 46 | 
 47 | An example of the definition of this routing configuration is the following one:
 48 | 
 49 | ```hcl
 50 | routing_configuration = { 
 51 |     single_vpc = { 
 52 |       igw_route_table = rtb-ID
 53 |       protected_subnet_route_tables = { 
 54 |         us-east-1a = rtb-IDa
 55 |         us-east-1b = rtb-IDb
 56 |         us-east-1c = rtb-IDc
 57 |       }
 58 |       protected_subnet_cidr_blocks = {
 59 |         us-east-1a = "10.0.0.0/24"
 60 |         us-east-1b = "10.0.1.0/24"
 61 |         us-east-1c = "10.0.2.0/24"
 62 |       }
 63 |     }
 64 | }
 65 | ```
 66 | 
 67 | ### Intra-VPC Inspection
 68 | 
 69 | When placing firewall endpoints to inspect traffic between workloads inside the same VPC (between your EC2 instances and the database layer, for example) you can take advantage of the VPC routing enhacement - which allows you to include more specific routing than the local one. The module expects in this configuration two variables:
 70 | 
 71 | - `number_routes` = (Required|number) Number of configured items in the `routes` variable.
 72 | - `routes` = (Required|list(map(any))) List of intra-VPC route configurations. Important to note that only one direction is configured per item in this list, so in most situations you will need two items per group of subnets to inspect. Each item expects a map of strings with two values: 
 73 |   - `source_subnet_route_tables` = (Required|map(string)) VPC route table of the source subnet - expected format of the map is Availability Zone (key) --> VPC route table (value)
 74 |   - `destination_subnet_cidr_blocks` = (Required|map(string)). IPv4 CIDR blocks of the destination subnet - expected format of the map is Availability Zone (key) --> IPv4 CIDR block (value)
 75 | 
 76 | An example of the definition of this routing configuration is the following one.
 77 | 
 78 | ```hcl
 79 | routing_configuration = { 
 80 |     intra_vpc_inspection = { 
 81 |       number_routes = 2
 82 |       routes = {
 83 |         { 
 84 |           source_subnet_route_tables = { 
 85 |             us-east-1a = rtb-IDa
 86 |             us-east-1b = rtb-IDb
 87 |             us-east-1c = rtb-IDc
 88 |           }
 89 |           destination_subnet_cidr_blocks = {
 90 |             us-east-1a = "10.0.0.0/24"
 91 |             us-east-1b = "10.0.1.0/24"
 92 |             us-east-1c = "10.0.2.0/24"
 93 |           }
 94 |         },
 95 |         {
 96 |           source_subnet_route_tables = { 
 97 |             us-east-1a = rtb-IDaa
 98 |             us-east-1b = rtb-IDbb
 99 |             us-east-1c = rtb-IDcc
100 |           }
101 |           destination_subnet_cidr_blocks = {
102 |             us-east-1a = "10.0.3.0/24"
103 |             us-east-1b = "10.0.4.0/24"
104 |             us-east-1c = "10.0.5.0/24"
105 |           }
106 |         }
107 |       }
108 |     }
109 | }
110 | ```
111 | 
112 | ### Hub and Spoke with Inspection VPC
113 | 
114 | The use case covers the creation of a centralized Inspection VPC in a hub-and-spoke architecture with [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) and/or [AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html), with the idea of managing the traffic inspection at scale. When using the key `centralized_inspection_without_egress` it is supposed that the Inspection VPC created is only used to place the Transit Gateway or Cloud WAN's core network ENIs and the firewall endpoints. In this configuration, you can configurate the following variables:
115 | 
116 | - `connectivity_subnet_route_tables` = (Optional|map(string)) Map of VPC subnet route tables where the Transit Gateway or Cloud WAN's core network ENIs are located. In these route tables a default route pointing to the Network Firewall endpoints is created - expected format of the map is Availability Zone (key) --> VPC route table (value)
117 | 
118 | An example of the definition of this routing configuration is the following one:
119 | 
120 | ```hcl
121 | routing_configuration = {
122 |     centralized_inspection_without_egress = { 
123 |       connectivity_subnet_route_tables = { 
124 |         us-east-1a = rtb-IDa
125 |         us-east-1b = rtb-IDb
126 |         us-east-1c = rtb-IDc
127 |       }
128 |     }
129 | }
130 | ```
131 | 
132 | ### Hub and Spoke with Inspection VPC (with egress traffic)
133 | 
134 | The use case covers the creation of a centralized Inspection VPC in a hub-and-spoke architecture with [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) or [AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html), with the idea of managing the traffic inspection at scale. When using the key `centralized_inspection_with_egress` it is supposed that the Inspection VPC also has access to the Internet, to centralize inspection and egress traffic at the same time. In this configuration, you can configurate the following variables:
135 | 
136 | - `connectivity_subnet_route_tables` = (Optional|map(string)) Map of VPC subnet route tables where the Transit Gateway or Cloud WAN's core network ENIs are located. In these route tables a default route pointing to the Network Firewall endpoints is created - expected format of the map is Availability Zone (key) --> VPC route table (value)
137 | - `public_subnet_route_tables` = (Required|map(string)) Map of VPC public subnet route tables. In these route tables, routes are created pointing to the Network Firewall endpoints with destination the CIDR blocks defined in the `network_cidr_blocks` variable. The expected format of the map is Availability Zone (key) --> VPC route table (value)
138 | - `network_cidr_blocks` = (Required|list(string)) List of IPv4 CIDR blocks defining the AWS network.
139 | 
140 | An example of the definition of this routing configuration is the following one:
141 | 
142 | ```hcl
143 | routing_configuration = {
144 |     centralized_inspection_with_egress = {
145 |       connectivity_subnet_route_tables = { 
146 |         us-east-1a = rtb-IDa
147 |         us-east-1b = rtb-IDb
148 |         us-east-1c = rtb-IDc
149 |       }
150 |       public_subnet_route_tables = {
151 |         us-east-1a = rtb-IDaa
152 |         us-east-1b = rtb-IDbb
153 |         us-east-1c = rtb-IDcc
154 |       }
155 |       network_cidr_blocks = ["10.0.0.0/8", "192.168.0.0/24"]
156 |     }
157 | }
158 | ```
159 | 
160 | ## Logging
161 | 
162 | You can enable AWS Network Firewall logging for the [stateful engine](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html). You can record the flow logs and/or alert logs, with only one destination per log type:
163 | 
164 | * [Amazon S3](https://aws.amazon.com/s3/) bucket.
165 | * [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) log group.
166 | * [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) stream.
167 | 
168 | For more information about the logging in AWS Network Firewall, check the [AWS Network Firewall documentation](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html).
169 | 
170 | Regarding the format of the variable, you can define either `flow_log` or `alert_log` configurations; with only 1 destination in each one of them. As mentioned above, 3 different destinations can be configured:
171 | 
172 | - `s3_bucket` = (Optional|map(string)) Configuration of an S3 bucket as logging destination. Two attributes are expected:
173 |   - `bucketName` = (Required|string) Name of the S3 bucket to deliver the logs.
174 |   - `logPrefix` = (Optional|string) Path inside the S3 bucket.
175 | - `cloudwatch_logs` = (Optional|map(string)) Configuration of a CloudWatch log group as logging destination. Only the attribute `logGroupName` (Required|string) is expected.
176 | - `kinesis_firehose` = (Optional|map(string)) Configuration of a Kinesis Data Firehose stream as logging desintation. Only the attribute `deliveryStreamName` (Required|string) is expected.
177 | 
178 | Example definition of each type: 
179 | 
180 | ```hcl
181 | logging_configuration = {
182 |   flow_log = {
183 |     s3_bucket = {
184 |       bucketName = "my-bucket"
185 |       logPrefix = "/logs"
186 |     }
187 |   }
188 | }
189 | 
190 | logging_configuration = {
191 |   alert_log = {
192 |     cloudwatch_logs = {
193 |       logGroupName = "my-log-group"
194 |     }
195 |   }
196 | }
197 | 
198 | logging_configuration = {
199 |   alert_log = {
200 |     kinesis_firehose = {
201 |       deliveryStreamName = "my-stream"
202 |     }
203 |   }
204 | }
205 | ```
206 | 
207 | ## References
208 | 
209 | - Reference Architecture: [Inspection Deployment models with with AWS Network Firewall](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf)
210 | - Blog post: [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/)
211 | - Blog post: [Deployment models for AWS Network Firewall with VPC routing enhancements](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall-with-vpc-routing-enhancements/)
212 | 


--------------------------------------------------------------------------------
/.pre-commit-config.yaml:
--------------------------------------------------------------------------------
 1 | ---
 2 | fail_fast: false
 3 | minimum_pre_commit_version: "2.6.0"
 4 | repos:
 5 |   -
 6 |     repo: https://github.com/aws-ia/pre-commit-configs
 7 |     # To update run:
 8 |     # pre-commit autoupdate --freeze
 9 |     rev: 80ed3f0a164f282afaac0b6aec70e20f7e541932  # frozen: v1.5.0
10 |     hooks:
11 |       - id: aws-ia-meta-hook
12 | 


--------------------------------------------------------------------------------
/.terraform-docs.yaml:
--------------------------------------------------------------------------------
 1 | formatter: markdown
 2 | header-from: .header.md
 3 | settings:
 4 |   anchor: true
 5 |   color: true
 6 |   default: true
 7 |   escape: true
 8 |   html: true
 9 |   indent: 2
10 |   required: true
11 |   sensitive: true
12 |   type: true
13 | 
14 | sort:
15 |   enabled: true
16 |   by: required
17 | 
18 | output:
19 |   file: README.md
20 |   mode: replace
21 | 


--------------------------------------------------------------------------------
/.tflint.hcl:
--------------------------------------------------------------------------------
 1 | # https://github.com/terraform-linters/tflint/blob/master/docs/user-guide/module-inspection.md
 2 | # borrowed & modified indefinitely from https://github.com/ksatirli/building-infrastructure-you-can-mostly-trust/blob/main/.tflint.hcl
 3 | 
 4 | plugin "aws" {
 5 |     enabled = true
 6 |     version = "0.21.1"
 7 |     source  = "github.com/terraform-linters/tflint-ruleset-aws"
 8 | }
 9 | 
10 | config {
11 |   module     = false
12 |   force      = false
13 | }
14 | 
15 | rule "terraform_required_providers" {
16 |   enabled = true
17 | }
18 | 
19 | rule "terraform_required_version" {
20 |   enabled = true
21 | }
22 | 
23 | rule "terraform_naming_convention" {
24 |   enabled = true
25 |   format  = "snake_case"
26 | }
27 | 
28 | rule "terraform_typed_variables" {
29 |   enabled = true
30 | }
31 | 
32 | rule "terraform_unused_declarations" {
33 |   enabled = true
34 | }
35 | 
36 | rule "terraform_comment_syntax" {
37 |   enabled = true
38 | }
39 | 
40 | rule "terraform_deprecated_index" {
41 |   enabled = true
42 | }
43 | 
44 | rule "terraform_deprecated_interpolation" {
45 |   enabled = true
46 | }
47 | 
48 | rule "terraform_documented_outputs" {
49 |   enabled = true
50 | }
51 | 
52 | rule "terraform_documented_variables" {
53 |   enabled = true
54 | }
55 | 
56 | rule "terraform_module_pinned_source" {
57 |   enabled = true
58 | }
59 | 
60 | rule "terraform_standard_module_structure" {
61 |   enabled = true
62 | }
63 | 
64 | rule "terraform_workspace_remote" {
65 |   enabled = true
66 | }
67 | 
68 | # seems to be a bug when a resource is not created
69 | rule "aws_route_not_specified_target" {
70 |   enabled = false
71 | }
72 | 
73 | rule "aws_route_specified_multiple_targets" {
74 |   enabled = false
75 | }
76 | 


--------------------------------------------------------------------------------
/.tfsec/launch_configuration_imdsv2_tfchecks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "checks": [
 3 |     {
 4 |       "code": "CUS002",
 5 |       "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
 6 |       "impact": "Instance metadata service can be interacted with freely",
 7 |       "resolution": "Enable HTTP token requirement for IMDS",
 8 |       "requiredTypes": [
 9 |         "resource"
10 |       ],
11 |       "requiredLabels": [
12 |         "aws_launch_configuration"
13 |       ],
14 |       "severity": "CRITICAL",
15 |       "matchSpec": {
16 |           "action": "isPresent",
17 |           "name": "metadata_options",
18 |           "subMatch": {
19 |             "action": "and",
20 |             "predicateMatchSpec": [
21 |               {
22 |                 "action": "equals",
23 |                 "name": "http_tokens",
24 |                 "value": "required"
25 | 
26 |               }
27 |             ]
28 |           }
29 |         },
30 | 
31 |       "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
32 |       "relatedLinks": [
33 |         "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
34 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_configuration#metadata-options",
35 |         "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
36 |       ]
37 |     }
38 |   ]
39 | }
40 | 


--------------------------------------------------------------------------------
/.tfsec/launch_template_imdsv2_tfchecks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "checks": [
 3 |     {
 4 |       "code": "CUS001",
 5 |       "description": "Check to IMDSv2 is required on EC2 instances created by this Launch Template",
 6 |       "impact": "Instance metadata service can be interacted with freely",
 7 |       "resolution": "Enable HTTP token requirement for IMDS",
 8 |       "requiredTypes": [
 9 |         "resource"
10 |       ],
11 |       "requiredLabels": [
12 |         "aws_launch_template"
13 |       ],
14 |       "severity": "CRITICAL",
15 |       "matchSpec": {
16 |           "action": "isPresent",
17 |           "name": "metadata_options",
18 |           "subMatch": {
19 |             "action": "and",
20 |             "predicateMatchSpec": [
21 |               {
22 |                 "action": "equals",
23 |                 "name": "http_tokens",
24 |                 "value": "required"
25 | 
26 |               }
27 |             ]
28 |           }
29 |         },
30 | 
31 |       "errorMessage": "is missing `metadata_options` block - it is required with `http_tokens` set to `required` to make Instance Metadata Service more secure.",
32 |       "relatedLinks": [
33 |         "https://tfsec.dev/docs/aws/ec2/enforce-http-token-imds#aws/ec2",
34 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template#metadata-options",
35 |         "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
36 |       ]
37 |     }
38 |   ]
39 | }
40 | 


--------------------------------------------------------------------------------
/.tfsec/no_launch_config_tfchecks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "checks": [
 3 |     {
 4 |       "code": "CUS003",
 5 |       "description": "Use `aws_launch_template` over `aws_launch_configuration",
 6 |       "impact": "Launch configurations are not capable of versions",
 7 |       "resolution": "Convert resource type and attributes to `aws_launch_template`",
 8 |       "requiredTypes": [
 9 |         "resource"
10 |       ],
11 |       "requiredLabels": [
12 |         "aws_launch_configuration"
13 |       ],
14 |       "severity": "MEDIUM",
15 |       "matchSpec": {
16 |           "action": "notPresent",
17 |           "name": "image_id"
18 |         },
19 | 
20 |       "errorMessage": "should be changed to `aws_launch_template` since the functionality is the same but templates can be versioned.",
21 |       "relatedLinks": [
22 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/launch_template",
23 |         "https://aws.amazon.com/blogs/security/defense-in-depth-open-firewalls-reverse-proxies-ssrf-vulnerabilities-ec2-instance-metadata-service"
24 |       ]
25 |     }
26 |   ]
27 | }
28 | 


--------------------------------------------------------------------------------
/.tfsec/sg_no_embedded_egress_rules_tfchecks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "checks": [
 3 |     {
 4 |       "code": "CUS005",
 5 |       "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
 6 |       "impact": "Embedded security group rules can cause issues during configuration updates.",
 7 |       "resolution": "Move `egress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
 8 |       "requiredTypes": [
 9 |         "resource"
10 |       ],
11 |       "requiredLabels": [
12 |         "aws_security_group"
13 |       ],
14 |       "severity": "MEDIUM",
15 |       "matchSpec": {
16 |           "action": "notPresent",
17 |           "name": "egress"
18 |         },
19 | 
20 |       "errorMessage": "`egress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
21 |       "relatedLinks": [
22 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
23 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
24 |       ]
25 |     }
26 |   ]
27 | }
28 | 


--------------------------------------------------------------------------------
/.tfsec/sg_no_embedded_ingress_rules_tfchecks.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "checks": [
 3 |     {
 4 |       "code": "CUS004",
 5 |       "description": "Security group rules should be defined with `aws_security_group_rule` instead of embedded.",
 6 |       "impact": "Embedded security group rules can cause issues during configuration updates.",
 7 |       "resolution": "Move `ingress` rules to `aws_security_group_rule` and attach to `aws_security_group`.",
 8 |       "requiredTypes": [
 9 |         "resource"
10 |       ],
11 |       "requiredLabels": [
12 |         "aws_security_group"
13 |       ],
14 |       "severity": "MEDIUM",
15 |       "matchSpec": {
16 |           "action": "notPresent",
17 |           "name": "ingress"
18 |         },
19 | 
20 |       "errorMessage": "`ingress` rules should be moved to `aws_security_group_rule` and attached to `aws_security_group` instead of embedded.",
21 |       "relatedLinks": [
22 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule",
23 |         "https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group"
24 |       ]
25 |     }
26 |   ]
27 | }
28 | 


--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
1 | * @aws-ia/aws-ia


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/NOTICE.txt:
--------------------------------------------------------------------------------
1 | Copyright 2016-2022 Amazon.com, Inc. or its affiliates. All Rights Reserved.
2 | 
3 | Licensed under the Apache License, Version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at
4 | 
5 |     http://aws.amazon.com/apache2.0/
6 | 
7 | or in the "license" file accompanying this file. This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
8 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | <!-- BEGIN_TF_DOCS -->
  2 | # AWS Network Firewall Module
  3 | 
  4 | *NOTE*: For information regarding the 1.0 upgrade see our [upgrade guide](./docs/UPGRADE-GUIDE-1.0.md)
  5 | 
  6 | [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/latest/developerguide/what-is-aws-network-firewall.html) is a managed network security service that makes it easy to deploy threat prevention for Amazon VPCs. This module can be used to deploy an AWS Network Firewall resource in the desired VPC, automating all the routing and logging configuration when the resource is deployed.
  7 | 
  8 | The module only handles the creation of the infrastructure, leaving full freedom to the user when defining the firewall rules (which should be done outside the module). Same applies to IAM roles and KMS keys when you define the firewall logging - rememeber that it is a best practice to encryt at rest your firewall logs.
  9 | 
 10 | ## Usage
 11 | 
 12 | To create AWS Network Firewall in your VPC, you need to provide the following information:
 13 | 
 14 | - `network_firewall_name` = (Required|string) Name to provide the AWS Network Firewall resource.
 15 | - `network_firewall_description` = (Required|string) A friendly description of the firewall resource.
 16 | - `network_firewall_policy`= (Required|string) ARN of the firewall policy to apply in the AWS Network Firewall resource. Check the definition of [AWS Network Firewall Policies](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) and [AWS Network Firewall Rule Groups](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) to see how you can create firewall policies.
 17 | - `network_firewall_delete_protection` = (Optional|bool) A boolean flag indicating whether it is possible to delete the firewall. Defaults to `false`.
 18 | - `network_firewall_policy_change_protection` = (Optional|bool) To indicate whether it is possible to change the associated firewall policy after creation. Defaults to `false`.
 19 | - `network_firewall_subnet_change_protection` = (Optional|bool) To indicate whether it is possible to change the associated subnet(s) after creation. Defaults to `false`.
 20 | - `network_firewall_encryption_key_arn` = (Optional|string) ARN of Customer managed KMS key for data encryption. By default, AWS managed key will be used.
 21 | - `vpc_id` = (Required|string) ID of the VPC where the AWS Network Firewall resource should be placed.
 22 | - `vpc_subnets` = (Required|map(string)) Map of subnet IDs to place the Network Firewall endpoints. The expected format of the map is the Availability Zone as key, and the ID of the subnet as value. Example (supposing us-east-1 as AWS Region):
 23 | 
 24 | ```hcl
 25 | vpc_subnets = {
 26 |     us-east-1a = subnet-IDa
 27 |     us-east-1b = subnet-IDb
 28 |     us-east-1c = subnet-IDc
 29 | }
 30 | ```
 31 | 
 32 | - `number_azs` = (Required|number) Number of Availability Zones to place the AWS Network Firewall endpoints.
 33 | - `routing_configuration` = (Required|any) Configuration of the routing desired in the VPC. Depending the VPC type, the information to provide is different. The configuration types supported are: `single_vpc`, `intra_vpc_inspection`, `centralized_inspection_without_egress`, and `centralized_inspection_with_egress`. **Only one key (option) can be defined**. More information about the differences between each of the VPC types (and examples) can be checked in the section below.
 34 | - `tags`= (Optional|map(string)) List of tags to apply to the AWS Network Firewall resource.
 35 | 
 36 | ## Routing configuration
 37 | 
 38 | Once the AWS Network Firewall resource is created, the routing to the firewall endpoints need to be created. However, depending the VPC and how we want to inspect the traffic, this routing configuration is going to be different. The module supports the routing configuration of 4 different types of VPCs, covering the most common [Inspection Deployment models with with AWS Network Firewall](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf).
 39 | 
 40 | ### Single VPC
 41 | 
 42 | The first use case is when the firewall endpoints are located in the VPC to inspect the traffic from/to workloads in that same VPC. When using this routing configuration, it is expected to place the firewall endpoints in subnets between the Internet gateway (IGW) and the public subnets (where you can place the Elastic Load Balancers and NAT gateways). The module expects in this configuration three variables:
 43 | 
 44 | - `igw_route_table` = (Required|string) VPC route table ID associated to an Internet gateway. In this route table it will be created routes pointing to the Network Firewall endpoints with destination the CIDR blocks provided in the `protected_subnet_cidr_blocks` variable.
 45 | - `protected_subnet_route_tables` = (Required|map(string)) Map of the VPC subnet route tables where the resources to protect (using the Network Firewall resource) are located - expected format of the map is Availability Zone (key) --> VPC route table (value). In these route tables it will be created the default route table pointing to the Network Firewall endpoints - ensuring Availability Zone affinity.
 46 | - `protected_subnet_cidr_blocks` = (Required|map(string)) Map of IPv4 CIDR blocks indicating the subnets where the resources to protect (using the Network Firewall resource) are located - expected format of the map is Availability Zone (key) --> IPv4 CIDR block (value).
 47 | 
 48 | An example of the definition of this routing configuration is the following one:
 49 | 
 50 | ```hcl
 51 | routing_configuration = {
 52 |     single_vpc = {
 53 |       igw_route_table = rtb-ID
 54 |       protected_subnet_route_tables = {
 55 |         us-east-1a = rtb-IDa
 56 |         us-east-1b = rtb-IDb
 57 |         us-east-1c = rtb-IDc
 58 |       }
 59 |       protected_subnet_cidr_blocks = {
 60 |         us-east-1a = "10.0.0.0/24"
 61 |         us-east-1b = "10.0.1.0/24"
 62 |         us-east-1c = "10.0.2.0/24"
 63 |       }
 64 |     }
 65 | }
 66 | ```
 67 | 
 68 | ### Intra-VPC Inspection
 69 | 
 70 | When placing firewall endpoints to inspect traffic between workloads inside the same VPC (between your EC2 instances and the database layer, for example) you can take advantage of the VPC routing enhacement - which allows you to include more specific routing than the local one. The module expects in this configuration two variables:
 71 | 
 72 | - `number_routes` = (Required|number) Number of configured items in the `routes` variable.
 73 | - `routes` = (Required|list(map(any))) List of intra-VPC route configurations. Important to note that only one direction is configured per item in this list, so in most situations you will need two items per group of subnets to inspect. Each item expects a map of strings with two values:
 74 |   - `source_subnet_route_tables` = (Required|map(string)) VPC route table of the source subnet - expected format of the map is Availability Zone (key) --> VPC route table (value)
 75 |   - `destination_subnet_cidr_blocks` = (Required|map(string)). IPv4 CIDR blocks of the destination subnet - expected format of the map is Availability Zone (key) --> IPv4 CIDR block (value)
 76 | 
 77 | An example of the definition of this routing configuration is the following one.
 78 | 
 79 | ```hcl
 80 | routing_configuration = {
 81 |     intra_vpc_inspection = {
 82 |       number_routes = 2
 83 |       routes = {
 84 |         {
 85 |           source_subnet_route_tables = {
 86 |             us-east-1a = rtb-IDa
 87 |             us-east-1b = rtb-IDb
 88 |             us-east-1c = rtb-IDc
 89 |           }
 90 |           destination_subnet_cidr_blocks = {
 91 |             us-east-1a = "10.0.0.0/24"
 92 |             us-east-1b = "10.0.1.0/24"
 93 |             us-east-1c = "10.0.2.0/24"
 94 |           }
 95 |         },
 96 |         {
 97 |           source_subnet_route_tables = {
 98 |             us-east-1a = rtb-IDaa
 99 |             us-east-1b = rtb-IDbb
100 |             us-east-1c = rtb-IDcc
101 |           }
102 |           destination_subnet_cidr_blocks = {
103 |             us-east-1a = "10.0.3.0/24"
104 |             us-east-1b = "10.0.4.0/24"
105 |             us-east-1c = "10.0.5.0/24"
106 |           }
107 |         }
108 |       }
109 |     }
110 | }
111 | ```
112 | 
113 | ### Hub and Spoke with Inspection VPC
114 | 
115 | The use case covers the creation of a centralized Inspection VPC in a hub-and-spoke architecture with [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) and/or [AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html), with the idea of managing the traffic inspection at scale. When using the key `centralized_inspection_without_egress` it is supposed that the Inspection VPC created is only used to place the Transit Gateway or Cloud WAN's core network ENIs and the firewall endpoints. In this configuration, you can configurate the following variables:
116 | 
117 | - `connectivity_subnet_route_tables` = (Optional|map(string)) Map of VPC subnet route tables where the Transit Gateway or Cloud WAN's core network ENIs are located. In these route tables a default route pointing to the Network Firewall endpoints is created - expected format of the map is Availability Zone (key) --> VPC route table (value)
118 | 
119 | An example of the definition of this routing configuration is the following one:
120 | 
121 | ```hcl
122 | routing_configuration = {
123 |     centralized_inspection_without_egress = {
124 |       connectivity_subnet_route_tables = {
125 |         us-east-1a = rtb-IDa
126 |         us-east-1b = rtb-IDb
127 |         us-east-1c = rtb-IDc
128 |       }
129 |     }
130 | }
131 | ```
132 | 
133 | ### Hub and Spoke with Inspection VPC (with egress traffic)
134 | 
135 | The use case covers the creation of a centralized Inspection VPC in a hub-and-spoke architecture with [AWS Transit Gateway](https://docs.aws.amazon.com/vpc/latest/tgw/what-is-transit-gateway.html) or [AWS Cloud WAN](https://docs.aws.amazon.com/network-manager/latest/cloudwan/what-is-cloudwan.html), with the idea of managing the traffic inspection at scale. When using the key `centralized_inspection_with_egress` it is supposed that the Inspection VPC also has access to the Internet, to centralize inspection and egress traffic at the same time. In this configuration, you can configurate the following variables:
136 | 
137 | - `connectivity_subnet_route_tables` = (Optional|map(string)) Map of VPC subnet route tables where the Transit Gateway or Cloud WAN's core network ENIs are located. In these route tables a default route pointing to the Network Firewall endpoints is created - expected format of the map is Availability Zone (key) --> VPC route table (value)
138 | - `public_subnet_route_tables` = (Required|map(string)) Map of VPC public subnet route tables. In these route tables, routes are created pointing to the Network Firewall endpoints with destination the CIDR blocks defined in the `network_cidr_blocks` variable. The expected format of the map is Availability Zone (key) --> VPC route table (value)
139 | - `network_cidr_blocks` = (Required|list(string)) List of IPv4 CIDR blocks defining the AWS network.
140 | 
141 | An example of the definition of this routing configuration is the following one:
142 | 
143 | ```hcl
144 | routing_configuration = {
145 |     centralized_inspection_with_egress = {
146 |       connectivity_subnet_route_tables = {
147 |         us-east-1a = rtb-IDa
148 |         us-east-1b = rtb-IDb
149 |         us-east-1c = rtb-IDc
150 |       }
151 |       public_subnet_route_tables = {
152 |         us-east-1a = rtb-IDaa
153 |         us-east-1b = rtb-IDbb
154 |         us-east-1c = rtb-IDcc
155 |       }
156 |       network_cidr_blocks = ["10.0.0.0/8", "192.168.0.0/24"]
157 |     }
158 | }
159 | ```
160 | 
161 | ## Logging
162 | 
163 | You can enable AWS Network Firewall logging for the [stateful engine](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-rules-engines.html). You can record the flow logs and/or alert logs, with only one destination per log type:
164 | 
165 | * [Amazon S3](https://aws.amazon.com/s3/) bucket.
166 | * [Amazon CloudWatch](https://aws.amazon.com/cloudwatch/) log group.
167 | * [Amazon Kinesis Data Firehose](https://aws.amazon.com/kinesis/data-firehose/) stream.
168 | 
169 | For more information about the logging in AWS Network Firewall, check the [AWS Network Firewall documentation](https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-logging.html).
170 | 
171 | Regarding the format of the variable, you can define either `flow_log` or `alert_log` configurations; with only 1 destination in each one of them. As mentioned above, 3 different destinations can be configured:
172 | 
173 | - `s3_bucket` = (Optional|map(string)) Configuration of an S3 bucket as logging destination. Two attributes are expected:
174 |   - `bucketName` = (Required|string) Name of the S3 bucket to deliver the logs.
175 |   - `logPrefix` = (Optional|string) Path inside the S3 bucket.
176 | - `cloudwatch_logs` = (Optional|map(string)) Configuration of a CloudWatch log group as logging destination. Only the attribute `logGroupName` (Required|string) is expected.
177 | - `kinesis_firehose` = (Optional|map(string)) Configuration of a Kinesis Data Firehose stream as logging desintation. Only the attribute `deliveryStreamName` (Required|string) is expected.
178 | 
179 | Example definition of each type:
180 | 
181 | ```hcl
182 | logging_configuration = {
183 |   flow_log = {
184 |     s3_bucket = {
185 |       bucketName = "my-bucket"
186 |       logPrefix = "/logs"
187 |     }
188 |   }
189 | }
190 | 
191 | logging_configuration = {
192 |   alert_log = {
193 |     cloudwatch_logs = {
194 |       logGroupName = "my-log-group"
195 |     }
196 |   }
197 | }
198 | 
199 | logging_configuration = {
200 |   alert_log = {
201 |     kinesis_firehose = {
202 |       deliveryStreamName = "my-stream"
203 |     }
204 |   }
205 | }
206 | ```
207 | 
208 | ## References
209 | 
210 | - Reference Architecture: [Inspection Deployment models with with AWS Network Firewall](https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/inspection-deployment-models-with-AWS-network-firewall-ra.pdf)
211 | - Blog post: [Deployment models for AWS Network Firewall](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/)
212 | - Blog post: [Deployment models for AWS Network Firewall with VPC routing enhancements](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall-with-vpc-routing-enhancements/)
213 | 
214 | ## Requirements
215 | 
216 | | Name | Version |
217 | |------|---------|
218 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
219 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0 |
220 | 
221 | ## Providers
222 | 
223 | | Name | Version |
224 | |------|---------|
225 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0 |
226 | 
227 | ## Modules
228 | 
229 | | Name | Source | Version |
230 | |------|--------|---------|
231 | | <a name="module_central_inspection_with_egress_routing"></a> [central\_inspection\_with\_egress\_routing](#module\_central\_inspection\_with\_egress\_routing) | ./modules/central_inspection_with_egress_routing | n/a |
232 | | <a name="module_intra_vpc_routing"></a> [intra\_vpc\_routing](#module\_intra\_vpc\_routing) | ./modules/intra_vpc_routing | n/a |
233 | | <a name="module_logging"></a> [logging](#module\_logging) | ./modules/logging | n/a |
234 | | <a name="module_tags"></a> [tags](#module\_tags) | aws-ia/label/aws | 0.0.6 |
235 | 
236 | ## Resources
237 | 
238 | | Name | Type |
239 | |------|------|
240 | | [aws_networkfirewall_firewall.anfw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |
241 | | [aws_route.connectivity_to_firewall_endpoint](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
242 | | [aws_route.connectivity_to_firewall_endpoint_without_egress](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
243 | | [aws_route.igw_route_table_to_protected_subnets](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
244 | | [aws_route.protected_route_table_to_internet](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
245 | 
246 | ## Inputs
247 | 
248 | | Name | Description | Type | Default | Required |
249 | |------|-------------|------|---------|:--------:|
250 | | <a name="input_network_firewall_description"></a> [network\_firewall\_description](#input\_network\_firewall\_description) | A friendly description of the firewall resource. | `string` | n/a | yes |
251 | | <a name="input_network_firewall_name"></a> [network\_firewall\_name](#input\_network\_firewall\_name) | Name to give the AWS Network Firewall resource created. | `string` | n/a | yes |
252 | | <a name="input_network_firewall_policy"></a> [network\_firewall\_policy](#input\_network\_firewall\_policy) | ARN of the firewall policy to include in AWS Network Firewall. | `string` | n/a | yes |
253 | | <a name="input_number_azs"></a> [number\_azs](#input\_number\_azs) | Number of Availability Zones to place the Network Firewall endpoints. | `number` | n/a | yes |
254 | | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID to place the Network Firewall endpoints. | `string` | n/a | yes |
255 | | <a name="input_vpc_subnets"></a> [vpc\_subnets](#input\_vpc\_subnets) | Map of subnet IDs to place the Network Firewall endpoints. The expected format of the map is the Availability Zone as key, and the ID of the subnet as value.<br>Example (supposing us-east-1 as AWS Region):<pre>vpc_subnets = {<br>    us-east-1a = subnet-IDa<br>    us-east-1b = subnet-IDb<br>    us-east-1c = subnet-IDc<br>}</pre> | `map(string)` | n/a | yes |
256 | | <a name="input_logging_configuration"></a> [logging\_configuration](#input\_logging\_configuration) | Configuration of the logging desired for the Network Firewall. You can configure at most 2 destinations for your logs, 1 for FLOW logs and 1 for ALERT logs.<br>More information about the format of the variable (and examples) can be found in the README.<pre></pre> | `any` | `{}` | no |
257 | | <a name="input_network_firewall_delete_protection"></a> [network\_firewall\_delete\_protection](#input\_network\_firewall\_delete\_protection) | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `false`. | `bool` | `false` | no |
258 | | <a name="input_network_firewall_encryption_key_arn"></a> [network\_firewall\_encryption\_key\_arn](#input\_network\_firewall\_encryption\_key\_arn) | Customer managed KMS Key ARN for encryption at rest. | `string` | `null` | no |
259 | | <a name="input_network_firewall_policy_change_protection"></a> [network\_firewall\_policy\_change\_protection](#input\_network\_firewall\_policy\_change\_protection) | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false`. | `bool` | `false` | no |
260 | | <a name="input_network_firewall_subnet_change_protection"></a> [network\_firewall\_subnet\_change\_protection](#input\_network\_firewall\_subnet\_change\_protection) | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `false`. | `bool` | `false` | no |
261 | | <a name="input_routing_configuration"></a> [routing\_configuration](#input\_routing\_configuration) | Configuration of the routing desired in the VPC. Depending the VPC type, the information to provide is different. The configuration types supported are: `single_vpc`, `intra_vpc_inspection`, `centralized_inspection_without_egress`, and `centralized_inspection_with_egress`. **Only one key (option) can be defined**<br>More information about the differences between each the routing configurations (and examples) can be checked in the README.<pre></pre> | `any` | `{}` | no |
262 | | <a name="input_tags"></a> [tags](#input\_tags) | Tags to apply to the resources. | `map(string)` | `{}` | no |
263 | 
264 | ## Outputs
265 | 
266 | | Name | Description |
267 | |------|-------------|
268 | | <a name="output_aws_network_firewall"></a> [aws\_network\_firewall](#output\_aws\_network\_firewall) | Full output of aws\_networkfirewall\_firewall resource. |
269 | <!-- END_TF_DOCS -->
270 | 


--------------------------------------------------------------------------------
/docs/UPGRADE-GUIDE-1.0.md:
--------------------------------------------------------------------------------
 1 | # Changes from 0.x to 1.x
 2 | 
 3 | * The input for the route tables of those subnets used for inter-VPC connectivity (where either AWS Transit Gateway or AWS Cloud WAN ENIs are placed) was renamed from `tgw_subnet_route_table` to `connectivity_subnet_route_table` to avoid confusion if those subnets where used for Cloud WAN attachments. This change applies in two routing configurations: `centralized_inspection_without_egress` and `centralized_inspection_with_egress`.
 4 | 
 5 | # Required Changes to Make
 6 | 
 7 | ## Changes in routing configuration `centralized_inspection_without_egress`
 8 | 
 9 | Before:
10 | 
11 | ```hcl
12 | routing_configuration = {
13 |   centralized_inspection_without_egress = {
14 |     tgw_subnet_route_tables = {...}
15 |   }
16 | }
17 | ```
18 | 
19 | After:
20 | 
21 | ```hcl
22 | routing_configuration = {
23 |   centralized_inspection_without_egress = {
24 |     connectivity_subnet_route_tables = {...}
25 |   }
26 | }
27 | ```
28 | 
29 | ## Changes in routing configuration `centralized_inspection_with_egress`
30 | 
31 | Before:
32 | 
33 | ```hcl
34 | routing_configuration = {
35 |   centralized_inspection_with_egress = {
36 |     tgw_subnet_route_tables    = {...}
37 |     public_subnet_route_tables = {...}
38 |     network_cidr_blocks        = [...]
39 |   }
40 | }
41 | ```
42 | 
43 | After:
44 | 
45 | ```hcl
46 | routing_configuration = {
47 |   centralized_inspection_with_egress = {
48 |     connectivity_subnet_route_tables = {...}
49 |     public_subnet_route_tables       = {...}
50 |     network_cidr_blocks              = [...]
51 |   }
52 | }
53 | ```
54 | 
55 | # Moved Resources
56 | 
57 | With this change in the new version, the VPC routes resources from the connectivity subnets (Transit Gateway or Cloud WAN's core network) to the Network Firewall endpoints change - creating a potential re-creation of the resources when you upgrade the module version.
58 | 
59 | To avoid the recreation of resources, we use [moved blocks](https://developer.hashicorp.com/terraform/language/modules/develop/refactoring) to update the Terraform state with the new names. You can find the moved blocks declaration in the **moved.tf** file.
60 | 


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/.header.md:
--------------------------------------------------------------------------------
 1 | # AWS Network Firewall Module - Centralized Inspection VPC (with egress traffic) in a Hub and Spoke architecture with AWS Transit Gateway
 2 | 
 3 | This example shows the creation of a centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway, with the idea of managing the traffic inspection at scale (East/West and North/South). This example creates the following resources:
 4 | 
 5 | * Outside of the Network Firewall module:
 6 |   * Firewall policies - in `policy.tf`
 7 |   * AWS Transit Gateway.
 8 |   * Inspection VPC, attached to the Transit Gateway, and with NAT gateways (to allow egress traffic).
 9 |   * Routing in the Inspection VPC to route traffic from the NAT gateways to the Internet (0.0.0.0/0), and from the inspection subnets to the Transit Gateway (network's supernet defined in `variables.tf`).
10 | * Created by the Network Firewall mdodule:
11 |   * AWS Network Firewall resource.
12 |   * Routing to the firewall endpoints (from the transit_gateway and public subnets).
13 | 
14 | The AWS Region used in the example is **eu-west-1 (Ireland)**.
15 | 
16 | ## Prerequisites
17 | 
18 | * An AWS account with an IAM user with the appropriate permissions
19 | * Terraform installed
20 | 
21 | ## Code Principles
22 | 
23 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
24 | 
25 | ## Usage
26 | 
27 | * Clone the repository
28 | * Edit the *variables.tf* file in the project root directory
29 | 
30 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.inspection_vpc.number_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/.terraform-docs.yaml:
--------------------------------------------------------------------------------
 1 | formatter: markdown
 2 | header-from: .header.md
 3 | settings:
 4 |   anchor: true
 5 |   color: true
 6 |   default: true
 7 |   escape: true
 8 |   html: true
 9 |   indent: 2
10 |   required: true
11 |   sensitive: true
12 |   type: true
13 | 
14 | sort:
15 |   enabled: true
16 |   by: required
17 | 
18 | output:
19 |   file: README.md
20 |   mode: replace
21 | 


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/README.md:
--------------------------------------------------------------------------------
 1 | <!-- BEGIN_TF_DOCS -->
 2 | # AWS Network Firewall Module - Centralized Inspection VPC (with egress traffic) in a Hub and Spoke architecture with AWS Transit Gateway
 3 | 
 4 | This example shows the creation of a centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway, with the idea of managing the traffic inspection at scale (East/West and North/South). This example creates the following resources:
 5 | 
 6 | * Outside of the Network Firewall module:
 7 |   * Firewall policies - in `policy.tf`
 8 |   * AWS Transit Gateway.
 9 |   * Inspection VPC, attached to the Transit Gateway, and with NAT gateways (to allow egress traffic).
10 |   * Routing in the Inspection VPC to route traffic from the NAT gateways to the Internet (0.0.0.0/0), and from the inspection subnets to the Transit Gateway (network's supernet defined in `variables.tf`).
11 | * Created by the Network Firewall mdodule:
12 |   * AWS Network Firewall resource.
13 |   * Routing to the firewall endpoints (from the transit\_gateway and public subnets).
14 | 
15 | The AWS Region used in the example is **eu-west-1 (Ireland)**.
16 | 
17 | ## Prerequisites
18 | 
19 | * An AWS account with an IAM user with the appropriate permissions
20 | * Terraform installed
21 | 
22 | ## Code Principles
23 | 
24 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
25 | 
26 | ## Usage
27 | 
28 | * Clone the repository
29 | * Edit the *variables.tf* file in the project root directory
30 | 
31 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.inspection\_vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
32 | 
33 | ## Requirements
34 | 
35 | | Name | Version |
36 | |------|---------|
37 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
38 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0 |
39 | 
40 | ## Providers
41 | 
42 | | Name | Version |
43 | |------|---------|
44 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0 |
45 | 
46 | ## Modules
47 | 
48 | | Name | Source | Version |
49 | |------|--------|---------|
50 | | <a name="module_inspection_vpc"></a> [inspection\_vpc](#module\_inspection\_vpc) | aws-ia/vpc/aws | = 4.3.0 |
51 | | <a name="module_network_firewall"></a> [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 1.0.0 |
52 | 
53 | ## Resources
54 | 
55 | | Name | Type |
56 | |------|------|
57 | | [aws_ec2_transit_gateway.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway) | resource |
58 | | [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
59 | | [aws_networkfirewall_rule_group.allow_domains](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
60 | | [aws_networkfirewall_rule_group.allow_icmp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
61 | | [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
62 | 
63 | ## Inputs
64 | 
65 | | Name | Description | Type | Default | Required |
66 | |------|-------------|------|---------|:--------:|
67 | | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"eu-west-1"` | no |
68 | | <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"central-inspection-egress"` | no |
69 | | <a name="input_inspection_vpc"></a> [inspection\_vpc](#input\_inspection\_vpc) | VPCs to create | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "inspection_subnet_netmask": 28,<br>  "number_azs": 2,<br>  "public_subnet_netmask": 28,<br>  "tgw_subnet_netmask": 28<br>}</pre> | no |
70 | | <a name="input_supernet"></a> [supernet](#input\_supernet) | Supernet CIDR block. | `map(string)` | <pre>{<br>  "ipv4": "10.0.0.0/8",<br>  "ipv6": "2001:db8:1234:1a00::/56"<br>}</pre> | no |
71 | 
72 | ## Outputs
73 | 
74 | | Name | Description |
75 | |------|-------------|
76 | | <a name="output_inspection_vpc"></a> [inspection\_vpc](#output\_inspection\_vpc) | VPCs created. |
77 | | <a name="output_network_firewall"></a> [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
78 | | <a name="output_transit_gateway"></a> [transit\_gateway](#output\_transit\_gateway) | AWS Transit Gateway ID. |
79 | <!-- END_TF_DOCS -->


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/main.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_with_egress/main.tf ---
 2 | 
 3 | # AWS Network Firewall
 4 | module "network_firewall" {
 5 |   source  = "aws-ia/networkfirewall/aws"
 6 |   version = "1.0.0"
 7 | 
 8 |   network_firewall_name        = "anfw-${var.identifier}"
 9 |   network_firewall_description = "AWS Network Firewall - ${var.identifier}"
10 |   network_firewall_policy      = aws_networkfirewall_firewall_policy.anfw_policy.arn
11 | 
12 |   vpc_id      = module.inspection_vpc.vpc_attributes.id
13 |   number_azs  = var.inspection_vpc.number_azs
14 |   vpc_subnets = { for k, v in module.inspection_vpc.private_subnet_attributes_by_az : split("/", k)[1] => v.id if split("/", k)[0] == "inspection" }
15 | 
16 |   routing_configuration = {
17 |     centralized_inspection_with_egress = {
18 |       connectivity_subnet_route_tables = { for k, v in module.inspection_vpc.rt_attributes_by_type_by_az.transit_gateway : k => v.id }
19 |       public_subnet_route_tables       = { for k, v in module.inspection_vpc.rt_attributes_by_type_by_az.public : k => v.id }
20 |       network_cidr_blocks              = [var.supernet]
21 |     }
22 |   }
23 | }
24 | 
25 | # AWS Transit Gateway
26 | resource "aws_ec2_transit_gateway" "tgw" {
27 |   description                     = "Transit Gateway - ${var.identifier}"
28 |   default_route_table_association = "disable"
29 |   default_route_table_propagation = "disable"
30 | 
31 |   tags = {
32 |     Name = "tgw-${var.identifier}"
33 |   }
34 | }
35 | 
36 | # Inspection VPC. Module - https://github.com/aws-ia/terraform-aws-vpc
37 | module "inspection_vpc" {
38 |   source  = "aws-ia/vpc/aws"
39 |   version = "= 4.3.0"
40 | 
41 |   name       = "inspection_vpc"
42 |   cidr_block = var.inspection_vpc.cidr_block
43 |   az_count   = var.inspection_vpc.number_azs
44 | 
45 |   transit_gateway_id = aws_ec2_transit_gateway.tgw.id
46 |   transit_gateway_routes = {
47 |     inspection = var.supernet
48 |   }
49 | 
50 |   subnets = {
51 |     public = {
52 |       netmask                   = var.inspection_vpc.public_subnet_netmask
53 |       nat_gateway_configuration = "all_azs"
54 |     }
55 |     inspection = {
56 |       netmask                 = var.inspection_vpc.inspection_subnet_netmask
57 |       connect_to_public_natgw = true
58 |     }
59 |     transit_gateway = {
60 |       netmask                                         = var.inspection_vpc.tgw_subnet_netmask
61 |       transit_gateway_default_route_table_association = false
62 |       transit_gateway_default_route_table_propagation = false
63 |       transit_gateway_appliance_mode_support          = "enable"
64 |     }
65 |   }
66 | }
67 | 
68 | 


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/outputs.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_with_egress/outputs.tf ---
 2 | 
 3 | output "transit_gateway" {
 4 |   description = "AWS Transit Gateway ID."
 5 |   value       = aws_ec2_transit_gateway.tgw.id
 6 | }
 7 | 
 8 | output "inspection_vpc" {
 9 |   description = "VPCs created."
10 |   value       = module.inspection_vpc.vpc_attributes.id
11 | }
12 | 
13 | output "network_firewall" {
14 |   description = "AWS Network Firewall ID."
15 |   value       = module.network_firewall.aws_network_firewall.id
16 | }


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/policy.tf:
--------------------------------------------------------------------------------
  1 | # --- examples/central_inspection_with_egress/policy.tf ---
  2 | 
  3 | resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  4 |   name = "firewall-policy-${var.identifier}"
  5 | 
  6 |   firewall_policy {
  7 | 
  8 |     # Stateless configuration
  9 |     stateless_default_actions          = ["aws:forward_to_sfe"]
 10 |     stateless_fragment_default_actions = ["aws:forward_to_sfe"]
 11 | 
 12 |     stateless_rule_group_reference {
 13 |       priority     = 10
 14 |       resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
 15 |     }
 16 | 
 17 |     # Stateful configuration
 18 |     stateful_engine_options {
 19 |       rule_order = "STRICT_ORDER"
 20 |     }
 21 |     stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
 22 |     stateful_rule_group_reference {
 23 |       priority     = 10
 24 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp.arn
 25 |     }
 26 |     stateful_rule_group_reference {
 27 |       priority     = 20
 28 |       resource_arn = aws_networkfirewall_rule_group.allow_domains.arn
 29 |     }
 30 |   }
 31 | }
 32 | 
 33 | # Stateless Rule Group - Dropping any SSH or RDP connection
 34 | resource "aws_networkfirewall_rule_group" "drop_remote" {
 35 |   capacity = 2
 36 |   name     = "drop-remote-${var.identifier}"
 37 |   type     = "STATELESS"
 38 |   rule_group {
 39 |     rules_source {
 40 |       stateless_rules_and_custom_actions {
 41 | 
 42 |         stateless_rule {
 43 |           priority = 1
 44 |           rule_definition {
 45 |             actions = ["aws:drop"]
 46 |             match_attributes {
 47 |               protocols = [6]
 48 |               source {
 49 |                 address_definition = "0.0.0.0/0"
 50 |               }
 51 |               source_port {
 52 |                 from_port = 22
 53 |                 to_port   = 22
 54 |               }
 55 |               destination {
 56 |                 address_definition = "0.0.0.0/0"
 57 |               }
 58 |               destination_port {
 59 |                 from_port = 22
 60 |                 to_port   = 22
 61 |               }
 62 |             }
 63 |           }
 64 |         }
 65 | 
 66 |         stateless_rule {
 67 |           priority = 2
 68 |           rule_definition {
 69 |             actions = ["aws:drop"]
 70 |             match_attributes {
 71 |               protocols = [27]
 72 |               source {
 73 |                 address_definition = "0.0.0.0/0"
 74 |               }
 75 |               destination {
 76 |                 address_definition = "0.0.0.0/0"
 77 |               }
 78 |             }
 79 |           }
 80 |         }
 81 |       }
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | # Stateful Rule Group 1 - Allowing ICMP traffic
 87 | resource "aws_networkfirewall_rule_group" "allow_icmp" {
 88 |   capacity = 100
 89 |   name     = "allow-icmp-${var.identifier}"
 90 |   type     = "STATEFUL"
 91 |   rule_group {
 92 |     rule_variables {
 93 |       ip_sets {
 94 |         key = "SUPERNET"
 95 |         ip_set {
 96 |           definition = [var.supernet]
 97 |         }
 98 |       }
 99 |     }
100 |     rules_source {
101 |       rules_string = <<EOF
102 |       pass icmp $SUPERNET any -> $SUPERNET any (msg: "Allowing ICMP packets"; sid:2; rev:1;)
103 |       EOF
104 |     }
105 |     stateful_rule_options {
106 |       rule_order = "STRICT_ORDER"
107 |     }
108 |   }
109 | }
110 | 
111 | # Stateful Rule Group 2 - Allowing access to .amazon.com (HTTPS)
112 | resource "aws_networkfirewall_rule_group" "allow_domains" {
113 |   capacity = 100
114 |   name     = "allow-domains-${var.identifier}"
115 |   type     = "STATEFUL"
116 |   rule_group {
117 |     rules_source {
118 |       rules_string = <<EOF
119 |       pass tcp any any <> $EXTERNAL_NET 443 (msg:"Allowing TCP in port 443"; flow:not_established; sid:892123; rev:1;)
120 |       pass tls any any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazon.com"; endswith; msg:"Allowing .amazon.com HTTPS requests"; sid:892125; rev:1;)
121 |       EOF
122 |     }
123 |     stateful_rule_options {
124 |       rule_order = "STRICT_ORDER"
125 |     }
126 |   }
127 | }


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_with_egress/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 
13 | # AWS Provider configuration - AWS Region indicated in root/variables.tf
14 | provider "aws" {
15 |   region = var.aws_region
16 | }


--------------------------------------------------------------------------------
/examples/central_inspection_with_egress/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_with_egress/variables.tf ---
 2 | 
 3 | variable "aws_region" {
 4 |   description = "AWS Region."
 5 |   type        = string
 6 | 
 7 |   default = "eu-west-1"
 8 | }
 9 | 
10 | variable "identifier" {
11 |   description = "Project identifier."
12 |   type        = string
13 | 
14 |   default = "central-inspection-egress"
15 | }
16 | 
17 | variable "supernet" {
18 |   description = "Supernet CIDR block."
19 |   type        = map(string)
20 | 
21 |   default = {
22 |     ipv4 = "10.0.0.0/8"
23 |     ipv6 = "2001:db8:1234:1a00::/56"
24 |   }
25 | }
26 | 
27 | variable "inspection_vpc" {
28 |   description = "VPCs to create"
29 |   type        = any
30 |   default = {
31 |     cidr_block                = "10.129.0.0/16"
32 |     public_subnet_netmask     = 28
33 |     inspection_subnet_netmask = 28
34 |     tgw_subnet_netmask        = 28
35 |     number_azs                = 2
36 |   }
37 | }


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/.header.md:
--------------------------------------------------------------------------------
 1 | # AWS Network Firewall Module - Centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway
 2 | 
 3 | This example shows the creation of a centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway, with the idea of managing the traffic inspection at scale (East/West). This example creates the following resources:
 4 | 
 5 | * Outside of the Network Firewall module:
 6 |   * Firewall policies - in `policy.tf`
 7 |   * AWS Transit Gateway.
 8 |   * Inspection VPC, attached to the Transit Gateway.
 9 |   * Routing in the Inspection VPC to route traffic from the inspection subnets to the Transit Gateway (0.0.0.0/0).
10 | * Created by the Network Firewall mdodule:
11 |   * AWS Network Firewall resource.
12 |   * Routing to the firewall endpoints (from the transit_gateway).
13 | 
14 | The AWS Region used in the example is **us-west-1 (N. California)**.
15 | 
16 | ## Prerequisites
17 | 
18 | * An AWS account with an IAM user with the appropriate permissions
19 | * Terraform installed
20 | 
21 | ## Code Principles
22 | 
23 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
24 | 
25 | ## Usage
26 | 
27 | * Clone the repository
28 | * Edit the *variables.tf* file in the project root directory
29 | 
30 | **Note** Network Firewall endpoints will be deployted in all the Availability Zones used in the example (*var.vpc.number_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
31 | 


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/.terraform-docs.yaml:
--------------------------------------------------------------------------------
 1 | formatter: markdown
 2 | header-from: .header.md
 3 | settings:
 4 |   anchor: true
 5 |   color: true
 6 |   default: true
 7 |   escape: true
 8 |   html: true
 9 |   indent: 2
10 |   required: true
11 |   sensitive: true
12 |   type: true
13 | 
14 | sort:
15 |   enabled: true
16 |   by: required
17 | 
18 | output:
19 |   file: README.md
20 |   mode: replace
21 | 


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/README.md:
--------------------------------------------------------------------------------
 1 | <!-- BEGIN_TF_DOCS -->
 2 | # AWS Network Firewall Module - Centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway
 3 | 
 4 | This example shows the creation of a centralized Inspection VPC in a Hub and Spoke architecture with AWS Transit Gateway, with the idea of managing the traffic inspection at scale (East/West). This example creates the following resources:
 5 | 
 6 | * Outside of the Network Firewall module:
 7 |   * Firewall policies - in `policy.tf`
 8 |   * AWS Transit Gateway.
 9 |   * Inspection VPC, attached to the Transit Gateway.
10 |   * Routing in the Inspection VPC to route traffic from the inspection subnets to the Transit Gateway (0.0.0.0/0).
11 | * Created by the Network Firewall mdodule:
12 |   * AWS Network Firewall resource.
13 |   * Routing to the firewall endpoints (from the transit\_gateway).
14 | 
15 | The AWS Region used in the example is **us-west-1 (N. California)**.
16 | 
17 | ## Prerequisites
18 | 
19 | * An AWS account with an IAM user with the appropriate permissions
20 | * Terraform installed
21 | 
22 | ## Code Principles
23 | 
24 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
25 | 
26 | ## Usage
27 | 
28 | * Clone the repository
29 | * Edit the *variables.tf* file in the project root directory
30 | 
31 | **Note** Network Firewall endpoints will be deployted in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
32 | 
33 | ## Requirements
34 | 
35 | | Name | Version |
36 | |------|---------|
37 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
38 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0 |
39 | 
40 | ## Providers
41 | 
42 | | Name | Version |
43 | |------|---------|
44 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0 |
45 | 
46 | ## Modules
47 | 
48 | | Name | Source | Version |
49 | |------|--------|---------|
50 | | <a name="module_inspection_vpc"></a> [inspection\_vpc](#module\_inspection\_vpc) | aws-ia/vpc/aws | = 4.3.0 |
51 | | <a name="module_network_firewall"></a> [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 1.0.0 |
52 | 
53 | ## Resources
54 | 
55 | | Name | Type |
56 | |------|------|
57 | | [aws_ec2_transit_gateway.tgw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway) | resource |
58 | | [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
59 | | [aws_networkfirewall_rule_group.allow_icmp_1_to_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
60 | | [aws_networkfirewall_rule_group.allow_icmp_2_to_3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
61 | | [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
62 | 
63 | ## Inputs
64 | 
65 | | Name | Description | Type | Default | Required |
66 | |------|-------------|------|---------|:--------:|
67 | | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"us-west-1"` | no |
68 | | <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"central-inspection"` | no |
69 | | <a name="input_inspection_vpc"></a> [inspection\_vpc](#input\_inspection\_vpc) | VPCs to create | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "number_azs": 2,<br>  "private_subnet_netmask": 28,<br>  "tgw_subnet_netmask": 28<br>}</pre> | no |
70 | 
71 | ## Outputs
72 | 
73 | | Name | Description |
74 | |------|-------------|
75 | | <a name="output_inspection_vpc"></a> [inspection\_vpc](#output\_inspection\_vpc) | Inspection VPC ID. |
76 | | <a name="output_network_firewall"></a> [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
77 | | <a name="output_transit_gateway"></a> [transit\_gateway](#output\_transit\_gateway) | AWS Transit Gateway ID. |
78 | <!-- END_TF_DOCS -->


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/main.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_without_egress/main.tf ---
 2 | 
 3 | # AWS Network Firewall
 4 | module "network_firewall" {
 5 |   source  = "aws-ia/networkfirewall/aws"
 6 |   version = "1.0.0"
 7 | 
 8 |   network_firewall_name        = "anfw-${var.identifier}"
 9 |   network_firewall_description = "AWS Network Firewall - ${var.identifier}"
10 |   network_firewall_policy      = aws_networkfirewall_firewall_policy.anfw_policy.arn
11 | 
12 |   vpc_id      = module.inspection_vpc.vpc_attributes.id
13 |   number_azs  = var.inspection_vpc.number_azs
14 |   vpc_subnets = { for k, v in module.inspection_vpc.private_subnet_attributes_by_az : split("/", k)[1] => v.id if split("/", k)[0] == "inspection" }
15 | 
16 |   routing_configuration = {
17 |     centralized_inspection_without_egress = {
18 |       connectivity_subnet_route_tables = { for k, v in module.inspection_vpc.rt_attributes_by_type_by_az.transit_gateway : k => v.id }
19 |     }
20 |   }
21 | }
22 | 
23 | # AWS Transit Gateway
24 | resource "aws_ec2_transit_gateway" "tgw" {
25 |   description                     = "Transit Gateway - ${var.identifier}"
26 |   default_route_table_association = "disable"
27 |   default_route_table_propagation = "disable"
28 | 
29 |   tags = {
30 |     Name = "tgw-${var.identifier}"
31 |   }
32 | }
33 | 
34 | # Inspection VPC. Module - https://github.com/aws-ia/terraform-aws-vpc
35 | module "inspection_vpc" {
36 |   source  = "aws-ia/vpc/aws"
37 |   version = "= 4.3.0"
38 | 
39 |   transit_gateway_id = aws_ec2_transit_gateway.tgw.id
40 |   transit_gateway_routes = {
41 |     inspection = "0.0.0.0/0"
42 |   }
43 | 
44 |   name       = "inspection_vpc"
45 |   cidr_block = var.inspection_vpc.cidr_block
46 |   az_count   = var.inspection_vpc.number_azs
47 | 
48 |   subnets = {
49 |     inspection = { netmask = var.inspection_vpc.private_subnet_netmask }
50 |     transit_gateway = {
51 |       netmask                                         = var.inspection_vpc.tgw_subnet_netmask
52 |       transit_gateway_default_route_table_association = false
53 |       transit_gateway_default_route_table_propagation = false
54 |       transit_gateway_appliance_mode_support          = "enable"
55 |     }
56 |   }
57 | }


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/outputs.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_without_egress/outputs.tf ---
 2 | 
 3 | output "transit_gateway" {
 4 |   description = "AWS Transit Gateway ID."
 5 |   value       = aws_ec2_transit_gateway.tgw.id
 6 | }
 7 | 
 8 | output "inspection_vpc" {
 9 |   description = "Inspection VPC ID."
10 |   value       = module.inspection_vpc.vpc_attributes.id
11 | }
12 | 
13 | output "network_firewall" {
14 |   description = "AWS Network Firewall ID."
15 |   value       = module.network_firewall.aws_network_firewall.id
16 | }


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/policy.tf:
--------------------------------------------------------------------------------
  1 | # --- examples/central_inspection_without_egress/policy.tf ---
  2 | 
  3 | resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  4 |   name = "firewall-policy-${var.identifier}"
  5 | 
  6 |   firewall_policy {
  7 | 
  8 |     # Stateless configuration
  9 |     stateless_default_actions          = ["aws:forward_to_sfe"]
 10 |     stateless_fragment_default_actions = ["aws:forward_to_sfe"]
 11 | 
 12 |     stateless_rule_group_reference {
 13 |       priority     = 10
 14 |       resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
 15 |     }
 16 | 
 17 |     # Stateful configuration
 18 |     stateful_engine_options {
 19 |       rule_order = "STRICT_ORDER"
 20 |     }
 21 |     stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
 22 |     stateful_rule_group_reference {
 23 |       priority     = 10
 24 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp_1_to_2.arn
 25 |     }
 26 |     stateful_rule_group_reference {
 27 |       priority     = 20
 28 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp_2_to_3.arn
 29 |     }
 30 |   }
 31 | }
 32 | 
 33 | # Stateless Rule Group - Dropping any SSH or RDP connection
 34 | resource "aws_networkfirewall_rule_group" "drop_remote" {
 35 |   capacity = 2
 36 |   name     = "drop-remote-${var.identifier}"
 37 |   type     = "STATELESS"
 38 |   rule_group {
 39 |     rules_source {
 40 |       stateless_rules_and_custom_actions {
 41 | 
 42 |         stateless_rule {
 43 |           priority = 1
 44 |           rule_definition {
 45 |             actions = ["aws:drop"]
 46 |             match_attributes {
 47 |               protocols = [6]
 48 |               source {
 49 |                 address_definition = "0.0.0.0/0"
 50 |               }
 51 |               source_port {
 52 |                 from_port = 22
 53 |                 to_port   = 22
 54 |               }
 55 |               destination {
 56 |                 address_definition = "0.0.0.0/0"
 57 |               }
 58 |               destination_port {
 59 |                 from_port = 22
 60 |                 to_port   = 22
 61 |               }
 62 |             }
 63 |           }
 64 |         }
 65 | 
 66 |         stateless_rule {
 67 |           priority = 2
 68 |           rule_definition {
 69 |             actions = ["aws:drop"]
 70 |             match_attributes {
 71 |               protocols = [27]
 72 |               source {
 73 |                 address_definition = "0.0.0.0/0"
 74 |               }
 75 |               destination {
 76 |                 address_definition = "0.0.0.0/0"
 77 |               }
 78 |             }
 79 |           }
 80 |         }
 81 |       }
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | # Stateful Rule Group 1 - Allowing ICMP traffic from Spoke VPC 1 to 2
 87 | resource "aws_networkfirewall_rule_group" "allow_icmp_1_to_2" {
 88 |   capacity = 100
 89 |   name     = "allow-icmp-12-${var.identifier}"
 90 |   type     = "STATEFUL"
 91 |   rule_group {
 92 |     rule_variables {
 93 |       ip_sets {
 94 |         key = "SPOKE1"
 95 |         ip_set {
 96 |           definition = ["10.0.0.0/24"]
 97 |         }
 98 |       }
 99 |       ip_sets {
100 |         key = "SPOKE2"
101 |         ip_set {
102 |           definition = ["10.0.1.0/24"]
103 |         }
104 |       }
105 |     }
106 |     rules_source {
107 |       rules_string = <<EOF
108 |       pass icmp $SPOKE1 any -> $SPOKE2 any (msg: "Allowing ICMP packets from Spoke VPC 1 to 2"; sid:2; rev:1;)
109 |       EOF
110 |     }
111 |     stateful_rule_options {
112 |       rule_order = "STRICT_ORDER"
113 |     }
114 |   }
115 | }
116 | 
117 | # Stateful Rule Group 2 - Allowing ICMP traffic from Spoke VPC 2 to 3
118 | resource "aws_networkfirewall_rule_group" "allow_icmp_2_to_3" {
119 |   capacity = 100
120 |   name     = "allow-icmp-23-${var.identifier}"
121 |   type     = "STATEFUL"
122 |   rule_group {
123 |     rule_variables {
124 |       ip_sets {
125 |         key = "SPOKE2"
126 |         ip_set {
127 |           definition = ["10.0.1.0/24"]
128 |         }
129 |       }
130 |       ip_sets {
131 |         key = "SPOKE3"
132 |         ip_set {
133 |           definition = ["10.0.2.0/24"]
134 |         }
135 |       }
136 |     }
137 |     rules_source {
138 |       rules_string = <<EOF
139 |       pass icmp $SPOKE2 any -> $SPOKE3 any (msg: "Allowing ICMP packets from Spoke VPC 2 to 3"; sid:2; rev:1;)
140 |       EOF
141 |     }
142 |     stateful_rule_options {
143 |       rule_order = "STRICT_ORDER"
144 |     }
145 |   }
146 | }
147 | 


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_without_egress/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 
13 | # AWS Provider configuration - AWS Region indicated in root/variables.tf
14 | provider "aws" {
15 |   region = var.aws_region
16 | }


--------------------------------------------------------------------------------
/examples/central_inspection_without_egress/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/central_inspection_without_egress/variables.tf ---
 2 | 
 3 | variable "aws_region" {
 4 |   description = "AWS Region."
 5 |   type        = string
 6 | 
 7 |   default = "us-west-1"
 8 | }
 9 | 
10 | variable "identifier" {
11 |   description = "Project identifier."
12 |   type        = string
13 | 
14 |   default = "central-inspection"
15 | }
16 | 
17 | variable "inspection_vpc" {
18 |   description = "VPCs to create"
19 |   type        = any
20 |   default = {
21 |     cidr_block             = "10.129.0.0/16"
22 |     private_subnet_netmask = 28
23 |     tgw_subnet_netmask     = 28
24 |     number_azs             = 2
25 |   }
26 | }


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/.header.md:
--------------------------------------------------------------------------------
 1 | # AWS Network Firewall Module - Intra-VPC Inspection
 2 | 
 3 | This example builds AWS Network Firewall in a single VPC to perform intra-VPC inspection between its subnets. This example creates the following resources:
 4 | 
 5 | * Outside of the Network Firewall module:
 6 |   * Firewall policies - in `policy.tf`
 7 |   * Amazon VPC with several subnets (3 private subnets, 1 inspection subnet, 1 endpoints subnet)
 8 | * Created by the Network Firewall mdodule:
 9 |   * AWS Network Firewall resource.
10 |   * Routing to the firewall endpoints - to inspect traffic between the private subnets.
11 | 
12 | The AWS Region used in the example is **eu-west-2 (London)**.
13 | 
14 | ## Prerequisites
15 | 
16 | * An AWS account with an IAM user with the appropriate permissions
17 | * Terraform installed
18 | 
19 | ## Code Principles
20 | 
21 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
22 | 
23 | ## Usage
24 | 
25 | * Clone the repository
26 | * Edit the *variables.tf* file in the project root directory
27 | 
28 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
29 | 


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/.terraform-docs.yaml:
--------------------------------------------------------------------------------
 1 | formatter: markdown
 2 | header-from: .header.md
 3 | settings:
 4 |   anchor: true
 5 |   color: true
 6 |   default: true
 7 |   escape: true
 8 |   html: true
 9 |   indent: 2
10 |   required: true
11 |   sensitive: true
12 |   type: true
13 | 
14 | sort:
15 |   enabled: true
16 |   by: required
17 | 
18 | output:
19 |   file: README.md
20 |   mode: replace
21 | 


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/README.md:
--------------------------------------------------------------------------------
 1 | <!-- BEGIN_TF_DOCS -->
 2 | # AWS Network Firewall Module - Intra-VPC Inspection
 3 | 
 4 | This example builds AWS Network Firewall in a single VPC to perform intra-VPC inspection between its subnets. This example creates the following resources:
 5 | 
 6 | * Outside of the Network Firewall module:
 7 |   * Firewall policies - in `policy.tf`
 8 |   * Amazon VPC with several subnets (3 private subnets, 1 inspection subnet, 1 endpoints subnet)
 9 | * Created by the Network Firewall mdodule:
10 |   * AWS Network Firewall resource.
11 |   * Routing to the firewall endpoints - to inspect traffic between the private subnets.
12 | 
13 | The AWS Region used in the example is **eu-west-2 (London)**.
14 | 
15 | ## Prerequisites
16 | 
17 | * An AWS account with an IAM user with the appropriate permissions
18 | * Terraform installed
19 | 
20 | ## Code Principles
21 | 
22 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
23 | 
24 | ## Usage
25 | 
26 | * Clone the repository
27 | * Edit the *variables.tf* file in the project root directory
28 | 
29 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
30 | 
31 | ## Requirements
32 | 
33 | | Name | Version |
34 | |------|---------|
35 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
36 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0 |
37 | 
38 | ## Providers
39 | 
40 | | Name | Version |
41 | |------|---------|
42 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0 |
43 | 
44 | ## Modules
45 | 
46 | | Name | Source | Version |
47 | |------|--------|---------|
48 | | <a name="module_network_firewall"></a> [network\_firewall](#module\_network\_firewall) | aws-ia/networkfirewall/aws | 1.0.0 |
49 | | <a name="module_vpc"></a> [vpc](#module\_vpc) | aws-ia/vpc/aws | = 4.3.0 |
50 | 
51 | ## Resources
52 | 
53 | | Name | Type |
54 | |------|------|
55 | | [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
56 | | [aws_networkfirewall_rule_group.allow_icmp_private1_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
57 | | [aws_networkfirewall_rule_group.allow_icmp_private2_3](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
58 | | [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
59 | 
60 | ## Inputs
61 | 
62 | | Name | Description | Type | Default | Required |
63 | |------|-------------|------|---------|:--------:|
64 | | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"eu-west-2"` | no |
65 | | <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"intra-vpc-inspection"` | no |
66 | | <a name="input_vpc"></a> [vpc](#input\_vpc) | Information about the VPC to create. | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "inspection_subnet_cidrs": [<br>    "10.129.6.0/28",<br>    "10.129.6.16/28"<br>  ],<br>  "number_azs": 2,<br>  "private1_subnet_cidrs": [<br>    "10.129.0.0/24",<br>    "10.129.1.0/24"<br>  ],<br>  "private2_subnet_cidrs": [<br>    "10.129.2.0/24",<br>    "10.129.3.0/24"<br>  ],<br>  "private3_subnet_cidrs": [<br>    "10.129.4.0/24",<br>    "10.129.5.0/24"<br>  ]<br>}</pre> | no |
67 | 
68 | ## Outputs
69 | 
70 | | Name | Description |
71 | |------|-------------|
72 | | <a name="output_network_firewall"></a> [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
73 | | <a name="output_vpc"></a> [vpc](#output\_vpc) | VPC ID. |
74 | <!-- END_TF_DOCS -->


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/main.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/intra_vpc_inspection/main.tf ---
 2 | 
 3 | # AWS Network Firewall
 4 | module "network_firewall" {
 5 |   source  = "aws-ia/networkfirewall/aws"
 6 |   version = "1.0.0"
 7 | 
 8 |   network_firewall_name        = "anfw-${var.identifier}"
 9 |   network_firewall_description = "AWS Network Firewall - ${var.identifier}"
10 |   network_firewall_policy      = aws_networkfirewall_firewall_policy.anfw_policy.arn
11 | 
12 |   vpc_id      = module.vpc.vpc_attributes.id
13 |   number_azs  = var.vpc.number_azs
14 |   vpc_subnets = { for k, v in module.vpc.private_subnet_attributes_by_az : split("/", k)[1] => v.id if split("/", k)[0] == "inspection" }
15 | 
16 |   routing_configuration = {
17 |     intra_vpc_inspection = {
18 |       number_routes = 6
19 |       routes = [
20 |         {
21 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private1" }
22 |           destination_subnet_cidr_blocks = local.private2_cidrs
23 |         },
24 |         {
25 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private2" }
26 |           destination_subnet_cidr_blocks = local.private1_cidrs
27 |         },
28 |         {
29 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private1" }
30 |           destination_subnet_cidr_blocks = local.private3_cidrs
31 |         },
32 |         {
33 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private3" }
34 |           destination_subnet_cidr_blocks = local.private1_cidrs
35 |         },
36 |         {
37 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private2" }
38 |           destination_subnet_cidr_blocks = local.private3_cidrs
39 |         },
40 |         {
41 |           source_subnet_route_tables     = { for k, v in module.vpc.rt_attributes_by_type_by_az.private : split("/", k)[1] => v.id if split("/", k)[0] == "private3" }
42 |           destination_subnet_cidr_blocks = local.private2_cidrs
43 |         }
44 |       ]
45 |     }
46 |   }
47 | }
48 | 
49 | # VPC Module - https://github.com/aws-ia/terraform-aws-vpc
50 | module "vpc" {
51 |   source  = "aws-ia/vpc/aws"
52 |   version = "= 4.3.0"
53 | 
54 |   name       = "vpc_intra_inspection"
55 |   cidr_block = var.vpc.cidr_block
56 |   az_count   = var.vpc.number_azs
57 | 
58 |   subnets = {
59 |     private1   = { cidrs = var.vpc.private1_subnet_cidrs }
60 |     private2   = { cidrs = var.vpc.private2_subnet_cidrs }
61 |     private3   = { cidrs = var.vpc.private3_subnet_cidrs }
62 |     inspection = { cidrs = var.vpc.inspection_subnet_cidrs }
63 |   }
64 | }
65 | 
66 | # Local variables - creating maps of subnet CIDRs. Format: AZ --> CIDR block
67 | locals {
68 |   private1_cidrs = tomap({
69 |     for i, az in module.vpc.azs : az => var.vpc.private1_subnet_cidrs[i]
70 |   })
71 |   private2_cidrs = tomap({
72 |     for i, az in module.vpc.azs : az => var.vpc.private2_subnet_cidrs[i]
73 |   })
74 |   private3_cidrs = tomap({
75 |     for i, az in module.vpc.azs : az => var.vpc.private3_subnet_cidrs[i]
76 |   })
77 | }
78 | 
79 | 
80 | 


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/outputs.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/intra_vpc_inspection/outputs.tf ---
 2 | 
 3 | output "vpc" {
 4 |   description = "VPC ID."
 5 |   value       = module.vpc.vpc_attributes.id
 6 | }
 7 | 
 8 | output "network_firewall" {
 9 |   description = "AWS Network Firewall ID."
10 |   value       = module.network_firewall.aws_network_firewall.id
11 | }
12 | 


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/policy.tf:
--------------------------------------------------------------------------------
  1 | # --- examples/intra_vpc_inspection/policy.tf ---
  2 | 
  3 | resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  4 |   name = "firewall-policy-${var.identifier}"
  5 | 
  6 |   firewall_policy {
  7 | 
  8 |     # Stateless configuration
  9 |     stateless_default_actions          = ["aws:forward_to_sfe"]
 10 |     stateless_fragment_default_actions = ["aws:forward_to_sfe"]
 11 | 
 12 |     stateless_rule_group_reference {
 13 |       priority     = 10
 14 |       resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
 15 |     }
 16 | 
 17 |     # Stateful configuration
 18 |     stateful_engine_options {
 19 |       rule_order = "STRICT_ORDER"
 20 |     }
 21 |     stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
 22 |     stateful_rule_group_reference {
 23 |       priority     = 10
 24 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp_private1_2.arn
 25 |     }
 26 |     stateful_rule_group_reference {
 27 |       priority     = 20
 28 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp_private2_3.arn
 29 |     }
 30 |   }
 31 | }
 32 | 
 33 | # Stateless Rule Group - Dropping any SSH or RDP connection
 34 | resource "aws_networkfirewall_rule_group" "drop_remote" {
 35 |   capacity = 2
 36 |   name     = "drop-remote-${var.identifier}"
 37 |   type     = "STATELESS"
 38 |   rule_group {
 39 |     rules_source {
 40 |       stateless_rules_and_custom_actions {
 41 | 
 42 |         stateless_rule {
 43 |           priority = 1
 44 |           rule_definition {
 45 |             actions = ["aws:drop"]
 46 |             match_attributes {
 47 |               protocols = [6]
 48 |               source {
 49 |                 address_definition = "0.0.0.0/0"
 50 |               }
 51 |               source_port {
 52 |                 from_port = 22
 53 |                 to_port   = 22
 54 |               }
 55 |               destination {
 56 |                 address_definition = "0.0.0.0/0"
 57 |               }
 58 |               destination_port {
 59 |                 from_port = 22
 60 |                 to_port   = 22
 61 |               }
 62 |             }
 63 |           }
 64 |         }
 65 | 
 66 |         stateless_rule {
 67 |           priority = 2
 68 |           rule_definition {
 69 |             actions = ["aws:drop"]
 70 |             match_attributes {
 71 |               protocols = [27]
 72 |               source {
 73 |                 address_definition = "0.0.0.0/0"
 74 |               }
 75 |               destination {
 76 |                 address_definition = "0.0.0.0/0"
 77 |               }
 78 |             }
 79 |           }
 80 |         }
 81 |       }
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | # Stateful Rule Group 1 - Allowing ICMP traffic from private1 subnets to private2 subnets
 87 | resource "aws_networkfirewall_rule_group" "allow_icmp_private1_2" {
 88 |   capacity = 100
 89 |   name     = "allow-icmp-private12-${var.identifier}"
 90 |   type     = "STATEFUL"
 91 |   rule_group {
 92 |     rule_variables {
 93 |       ip_sets {
 94 |         key = "PRIVATE1"
 95 |         ip_set {
 96 |           definition = var.vpc.private1_subnet_cidrs
 97 |         }
 98 |       }
 99 |       ip_sets {
100 |         key = "PRIVATE2"
101 |         ip_set {
102 |           definition = var.vpc.private2_subnet_cidrs
103 |         }
104 |       }
105 |     }
106 |     rules_source {
107 |       rules_string = <<EOF
108 |       pass icmp $PRIVATE1 any -> $PRIVATE2 any (msg: "Allowing ICMP packets from private1 to private2 subnets"; sid:2; rev:1;)
109 |       EOF
110 |     }
111 |     stateful_rule_options {
112 |       rule_order = "STRICT_ORDER"
113 |     }
114 |   }
115 | }
116 | 
117 | # Stateful Rule Group 2 - Allowing ICMP traffic from private2 subnets to private3 subnets
118 | resource "aws_networkfirewall_rule_group" "allow_icmp_private2_3" {
119 |   capacity = 100
120 |   name     = "allow-icmp-private23-${var.identifier}"
121 |   type     = "STATEFUL"
122 |   rule_group {
123 |     rule_variables {
124 |       ip_sets {
125 |         key = "PRIVATE2"
126 |         ip_set {
127 |           definition = var.vpc.private2_subnet_cidrs
128 |         }
129 |       }
130 |       ip_sets {
131 |         key = "PRIVATE3"
132 |         ip_set {
133 |           definition = var.vpc.private3_subnet_cidrs
134 |         }
135 |       }
136 |     }
137 |     rules_source {
138 |       rules_string = <<EOF
139 |       pass icmp $PRIVATE2 any -> $PRIVATE3 any (msg: "Allowing ICMP packets from private2 to private3 subnets"; sid:2; rev:1;)
140 |       EOF
141 |     }
142 |     stateful_rule_options {
143 |       rule_order = "STRICT_ORDER"
144 |     }
145 |   }
146 | }


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/intra_vpc_inspection/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 
13 | # AWS Provider configuration - AWS Region indicated in root/variables.tf
14 | provider "aws" {
15 |   region = var.aws_region
16 | }


--------------------------------------------------------------------------------
/examples/intra_vpc_inspection/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/intra_vpc_inspection/variables.tf ---
 2 | 
 3 | variable "aws_region" {
 4 |   description = "AWS Region."
 5 |   type        = string
 6 | 
 7 |   default = "eu-west-2"
 8 | }
 9 | 
10 | variable "identifier" {
11 |   description = "Project identifier."
12 |   type        = string
13 | 
14 |   default = "intra-vpc-inspection"
15 | }
16 | 
17 | variable "vpc" {
18 |   description = "Information about the VPC to create."
19 |   type        = any
20 |   default = {
21 |     cidr_block              = "10.129.0.0/16"
22 |     number_azs              = 2
23 |     private1_subnet_cidrs   = ["10.129.0.0/24", "10.129.1.0/24"]
24 |     private2_subnet_cidrs   = ["10.129.2.0/24", "10.129.3.0/24"]
25 |     private3_subnet_cidrs   = ["10.129.4.0/24", "10.129.5.0/24"]
26 |     inspection_subnet_cidrs = ["10.129.6.0/28", "10.129.6.16/28"]
27 |   }
28 | }
29 | 
30 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/.header.md:
--------------------------------------------------------------------------------
 1 | # AWS Network Firewall Module - Single VPC (with logging)
 2 | 
 3 | This example builds AWS Network Firewall in a single VPC to inspect any ingress/egress traffic - distributed inspection model. 
 4 | 
 5 | * Outside of the Network Firewall module:
 6 |   * Firewall policies - in `policy.tf`
 7 |   * Amazon VPC with 3 subnet types (firewall, protected, and private)
 8 |   * KMS Key for CloudWatch log groups encryption
 9 |   * KMS key for Network Firewall data encryption
10 | * Created by the Network Firewall module:
11 |   * AWS Network Firewall resource.
12 |   * Routing to the firewall endpoints - to inspect traffic between the Internet gateway and the protected subnets.
13 |   * Logging configuration.
14 | 
15 | The AWS Region used in the example is **us-east-2 (Ohio)**.
16 | 
17 | ## Prerequisites
18 | 
19 | * An AWS account with an IAM user with the appropriate permissions
20 | * Terraform installed
21 | 
22 | ## Code Principles
23 | 
24 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
25 | 
26 | ## Usage
27 | 
28 | * Clone the repository
29 | * Edit the *variables.tf* file in the project root directory
30 | 
31 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
32 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/.terraform-docs.yaml:
--------------------------------------------------------------------------------
 1 | formatter: markdown
 2 | header-from: .header.md
 3 | settings:
 4 |   anchor: true
 5 |   color: true
 6 |   default: true
 7 |   escape: true
 8 |   html: true
 9 |   indent: 2
10 |   required: true
11 |   sensitive: true
12 |   type: true
13 | 
14 | sort:
15 |   enabled: true
16 |   by: required
17 | 
18 | output:
19 |   file: README.md
20 |   mode: replace
21 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/README.md:
--------------------------------------------------------------------------------
 1 | <!-- BEGIN_TF_DOCS -->
 2 | # AWS Network Firewall Module - Single VPC (with logging)
 3 | 
 4 | This example builds AWS Network Firewall in a single VPC to inspect any ingress/egress traffic - distributed inspection model.
 5 | 
 6 | * Outside of the Network Firewall module:
 7 |   * Firewall policies - in `policy.tf`
 8 |   * Amazon VPC with 3 subnet types (firewall, protected, and private)
 9 |   * KMS Key for CloudWatch log groups encryption
10 |   * KMS key for Network Firewall data encryption
11 | * Created by the Network Firewall module:
12 |   * AWS Network Firewall resource.
13 |   * Routing to the firewall endpoints - to inspect traffic between the Internet gateway and the protected subnets.
14 |   * Logging configuration.
15 | 
16 | The AWS Region used in the example is **us-east-2 (Ohio)**.
17 | 
18 | ## Prerequisites
19 | 
20 | * An AWS account with an IAM user with the appropriate permissions
21 | * Terraform installed
22 | 
23 | ## Code Principles
24 | 
25 | * Writing DRY (Do No Repeat Yourself) code using a modular design pattern
26 | 
27 | ## Usage
28 | 
29 | * Clone the repository
30 | * Edit the *variables.tf* file in the project root directory
31 | 
32 | **Note** Network Firewall endpoints will be deployed in all the Availability Zones used in the example (*var.vpc.number\_azs*). By default, the number of AZs used is 2 to follow best practices. Take that into account when doing tests from a cost perspective.
33 | 
34 | ## Requirements
35 | 
36 | | Name | Version |
37 | |------|---------|
38 | | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
39 | | <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 3.73.0 |
40 | 
41 | ## Providers
42 | 
43 | | Name | Version |
44 | |------|---------|
45 | | <a name="provider_aws"></a> [aws](#provider\_aws) | >= 3.73.0 |
46 | 
47 | ## Modules
48 | 
49 | | Name | Source | Version |
50 | |------|--------|---------|
51 | | <a name="module_network_firewall"></a> [network\_firewall](#module\_network\_firewall) | ../../ | n/a |
52 | | <a name="module_vpc"></a> [vpc](#module\_vpc) | aws-ia/vpc/aws | = 4.4.1 |
53 | 
54 | ## Resources
55 | 
56 | | Name | Type |
57 | |------|------|
58 | | [aws_cloudwatch_log_group.alert_lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
59 | | [aws_cloudwatch_log_group.flow_lg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
60 | | [aws_kms_key.encryption_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
61 | | [aws_kms_key.log_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
62 | | [aws_networkfirewall_firewall_policy.anfw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
63 | | [aws_networkfirewall_rule_group.allow_domains](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
64 | | [aws_networkfirewall_rule_group.allow_icmp](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
65 | | [aws_networkfirewall_rule_group.drop_remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
66 | | [aws_route_table.igw_route_table](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table) | resource |
67 | | [aws_route_table_association.igw_route_table_assoc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table_association) | resource |
68 | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
69 | | [aws_iam_policy_document.policy_encryption_key_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
70 | | [aws_iam_policy_document.policy_kms_logs_document](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
71 | 
72 | ## Inputs
73 | 
74 | | Name | Description | Type | Default | Required |
75 | |------|-------------|------|---------|:--------:|
76 | | <a name="input_aws_region"></a> [aws\_region](#input\_aws\_region) | AWS Region. | `string` | `"us-east-2"` | no |
77 | | <a name="input_identifier"></a> [identifier](#input\_identifier) | Project identifier. | `string` | `"single-vpc"` | no |
78 | | <a name="input_vpc"></a> [vpc](#input\_vpc) | Information about the VPC to create. | `any` | <pre>{<br>  "cidr_block": "10.129.0.0/16",<br>  "inspection_subnet_cidrs": [<br>    "10.129.0.0/24",<br>    "10.129.1.0/24"<br>  ],<br>  "number_azs": 2,<br>  "private_subnet_cidrs": [<br>    "10.129.4.0/24",<br>    "10.129.5.0/24"<br>  ],<br>  "protected_subnet_cidrs": [<br>    "10.129.2.0/24",<br>    "10.129.3.0/24"<br>  ]<br>}</pre> | no |
79 | 
80 | ## Outputs
81 | 
82 | | Name | Description |
83 | |------|-------------|
84 | | <a name="output_network_firewall"></a> [network\_firewall](#output\_network\_firewall) | AWS Network Firewall ID. |
85 | | <a name="output_vpc"></a> [vpc](#output\_vpc) | VPC ID. |
86 | <!-- END_TF_DOCS -->


--------------------------------------------------------------------------------
/examples/single_vpc_logging/kms_keys.tf:
--------------------------------------------------------------------------------
  1 | # DATA SOURCE: AWS CALLER IDENTITY - Used to get the Account ID
  2 | data "aws_caller_identity" "current" {}
  3 | 
  4 | # KMS Key for CloudWatch Log Groups
  5 | resource "aws_kms_key" "log_key" {
  6 |   description             = "KMS Logs Key"
  7 |   deletion_window_in_days = 7
  8 |   enable_key_rotation     = true
  9 |   policy                  = data.aws_iam_policy_document.policy_kms_logs_document.json
 10 | 
 11 |   tags = {
 12 |     Name = "kms-key-${var.identifier}"
 13 |   }
 14 | }
 15 | 
 16 | # KMS Policy - it allows the use of the Key by the CloudWatch log groups created in this sample
 17 | data "aws_iam_policy_document" "policy_kms_logs_document" {
 18 |   statement {
 19 |     sid       = "Enable IAM User Permissions"
 20 |     actions   = ["kms:*"]
 21 |     resources = ["arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*"]
 22 | 
 23 |     principals {
 24 |       type        = "AWS"
 25 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 26 |     }
 27 |   }
 28 | 
 29 |   statement {
 30 |     sid = "Enable KMS to be used by CloudWatch Logs"
 31 |     actions = [
 32 |       "kms:Encrypt*",
 33 |       "kms:Decrypt*",
 34 |       "kms:ReEncrypt*",
 35 |       "kms:GenerateDataKey*",
 36 |       "kms:Describe*"
 37 |     ]
 38 |     resources = ["arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*"]
 39 | 
 40 |     principals {
 41 |       type        = "Service"
 42 |       identifiers = ["logs.${var.aws_region}.amazonaws.com"]
 43 |     }
 44 | 
 45 |     condition {
 46 |       test     = "ArnLike"
 47 |       variable = "kms:EncryptionContext:aws:logs:arn"
 48 |       values   = ["arn:aws:logs:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*"]
 49 |     }
 50 |   }
 51 | }
 52 | 
 53 | # Encryption KMS Key
 54 | resource "aws_kms_key" "encryption_key" {
 55 |   description             = "KMS Encryption Key"
 56 |   deletion_window_in_days = 7
 57 |   enable_key_rotation     = true
 58 |   policy                  = data.aws_iam_policy_document.policy_encryption_key_document.json
 59 | 
 60 |   tags = {
 61 |     Name = "kms-key-${var.identifier}"
 62 |   }
 63 | }
 64 | 
 65 | # KMS Policy - it allows the use of the KMS Key by the root account and key creator
 66 | data "aws_iam_policy_document" "policy_encryption_key_document" {
 67 |   statement {
 68 |     sid       = "Enable IAM User Permissions"
 69 |     actions   = ["kms:*"]
 70 |     resources = ["arn:aws:kms:${var.aws_region}:${data.aws_caller_identity.current.account_id}:*"]
 71 | 
 72 |     principals {
 73 |       type        = "AWS"
 74 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
 75 |     }
 76 |   }
 77 | 
 78 |   statement {
 79 |     sid = "Allow access for Key Administrators"
 80 |     actions = [
 81 |       "kms:Create*",
 82 |       "kms:Describe*",
 83 |       "kms:Enable*",
 84 |       "kms:List*",
 85 |       "kms:Put*",
 86 |       "kms:Update*",
 87 |       "kms:Revoke*",
 88 |       "kms:Disable*",
 89 |       "kms:Get*",
 90 |       "kms:Delete*",
 91 |       "kms:TagResource",
 92 |       "kms:UntagResource",
 93 |       "kms:ScheduleKeyDeletion",
 94 |       "kms:CancelKeyDeletion"
 95 |     ]
 96 | 
 97 |     resources = ["*"]
 98 |     principals {
 99 |       type        = "AWS"
100 |       identifiers = [data.aws_caller_identity.current.arn]
101 |     }
102 |   }
103 | 
104 |   statement {
105 |     sid = "Allow attachment of persistent resources"
106 |     actions = [
107 |       "kms:CreateGrant",
108 |       "kms:ListGrants",
109 |       "kms:RevokeGrant"
110 |     ]
111 |     resources = ["*"]
112 |     principals {
113 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
114 |       type        = "AWS"
115 |     }
116 |     condition {
117 |       test     = "Bool"
118 |       values   = ["true"]
119 |       variable = "kms:GrantIsForAWSResource"
120 |     }
121 |   }
122 | }
123 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/main.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/single_vpc_logging/main.tf ---
 2 | 
 3 | # AWS Network Firewall
 4 | module "network_firewall" {
 5 |   source = "../../"
 6 | 
 7 |   network_firewall_name               = "anfw-${var.identifier}"
 8 |   network_firewall_description        = "AWS Network Firewall - ${var.identifier}"
 9 |   network_firewall_policy             = aws_networkfirewall_firewall_policy.anfw_policy.arn
10 |   network_firewall_encryption_key_arn = aws_kms_key.encryption_key.arn
11 | 
12 |   vpc_id      = module.vpc.vpc_attributes.id
13 |   number_azs  = var.vpc.number_azs
14 |   vpc_subnets = { for k, v in module.vpc.private_subnet_attributes_by_az : split("/", k)[1] => v.id if split("/", k)[0] == "inspection" }
15 | 
16 |   routing_configuration = {
17 |     single_vpc = {
18 |       igw_route_table               = aws_route_table.igw_route_table.id
19 |       protected_subnet_route_tables = { for k, v in module.vpc.rt_attributes_by_type_by_az.public : k => v.id }
20 |       protected_subnet_cidr_blocks = tomap({
21 |         for i, az in module.vpc.azs : az => var.vpc.protected_subnet_cidrs[i]
22 |       })
23 |     }
24 |   }
25 | 
26 |   logging_configuration = {
27 |     flow_log = {
28 |       cloudwatch_logs = {
29 |         logGroupName = aws_cloudwatch_log_group.flow_lg.name
30 |       }
31 |     }
32 |     alert_log = {
33 |       cloudwatch_logs = {
34 |         logGroupName = aws_cloudwatch_log_group.alert_lg.name
35 |       }
36 |     }
37 |   }
38 | }
39 | 
40 | # VPC Module - https://github.com/aws-ia/terraform-aws-vpc
41 | module "vpc" {
42 |   source  = "aws-ia/vpc/aws"
43 |   version = "= 4.4.1"
44 | 
45 |   name       = "single_vpc"
46 |   cidr_block = var.vpc.cidr_block
47 |   az_count   = var.vpc.number_azs
48 | 
49 |   subnets = {
50 |     public = {
51 |       cidrs          = var.vpc.protected_subnet_cidrs
52 |       connect_to_igw = false
53 |     }
54 |     private    = { cidrs = var.vpc.private_subnet_cidrs }
55 |     inspection = { cidrs = var.vpc.inspection_subnet_cidrs }
56 |   }
57 | }
58 | 
59 | # Internet gateway route table
60 | resource "aws_route_table" "igw_route_table" {
61 |   vpc_id = module.vpc.vpc_attributes.id
62 | 
63 |   tags = {
64 |     Name = "igw-route-table"
65 |   }
66 | }
67 | 
68 | resource "aws_route_table_association" "igw_route_table_assoc" {
69 |   gateway_id     = module.vpc.internet_gateway.id
70 |   route_table_id = aws_route_table.igw_route_table.id
71 | }
72 | 
73 | # CloudWath Log Groups - for Flow and Alert
74 | resource "aws_cloudwatch_log_group" "alert_lg" {
75 |   name              = "alert-anfw-${var.identifier}"
76 |   retention_in_days = 7
77 |   kms_key_id        = aws_kms_key.log_key.arn
78 | }
79 | 
80 | resource "aws_cloudwatch_log_group" "flow_lg" {
81 |   name              = "flow-anfw-${var.identifier}"
82 |   retention_in_days = 7
83 |   kms_key_id        = aws_kms_key.log_key.arn
84 | }
85 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/outputs.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/single_vpc_logging/outputs.tf ---
 2 | 
 3 | output "vpc" {
 4 |   description = "VPC ID."
 5 |   value       = module.vpc.vpc_attributes.id
 6 | }
 7 | 
 8 | output "network_firewall" {
 9 |   description = "AWS Network Firewall ID."
10 |   value       = module.network_firewall.aws_network_firewall.id
11 | }
12 | 


--------------------------------------------------------------------------------
/examples/single_vpc_logging/policy.tf:
--------------------------------------------------------------------------------
  1 | # --- examples/single_vpc_logging/policy.tf ---
  2 | 
  3 | resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  4 |   name = "policy-firewall-${var.identifier}"
  5 | 
  6 |   firewall_policy {
  7 | 
  8 |     # Stateless configuration
  9 |     stateless_default_actions          = ["aws:forward_to_sfe"]
 10 |     stateless_fragment_default_actions = ["aws:forward_to_sfe"]
 11 | 
 12 |     stateless_rule_group_reference {
 13 |       priority     = 10
 14 |       resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
 15 |     }
 16 | 
 17 |     # Stateful configuration
 18 |     stateful_engine_options {
 19 |       rule_order = "STRICT_ORDER"
 20 |     }
 21 |     stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
 22 |     stateful_rule_group_reference {
 23 |       priority     = 10
 24 |       resource_arn = aws_networkfirewall_rule_group.allow_icmp.arn
 25 |     }
 26 |     stateful_rule_group_reference {
 27 |       priority     = 20
 28 |       resource_arn = aws_networkfirewall_rule_group.allow_domains.arn
 29 |     }
 30 |   }
 31 | }
 32 | 
 33 | # Stateless Rule Group - Dropping any SSH or RDP connection
 34 | resource "aws_networkfirewall_rule_group" "drop_remote" {
 35 |   capacity = 2
 36 |   name     = "drop-remote-${var.identifier}"
 37 |   type     = "STATELESS"
 38 |   rule_group {
 39 |     rules_source {
 40 |       stateless_rules_and_custom_actions {
 41 | 
 42 |         stateless_rule {
 43 |           priority = 1
 44 |           rule_definition {
 45 |             actions = ["aws:drop"]
 46 |             match_attributes {
 47 |               protocols = [6]
 48 |               source {
 49 |                 address_definition = "0.0.0.0/0"
 50 |               }
 51 |               source_port {
 52 |                 from_port = 22
 53 |                 to_port   = 22
 54 |               }
 55 |               destination {
 56 |                 address_definition = "0.0.0.0/0"
 57 |               }
 58 |               destination_port {
 59 |                 from_port = 22
 60 |                 to_port   = 22
 61 |               }
 62 |             }
 63 |           }
 64 |         }
 65 | 
 66 |         stateless_rule {
 67 |           priority = 2
 68 |           rule_definition {
 69 |             actions = ["aws:drop"]
 70 |             match_attributes {
 71 |               protocols = [27]
 72 |               source {
 73 |                 address_definition = "0.0.0.0/0"
 74 |               }
 75 |               destination {
 76 |                 address_definition = "0.0.0.0/0"
 77 |               }
 78 |             }
 79 |           }
 80 |         }
 81 |       }
 82 |     }
 83 |   }
 84 | }
 85 | 
 86 | # Stateful Rule Group 1 - Allowing ICMP traffic
 87 | resource "aws_networkfirewall_rule_group" "allow_icmp" {
 88 |   capacity = 100
 89 |   name     = "allow-icmp-${var.identifier}"
 90 |   type     = "STATEFUL"
 91 |   rule_group {
 92 |     rules_source {
 93 |       rules_string = <<EOF
 94 |       pass icmp any any -> any any (msg: "Allowing ICMP packets"; sid:2; rev:1;)
 95 |       EOF
 96 |     }
 97 |     stateful_rule_options {
 98 |       rule_order = "STRICT_ORDER"
 99 |     }
100 |   }
101 | }
102 | 
103 | # Stateful Rule Group 2 - Allowing access to .amazon.com (HTTPS)
104 | resource "aws_networkfirewall_rule_group" "allow_domains" {
105 |   capacity = 100
106 |   name     = "allow-domains-${var.identifier}"
107 |   type     = "STATEFUL"
108 |   rule_group {
109 |     rules_source {
110 |       rules_string = <<EOF
111 |       pass tcp any any <> $EXTERNAL_NET 443 (msg:"Allowing TCP in port 443"; flow:not_established; sid:892123; rev:1;)
112 |       pass tls any any -> $EXTERNAL_NET 443 (tls.sni; dotprefix; content:".amazon.com"; endswith; msg:"Allowing .amazon.com HTTPS requests"; sid:892125; rev:1;)
113 |       EOF
114 |     }
115 |     stateful_rule_options {
116 |       rule_order = "STRICT_ORDER"
117 |     }
118 |   }
119 | }


--------------------------------------------------------------------------------
/examples/single_vpc_logging/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/single_vpc_logging/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 
13 | # AWS Provider configuration - AWS Region indicated in root/variables.tf
14 | provider "aws" {
15 |   region = var.aws_region
16 | }


--------------------------------------------------------------------------------
/examples/single_vpc_logging/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- examples/single_vpc_logging/variables.tf ---
 2 | 
 3 | variable "aws_region" {
 4 |   description = "AWS Region."
 5 |   type        = string
 6 | 
 7 |   default = "us-east-2"
 8 | }
 9 | 
10 | variable "identifier" {
11 |   description = "Project identifier."
12 |   type        = string
13 | 
14 |   default = "single-vpc"
15 | }
16 | 
17 | variable "vpc" {
18 |   description = "Information about the VPC to create."
19 |   type        = any
20 |   default = {
21 |     cidr_block              = "10.129.0.0/16"
22 |     number_azs              = 2
23 |     inspection_subnet_cidrs = ["10.129.0.0/24", "10.129.1.0/24"]
24 |     protected_subnet_cidrs  = ["10.129.2.0/24", "10.129.3.0/24"]
25 |     private_subnet_cidrs    = ["10.129.4.0/24", "10.129.5.0/24"]
26 |   }
27 | }
28 | 
29 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
  1 | # --- root/variables.tf ---
  2 | 
  3 | # santizes tags for both aws / awscc providers
  4 | # aws   tags = module.tags.tags_aws
  5 | # awscc tags = module.tags.tags
  6 | module "tags" {
  7 |   source  = "aws-ia/label/aws"
  8 |   version = "0.0.6"
  9 | 
 10 |   tags = var.tags
 11 | }
 12 | 
 13 | # Local values
 14 | locals {
 15 |   # Number of Availability Zones used by the user (taken from the number of subnets defined)
 16 |   availability_zones = keys(var.vpc_subnets)
 17 |   # Obtaining the key of the routing configuration chosen: "single_vpc", "single_vpc_intra_subnet", "centralized_inspection_without_egress", or "centralized_inspection_with_egress"
 18 |   vpc_type = keys(var.routing_configuration)[0]
 19 |   # Map: key (availability zone ID) => value (firewall endpoint ID)
 20 |   networkfirewall_endpoints = { for i in aws_networkfirewall_firewall.anfw.firewall_status[0].sync_states : i.availability_zone => i.attachment[0].endpoint_id }
 21 | }
 22 | 
 23 | # AWS NETWORK FIREWALL RESOURCE
 24 | resource "aws_networkfirewall_firewall" "anfw" {
 25 |   name                = var.network_firewall_name
 26 |   description         = var.network_firewall_description
 27 |   firewall_policy_arn = var.network_firewall_policy
 28 | 
 29 |   delete_protection                 = var.network_firewall_delete_protection
 30 |   firewall_policy_change_protection = var.network_firewall_policy_change_protection
 31 |   subnet_change_protection          = var.network_firewall_subnet_change_protection
 32 | 
 33 |   vpc_id = var.vpc_id
 34 |   dynamic "subnet_mapping" {
 35 |     for_each = values(var.vpc_subnets)
 36 | 
 37 |     content {
 38 |       subnet_id       = subnet_mapping.value
 39 |       ip_address_type = "IPV4"
 40 |     }
 41 |   }
 42 | 
 43 |   dynamic "encryption_configuration" {
 44 |     for_each = var.network_firewall_encryption_key_arn == null ? [] : [1]
 45 | 
 46 |     content {
 47 |       type   = "CUSTOMER_KMS"
 48 |       key_id = var.network_firewall_encryption_key_arn
 49 |     }
 50 |   }
 51 | 
 52 |   tags = module.tags.tags_aws
 53 | }
 54 | 
 55 | # ROUTES: SINGLE VPC
 56 | # Route from the Internet gateway route table to the specified CIDR blocks via the firewall endpoints
 57 | resource "aws_route" "igw_route_table_to_protected_subnets" {
 58 |   count = local.vpc_type == "single_vpc" ? var.number_azs : 0
 59 | 
 60 |   route_table_id         = var.routing_configuration.single_vpc.igw_route_table
 61 |   destination_cidr_block = var.routing_configuration.single_vpc.protected_subnet_cidr_blocks[local.availability_zones[count.index]]
 62 |   vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
 63 | }
 64 | 
 65 | # Route from the "protected" subnets to 0.0.0.0/0 via the firewall endpoints
 66 | resource "aws_route" "protected_route_table_to_internet" {
 67 |   count = local.vpc_type == "single_vpc" ? var.number_azs : 0
 68 | 
 69 |   route_table_id         = var.routing_configuration.single_vpc.protected_subnet_route_tables[local.availability_zones[count.index]]
 70 |   destination_cidr_block = "0.0.0.0/0"
 71 |   vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
 72 | }
 73 | 
 74 | # ROUTES: SINGLE VPC INTRA ROUTING
 75 | module "intra_vpc_routing" {
 76 |   count  = local.vpc_type == "intra_vpc_inspection" ? var.routing_configuration.intra_vpc_inspection.number_routes : 0
 77 |   source = "./modules/intra_vpc_routing"
 78 | 
 79 |   number_azs         = var.number_azs
 80 |   availability_zones = local.availability_zones
 81 |   route_tables       = var.routing_configuration.intra_vpc_inspection.routes[count.index].source_subnet_route_tables
 82 |   cidr_blocks        = var.routing_configuration.intra_vpc_inspection.routes[count.index].destination_subnet_cidr_blocks
 83 |   firewall_endpoints = local.networkfirewall_endpoints
 84 | }
 85 | 
 86 | # ROUTES: Central Inspection VPC (without egress)
 87 | # Route from the connectivity subnets (Transit Gateway or Cloud WAN's core network) to 0.0.0.0/0 via the firewall endpoints
 88 | resource "aws_route" "connectivity_to_firewall_endpoint_without_egress" {
 89 |   count = local.vpc_type == "centralized_inspection_without_egress" ? var.number_azs : 0
 90 | 
 91 |   route_table_id         = var.routing_configuration.centralized_inspection_without_egress.connectivity_subnet_route_tables[local.availability_zones[count.index]]
 92 |   destination_cidr_block = "0.0.0.0/0"
 93 |   vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
 94 | }
 95 | 
 96 | # ROUTES: Central Inspection VPC (with egress)
 97 | # Route from the connectivity subnets (Transit Gateway or Cloud WAN's core network) to 0.0.0.0/0 via the firewall endpoints
 98 | resource "aws_route" "connectivity_to_firewall_endpoint" {
 99 |   count = local.vpc_type == "centralized_inspection_with_egress" ? var.number_azs : 0
100 | 
101 |   route_table_id         = var.routing_configuration.centralized_inspection_with_egress.connectivity_subnet_route_tables[local.availability_zones[count.index]]
102 |   destination_cidr_block = "0.0.0.0/0"
103 |   vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
104 | }
105 | 
106 | # Route from the public subnets to the AWS network via the firewall endpoints
107 | # Several routes can be configured in each AZ, so we need to call the vpc_route module for each AZ in place. The module creates an aws_route resource per each CIDR block configured.
108 | module "central_inspection_with_egress_routing" {
109 |   count  = local.vpc_type == "centralized_inspection_with_egress" ? var.number_azs : 0
110 |   source = "./modules/central_inspection_with_egress_routing"
111 | 
112 |   route_table_id  = var.routing_configuration.centralized_inspection_with_egress.public_subnet_route_tables[local.availability_zones[count.index]]
113 |   cidr_blocks     = var.routing_configuration.centralized_inspection_with_egress.network_cidr_blocks
114 |   vpc_endpoint_id = local.networkfirewall_endpoints[local.availability_zones[count.index]]
115 | }
116 | 
117 | # LOGGING: Module will be used when a logging_configuration is defined
118 | module "logging" {
119 |   count  = length(var.logging_configuration) != 0 ? 1 : 0
120 |   source = "./modules/logging"
121 | 
122 |   firewall_arn          = aws_networkfirewall_firewall.anfw.arn
123 |   logging_configuration = var.logging_configuration
124 | }
125 | 


--------------------------------------------------------------------------------
/modules/central_inspection_with_egress_routing/main.tf:
--------------------------------------------------------------------------------
1 | # --- modules/central_inspection_with_egress_routing/main.tf ---
2 | 
3 | resource "aws_route" "route_public_to_firewall_endpoint" {
4 |   count = length(var.cidr_blocks)
5 | 
6 |   route_table_id         = var.route_table_id
7 |   destination_cidr_block = var.cidr_blocks[count.index]
8 |   vpc_endpoint_id        = var.vpc_endpoint_id
9 | }


--------------------------------------------------------------------------------
/modules/central_inspection_with_egress_routing/outputs.tf:
--------------------------------------------------------------------------------
1 | # --- modules/central_inspection_with_egress_routing/outputs.tf ---


--------------------------------------------------------------------------------
/modules/central_inspection_with_egress_routing/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/central_inspection_with_egress_routing/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }


--------------------------------------------------------------------------------
/modules/central_inspection_with_egress_routing/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/central_inspection_with_egress_routing/variables.tf ---
 2 | 
 3 | variable "route_table_id" {
 4 |   type        = string
 5 |   description = "Route Table IDs."
 6 | }
 7 | 
 8 | variable "cidr_blocks" {
 9 |   type        = list(string)
10 |   description = "List of destination CIDR blocks."
11 | }
12 | 
13 | variable "vpc_endpoint_id" {
14 |   type        = string
15 |   description = "VPC endpoint IDs."
16 | }
17 | 
18 | 
19 | 


--------------------------------------------------------------------------------
/modules/intra_vpc_routing/main.tf:
--------------------------------------------------------------------------------
1 | # --- modules/intra_vpc_routing/main.tf ---
2 | 
3 | resource "aws_route" "intra_vpc_route" {
4 |   count = var.number_azs
5 | 
6 |   route_table_id         = var.route_tables[var.availability_zones[count.index]]
7 |   destination_cidr_block = var.cidr_blocks[var.availability_zones[count.index]]
8 |   vpc_endpoint_id        = var.firewall_endpoints[var.availability_zones[count.index]]
9 | }


--------------------------------------------------------------------------------
/modules/intra_vpc_routing/outputs.tf:
--------------------------------------------------------------------------------
1 | # --- modules/intra_vpc_routing/outputs.tf ---


--------------------------------------------------------------------------------
/modules/intra_vpc_routing/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/routing_enhacement/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }


--------------------------------------------------------------------------------
/modules/intra_vpc_routing/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/intra_vpc_routing/variables.tf ---
 2 | 
 3 | variable "number_azs" {
 4 |   type        = number
 5 |   description = "Number of Availability Zones."
 6 | }
 7 | 
 8 | variable "availability_zones" {
 9 |   type        = list(string)
10 |   description = "List of Availability Zones."
11 | }
12 | 
13 | variable "route_tables" {
14 |   type        = map(string)
15 |   description = "Map of Route Tables to configure (key = az, value = route table ID)."
16 | }
17 | 
18 | variable "cidr_blocks" {
19 |   type        = map(string)
20 |   description = "Map of destination's CIDR blocks (key = az, value = CIDR block)."
21 | }
22 | 
23 | variable "firewall_endpoints" {
24 |   type        = map(string)
25 |   description = "Map of firewall endpoints (key = az, value = endpoint ID)."
26 | }
27 | 
28 | 
29 | 


--------------------------------------------------------------------------------
/modules/logging/main.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/logging/main.tf ---
 2 | locals {
 3 |   log_type_lookup = {
 4 |     alert_log = "ALERT",
 5 |     flow_log  = "FLOW"
 6 |   }
 7 | 
 8 |   log_destination_lookup = {
 9 |     s3_bucket        = "S3",
10 |     cloudwatch_logs  = "CloudWatchLogs",
11 |     kinesis_firehose = "KinesisDataFirehose"
12 |   }
13 | 
14 |   log_destination_params = {
15 |     alert_log = {
16 |       s3_bucket = {
17 |         bucketName = try(var.logging_configuration.alert_log.s3_bucket.bucketName, null)
18 |         prefix     = try(var.logging_configuration.alert_log.s3_bucket.logPrefix, null)
19 |       }
20 |       cloudwatch_logs = {
21 |         logGroup = try(var.logging_configuration.alert_log.cloudwatch_logs.logGroupName, null)
22 |       }
23 |       kinesis_firehose = {
24 |         deliveryStream = try(var.logging_configuration.alert_log.kinesis_firehose.deliveryStreamName, null)
25 |       }
26 |     }
27 | 
28 |     flow_log = {
29 |       s3_bucket = {
30 |         bucketName = try(var.logging_configuration.flow_log.s3_bucket.bucketName, null)
31 |         prefix     = try(var.logging_configuration.flow_log.s3_bucket.logPrefix, null)
32 |       }
33 |       cloudwatch_logs = {
34 |         logGroup = try(var.logging_configuration.flow_log.cloudwatch_logs.logGroupName, null)
35 |       }
36 |       kinesis_firehose = {
37 |         deliveryStream = try(var.logging_configuration.flow_log.kinesis_firehose.deliveryStreamName, null)
38 |       }
39 |     }
40 | 
41 |   }
42 | }
43 | 
44 | resource "aws_networkfirewall_logging_configuration" "anfw_logs" {
45 |   firewall_arn = var.firewall_arn
46 |   logging_configuration {
47 |     dynamic "log_destination_config" {
48 |       for_each = var.logging_configuration
49 |       content {
50 |         log_type             = local.log_type_lookup[log_destination_config.key]
51 |         log_destination_type = local.log_destination_lookup[keys(log_destination_config.value)[0]]
52 |         log_destination      = local.log_destination_params[log_destination_config.key][keys(log_destination_config.value)[0]]
53 |       }
54 |     }
55 |   }
56 | }
57 | 


--------------------------------------------------------------------------------
/modules/logging/outputs.tf:
--------------------------------------------------------------------------------
1 | # --- modules/logging/outputs.tf ---
2 | 


--------------------------------------------------------------------------------
/modules/logging/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/logging/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 


--------------------------------------------------------------------------------
/modules/logging/variables.tf:
--------------------------------------------------------------------------------
 1 | # --- modules/logging/variables.tf ---
 2 | 
 3 | variable "firewall_arn" {
 4 |   type        = string
 5 |   description = "The ARN of the Network Firewall on which logging will be configured."
 6 | }
 7 | 
 8 | variable "logging_configuration" {
 9 |   type        = any
10 |   description = "The logging configuration. See top module for more details."
11 | }
12 | 


--------------------------------------------------------------------------------
/moved.tf:
--------------------------------------------------------------------------------
 1 | # --- root/moved.tf ---
 2 | 
 3 | # Moved blocks for VPC routes in routing configuration centralizded_inspection_with_egress
 4 | # Maximum number of AZs in a Region is 6 (us-east-1)
 5 | 
 6 | moved {
 7 |   from = aws_route.tgw_to_firewall_endpoint[0]
 8 |   to   = aws_route.connectivity_to_firewall_endpoint[0]
 9 | }
10 | 
11 | moved {
12 |   from = aws_route.tgw_to_firewall_endpoint[1]
13 |   to   = aws_route.connectivity_to_firewall_endpoint[1]
14 | }
15 | 
16 | moved {
17 |   from = aws_route.tgw_to_firewall_endpoint[2]
18 |   to   = aws_route.connectivity_to_firewall_endpoint[2]
19 | }
20 | 
21 | moved {
22 |   from = aws_route.tgw_to_firewall_endpoint[3]
23 |   to   = aws_route.connectivity_to_firewall_endpoint[3]
24 | }
25 | 
26 | moved {
27 |   from = aws_route.tgw_to_firewall_endpoint[4]
28 |   to   = aws_route.connectivity_to_firewall_endpoint[4]
29 | }
30 | 
31 | moved {
32 |   from = aws_route.tgw_to_firewall_endpoint[5]
33 |   to   = aws_route.connectivity_to_firewall_endpoint[5]
34 | }
35 | 
36 | # Moved blocks for VPC routes in routing configuration centralizded_inspection_without_egress
37 | # Maximum number of AZs in a Region is 6 (us-east-1)
38 | 
39 | moved {
40 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[0]
41 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[0]
42 | }
43 | 
44 | moved {
45 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[1]
46 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[1]
47 | }
48 | 
49 | moved {
50 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[2]
51 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[2]
52 | }
53 | 
54 | moved {
55 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[3]
56 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[3]
57 | }
58 | 
59 | moved {
60 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[4]
61 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[4]
62 | }
63 | 
64 | moved {
65 |   from = aws_route.tgw_to_firewall_endpoint_without_egress[5]
66 |   to   = aws_route.connectivity_to_firewall_endpoint_without_egress[5]
67 | }


--------------------------------------------------------------------------------
/outputs.tf:
--------------------------------------------------------------------------------
1 | # --- root/outputs.tf ---
2 | 
3 | output "aws_network_firewall" {
4 |   description = "Full output of aws_networkfirewall_firewall resource."
5 |   value       = aws_networkfirewall_firewall.anfw
6 | }


--------------------------------------------------------------------------------
/providers.tf:
--------------------------------------------------------------------------------
 1 | # --- root/providers.tf ---
 2 | 
 3 | terraform {
 4 |   required_version = ">= 1.3.0"
 5 |   required_providers {
 6 |     aws = {
 7 |       source  = "hashicorp/aws"
 8 |       version = ">= 3.73.0"
 9 |     }
10 |   }
11 | }
12 | 


--------------------------------------------------------------------------------
/test/examples_central_inspection_with_egress_test.go:
--------------------------------------------------------------------------------
 1 | package test
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/gruntwork-io/terratest/modules/terraform"
 7 | )
 8 | 
 9 | func TestExamplesCentralInspectionEgress(t *testing.T) {
10 | 	terraformOptions := &terraform.Options{
11 | 		TerraformDir: "../examples/central_inspection_with_egress",
12 | 	}
13 | 
14 | 	defer terraform.Destroy(t, terraformOptions)
15 | 	terraform.InitAndApply(t, terraformOptions)
16 | }
17 | 


--------------------------------------------------------------------------------
/test/examples_central_inspection_without_egress_test.go:
--------------------------------------------------------------------------------
 1 | package test
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/gruntwork-io/terratest/modules/terraform"
 7 | )
 8 | 
 9 | func TestExamplesCentralInspection(t *testing.T) {
10 | 	terraformOptions := &terraform.Options{
11 | 		TerraformDir: "../examples/central_inspection_without_egress",
12 | 	}
13 | 
14 | 	defer terraform.Destroy(t, terraformOptions)
15 | 	terraform.InitAndApply(t, terraformOptions)
16 | }
17 | 


--------------------------------------------------------------------------------
/test/examples_intra_vpc_inspection_test.go:
--------------------------------------------------------------------------------
 1 | package test
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/gruntwork-io/terratest/modules/terraform"
 7 | )
 8 | 
 9 | func TestExamplesIntraVPC(t *testing.T) {
10 | 	terraformOptions := &terraform.Options{
11 | 		TerraformDir: "../examples/intra_vpc_inspection",
12 | 	}
13 | 
14 | 	defer terraform.Destroy(t, terraformOptions)
15 | 	terraform.InitAndApply(t, terraformOptions)
16 | }
17 | 


--------------------------------------------------------------------------------
/test/examples_single_vpc_logging_test.go:
--------------------------------------------------------------------------------
 1 | package test
 2 | 
 3 | import (
 4 | 	"testing"
 5 | 
 6 | 	"github.com/gruntwork-io/terratest/modules/terraform"
 7 | )
 8 | 
 9 | func TestExamplesSingleVPC(t *testing.T) {
10 | 	terraformOptions := &terraform.Options{
11 | 		TerraformDir: "../examples/single_vpc_logging",
12 | 	}
13 | 
14 | 	defer terraform.Destroy(t, terraformOptions)
15 | 	terraform.InitAndApply(t, terraformOptions)
16 | }
17 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | # --- root/variables.tf ---
  2 | 
  3 | # Variables related to AWS Network Firewall resource
  4 | variable "network_firewall_name" {
  5 |   type        = string
  6 |   description = "Name to give the AWS Network Firewall resource created."
  7 | }
  8 | 
  9 | variable "network_firewall_description" {
 10 |   type        = string
 11 |   description = "A friendly description of the firewall resource."
 12 | }
 13 | 
 14 | variable "network_firewall_policy" {
 15 |   type        = string
 16 |   description = "ARN of the firewall policy to include in AWS Network Firewall."
 17 | }
 18 | 
 19 | variable "network_firewall_delete_protection" {
 20 |   type        = bool
 21 |   description = "A boolean flag indicating whether it is possible to delete the firewall. Defaults to `false`."
 22 | 
 23 |   default = false
 24 | }
 25 | 
 26 | variable "network_firewall_policy_change_protection" {
 27 |   type        = bool
 28 |   description = "A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false`."
 29 | 
 30 |   default = false
 31 | }
 32 | 
 33 | variable "network_firewall_subnet_change_protection" {
 34 |   type        = bool
 35 |   description = "A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `false`."
 36 | 
 37 |   default = false
 38 | }
 39 | 
 40 | variable "network_firewall_encryption_key_arn" {
 41 |   type        = string
 42 |   description = "Customer managed KMS Key ARN for encryption at rest."
 43 | 
 44 |   default = null
 45 | }
 46 | 
 47 | variable "tags" {
 48 |   description = "Tags to apply to the resources."
 49 |   type        = map(string)
 50 |   default     = {}
 51 | }
 52 | 
 53 | # Variables related to the VPC, subnets, and routing configuration where AWS Network Firewall is placed.
 54 | variable "vpc_id" {
 55 |   type        = string
 56 |   description = "VPC ID to place the Network Firewall endpoints."
 57 | }
 58 | 
 59 | variable "number_azs" {
 60 |   type        = number
 61 |   description = "Number of Availability Zones to place the Network Firewall endpoints."
 62 | }
 63 | 
 64 | variable "vpc_subnets" {
 65 |   type        = map(string)
 66 |   description = <<-EOF
 67 |   Map of subnet IDs to place the Network Firewall endpoints. The expected format of the map is the Availability Zone as key, and the ID of the subnet as value.
 68 |   Example (supposing us-east-1 as AWS Region): 
 69 |   ```
 70 |   vpc_subnets = {
 71 |       us-east-1a = subnet-IDa
 72 |       us-east-1b = subnet-IDb
 73 |       us-east-1c = subnet-IDc
 74 |   }
 75 |   ```
 76 | EOF
 77 | }
 78 | 
 79 | variable "routing_configuration" {
 80 |   type        = any
 81 |   default     = {}
 82 |   description = <<-EOF
 83 |   Configuration of the routing desired in the VPC. Depending the VPC type, the information to provide is different. The configuration types supported are: `single_vpc`, `intra_vpc_inspection`, `centralized_inspection_without_egress`, and `centralized_inspection_with_egress`. **Only one key (option) can be defined**
 84 |   More information about the differences between each the routing configurations (and examples) can be checked in the README. 
 85 |   ```
 86 | EOF
 87 | 
 88 |   # Valid keys in var.routing_configuration
 89 |   validation {
 90 |     error_message = "Valid keys in var.routing_configuration: \"single_vpc\", \"single_vpc_intra_subnet\", \"centralized_inspection_without_egress\", \"centralized_inspection_with_egress\"."
 91 |     condition = length(setsubtract(keys(try(var.routing_configuration, {})), [
 92 |       "single_vpc",
 93 |       "intra_vpc_inspection",
 94 |       "centralized_inspection_without_egress",
 95 |       "centralized_inspection_with_egress"
 96 |     ])) == 0
 97 |   }
 98 | 
 99 |   # Only one key is allowed
100 |   validation {
101 |     error_message = "Only 1 definition of the routing configuration is allowed."
102 |     condition     = (length(keys(try(var.routing_configuration, {})))) == 1
103 |   }
104 | 
105 |   # Valid keys in Single VPC (Ingress/Egress Routing Inspection)
106 |   validation {
107 |     error_message = "When configuring the inspecton routing in a single VPC, the valid key values are: \"igw_route_table\", \"protected_subnet_route_tables\", \"protected_subnet_cidr_blocks\"."
108 |     condition = length(setsubtract(keys(try(var.routing_configuration.single_vpc, {})), [
109 |       "igw_route_table",
110 |       "protected_subnet_route_tables",
111 |       "protected_subnet_cidr_blocks"
112 |     ])) == 0
113 |   }
114 | 
115 |   # Valid keys in Intra-VPC Inspection
116 |   validation {
117 |     error_message = "When configuring the intra-VPC inspecton routing, the valid key values are: \"number_routes\", \"routes\"."
118 |     condition = length(setsubtract(keys(try(var.routing_configuration.intra_vpc_inspection, {})), [
119 |       "number_routes",
120 |       "routes"
121 |     ])) == 0
122 |   }
123 | 
124 |   # Valid keys in Intra-VPC Inspection Routes
125 |   validation {
126 |     error_message = "When configuring the routes in intra-VPC inspection routing, the valid key values are: \"source_subnet_route_tables\", \"destination_subnet_cidr_blocks\"."
127 |     condition = alltrue([
128 |       for c in try(var.routing_configuration.intra_vpc_inspection.routes, {}) : length(setsubtract(keys(try(c, {})), [
129 |         "source_subnet_route_tables",
130 |         "destination_subnet_cidr_blocks"
131 |       ])) == 0
132 |     ])
133 |   }
134 | 
135 |   # Valid keys in Central Inspection VPC (without egress traffic)
136 |   validation {
137 |     error_message = "When configuring the inspecton routing in a central Inspection VPC (without egress traffic), the valid key values are: \"connectivity_subnet_route_tables\", \"cwan_subnet_route_tables\"."
138 |     condition = length(setsubtract(keys(try(var.routing_configuration.centralized_inspection_without_egress, {})), [
139 |       "connectivity_subnet_route_tables"
140 |     ])) == 0
141 |   }
142 | 
143 |   # Valid keys in Central Inspection VPC (with egress traffic)
144 |   validation {
145 |     error_message = "When configuring the inspecton routing in a central Inspection VPC (with egress traffic), the valid key values are: \"connectivity_subnet_route_tables\", \"public_route_tables\", \"network_cidr_blocks\"."
146 |     condition = length(setsubtract(keys(try(var.routing_configuration.centralized_inspection_with_egress, {})), [
147 |       "connectivity_subnet_route_tables",
148 |       "public_subnet_route_tables",
149 |       "network_cidr_blocks"
150 |     ])) == 0
151 |   }
152 | }
153 | 
154 | # AWS Network Firewall logging configuration
155 | variable "logging_configuration" {
156 |   type        = any
157 |   default     = {}
158 |   description = <<-EOF
159 |   Configuration of the logging desired for the Network Firewall. You can configure at most 2 destinations for your logs, 1 for FLOW logs and 1 for ALERT logs.
160 |   More information about the format of the variable (and examples) can be found in the README.
161 |   ```
162 |   EOF
163 | 
164 |   # You cannot specify other keys than the ones allowed
165 |   validation {
166 |     error_message = "Valid keys in var.logging_configuration: \"flow_log\", \"alert_log\"."
167 |     condition = length(
168 |       setsubtract(
169 |         setunion(keys(var.logging_configuration), ["flow_log", "alert_log"]),
170 |         ["flow_log", "alert_log"]
171 |       )
172 |     ) == 0
173 |   }
174 | 
175 |   # You cannot specify other keys than the logging destination supported
176 |   validation {
177 |     error_message = "Valid keys within \"flow_log\", \"alert_log\" are: \"s3_bucket\", \"cloudwatch_logs\", \"kinesis_firehose\"."
178 |     condition = length(
179 |       setsubtract(
180 |         setunion(distinct(flatten([for c in var.logging_configuration : keys(c)])), ["s3_bucket", "cloudwatch_logs", "kinesis_firehose"]),
181 |         ["s3_bucket", "cloudwatch_logs", "kinesis_firehose"]
182 |       )
183 |     ) == 0
184 |   }
185 | 
186 |   # You cannot specify other keys than the supported by S3
187 |   validation {
188 |     error_message = "Valid keys within \"s3_bucket\", are: \"bucketName\", \"logPrefix\"."
189 |     condition = length(
190 |       setsubtract(
191 |         setunion(distinct(flatten([for c in var.logging_configuration : keys(try(c.s3_bucket, {}))])), ["bucketName", "logPrefix"]),
192 |         ["bucketName", "logPrefix"]
193 |       )
194 |     ) == 0
195 |   }
196 | 
197 |   # You cannot specify other keys than the supported by CWLogs
198 |   validation {
199 |     error_message = "Valid keys within \"cloudwatch_logs\", are: \"logGroupName\"."
200 |     condition = length(
201 |       setsubtract(
202 |         setunion(distinct(flatten([for c in var.logging_configuration : keys(try(c.cloudwatch_logs, {}))])), ["logGroupName"]),
203 |         ["logGroupName"]
204 |       )
205 |     ) == 0
206 |   }
207 | 
208 |   # You cannot specify other keys than the supported by Kinesis Firehose
209 |   validation {
210 |     error_message = "Valid keys within \"kinesis_firehose\", are: \"deliveryStreamName\"."
211 |     condition = length(
212 |       setsubtract(
213 |         setunion(distinct(flatten([for c in var.logging_configuration : keys(try(c.kinesis_firehose, {}))])), ["deliveryStreamName"]),
214 |         ["deliveryStreamName"]
215 |       )
216 |     ) == 0
217 |   }
218 | }
219 | 
220 | 


--------------------------------------------------------------------------------