
terraform-aws-arc-network-firewall


Overview

SourceFuse AWS Reference Architecture (ARC) Terraform module for managing AWS Network Firewall: the firewall itself, its firewall policy, rule groups, logging, TLS inspection and resource policies.

Features

  • Flexible Deployment: Support for both VPC-attached and Transit Gateway-attached firewalls
  • Comprehensive Rule Support: Stateful and stateless rule groups with Suricata compatibility
  • Advanced Logging: CloudWatch Logs, S3, and Kinesis Data Firehose integration
  • Security Best Practices: Encryption, tagging, and protection settings
  • High Availability: Multi-AZ deployment support
  • Policy Management: Custom and AWS managed rule groups
  • Conditional Resources: Smart resource creation based on configuration
  • Production Ready: Comprehensive validation and error handling

Usage

Basic Firewall

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name        = "my-network-firewall"
  description = "Basic Network Firewall"

  create_firewall = true
  vpc_id          = "vpc-12345678"
  subnet_ids      = ["subnet-12345678", "subnet-87654321"]

  firewall_policy_config = {
    create                             = true
    name                               = "my-firewall-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Transit Gateway-Attached Firewall

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name               = "tgw-firewall"
  availability_zones = ["use1-az1", "use1-az2"]

  create_firewall = true
  firewall_config = {
    transit_gateway_id = "tgw-12345678"
  }

  firewall_policy_config = {
    create                             = true
    name                               = "tgw-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Firewall with Resource Policy

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name        = "firewall-with-policy"
  description = "Network Firewall with resource policy"

  create_firewall = true
  vpc_id          = "vpc-12345678"
  subnet_ids      = ["subnet-12345678", "subnet-87654321"]

  firewall_policy_config = {
    create                             = true
    name                               = "shared-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  create_firewall_policy_resource_policy = true
  firewall_policy_resource_policy = {
    statements = [
      {
        actions = [
          "network-firewall:ListFirewallPolicies",
          "network-firewall:CreateFirewall",
          "network-firewall:UpdateFirewall",
          "network-firewall:AssociateFirewallPolicy"
        ]
        effect = "Allow"
        principals = {
          aws = ["arn:aws:iam::123456789012:root"]
        }
      }
    ]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Examples

The examples/ directory contains complete, working examples.

Security Best Practices

  • Encryption: Use customer-managed KMS keys for encryption at rest
  • Logging: Enable comprehensive logging for security monitoring
  • Protection Settings: Enable all protection mechanisms in production
  • Rule Ordering: Use STRICT_ORDER for deterministic rule evaluation
  • Least Privilege: Apply minimal required permissions for IAM roles
  • Tagging: Implement consistent tagging for resource management
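The following module call applies the practices above using this module's own inputs. It is an added example, not code from the module's examples/ directory; the VPC, subnet IDs, KMS key ARN and log destination names are placeholders.

```hcl
module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name            = "prod-network-firewall"
  description     = "Network Firewall with hardening applied"
  create_firewall = true
  vpc_id          = "vpc-12345678"                         # placeholder
  subnet_ids      = ["subnet-12345678", "subnet-87654321"] # placeholders, one per AZ

  firewall_config = {
    # Protection settings: block accidental deletion or topology changes
    delete_protection                   = true
    subnet_change_protection            = true
    firewall_policy_change_protection   = true
    availability_zone_change_protection = true
    # Encryption at rest with a customer-managed KMS key (placeholder ARN)
    encryption_configuration = {
      type   = "CUSTOMER_KMS"
      key_id = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
    }
  }

  firewall_policy_config = {
    create                             = true
    name                               = "prod-firewall-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    # STRICT_ORDER evaluates stateful rules in the order given; strict default
    # actions are required with it and here drop and alert on anything no rule passes
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
    stateful_engine_options = {
      rule_order              = "STRICT_ORDER"
      stream_exception_policy = "DROP"
    }
  }

  # Alerts go to CloudWatch Logs for detection; flow logs go to S3 for retention
  logging_config = {
    enable             = true
    log_retention_days = 90
    destinations = [
      { log_type = "ALERT", log_destination_type = "CloudWatchLogs", log_destination_name = "prod-firewall-alerts" },
      { log_type = "FLOW", log_destination_type = "S3", log_destination_name = "prod-firewall-flow-logs" },
    ]
  }

  tags = { Environment = "production", Project = "security", Owner = "security-team" }
}
```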

Requirements

Name        Version
terraform   >= 1.3
aws         >= 5.0, < 7.0

Providers

Name   Version
aws    6.16.0

Modules

Name               Source                  Version
s3_firewall_logs   sourcefuse/arc-s3/aws   0.0.5

Resources

Name                                                      Type
aws_cloudwatch_log_group.firewall_logs                    resource
aws_networkfirewall_firewall.this                         resource
aws_networkfirewall_firewall_policy.this                  resource
aws_networkfirewall_logging_configuration.this            resource
aws_networkfirewall_resource_policy.example               resource
aws_networkfirewall_resource_policy.firewall_policy       resource
aws_networkfirewall_rule_group.this                       resource
aws_networkfirewall_tls_inspection_configuration.this     resource
aws_networkfirewall_vpc_endpoint_association.this         resource

Inputs

Each input is listed with its description, type, default and whether it is required.

availability_zones
  Description: List of availability zone IDs for transit gateway-attached firewall
  Type:        list(string)
  Default:     []
  Required:    no

create_firewall
  Description: Controls whether the Network Firewall should be created
  Type:        bool
  Default:     true
  Required:    no

create_firewall_policy_resource_policy
  Description: Whether to create a resource policy for the firewall policy
  Type:        bool
  Default:     false
  Required:    no

create_rule_group_resource_policy
  Description: Whether to attach a resource policy to the Rule Group
  Type:        bool
  Default:     false
  Required:    no

description
  Description: Description of the Network Firewall
  Type:        string
  Default:     null
  Required:    no

firewall_config
  Description: Combined firewall settings
  Type:
    object({
      transit_gateway_id                  = optional(string)
      delete_protection                   = optional(bool, false)
      subnet_change_protection            = optional(bool, false)
      firewall_policy_change_protection   = optional(bool, false)
      availability_zone_change_protection = optional(bool, false)
      enabled_analysis_types              = optional(list(string), [])
      encryption_configuration = optional(object({
        type   = string
        key_id = optional(string)
      }))
      timeouts = optional(object({
        create = optional(string)
        update = optional(string)
        delete = optional(string)
      }))
    })
  Default:     {}
  Required:    no

firewall_policy_config
  Description: Firewall Policy Configuration
  Type:
    object({
      create      = optional(bool, false)
      arn         = optional(string)
      name        = optional(string)
      description = optional(string)
      encryption_configuration = optional(object({
        type   = string
        key_id = optional(string)
      }))
      stateless_default_actions          = optional(list(string), ["aws:forward_to_sfe"])
      stateless_fragment_default_actions = optional(list(string), ["aws:forward_to_sfe"])
      stateful_default_actions           = optional(list(string))
      stateful_engine_options = optional(object({
        rule_order              = optional(string, "DEFAULT_ACTION_ORDER")
        stream_exception_policy = optional(string, "DROP")
        flow_timeouts = optional(object({
          tcp_idle_timeout_seconds = optional(number, 350)
        }))
      }))
      policy_variables = optional(object({
        rule_variables = optional(map(object({
          definition = list(string)
        })), {})
      }), {})
      stateless_rule_groups = optional(list(object({
        resource_arn = string
        priority     = number
      })), [])
      stateful_rule_groups = optional(list(object({
        resource_arn          = string
        priority              = number
        deep_threat_inspection = optional(bool)
        override = optional(object({
          action = string
        }))
      })), [])
      stateless_custom_actions = optional(list(object({
        action_name = string
        action_definition = object({
          publish_metric_action = object({
            dimensions = list(object({
              value = string
            }))
          })
        })
      })), [])
      tls_inspection_configuration_arn    = optional(string)
      create_tls_inspection_configuration = optional(bool, false)
    })
  Default:     {}
  Required:    no

firewall_policy_resource_policy
  Description: Resource policy configuration for the firewall policy
  Type:
    object({
      statements = list(object({
        actions = list(string)
        effect  = string
        principals = object({
          aws = list(string)
        })
      }))
    })
  Default:
    {
      "statements": []
    }
  Required:    no

logging_config
  Description: List of logging destinations to configure.
    Example:
    [
      {
        log_type             = "FLOW"
        log_destination_type = "S3"
        log_destination_name = "firewall-logs-bucket"
      },
      {
        log_type             = "ALERT"
        log_destination_type = "CloudWatchLogs"
        log_destination_name = "firewall-alerts-loggroup"
      }
    ]
  Type:
    object({
      enable             = optional(bool, true)
      log_retention_days = optional(number, 7)
      destinations = optional(list(object({
        log_type             = string
        log_destination_type = string # S3, CloudWatchLogs or KinesisDataFirehose
        log_destination_name = string # bucket name or log group name
      })), [])
    })

name
  Description: Name of the Network Firewall
  Type:        string
  Default:     n/a
  Required:    yes

rule_group_config
  Description: Complete rule group configuration in one object
  Type:
    object({
      create      = optional(bool, false)
      description = optional(string)
      capacity    = optional(number)
      type        = optional(string)
      encryption_configuration = optional(object({
        type   = string
        key_id = optional(string)
      }))
      rules = optional(string)
      rule_variables = optional(object({
        ip_sets = optional(list(object({
          key        = string
          definition = list(string)
        })))
        port_sets = optional(list(object({
          key        = string
          definition = list(string)
        })))
      }))
      rules_source = optional(object({
        rules_source_list = optional(list(object({
          generated_rules_type = string
          target_types         = list(string)
          targets              = list(string)
        })))
        rules_string = optional(string)
        stateful_rules = optional(list(object({
          action = string
          header = object({
            destination      = string
            destination_port = string
            direction        = string
            protocol         = string
            source           = string
            source_port      = string
          })
          rule_options = optional(list(object({
            keyword  = string
            settings = optional(list(string))
          })))
        })))
        stateless = optional(list(object({
          custom_actions = optional(list(object({
            action_name = string
            dimension   = string
          })))
          rules = list(object({
            priority = number
            actions  = list(string)
            match = object({
              destination = string
              destination_port = object({
                from = number
                to   = number
              })
              source = string
              source_port = object({
                from = number
                to   = number
              })
              protocols = optional(list(number))
            })
          }))
        })))
      }))
      stateful_rule_options = optional(object({
        rule_order = string
      }))
      reference_sets = optional(list(object({
        key = string
        arn = string
      })))
    })
  Default:     {}
  Required:    no

rule_group_resource_policy
  Description: IAM-style resource policy for Network Firewall Rule Group
  Type:
    object({
      statements = list(object({
        actions = list(string)
        effect  = string
        principals = object({
          aws = list(string)
        })
      }))
    })
  Default:
    {
      "statements": []
    }
  Required:    no

subnet_ids
  Description: List of subnet IDs for firewall endpoints
  Type:        list(string)
  Default:     []
  Required:    no

tags
  Description: Tags to apply to all resources
  Type:        map(string)
  Default:     {}
  Required:    no

tls_inspection_configuration
  Description: TLS inspection configuration
  Type:
    object({
      create      = optional(bool, false)
      name        = optional(string)
      description = optional(string)
      encryption_configuration = optional(object({
        key_id = optional(string)
        type   = optional(string, "AWS_OWNED_KMS_KEY")
      }))
      server_certificate_configurations = optional(list(object({
        certificate_authority_arn = optional(string)
        check_certificate_revocation_status = optional(object({
          revoked_status_action = optional(string, "REJECT")
          unknown_status_action = optional(string, "PASS")
        }))
        server_certificates = optional(list(object({
          resource_arn = string
        })), [])
        scopes = list(object({
          protocols = optional(list(number), [6])
          destinations = list(object({
            address_definition = string
          }))
          destination_ports = optional(list(object({
            from_port = number
            to_port   = optional(number)
          })), [])
          sources = optional(list(object({
            address_definition = string
          })), [])
          source_ports = optional(list(object({
            from_port = number
            to_port   = optional(number)
          })), [])
        }))
      })), [])
      timeouts = optional(object({
        create = optional(string)
        update = optional(string)
        delete = optional(string)
      }))
    })
  Default:     {}
  Required:    no

vpc_endpoint_association
  Description: Configuration for VPC Endpoint Association
  Type:
    object({
      create      = optional(bool, false)
      description = optional(string)
      subnet_mappings = optional(list(object({
        subnet_id       = string
        ip_address_type = optional(string) # IPV4 or DUALSTACK
      })), [])
    })
  Default:     {}
  Required:    no

vpc_id
  Description: VPC ID where the firewall will be deployed
  Type:        string
  Default:     null
  Required:    no

Outputs

Name                                                  Description
arn                                                   ARN of the rule group
availability_zones                                    Availability zones where firewall endpoints are created
firewall_arn                                          The firewall ARN
firewall_endpoint_ids                                 Map of endpoint IDs per AZ
firewall_id                                           The firewall ID
firewall_name                                         Firewall name
firewall_policy_arn                                   The Amazon Resource Name (ARN) that identifies the firewall policy
firewall_policy_id                                    The Amazon Resource Name (ARN) that identifies the firewall policy
firewall_policy_name                                  The name of the firewall policy
firewall_policy_resource_policy_id                    ID of the firewall policy resource policy
firewall_policy_update_token                          A string token used when updating the firewall policy
firewall_status                                       Firewall status
id                                                    ID of the rule group
logging_configuration_id                              The Amazon Resource Name (ARN) of the associated firewall for logging
resource_policy_ids                                   List of resource policy IDs
subnet_ids                                            List of subnet IDs where firewall endpoints are created
tags_all                                              All tags for the firewall
tls_inspection_configuration_arn                      ARN of the TLS inspection configuration
tls_inspection_configuration_certificate_authority    Certificate authority information
tls_inspection_configuration_certificates             Certificates information
tls_inspection_configuration_id                       ID of the TLS inspection configuration
tls_inspection_configuration_update_token             Update token of the TLS inspection configuration
transit_gateway_id                                    The Transit Gateway ID for transit gateway-attached firewall
update_token                                          Update token of the rule group
vpc_id                                                The VPC ID where the firewall is deployed