|
| 1 | +# Terraform AWS ARC Network Firewall Module Usage Guide |
| 2 | + |
| 3 | +## Introduction |
| 4 | + |
| 5 | +### Purpose of the Document |
| 6 | + |
| 7 | +This document provides guidelines and instructions for users looking to implement the Terraform AWS ARC Network Firewall module for securing network traffic in AWS environments. |
| 8 | + |
| 9 | +### Module Overview |
| 10 | + |
| 11 | +The Terraform AWS ARC Network Firewall module provides a secure and modular foundation for deploying AWS Network Firewall on AWS. This module supports both VPC-attached and Transit Gateway-attached configurations, offering comprehensive network security with stateful and stateless rule groups, advanced logging capabilities, and TLS inspection features. |
| 12 | + |
| 13 | +### Prerequisites |
| 14 | + |
| 15 | +Before using this module, ensure you have the following: |
| 16 | + |
| 17 | +- AWS credentials configured with appropriate permissions |
| 18 | +- Terraform installed (version >= 1.5) |
| 19 | +- A working knowledge of AWS VPC, Network Firewall, and Terraform concepts |
| 20 | +- Understanding of network security concepts and firewall rules |
| 21 | + |
| 22 | +## Getting Started |
| 23 | + |
| 24 | +### Module Source |
| 25 | + |
| 26 | +To use the module in your Terraform configuration, include the following source block: |
| 27 | + |
| 28 | +```hcl |
| 29 | +module "arc-network-firewall" { |
| 30 | + source = "sourcefuse/arc-network-firewall/aws" |
| 31 | + version = "0.0.1" |
| 32 | +
|
| 33 | + # Required variables |
| 34 | + name = "my-network-firewall" |
| 35 | + vpc_id = "vpc-12345678" |
| 36 | + subnet_ids = ["subnet-12345678", "subnet-87654321"] |
| 37 | + create_firewall = true |
| 38 | + firewall_policy_config = { |
| 39 | + create = true |
| 40 | + } |
| 41 | +
|
| 42 | + tags = { |
| 43 | + Environment = "production" |
| 44 | + Project = "security" |
| 45 | + } |
| 46 | +} |
| 47 | +``` |
| 48 | + |
| 49 | +Refer to the [Terraform Registry](https://github.com/sourcefuse/terraform-aws-arc-network-firewall) for the latest version. |
| 50 | + |
| 51 | +### Integration with Existing Terraform Configurations |
| 52 | + |
| 53 | +To integrate the module with your existing Terraform mono repo configuration, follow the steps below: |
| 54 | + |
| 55 | +- Create a new folder in terraform/ named `network-firewall` |
| 56 | +- Create the required files, see the examples to base off of |
| 57 | +- Configure with your backend: |
| 58 | + - Create the environment backend configuration file: `config.<environment>.hcl` |
| 59 | + - region: Where the backend resides |
| 60 | + - key: `network-firewall/terraform.tfstate` |
| 61 | + - bucket: Bucket name where the terraform state will reside |
| 62 | + - dynamodb_table: Lock table so there are not duplicate tfplans in the mix |
| 63 | + - encrypt: Encrypt all traffic to and from the backend |
| 64 | + |
| 65 | +### Required AWS Permissions |
| 66 | + |
| 67 | +Ensure that the AWS credentials used to execute Terraform have the necessary permissions to create, list and modify: |
| 68 | + |
| 69 | +- AWS Network Firewall resources |
| 70 | +- VPC and subnet resources |
| 71 | +- IAM roles and policies for logging |
| 72 | +- CloudWatch Logs groups |
| 73 | +- S3 buckets for logging |
| 74 | +- KMS keys for encryption |
| 75 | + |
| 76 | +## Module Configuration |
| 77 | + |
| 78 | +### Input Variables |
| 79 | + |
| 80 | +For a complete list of input variables, see the README [Inputs](../../README.md#inputs) section. |
| 81 | + |
| 82 | +Key variables include: |
| 83 | +- `name`: Name of the Network Firewall |
| 84 | +- `vpc_id`: VPC ID where the firewall will be deployed |
| 85 | +- `subnet_ids`: List of subnet IDs for firewall endpoints |
| 86 | +- `firewall_config`: Combined firewall settings object |
| 87 | +- `create_firewall_policy`: Whether to create a firewall policy |
| 88 | + |
| 89 | +### Output Values |
| 90 | + |
| 91 | +For a complete list of outputs, see the README [Outputs](../../README.md#outputs) section. |
| 92 | + |
| 93 | +Key outputs include: |
| 94 | +- `firewall_arn`: ARN of the created Network Firewall |
| 95 | +- `firewall_id`: ID of the created Network Firewall |
| 96 | +- `firewall_policy_arn`: ARN of the firewall policy |
| 97 | +- `endpoint_ids`: List of firewall endpoint IDs |
| 98 | + |
| 99 | +## Module Usage |
| 100 | + |
| 101 | +### Basic Usage |
| 102 | + |
| 103 | +For basic usage, see the [basic-firewall example](../../examples/basic-firewall) folder. |
| 104 | + |
| 105 | +This example will create: |
| 106 | + |
| 107 | +- A Network Firewall with basic stateful and stateless rules |
| 108 | +- Firewall policy with default actions |
| 109 | +- Firewall endpoints in specified subnets |
| 110 | +- Basic logging configuration |
| 111 | + |
| 112 | +### Tips and Recommendations |
| 113 | + |
| 114 | +- The module focuses on provisioning AWS Network Firewall with flexible configuration options. The convention-based approach enables downstream services to easily integrate with the firewall endpoints. |
| 115 | +- Use VPC-attached configuration for protecting specific VPCs and Transit Gateway-attached for centralized inspection across multiple VPCs. |
| 116 | +- Enable logging to monitor traffic patterns and security events. |
| 117 | +- Consider using TLS inspection for encrypted traffic analysis in high-security environments. |
| 118 | +- Adjust rule group capacities based on your expected rule complexity and volume. |
| 119 | + |
| 120 | +## Troubleshooting |
| 121 | + |
| 122 | +### Common Issues |
| 123 | + |
| 124 | +1. **Subnet Selection**: Ensure subnets are in different Availability Zones for high availability |
| 125 | +2. **Capacity Planning**: Monitor rule group capacity usage to avoid hitting limits |
| 126 | +3. **Logging Configuration**: Verify IAM permissions for logging destinations |
| 127 | +4. **Transit Gateway Integration**: Ensure proper route table configurations |
| 128 | + |
| 129 | +### Reporting Issues |
| 130 | + |
| 131 | +If you encounter a bug or issue, please report it on the [GitHub repository](https://github.com/sourcefuse/terraform-aws-arc-network-firewall/issues). |
| 132 | + |
| 133 | +## Security Considerations |
| 134 | + |
| 135 | +### AWS Network Firewall Security |
| 136 | + |
| 137 | +Understand the security considerations related to Network Firewall on AWS when using this module: |
| 138 | + |
| 139 | +- Network Firewall provides stateful inspection of traffic |
| 140 | +- Rules are processed in order of priority |
| 141 | +- Default actions determine behavior for unmatched traffic |
| 142 | +- Encryption at rest and in transit is supported |
| 143 | + |
| 144 | +### Best Practices for AWS Network Firewall |
| 145 | + |
| 146 | +Follow best practices to ensure secure Network Firewall configurations: |
| 147 | + |
| 148 | +- [AWS Network Firewall Security Best Practices](https://docs.aws.amazon.com/network-firewall/latest/developerguide/security-best-practices.html) |
| 149 | +- Enable comprehensive logging for security monitoring |
| 150 | +- Use least-privilege access for firewall management |
| 151 | +- Regularly update rule groups to address new threats |
| 152 | +- Implement proper change management for firewall policies |
| 153 | + |
| 154 | +## Contributing and Community Support |
| 155 | + |
| 156 | +### Contributing Guidelines |
| 157 | + |
| 158 | +Contribute to the module by following the guidelines outlined in the [CONTRIBUTING.md](../../CONTRIBUTING.md) file. |
| 159 | + |
| 160 | +### Reporting Bugs and Issues |
| 161 | + |
| 162 | +If you find a bug or issue, report it on the [GitHub repository](https://github.com/sourcefuse/terraform-aws-arc-network-firewall/issues). |
| 163 | + |
| 164 | +## License |
| 165 | + |
| 166 | +### License Information |
| 167 | + |
| 168 | +This module is licensed under the Apache 2.0 license. Refer to the [LICENSE](../../LICENSE) file for more details. |
| 169 | + |
| 170 | +### Open Source Contribution |
| 171 | + |
| 172 | +Contribute to open source by using and enhancing this module. Your contributions are welcome! |
0 commit comments