feat: initial version to allow network firewall support

Author: roger-amorim-dv

main.tf

@@ -6,15 +6,26 @@ locals {
   len_redshift_subnets    = max(length(var.redshift_subnets), length(var.redshift_subnet_ipv6_prefixes))
   len_intra_subnets       = max(length(var.intra_subnets), length(var.intra_subnet_ipv6_prefixes))
   len_outpost_subnets     = max(length(var.outpost_subnets), length(var.outpost_subnet_ipv6_prefixes))
+  len_firewall_subnets    = max(length(var.firewall_subnets), length(var.firewall_subnet_ipv6_prefixes))
 
   max_subnet_length = max(
     local.len_private_subnets,
     local.len_public_subnets,
     local.len_elasticache_subnets,
     local.len_database_subnets,
     local.len_redshift_subnets,
+    local.len_firewall_subnets,
   )
 
+  // TODO - comment what this line does
+  firewall_sync_states = try(module.firewall[0].status[0].sync_states, {})
+  firewall_vpce = {
+    for state in local.firewall_sync_states: state.availability_zone => {
+        cidr_block = one([ for subnet in aws_subnet.firewall : subnet.cidr_block if subnet.id == state.attachment[0].subnet_id ])
+        endpoint_id = state.attachment[0].endpoint_id
+      }
+    }
+
   # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free!
   vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this[0].id, "")
 
@@ -153,7 +164,7 @@ resource "aws_route_table_association" "public" {
 }
 
 resource "aws_route" "public_internet_gateway" {
-  count = local.create_public_subnets && var.create_igw ? local.num_public_route_tables : 0
+  count = local.create_public_subnets && var.create_igw && !(var.enable_network_firewall && local.len_firewall_subnets > 0) ? local.num_public_route_tables : 0
 
   route_table_id         = aws_route_table.public[count.index].id
   destination_cidr_block = "0.0.0.0/0"
@@ -164,6 +175,32 @@ resource "aws_route" "public_internet_gateway" {
   }
 }
 
+resource "aws_route_table_association" "public_internet_gateway" {
+  count = local.create_vpc && var.create_igw && var.enable_network_firewall && local.len_firewall_subnets > 0 ? 1 : 0
+
+  gateway_id     = aws_internet_gateway.this[0].id
+  route_table_id = aws_route_table.internet_gateway[0].id
+}
+
+resource "aws_route_table_association" "firewall" {
+  count = local.create_vpc && local.len_firewall_subnets > 0 ? local.len_firewall_subnets : 0
+
+  subnet_id      = element(aws_subnet.firewall.*.id, count.index)
+  route_table_id = aws_route_table.firewall[0].id
+}
+
+resource "aws_route" "public_firewall" {
+  count = local.create_vpc && var.enable_network_firewall ? local.len_public_subnets : 0
+
+  route_table_id         = element(aws_route_table.public.*.id, count.index)
+  destination_cidr_block = "0.0.0.0/0"
+  vpc_endpoint_id        = local.firewall_vpce[aws_subnet.public[count.index].availability_zone].endpoint_id
+
+  timeouts {
+    create = "5m"
+  }
+}
+
 resource "aws_route" "public_internet_gateway_ipv6" {
   count = local.create_public_subnets && var.create_igw && var.enable_ipv6 ? local.num_public_route_tables : 0
 
@@ -223,6 +260,145 @@ resource "aws_network_acl_rule" "public_outbound" {
   ipv6_cidr_block = lookup(var.public_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
 }
 
+################################################################################
+# Firewall Subnets
+################################################################################
+
+locals {
+  create_firewall_subnets = local.create_vpc && local.len_firewall_subnets > 0
+}
+
+resource "aws_subnet" "firewall" {
+  count = local.create_firewall_subnets ? local.len_firewall_subnets : 0
+
+  vpc_id                          = local.vpc_id
+  cidr_block                      = var.firewall_subnets[count.index]
+  availability_zone               = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) > 0 ? element(var.azs, count.index) : null
+  availability_zone_id            = length(regexall("^[a-z]{2}-", element(var.azs, count.index))) == 0 ? element(var.azs, count.index) : null
+  assign_ipv6_address_on_creation = var.enable_ipv6 && var.firewall_subnet_ipv6_native ? true : var.firewall_subnet_assign_ipv6_address_on_creation
+
+  ipv6_cidr_block = var.enable_ipv6 && length(var.firewall_subnet_ipv6_prefixes) > 0 ? cidrsubnet(aws_vpc.this[0].ipv6_cidr_block, 8, var.firewall_subnet_ipv6_prefixes[count.index]) : null
+
+  tags = merge(
+    {
+      "Name" = format(
+        "%s-${var.firewall_subnet_suffix}-%s",
+        var.name,
+        element(var.azs, count.index),
+      )
+    },
+    var.tags,
+    var.firewall_subnet_tags,
+  )
+}
+
+
+resource "aws_route_table" "firewall" {
+  count = local.create_vpc && var.create_firewall_subnet_route_table && local.len_firewall_subnets > 0 ? 1 : 0
+
+  vpc_id = local.vpc_id
+
+  tags = merge(
+    {
+      "Name" = "${var.name}-${var.firewall_subnet_suffix}"
+    },
+    var.tags,
+    var.firewall_route_table_tags,
+  )
+}
+
+resource "aws_route" "firewall_internet_gateway" {
+  count = local.create_vpc && var.create_igw && local.len_firewall_subnets > 0 ? 1 : 0
+
+  route_table_id         = aws_route_table.firewall[count.index].id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.this[0].id
+
+  timeouts {
+    create = "5m"
+  }
+}
+
+resource "aws_route_table" "internet_gateway" {
+  count  = local.create_vpc && var.enable_network_firewall && local.len_firewall_subnets > 0 ? 1 : 0
+  vpc_id = local.vpc_id
+
+  tags = merge(
+    {
+      "Name" = format("%s-internet-gateway-${var.firewall_subnet_suffix}", var.name)
+    },
+    var.tags,
+    var.public_route_table_tags,
+  )
+}
+
+resource "aws_route" "internet_gateway_firewall" {
+  count = local.create_vpc && var.enable_network_firewall && local.len_firewall_subnets > 0 ? local.len_public_subnets : 0
+
+  route_table_id         = aws_route_table.internet_gateway[0].id
+  destination_cidr_block = aws_subnet.public[count.index].cidr_block
+
+
+  vpc_endpoint_id = local.firewall_vpce[aws_subnet.public[count.index].availability_zone].endpoint_id // TODO testing
+  #vpc_endpoint_id        = element(local.firewall_endpoint_ids_ordered_by_azs, count.index)
+}
+
+################################################################################
+# Firewall Network ACLs
+################################################################################
+
+locals {
+  create_firewall_network_acl = local.create_firewall_subnets && var.firewall_dedicated_network_acl
+}
+
+resource "aws_network_acl" "firewall" {
+  count = local.create_firewall_network_acl ? 1 : 0
+
+  vpc_id     = local.vpc_id
+  subnet_ids = aws_subnet.firewall[*].id
+
+  tags = merge(
+    { "Name" = "${var.name}-${var.firewall_subnet_suffix}" },
+    var.tags,
+    var.firewall_acl_tags,
+  )
+}
+
+resource "aws_network_acl_rule" "firewall_inbound" {
+  count = local.create_firewall_network_acl ? length(var.firewall_inbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.firewall[0].id
+
+  egress          = false
+  rule_number     = var.firewall_inbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.firewall_inbound_acl_rules[count.index]["rule_action"]
+  from_port       = lookup(var.firewall_inbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.firewall_inbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.firewall_inbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.firewall_inbound_acl_rules[count.index], "icmp_type", null)
+  protocol        = var.firewall_inbound_acl_rules[count.index]["protocol"]
+  cidr_block      = lookup(var.firewall_inbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.firewall_inbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+resource "aws_network_acl_rule" "firewall_outbound" {
+  count = local.create_firewall_network_acl ? length(var.firewall_outbound_acl_rules) : 0
+
+  network_acl_id = aws_network_acl.firewall[0].id
+
+  egress          = true
+  rule_number     = var.firewall_outbound_acl_rules[count.index]["rule_number"]
+  rule_action     = var.firewall_outbound_acl_rules[count.index]["rule_action"]
+  from_port       = lookup(var.firewall_outbound_acl_rules[count.index], "from_port", null)
+  to_port         = lookup(var.firewall_outbound_acl_rules[count.index], "to_port", null)
+  icmp_code       = lookup(var.firewall_outbound_acl_rules[count.index], "icmp_code", null)
+  icmp_type       = lookup(var.firewall_outbound_acl_rules[count.index], "icmp_type", null)
+  protocol        = var.firewall_outbound_acl_rules[count.index]["protocol"]
+  cidr_block      = lookup(var.firewall_outbound_acl_rules[count.index], "cidr_block", null)
+  ipv6_cidr_block = lookup(var.firewall_outbound_acl_rules[count.index], "ipv6_cidr_block", null)
+}
+
+
 ################################################################################
 # Private Subnets
 ################################################################################

network-firewall.tf

@@ -0,0 +1,144 @@
+locals {
+  #aws_managed_rules_prefix_arn = "arn:aws:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup"
+  aws_managed_rules_prefix_arn = "arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup" // TODO - review this region
+
+  // TODO - Review these rules
+  firewall_managed_rules = distinct(concat([
+    "AbusedLegitMalwareDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesPhishingStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesFUPStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+  ], var.firewall_managed_rules))
+
+  name = "${var.name}-network-firewall"
+}
+
+module "firewall" {
+  source = "terraform-aws-modules/network-firewall/aws"
+
+  count = var.create_network_firewall ? 1 : 0
+
+  # Firewall
+  name        = local.name
+  description = var.description
+
+  # Only for example
+  delete_protection                 = var.delete_protection
+  firewall_policy_change_protection = var.firewall_policy_change_protection
+  subnet_change_protection          = var.subnet_change_protection
+
+  vpc_id = aws_vpc.this[0].id
+  subnet_mapping = { for subnet_id in aws_subnet.firewall.*.id :
+    "subnet-${subnet_id}" => {
+      subnet_id       = subnet_id
+      ip_address_type = "IPV4"
+    }
+  }
+
+  # Logging configuration
+  create_logging_configuration = true
+  logging_configuration_destination_config = [
+    {
+      log_destination = {
+        logGroup = module.logs_alerts[0].cloudwatch_log_group_name
+      }
+      log_destination_type = "CloudWatchLogs"
+      log_type             = "ALERT"
+    },
+    {
+      log_destination = {
+        logGroup = module.logs_flow[0].cloudwatch_log_group_name
+      }
+      log_destination_type = "CloudWatchLogs"
+      log_type             = "FLOW"
+    },
+  ]
+
+  encryption_configuration = {
+    key_id = module.kms[0].key_arn
+    type   = "CUSTOMER_KMS"
+  }
+
+  # Policy
+  policy_name        = local.name
+  policy_description = "Default network firewall policy for ${local.name}"
+
+  # policy_stateful_rule_group_reference = {}
+  policy_stateful_rule_group_reference = {
+    for i, rule_group in local.firewall_managed_rules : rule_group => {
+      resource_arn = "${local.aws_managed_rules_prefix_arn}/${rule_group}",
+      priority     = i + 1,
+    }
+  }
+
+  policy_stateful_engine_options = {
+    rule_order = "STRICT_ORDER"
+  }
+  policy_stateless_default_actions          = ["aws:forward_to_sfe"]
+  policy_stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+
+  tags = var.tags // TODO - review these tags
+
+  depends_on = [module.kms]
+}
+
+module "logs_alerts" {
+  source       = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
+
+  count = var.create_network_firewall ? 1 : 0
+
+  name        = "${local.name}-alerts"
+  tenant      = var.tenant
+  region      = var.region
+  environment = var.environment
+
+  retention_in_days                  = var.logs_retention_in_days
+  kms_key_arn                        = var.logs_kms_key_arn
+  create_datadog_subscription_filter = true
+}
+
+// TODO review if this module is really necessary
+module "logs_flow" {
+  source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
+
+  count       = var.create_network_firewall ? 1 : 0
+
+  name        = "${local.name}-flow" // TODO - review this name
+  tenant      = var.tenant
+  region      = var.region
+  environment = var.environment
+
+  retention_in_days                  = var.logs_retention_in_days
+  kms_key_arn                        = var.logs_kms_key_arn
+  create_datadog_subscription_filter = false
+}
+
+module "kms" {
+  source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
+
+  count = var.create_network_firewall ? 1 : 0
+
+  description = "KMS key used for ${var.name} AWS Network Firewall"
+  name        = var.name // TODO - review this name
+  region      = var.region
+  environment = var.environment
+  namespace   = var.namespace
+  tenant      = var.tenant
+  tags        = var.tags
+}
+