feat: adjust example and minor fixes

Author: roger-amorim-dv

examples/network-firewall/README.md

@@ -0,0 +1,41 @@
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.46 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | 3.6.3 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/withclutch/terraform-modules-registry | aws-kms_v1.194 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_firewall_subnets"></a> [firewall\_subnets](#output\_firewall\_subnets) | List of IDs of firewall subnets |
+| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| <a name="output_network_firewall_arn"></a> [network\_firewall\_arn](#output\_network\_firewall\_arn) | ARN of the Network Firewall |
+| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |

examples/network-firewall/main.tf

@@ -3,7 +3,7 @@ provider "aws" {
 }
 
 locals {
-  region      = "us-east-2"
+  region      = "us-east-1"
   name        = "nf-example-${random_pet.this.id}"
   environment = "test"
 }
@@ -18,13 +18,11 @@ resource "random_pet" "this" {
 ################################################################################
 
 module "kms" {
-  #source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
-  source = "/Users/roger.amorim/Clutch/projects/infrastructure/terraform-modules/modules/aws-kms"
+  source = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
 
-  name                              = local.name
-  environment                       = "test"
-  description                       = "KMS key used to test the ${local.name} AWS Network Firewall"
-  allow_usage_in_network_log_groups = true
+  name        = local.name
+  environment = "test"
+  description = "KMS key used to test the ${local.name} AWS Network Firewall"
 }
 
 ################################################################################
@@ -59,10 +57,11 @@ module "vpc" {
   ######### Firewall Logs ##########
   firewall_logs_retention_in_days = 14
   firewall_logs_kms_key_arn       = module.kms.key_arn
+  create_logging_configuration    = true
 
   ######### Firewall Rules and Filter ##########
-  firewall_log_types      = ["FLOW", "ALERT"]
-  firewall_managed_rules  = [
+  firewall_log_types = ["FLOW", "ALERT"]
+  firewall_managed_rules = [
     "AbusedLegitMalwareDomainsStrictOrder",
     "BotNetCommandAndControlDomainsStrictOrder",
     "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",

main.tf

@@ -20,11 +20,11 @@ locals {
   // TODO - comment what this line does
   firewall_sync_states = try(module.firewall[0].status[0].sync_states, {})
   firewall_vpce = {
-    for state in local.firewall_sync_states: state.availability_zone => {
-        cidr_block = one([ for subnet in aws_subnet.firewall : subnet.cidr_block if subnet.id == state.attachment[0].subnet_id ])
-        endpoint_id = state.attachment[0].endpoint_id
-      }
+    for state in local.firewall_sync_states : state.availability_zone => {
+      cidr_block  = one([for subnet in aws_subnet.firewall : subnet.cidr_block if subnet.id == state.attachment[0].subnet_id])
+      endpoint_id = state.attachment[0].endpoint_id
     }
+  }
 
   # Use `local.vpc_id` to give a hint to Terraform that subnets should be deleted before secondary CIDR blocks can be free!
   vpc_id = try(aws_vpc_ipv4_cidr_block_association.this[0].vpc_id, aws_vpc.this[0].id, "")
@@ -325,7 +325,7 @@ resource "aws_route_table" "internet_gateway" {
 
   tags = merge(
     {
-      "Name" = format("%s-internet-gateway-${var.firewall_subnet_suffix}", var.name)
+      "Name" = format("%s-internet-gateway-${var.public_subnet_suffix}", var.name)
     },
     var.tags,
     var.public_route_table_tags,

network-firewall.tf

@@ -4,17 +4,16 @@ locals {
   name                         = "${var.name}-network-firewall"
 }
 
+### TODO - AWS Network Firewall Managed and Custom Rules will be reviewed/implemented in next release - ###
 module "firewall" {
   source  = "terraform-aws-modules/network-firewall/aws"
   version = "~> 1.0"
 
   count = var.create_network_firewall ? 1 : 0
 
-
   name        = local.name
   description = var.firewall_description
 
-
   delete_protection                 = var.firewall_delete_protection
   firewall_policy_change_protection = var.firewall_policy_change_protection
   subnet_change_protection          = var.firewall_subnet_change_protection
@@ -29,7 +28,7 @@ module "firewall" {
   }
 
   ### Logging configuration ###
-  create_logging_configuration = false
+  create_logging_configuration = var.create_logging_configuration
   logging_configuration_destination_config = [
     {
       log_destination = {
@@ -69,17 +68,17 @@ module "firewall" {
   policy_stateless_default_actions          = ["aws:forward_to_sfe"]
   policy_stateless_fragment_default_actions = ["aws:forward_to_sfe"]
 
-  tags = var.tags // TODO - review these tags
+  tags = var.tags
 
   depends_on = [module.kms, module.logs_alerts, module.logs_flow]
 }
 
 module "logs_alerts" {
-  source       = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
+  source = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
 
   count = var.create_network_firewall ? 1 : 0
 
-  name        = "nf-network-log-alerts"
+  name        = "${local.name}-alerts"
   tenant      = var.tenant
   region      = var.region
   environment = var.environment
@@ -88,15 +87,17 @@ module "logs_alerts" {
   kms_key_arn                        = module.kms[0].key_arn
   create_datadog_subscription_filter = true
 
+  tags = merge(var.tags, var.firewall_log_tags)
+
   depends_on = [module.kms]
 }
 
 module "logs_flow" {
-  source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
+  source = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
 
-  count       = var.create_network_firewall ? 1 : 0
+  count = var.create_network_firewall ? 1 : 0
 
-  name        = "nf-network-log-flow"
+  name        = "${local.name}-flow"
   tenant      = var.tenant
   region      = var.region
   environment = var.environment
@@ -105,22 +106,22 @@ module "logs_flow" {
   kms_key_arn                        = module.kms[0].key_arn
   create_datadog_subscription_filter = false
 
+  tags = merge(var.tags, var.firewall_log_tags)
+
   depends_on = [module.kms]
 }
 
 module "kms" {
-  #source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
-  source = "/Users/roger.amorim/Clutch/projects/infrastructure/terraform-modules/modules/aws-kms"
+  source = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
 
   count = var.create_network_firewall ? 1 : 0
 
-  description = "KMS key used for ${var.name} AWS Network Firewall"
-  name        = var.name // TODO - review this name
+  description = "KMS key used for ${local.name} AWS Network Firewall"
+  name        = "${local.name}-kms"
   region      = var.region
   environment = var.environment
   namespace   = var.namespace
   tenant      = var.tenant
   tags        = var.tags
-  #allow_usage_in_network_log_groups = true
 }
 

variables.tf

@@ -1200,10 +1200,16 @@ variable "firewall_log_types" {
   default     = ["FLOW", "ALERT"]
 }
 
-variable "firewall_log_cloudwatch_log_group_name_prefix" {
-  description = "Specifies the name prefix of Network Firewall Log Group for Network Firewall logs."
-  type        = string
-  default     = "/aws/network-firewall-log/"
+variable "firewall_log_tags" {
+  description = "Additional tags for the Firewall Logs"
+  type        = map(string)
+  default     = {}
+}
+
+variable "create_logging_configuration" {
+  description = "Controls if a Logging Configuration should be created"
+  type        = bool
+  default     = false
 }
 
 variable "region" {