feat: add network firewall example

Author: roger-amorim-dv

examples/network-firewall/main.tf

@@ -0,0 +1,88 @@
+provider "aws" {
+  region = local.region
+}
+
+locals {
+  region      = "us-east-2"
+  name        = "nf-example-${random_pet.this.id}"
+  environment = "test"
+}
+
+resource "random_pet" "this" {
+  length    = 2
+  separator = "-"
+}
+
+################################################################################
+# KMS Module
+################################################################################
+
+module "kms" {
+  #source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
+  source = "/Users/roger.amorim/Clutch/projects/infrastructure/terraform-modules/modules/aws-kms"
+
+  name                              = local.name
+  environment                       = "test"
+  description                       = "KMS key used to test the ${local.name} AWS Network Firewall"
+  allow_usage_in_network_log_groups = true
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../../"
+
+  environment = "test"
+  name        = "nf-example"
+
+  ######### VPC ##########
+  cidr = "10.0.0.0/16"
+  azs  = ["${local.region}a", "${local.region}b", "${local.region}c"]
+
+  ######### Subnets ##########
+  private_subnets  = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets   = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  firewall_subnets = ["10.0.3.0/28", "10.0.3.16/28", "10.0.3.32/28"]
+
+  create_multiple_public_route_tables = true
+
+  ######### NAT Gateway ##########
+  enable_nat_gateway     = true
+  one_nat_gateway_per_az = true
+
+  ########## Firewall ##########
+  create_network_firewall = true
+  enable_network_firewall = true
+
+  ######### Firewall Logs ##########
+  firewall_logs_retention_in_days = 14
+  firewall_logs_kms_key_arn       = module.kms.key_arn
+
+  ######### Firewall Rules and Filter ##########
+  firewall_log_types      = ["FLOW", "ALERT"]
+  firewall_managed_rules  = [
+    "AbusedLegitMalwareDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesPhishingStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesFUPStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+  ]
+
+  depends_on = [module.kms]
+}

examples/network-firewall/outputs.tf

@@ -0,0 +1,41 @@
+################################################################################
+# VPC
+################################################################################
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}
+
+################################################################################
+# Subnets
+################################################################################
+
+output "private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc.public_subnets
+}
+
+output "firewall_subnets" {
+  description = "List of IDs of firewall subnets"
+  value       = module.vpc.firewall_subnets
+}
+
+################################################################################
+# NAT Gateway
+################################################################################
+
+output "nat_public_ips" {
+  description = "List of public Elastic IPs created for AWS NAT Gateway"
+  value       = module.vpc.nat_public_ips
+}
+
+output "network_firewall_arn" {
+  description = "ARN of the Network Firewall"
+  value       = module.vpc.network_firewall_arn
+}

examples/network-firewall/variables.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.46"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+  }
+}

examples/network-firewall/versions.tf

@@ -1,46 +1,24 @@
 locals {
-  #aws_managed_rules_prefix_arn = "arn:aws:network-firewall:${data.aws_region.current.name}:aws-managed:stateful-rulegroup"
-  aws_managed_rules_prefix_arn = "arn:aws:network-firewall:us-east-2:aws-managed:stateful-rulegroup" // TODO - review this region
-
-  // TODO - Review these rules
-  firewall_managed_rules = distinct(concat([
-    "AbusedLegitMalwareDomainsStrictOrder",
-    "BotNetCommandAndControlDomainsStrictOrder",
-    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
-    "MalwareDomainsStrictOrder",
-    "ThreatSignaturesIOCStrictOrder",
-    "ThreatSignaturesPhishingStrictOrder",
-    "ThreatSignaturesBotnetWebStrictOrder",
-    "ThreatSignaturesEmergingEventsStrictOrder",
-    "ThreatSignaturesDoSStrictOrder",
-    "ThreatSignaturesMalwareWebStrictOrder",
-    "ThreatSignaturesExploitsStrictOrder",
-    "ThreatSignaturesWebAttacksStrictOrder",
-    "ThreatSignaturesScannersStrictOrder",
-    "ThreatSignaturesBotnetStrictOrder",
-    "ThreatSignaturesMalwareStrictOrder",
-    "ThreatSignaturesMalwareCoinminingStrictOrder",
-    "ThreatSignaturesFUPStrictOrder",
-    "ThreatSignaturesSuspectStrictOrder",
-    "ThreatSignaturesBotnetWindowsStrictOrder",
-  ], var.firewall_managed_rules))
-
-  name = "${var.name}-network-firewall"
+  aws_managed_rules_prefix_arn = "arn:aws:network-firewall:${var.region}:aws-managed:stateful-rulegroup"
+  firewall_managed_rules       = distinct(var.firewall_managed_rules)
+  name                         = "${var.name}-network-firewall"
 }
 
 module "firewall" {
-  source = "terraform-aws-modules/network-firewall/aws"
+  source  = "terraform-aws-modules/network-firewall/aws"
+  version = "~> 1.0"
 
   count = var.create_network_firewall ? 1 : 0
 
-  # Firewall
+
   name        = local.name
-  description = var.description
+  description = var.firewall_description
+
 
-  # Only for example
-  delete_protection                 = var.delete_protection
+  delete_protection                 = var.firewall_delete_protection
   firewall_policy_change_protection = var.firewall_policy_change_protection
-  subnet_change_protection          = var.subnet_change_protection
+  subnet_change_protection          = var.firewall_subnet_change_protection
+
 
   vpc_id = aws_vpc.this[0].id
   subnet_mapping = { for subnet_id in aws_subnet.firewall.*.id :
@@ -50,8 +28,8 @@ module "firewall" {
     }
   }
 
-  # Logging configuration
-  create_logging_configuration = true
+  ### Logging configuration ###
+  create_logging_configuration = false
   logging_configuration_destination_config = [
     {
       log_destination = {
@@ -74,11 +52,10 @@ module "firewall" {
     type   = "CUSTOMER_KMS"
   }
 
-  # Policy
+  ### Policy ###
   policy_name        = local.name
   policy_description = "Default network firewall policy for ${local.name}"
 
-  # policy_stateful_rule_group_reference = {}
   policy_stateful_rule_group_reference = {
     for i, rule_group in local.firewall_managed_rules : rule_group => {
       resource_arn = "${local.aws_managed_rules_prefix_arn}/${rule_group}",
@@ -94,42 +71,46 @@ module "firewall" {
 
   tags = var.tags // TODO - review these tags
 
-  depends_on = [module.kms]
+  depends_on = [module.kms, module.logs_alerts, module.logs_flow]
 }
 
 module "logs_alerts" {
   source       = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
 
   count = var.create_network_firewall ? 1 : 0
 
-  name        = "${local.name}-alerts"
+  name        = "nf-network-log-alerts"
   tenant      = var.tenant
   region      = var.region
   environment = var.environment
 
-  retention_in_days                  = var.logs_retention_in_days
-  kms_key_arn                        = var.logs_kms_key_arn
+  retention_in_days                  = var.firewall_logs_retention_in_days
+  kms_key_arn                        = module.kms[0].key_arn
   create_datadog_subscription_filter = true
+
+  depends_on = [module.kms]
 }
 
-// TODO review if this module is really necessary
 module "logs_flow" {
   source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-log-group_v1.194"
 
   count       = var.create_network_firewall ? 1 : 0
 
-  name        = "${local.name}-flow" // TODO - review this name
+  name        = "nf-network-log-flow"
   tenant      = var.tenant
   region      = var.region
   environment = var.environment
 
-  retention_in_days                  = var.logs_retention_in_days
-  kms_key_arn                        = var.logs_kms_key_arn
+  retention_in_days                  = var.firewall_logs_retention_in_days
+  kms_key_arn                        = module.kms[0].key_arn
   create_datadog_subscription_filter = false
+
+  depends_on = [module.kms]
 }
 
 module "kms" {
-  source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
+  #source      = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.194"
+  source = "/Users/roger.amorim/Clutch/projects/infrastructure/terraform-modules/modules/aws-kms"
 
   count = var.create_network_firewall ? 1 : 0
 
@@ -140,5 +121,6 @@ module "kms" {
   namespace   = var.namespace
   tenant      = var.tenant
   tags        = var.tags
+  #allow_usage_in_network_log_groups = true
 }
 

network-firewall.tf

@@ -708,6 +708,11 @@ output "firewall_status" {
   value       = try(module.firewall[0].status, {})
 }
 
+output "network_firewall_arn" {
+  description = "ARN of the Network Firewall"
+  value       = try(module.firewall[0].arn, {})
+}
+
 ################################################################################
 # Static values (arguments)
 ################################################################################