Announcing Support for AWS Network Firewall in the Terraform AWS Provider
The Terraform AWS provider has added support for the newly released AWS Network Firewall service.
In partnership with AWS, we are pleased to announce launch day support for the AWS Network Firewall service within the Terraform AWS Provider. AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).
»How It Works
AWS Network Firewall can be set up via the AWS console with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that provide fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
For additional information regarding AWS Network Firewall, please consult the blog post from AWS as well as the AWS Network Firewall service documentation.
»Using AWS Network Firewall in the Terraform AWS Provider
In order to use AWS Network Firewall in the Terraform AWS provider, you will need to employ three new resources, aws_networkfirewall_firewall_policy, aws_networkfirewall_firewall, and aws_networkfirewall_rule_group, along with additional attributes to existing resources.
In order to try out this feature, you will need:
- Terraform v0.12 or greater installed.
- The latest version of the Terraform AWS provider.
The Terraform configuration below demonstrates how the Terraform AWS provider can be used to configure an AWS Network Firewall VPC Firewall, Firewall Policy, and Firewall Rule Group with the proper settings and attributes. In addition to these new resources you will need a VPC, Subnet, Route Table, Route Table Association, and Internet Gateway.
data "aws_availability_zones" "available" {
state = "available"
}
resource "aws_vpc" "example" {
cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "example" {
vpc_id = aws_vpc.example.id
}
resource "aws_subnet" "application" {
availability_zone = data.aws_availability_zones.available.names[0]
cidr_block = "10.0.1.0/24"
vpc_id = aws_vpc.example.id
}
resource "aws_subnet" "firewall" {
availability_zone = data.aws_availability_zones.available.names[0]
cidr_block = "10.0.0.0/24"
vpc_id = aws_vpc.example.id
}
resource "aws_networkfirewall_rule_group" "example" {
capacity = 1000
name = "example"
type = "STATELESS"
rule_group {
rules_source {
stateless_rules_and_custom_actions {
stateless_rule {
priority = 5
rule_definition {
actions = ["aws:pass"]
match_attributes {
source {
address_definition = "10.0.0.0/8"
}
source {
address_definition = "192.168.0.0/16"
}
}
}
}
}
}
}
}
resource "aws_networkfirewall_firewall_policy" "example" {
name = "example"
firewall_policy {
stateless_default_actions = ["aws:drop"]
stateless_fragment_default_actions = ["aws:drop"]
stateless_rule_group_reference {
priority = 20
resource_arn = aws_networkfirewall_rule_group.example.arn
}
}
}
resource "aws_networkfirewall_firewall" "example" {
firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
name = "example"
vpc_id = aws_vpc.example.id
subnet_mapping {
subnet_id = aws_subnet.firewall.id
}
}
resource "aws_network_interface" "firewall" {
subnet_id = aws_subnet.firewall.id
}
resource "aws_network_interface" "application" {
subnet_id = aws_subnet.application.id
}
data "aws_network_interface" "firewall" {
id = aws_network_interface.firewall.id
}
data "aws_network_interface" "application" {
id = aws_network_interface.application.id
}
resource "aws_route_table" "application" {
vpc_id = aws_vpc.example.id
route {
cidr_block = "0.0.0.0/0"
network_interface_id = data.aws_network_interface.application.id
}
}
resource "aws_route_table_association" "application" {
route_table_id = aws_route_table.application.id
subnet_id = aws_subnet.application.id
}
resource "aws_route_table" "gateway" {
vpc_id = aws_vpc.example.id
route {
cidr_block = aws_subnet.application.cidr_block
network_interface_id = data.aws_network_interface.firewall.id
}
}
resource "aws_route_table_association" "gateway" {
gateway_id = aws_internet_gateway.example.id
route_table_id = aws_route_table.gateway.id
}
To learn more about how to use AWS Network Firewall in Terraform, consult the provider documentation in the Terraform Registry.
To report bugs and request enhancements for this feature, open an issue on the Terraform AWS Provider repository on GitHub. We would love to hear your feedback!
Sign up for the latest HashiCorp news
More blog posts like this one
HashiCorp at Microsoft Build 2025: New products to automate, secure, and scale on Azure
Learn about the latest news from the HashiCorp and Microsoft ecosystems as we kick off Microsoft Build 2025 this week.
HCP Terraform adds public Terraform module and provider management via organizations
You can now manage your Terraform Registry artifacts within your HCP Terraform organization, simplifying and securing the ownership and management process.
Terraform AWS provider tops 4 billion downloads, 6.0 now in public beta
HashiCorp and AWS continue to support the widespread demand for standardized infrastructure lifecycle management with the Terraform AWS provider 6.0.