Announcing Support for AWS Network Firewall in the Terraform AWS Provider

In partnership with AWS, we are pleased to announce launch day support for the AWS Network Firewall service within the Terraform AWS Provider. AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).

»How It Works

AWS Network Firewall can be set up via the AWS console with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that provide fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.

For additional information regarding AWS Network Firewall, please consult the blog post from AWS as well as the AWS Network Firewall service documentation.

»Using AWS Network Firewall in the Terraform AWS Provider

In order to use AWS Network Firewall in the Terraform AWS provider, you will need to employ three new resources, aws_networkfirewall_firewall_policy, aws_networkfirewall_firewall, and aws_networkfirewall_rule_group, along with additional attributes to existing resources.

In order to try out this feature, you will need:

• Terraform v0.12 or greater installed.
• The latest version of the Terraform AWS provider.

The Terraform configuration below demonstrates how the Terraform AWS provider can be used to configure an AWS Network Firewall VPC Firewall, Firewall Policy, and Firewall Rule Group with the proper settings and attributes. In addition to these new resources you will need a VPC, Subnet, Route Table, Route Table Association, and Internet Gateway.

data "aws_availability_zones" "available" {
  state = "available"
}
resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "example" {
  vpc_id = aws_vpc.example.id
}
resource "aws_subnet" "application" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.1.0/24"
  vpc_id            = aws_vpc.example.id
}
resource "aws_subnet" "firewall" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.0.0/24"
  vpc_id            = aws_vpc.example.id
}
resource "aws_networkfirewall_rule_group" "example" {
  capacity = 1000
  name     = "example"
  type     = "STATELESS"
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        stateless_rule {
          priority = 5
          rule_definition {
            actions = ["aws:pass"]
            match_attributes {
              source {
                address_definition = "10.0.0.0/8"
              }
              source {
                address_definition = "192.168.0.0/16"
              }
            }
          }
        }
      }
    }
  }
}
resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example"
  firewall_policy {
    stateless_default_actions = ["aws:drop"]
    stateless_fragment_default_actions = ["aws:drop"]
    stateless_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.example.arn
    }
  }
}
resource "aws_networkfirewall_firewall" "example" {
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
  name                = "example"
  vpc_id              = aws_vpc.example.id
  subnet_mapping {
    subnet_id          = aws_subnet.firewall.id
  }
}
resource "aws_network_interface" "firewall" {
  subnet_id       = aws_subnet.firewall.id
}
resource "aws_network_interface" "application" { 
  subnet_id = aws_subnet.application.id
}
data "aws_network_interface" "firewall" { 
  id = aws_network_interface.firewall.id
}
data  "aws_network_interface" "application" { 
  id = aws_network_interface.application.id
}
resource "aws_route_table" "application" {
  vpc_id = aws_vpc.example.id
  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = data.aws_network_interface.application.id
  }
}
resource "aws_route_table_association" "application" {
  route_table_id = aws_route_table.application.id
  subnet_id      = aws_subnet.application.id
}
resource "aws_route_table" "gateway" {
  vpc_id = aws_vpc.example.id
  route {
    cidr_block           = aws_subnet.application.cidr_block
    network_interface_id = data.aws_network_interface.firewall.id
  }
}
resource "aws_route_table_association" "gateway" {
  gateway_id     = aws_internet_gateway.example.id
  route_table_id = aws_route_table.gateway.id
}

To learn more about how to use AWS Network Firewall in Terraform, consult the provider documentation in the Terraform Registry.

To report bugs and request enhancements for this feature, open an issue on the Terraform AWS Provider repository on GitHub. We would love to hear your feedback!