The Terraform AWS provider has added support for the newly released AWS Network Firewall service.
In partnership with AWS, we are pleased to announce launch day support for the AWS Network Firewall service within the Terraform AWS Provider. AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).
AWS Network Firewall can be set up via the AWS console with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that provide fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
For additional information regarding AWS Network Firewall, please consult the blog post from AWS as well as the AWS Network Firewall service documentation.
In order to use AWS Network Firewall in the Terraform AWS provider, you will need to employ three new resources, aws_networkfirewall_firewall_policy, aws_networkfirewall_firewall, and aws_networkfirewall_rule_group, along with additional attributes to existing resources.
In order to try out this feature, you will need:
The Terraform configuration below demonstrates how the Terraform AWS provider can be used to configure an AWS Network Firewall VPC Firewall, Firewall Policy, and Firewall Rule Group with the proper settings and attributes. In addition to these new resources you will need a VPC, Subnet, Route Table, Route Table Association, and Internet Gateway.
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_internet_gateway" "example" {
  vpc_id = aws_vpc.example.id
}

resource "aws_subnet" "application" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.1.0/24"
  vpc_id            = aws_vpc.example.id
}

resource "aws_subnet" "firewall" {
  availability_zone = data.aws_availability_zones.available.names[0]
  cidr_block        = "10.0.0.0/24"
  vpc_id            = aws_vpc.example.id
}

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 1000
  name     = "example"
  type     = "STATELESS"

  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        stateless_rule {
          priority = 5

          rule_definition {
            actions = ["aws:pass"]

            match_attributes {
              source {
                address_definition = "10.0.0.0/8"
              }
              source {
                address_definition = "192.168.0.0/16"
              }
            }
          }
        }
      }
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example"

  firewall_policy {
    stateless_default_actions          = ["aws:drop"]
    stateless_fragment_default_actions = ["aws:drop"]

    stateless_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.example.arn
    }
  }
}

resource "aws_networkfirewall_firewall" "example" {
  firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
  name                = "example"
  vpc_id              = aws_vpc.example.id

  subnet_mapping {
    subnet_id = aws_subnet.firewall.id
  }
}

resource "aws_network_interface" "firewall" {
  subnet_id = aws_subnet.firewall.id
}

resource "aws_network_interface" "application" {
  subnet_id = aws_subnet.application.id
}

data "aws_network_interface" "firewall" {
  id = aws_network_interface.firewall.id
}

data "aws_network_interface" "application" {
  id = aws_network_interface.application.id
}

resource "aws_route_table" "application" {
  vpc_id = aws_vpc.example.id

  route {
    cidr_block           = "0.0.0.0/0"
    network_interface_id = data.aws_network_interface.application.id
  }
}

resource "aws_route_table_association" "application" {
  route_table_id = aws_route_table.application.id
  subnet_id      = aws_subnet.application.id
}

resource "aws_route_table" "gateway" {
  vpc_id = aws_vpc.example.id

  route {
    cidr_block           = aws_subnet.application.cidr_block
    network_interface_id = data.aws_network_interface.firewall.id
  }
}

resource "aws_route_table_association" "gateway" {
  gateway_id     = aws_internet_gateway.example.id
  route_table_id = aws_route_table.gateway.id
}
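The overview above mentions blocking outbound SMB and importing rules written in open source formats; the configuration below, an added example rather than code from the original post, carries that into a STATEFUL rule group using Suricata-compatible rules and a policy that forwards traffic to the stateful engine. It assumes the aws_vpc.example resource from the configuration above; the rule group and policy names are hypothetical.

```hcl
# Added example, not from the original post. Assumes aws_vpc.example from
# the configuration above.
resource "aws_networkfirewall_rule_group" "block_outbound_smb" {
  capacity = 100
  name     = "block-outbound-smb"
  type     = "STATEFUL"

  rule_group {
    # Set HOME_NET explicitly to the VPC CIDR so the rules only match
    # sessions that originate inside the VPC.
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = [aws_vpc.example.cidr_block]
        }
      }
    }

    # Suricata rule syntax: drop SMB (TCP/445) and NetBIOS session
    # service (TCP/139) leaving HOME_NET. The sid values are constructed
    # for this example.
    rules_source {
      rules_string = <<-EOT
        drop tcp $HOME_NET any -> any 445 (msg:"Block outbound SMB"; sid:1000001; rev:1;)
        drop tcp $HOME_NET any -> any 139 (msg:"Block outbound NetBIOS session"; sid:1000002; rev:1;)
      EOT
    }
  }
}

resource "aws_networkfirewall_firewall_policy" "stateful_example" {
  name = "example-stateful"

  firewall_policy {
    # Hand every packet to the stateful engine. A stateless "aws:pass"
    # action (as in the example rule group above) ends inspection of the
    # packet, so it would never reach these Suricata rules; that is why
    # this policy does not reference that stateless rule group.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.block_outbound_smb.arn
    }
  }
}
```

To activate this policy, point the firewall_policy_arn of aws_networkfirewall_firewall.example at aws_networkfirewall_firewall_policy.stateful_example.arn.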
To learn more about how to use AWS Network Firewall in Terraform, consult the provider documentation in the Terraform Registry.
To report bugs and request enhancements for this feature, open an issue on the Terraform AWS Provider repository on GitHub. We would love to hear your feedback!