Announcing Support for AWS Network Firewall in the Terraform AWS Provider
The Terraform AWS provider has added support for the newly released AWS Network Firewall service.
In partnership with AWS, we are pleased to announce launch day support for the AWS Network Firewall service within the Terraform AWS Provider. AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs).
»How It Works
AWS Network Firewall can be set up via the AWS console with just a few clicks and scales automatically with your network traffic so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall’s flexible rules engine lets you define firewall rules that provide fine-grained control over network traffic, such as blocking outbound Server Message Block (SMB) requests to prevent the spread of malicious activity. You can also import rules you’ve already written in common open source rule formats as well as enable integrations with managed intelligence feeds sourced by AWS partners. AWS Network Firewall works together with AWS Firewall Manager so you can build policies based on AWS Network Firewall rules and then centrally apply those policies across your VPCs and accounts.
For additional information regarding AWS Network Firewall, please consult the blog post from AWS as well as the AWS Network Firewall service documentation.
»Using AWS Network Firewall in the Terraform AWS Provider
In order to use AWS Network Firewall in the Terraform AWS provider, you will need to employ three new resources, aws_networkfirewall_firewall_policy, aws_networkfirewall_firewall, and aws_networkfirewall_rule_group, along with additional attributes to existing resources.
In order to try out this feature, you will need:
- Terraform v0.12 or greater installed.
- The latest version of the Terraform AWS provider.
The Terraform configuration below demonstrates how the Terraform AWS provider can be used to configure an AWS Network Firewall VPC Firewall, Firewall Policy, and Firewall Rule Group with the proper settings and attributes. In addition to these new resources you will need a VPC, Subnet, Route Table, Route Table Association, and Internet Gateway.
data "aws_availability_zones" "available" {
state = "available"
}
resource "aws_vpc" "example" {
cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "example" {
vpc_id = aws_vpc.example.id
}
resource "aws_subnet" "application" {
availability_zone = data.aws_availability_zones.available.names[0]
cidr_block = "10.0.1.0/24"
vpc_id = aws_vpc.example.id
}
resource "aws_subnet" "firewall" {
availability_zone = data.aws_availability_zones.available.names[0]
cidr_block = "10.0.0.0/24"
vpc_id = aws_vpc.example.id
}
resource "aws_networkfirewall_rule_group" "example" {
capacity = 1000
name = "example"
type = "STATELESS"
rule_group {
rules_source {
stateless_rules_and_custom_actions {
stateless_rule {
priority = 5
rule_definition {
actions = ["aws:pass"]
match_attributes {
source {
address_definition = "10.0.0.0/8"
}
source {
address_definition = "192.168.0.0/16"
}
}
}
}
}
}
}
}
resource "aws_networkfirewall_firewall_policy" "example" {
name = "example"
firewall_policy {
stateless_default_actions = ["aws:drop"]
stateless_fragment_default_actions = ["aws:drop"]
stateless_rule_group_reference {
priority = 20
resource_arn = aws_networkfirewall_rule_group.example.arn
}
}
}
resource "aws_networkfirewall_firewall" "example" {
firewall_policy_arn = aws_networkfirewall_firewall_policy.example.arn
name = "example"
vpc_id = aws_vpc.example.id
subnet_mapping {
subnet_id = aws_subnet.firewall.id
}
}
resource "aws_network_interface" "firewall" {
subnet_id = aws_subnet.firewall.id
}
resource "aws_network_interface" "application" {
subnet_id = aws_subnet.application.id
}
data "aws_network_interface" "firewall" {
id = aws_network_interface.firewall.id
}
data "aws_network_interface" "application" {
id = aws_network_interface.application.id
}
resource "aws_route_table" "application" {
vpc_id = aws_vpc.example.id
route {
cidr_block = "0.0.0.0/0"
network_interface_id = data.aws_network_interface.application.id
}
}
resource "aws_route_table_association" "application" {
route_table_id = aws_route_table.application.id
subnet_id = aws_subnet.application.id
}
resource "aws_route_table" "gateway" {
vpc_id = aws_vpc.example.id
route {
cidr_block = aws_subnet.application.cidr_block
network_interface_id = data.aws_network_interface.firewall.id
}
}
resource "aws_route_table_association" "gateway" {
gateway_id = aws_internet_gateway.example.id
route_table_id = aws_route_table.gateway.id
}
To learn more about how to use AWS Network Firewall in Terraform, consult the provider documentation in the Terraform Registry.
To report bugs and request enhancements for this feature, open an issue on the Terraform AWS Provider repository on GitHub. We would love to hear your feedback!
Sign up for the latest HashiCorp news
More blog posts like this one
Terraform delivers launch-day support for Amazon S3 Express
HashiCorp’s Terraform provider for AWS now enables users to manage their S3 Express buckets.
Terraform extension for VS Code adds Terraform Cloud view
A new view in the HashiCorp Terraform extension for Visual Studio Code shows your Terraform Cloud workspaces and runs, reducing context-switching.
HashiCorp at re:Invent 2023: A year of collaboration with AWS
A recap of HashiCorp infrastructure and security news and developments on AWS from the past year, from self-service provisioning to fighting secrets sprawl and more.