# --- root/main.tf ---
# Sanitizes tags for both the aws and awscc providers:
#   aws tags   = module.tags.tags_aws
#   awscc tags = module.tags.tags
module "tags" {
  # Registry module pinned to an exact version so a registry update cannot
  # silently change the shape of the emitted tag maps.
  source  = "aws-ia/label/aws"
  version = "0.0.5"

  # Caller-supplied tags; the aws-provider resources in this file consume the
  # normalised form via module.tags.tags_aws.
  tags = var.tags
}
# Local values
locals {
  # One entry per Availability Zone. The AZ names are the keys of
  # var.vpc_subnets, and the same keys are used to index the per-AZ maps
  # inside var.routing_configuration further down in this file.
  availability_zones = keys(var.vpc_subnets)

  # The routing model is the top-level key of var.routing_configuration:
  # "single_vpc", "intra_vpc_inspection", "centralized_inspection_without_egress"
  # or "centralized_inspection_with_egress". keys() returns keys in lexical
  # order and only the first one is read, so a map with more than one key
  # would silently select one model and ignore the rest.
  vpc_type = keys(var.routing_configuration)[0]

  # AZ name => firewall endpoint (VPC endpoint) ID, read back from the
  # firewall's sync state so each route below targets the endpoint in its AZ.
  networkfirewall_endpoints = {
    for sync_state in aws_networkfirewall_firewall.anfw.firewall_status[0].sync_states :
    sync_state.availability_zone => sync_state.attachment[0].endpoint_id
  }
}
# AWS NETWORK FIREWALL RESOURCE
resource "aws_networkfirewall_firewall" "anfw" {
  name                = var.network_firewall_name
  description         = var.network_firewall_description
  vpc_id              = var.vpc_id
  firewall_policy_arn = var.network_firewall_policy

  # Change-protection switches: they guard against accidental (or malicious)
  # deletion of the firewall, replacement of its policy, and removal of its
  # endpoint subnets. All three come from caller variables, so confirm the
  # variable defaults are the values you want before relying on them.
  delete_protection                 = var.network_firewall_delete_protection
  firewall_policy_change_protection = var.network_firewall_policy_change_protection
  subnet_change_protection          = var.network_firewall_subnet_change_protection

  # One firewall endpoint per AZ: iterate the AZ => subnet ID map and take the
  # subnet ID from each entry. Endpoints are IPv4-only as written; revisit if
  # the VPC carries IPv6 traffic that must also be inspected.
  dynamic "subnet_mapping" {
    for_each = var.vpc_subnets
    content {
      subnet_id       = subnet_mapping.value
      ip_address_type = "IPV4"
    }
  }

  # NOTE(review): no encryption_configuration block is set here, so the
  # provider's default key handling applies — confirm whether policy requires
  # a customer-managed KMS key for the firewall.
  tags = module.tags.tags_aws
}
# ROUTES: SINGLE VPC
# Ingress route on the Internet gateway route table (edge association): traffic entering through the IGW and addressed to each protected-subnet CIDR is sent to the firewall endpoint in that AZ, so inbound flows are inspected symmetrically with the outbound 0.0.0.0/0 route defined below.
resource "aws_route" "igw_route_table_to_protected_subnets" {
  # Only for the "single_vpc" model; one route per AZ. count.index is used to
  # index local.availability_zones, so var.number_azs is expected to equal
  # length(var.vpc_subnets) — presumably validated where the variables are declared.
  count = local.vpc_type != "single_vpc" ? 0 : var.number_azs

  # Inbound traffic for this AZ's protected CIDR is steered to the firewall
  # endpoint located in the same AZ.
  route_table_id         = var.routing_configuration.single_vpc.igw_route_table
  vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
  destination_cidr_block = var.routing_configuration.single_vpc.protected_subnet_cidr_blocks[local.availability_zones[count.index]]
}
# Route from the "protected" subnets to 0.0.0.0/0 via the firewall endpoints
resource "aws_route" "protected_route_table_to_internet" {
  # Only for the "single_vpc" model; one route per AZ.
  count = local.vpc_type != "single_vpc" ? 0 : var.number_azs

  # Default route of each protected subnet: all egress leaves through the
  # firewall endpoint in the same AZ rather than straight to the IGW.
  route_table_id         = var.routing_configuration.single_vpc.protected_subnet_route_tables[local.availability_zones[count.index]]
  vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
  destination_cidr_block = "0.0.0.0/0"
}
# ROUTES: SINGLE VPC, INTRA-VPC INSPECTION (routing_configuration key "intra_vpc_inspection")
module "intra_vpc_routing" {
  source = "./modules/intra_vpc_routing"

  # One module instance per configured route set; zero instances for any
  # other routing model.
  count = local.vpc_type != "intra_vpc_inspection" ? 0 : var.routing_configuration.intra_vpc_inspection.number_routes

  number_azs         = var.number_azs
  availability_zones = local.availability_zones
  firewall_endpoints = local.networkfirewall_endpoints

  # Each routes[] entry pairs the source subnets' route tables (per AZ) with
  # the destination CIDR blocks; the module body (not shown here) presumably
  # points those CIDRs at the firewall endpoints.
  route_tables = var.routing_configuration.intra_vpc_inspection.routes[count.index].source_subnet_route_tables
  cidr_blocks  = var.routing_configuration.intra_vpc_inspection.routes[count.index].destination_subnet_cidr_blocks
}
# ROUTES: Central Inspection VPC (without egress)
# Route from the connectivity subnets (Transit Gateway or Cloud WAN's core network) to 0.0.0.0/0 via the firewall endpoints
resource "aws_route" "connectivity_to_firewall_endpoint_without_egress" {
  # Only for the "centralized_inspection_without_egress" model; one route per AZ.
  count = local.vpc_type != "centralized_inspection_without_egress" ? 0 : var.number_azs

  # Everything arriving from the connectivity subnets (TGW / Cloud WAN attachment)
  # is sent to the firewall endpoint in the same AZ.
  route_table_id         = var.routing_configuration.centralized_inspection_without_egress.connectivity_subnet_route_tables[local.availability_zones[count.index]]
  vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
  destination_cidr_block = "0.0.0.0/0"
}
# ROUTES: Central Inspection VPC (with egress)
# Route from the connectivity subnets (Transit Gateway or Cloud WAN's core network) to 0.0.0.0/0 via the firewall endpoints
resource "aws_route" "connectivity_to_firewall_endpoint" {
  # Only for the "centralized_inspection_with_egress" model; one route per AZ.
  count = local.vpc_type != "centralized_inspection_with_egress" ? 0 : var.number_azs

  # Everything arriving from the connectivity subnets (TGW / Cloud WAN attachment)
  # is sent to the firewall endpoint in the same AZ before it can reach the
  # public subnets.
  route_table_id         = var.routing_configuration.centralized_inspection_with_egress.connectivity_subnet_route_tables[local.availability_zones[count.index]]
  vpc_endpoint_id        = local.networkfirewall_endpoints[local.availability_zones[count.index]]
  destination_cidr_block = "0.0.0.0/0"
}
# Return routes from the public subnets to the internal (AWS-side) CIDR blocks via the firewall endpoints.
# Several CIDR blocks can be configured per AZ, so the module is called once per AZ and creates one aws_route resource for each CIDR block.
module "central_inspection_with_egress_routing" {
  source = "./modules/central_inspection_with_egress_routing"

  # One module instance per AZ for the "centralized_inspection_with_egress"
  # model; none otherwise.
  count = local.vpc_type != "centralized_inspection_with_egress" ? 0 : var.number_azs

  # Public subnet route table of this AZ, the firewall endpoint in the same AZ,
  # and the internal CIDR blocks whose return traffic must pass the firewall.
  route_table_id  = var.routing_configuration.centralized_inspection_with_egress.public_subnet_route_tables[local.availability_zones[count.index]]
  vpc_endpoint_id = local.networkfirewall_endpoints[local.availability_zones[count.index]]
  cidr_blocks     = var.routing_configuration.centralized_inspection_with_egress.network_cidr_blocks
}
# LOGGING: Module will be used when a logging_configuration is defined
module "logging" {
  source = "./modules/logging"

  # Instantiated only when the caller supplies a non-empty logging
  # configuration; without it the firewall produces no flow/alert logs from
  # this module, so keep that in mind for detection coverage.
  count = length(var.logging_configuration) > 0 ? 1 : 0

  firewall_arn          = aws_networkfirewall_firewall.anfw.arn
  logging_configuration = var.logging_configuration
}