Add Network Firewall Policies

binbashar · Sep 21, 2021 · 103d83d · 103d83d
1 parent 50fd511
commit 103d83d
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 8 deletions.
diff --git a/security/base-identities/role_policies.tf b/security/base-identities/role_policies.tf
@@ -153,6 +153,8 @@ resource "aws_iam_policy" "secops_access" {
                 "kms:*",
                 "lambda:*",
                 "logs:*",
+                "network-firewall:*",
+                "networkmanager:*",
                 "organizations:Describe*",
                 "organizations:List*",
                 "route53:*",

diff --git a/security/firewall-manager/fms.tf b/security/firewall-manager/fms.tf
@@ -59,22 +59,22 @@ module "fms" {
   network_firewall_policies = [
     {
       name                        = "nfw-policy"
-      delete_all_policy_resources = false
+      delete_all_policy_resources = true
       exclude_resource_tags       = false
-      remediation_enabled         = true
+      remediation_enabled         = true # Must be set to `true`
       resource_type_list          = ["AWS::EC2::VPC"]
       resource_tags               = null
       include_account_ids         = { accounts = [var.network_account_id] }
       exclude_account_ids         = {}
 
       policy_data = {
-        stateless_rule_group_references     = []
-        stateless_default_actions           = ["aws:pass"]
-        stateless_fragment_default_actions  = ["aws:drop"]
-        stateless_custom_actions            = []
-        stateful_rule_group_references_arns = null
+        stateless_default_actions           = lookup(module.firewall.network_firewall_policy[0]["firewall_policy"][0], "stateless_default_actions", [])
+        stateless_fragment_default_actions  = lookup(module.firewall.network_firewall_policy[0]["firewall_policy"][0], "stateless_fragment_default_actions", [])
+        stateless_rule_group_references     = [for v in lookup(module.firewall.network_firewall_policy[0]["firewall_policy"][0], "stateless_rule_group_reference", []) : { "resourceARN" = v["resource_arn"], "priority" = v["priority"] }]
+        stateless_custom_actions            = lookup(module.firewall.network_firewall_policy[0]["firewall_policy"][0], "stateless_custom_actions", [])
+        stateful_rule_group_references_arns = [for v in lookup(module.firewall.network_firewall_policy[0]["firewall_policy"][0], "stateful_rule_group_reference", []) : v["resource_arn"]]
         orchestration_config = {
-          single_firewall_endpoint_per_vpc = false
+          single_firewall_endpoint_per_vpc = true # Set to `false` for deploying a NFW per subnet
           allowed_ipv4_cidrs               = []
         }
       }