Add first implementation for Firewall Manager

binbashar · Sep 13, 2021 · 2eeb783 · 2eeb783
1 parent f002d03
commit 2eeb783
Show file tree

Hide file tree

Showing 4 changed files with 181 additions and 0 deletions.
diff --git a/security/firewall-manager/config.tf b/security/firewall-manager/config.tf
@@ -0,0 +1,23 @@
+#=============================#
+# AWS Provider Settings       #
+#=============================#
+provider "aws" {
+  region                  = var.region
+  profile                 = var.profile
+  shared_credentials_file = "~/.aws/${var.project}/config"
+}
+
+#=============================#
+# Backend Config (partial)    #
+#=============================#
+terraform {
+  required_version = ">= 0.14.11"
+
+  required_providers {
+    aws = "~> 3.2"
+  }
+
+  backend "s3" {
+    key = "security/firewall-manager/terraform.tfstate"
+  }
+}
diff --git a/security/firewall-manager/fms.tf b/security/firewall-manager/fms.tf
@@ -0,0 +1,34 @@
+# Associate an AWS Firewall Manager administrator account.
+resource "aws_fms_admin_account" "fms" {
+  account_id = var.security_account_id
+}
+
+#
+module "fms" {
+  source = "github.com/binbashar/terraform-aws-firewall-manager.git?ref=v0.2.0"
+
+  # Network Firewall Rules
+  # Refeferences:
+  #  - https://github.com/binbashar/terraform-aws-firewall-manager#input_network_firewall_policies
+  #  - https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_Policy.html#:~:text=Required%3A%20No-,ResourceType,-The%20type%20of
+  network_firewall_policies = [
+    {
+      name                        = "nfw-policy"
+      delete_all_policy_resources = false
+      exclude_resource_tags       = false
+      remediation_enabled         = false
+      resource_type_list          = ["AWS::EC2::VPC"]
+      resource_tags               = null
+      include_account_ids         = null
+      exclude_account_ids         = null
+
+      policy_data = {
+        stateless_rule_group_references     = []
+        tateless_default_actions            = []
+        stateless_fragment_default_actions  = []
+        stateless_custom_actions            = []
+        stateful_rule_group_references_arns = null
+      }
+    }
+  ]
+}
diff --git a/security/firewall-manager/locals.tf b/security/firewall-manager/locals.tf
@@ -0,0 +1,6 @@
+locals {
+  tags = {
+    Terraform   = "true"
+    Environment = var.environment
+  }
+}
diff --git a/security/firewall-manager/variables.tf b/security/firewall-manager/variables.tf
@@ -0,0 +1,118 @@
+#
+# config/backend.config
+#
+#================================#
+# Terraform AWS Backend Settings #
+#================================#
+variable "region" {
+  type        = string
+  description = "AWS Region"
+}
+
+variable "profile" {
+  type        = string
+  description = "AWS Profile (required by the backend but also used for other resources)"
+}
+
+variable "bucket" {
+  type        = string
+  description = "AWS S3 TF State Backend Bucket"
+}
+
+variable "dynamodb_table" {
+  type        = string
+  description = "AWS DynamoDB TF Lock state table name"
+}
+
+variable "encrypt" {
+  type        = bool
+  description = "Enable AWS DynamoDB with server side encryption"
+}
+
+#=============================#
+# Project Variables           #
+#=============================#
+variable "project" {
+  type        = string
+  description = "Project Name"
+}
+
+variable "project_long" {
+  type        = string
+  description = "Project Long Name"
+}
+
+variable "environment" {
+  type        = string
+  description = "Environment Name"
+}
+
+#=============================#
+# Accounts & Extra Vars       #
+#=============================#
+variable "region_secondary" {
+  type        = string
+  description = "AWS Scondary Region for HA"
+}
+
+variable "root_account_id" {
+  type        = string
+  description = "Account: Root"
+}
+
+variable "security_account_id" {
+  type        = string
+  description = "Account: Security & Users Management"
+}
+
+variable "shared_account_id" {
+  type        = string
+  description = "Account: Shared Resources"
+}
+
+variable "network_account_id" {
+  type        = string
+  description = "Account: Networking Resources"
+}
+
+variable "appsdevstg_account_id" {
+  type        = string
+  description = "Account: Dev Modules & Libs"
+}
+
+variable "appsprd_account_id" {
+  type        = string
+  description = "Account: Prod Modules & Libs"
+}
+
+#=============================#
+# Notifications               #
+#=============================#
+#
+# AWS SNS -> Lambda -> Slack: tools-monitoring
+#
+variable "sns_topic_name_monitoring" {
+  description = ""
+  default     = "sns-topic-slack-notify-monitoring"
+}
+
+#
+# AWS SNS -> Lambda -> Slack: tools-monitoring-sec
+#
+variable "sns_topic_name_monitoring_sec" {
+  description = ""
+  default     = "sns-topic-slack-notify-monitoring-sec"
+}
+
+#=============================#
+# Hashicorp Vault Vars        #
+#=============================#
+variable "vault_address" {
+  type        = string
+  description = "Hashicorp vault api endpoint address"
+}
+
+variable "vault_token" {
+  type        = string
+  description = "Hashicorp vault admin token"
+}