Ajouter firewall-production.tf

2025-08-07 16:20:40 +02:00
parent 97b4962c47
commit e41e7f6a9e
1 changed files with 101 additions and 0 deletions
--- a/firewall-production.tf
+++ b/firewall-production.tf
@@ -0,0 +1,101 @@
+#********************************************************************************************
+#
+
+#
+resource "aws_security_group" "allow_all" {
+  name   = "allow_all"
+  vpc_id = aws_vpc.default.id
+  ingress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+#
+resource "aws_networkfirewall_rule_group" "stateful_group" {
+  capacity = 100
+  name     = "stateful-group"
+  type     = "STATEFUL"
+  rule_group {
+    rules_source {
+      stateful_rule {
+        action = "DROP"
+        header {
+          protocol          = "TCP"
+          source            = "ANY"
+          source_port       = "ANY"
+          direction         = "ANY"
+          destination       = "ANY"
+          destination_port  = "ANY"
+        }
+        rule_option {
+          keyword  = "sid"
+          settings = ["1"]
+        }
+      }
+      stateful_rule {
+        action = "PASS"
+        header {
+          protocol          = "TCP"
+          source            = "10.0.1.0/24"
+          source_port       = "ANY"
+          direction         = "ANY"
+          destination       = "ANY"
+          destination_port  = "80"
+        }
+        rule_option {
+          keyword  = "sid"
+          settings = ["2"]
+        }
+      }
+      stateful_rule {
+        action = "PASS"
+        header {
+          protocol          = "TCP"
+          source            = "ANY"
+          source_port       = "ANY"
+          direction         = "ANY"
+          destination       = "10.0.2.0/24"
+          destination_port  = "443"
+        }
+        rule_option {
+          keyword  = "sid"
+          settings = ["3"]
+        }
+      }
+    }
+  }
+}
+
+#
+resource "aws_networkfirewall_firewall_policy" "default_policy" {
+  name = "default-policy"
+  firewall_policy {
+    stateful_rule_group_reference {
+      resource_arn = aws_networkfirewall_rule_group.stateful_group.arn
+    }
+    stateless_default_actions          = ["aws:forward_to_sfe"]
+    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
+  }
+}
+
+#
+resource "aws_networkfirewall_firewall" "default_firewall" {
+  name                = "default-firewall"
+  firewall_policy_arn = aws_networkfirewall_firewall_policy.default_policy.arn
+  vpc_id              = aws_vpc.default.id
+  subnet_mapping {
+    subnet_id = element(aws_subnet.public_subnet.*.id, count.index)
+  }
+  subnet_mapping {
+    subnet_id = element(aws_subnet.private_subnet.*.id, count.index)
+  }
+}