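#********************************************************************************************
#
# Network layer: a catch-all security group plus an AWS Network Firewall
# (stateful rule group -> firewall policy -> firewall) attached to aws_vpc.default.
#
# Reviewer notes (security):
#   * "allow_all" really does allow all: every protocol, every port, from and to
#     0.0.0.0/0.  Anything that attaches this group is reachable from the whole
#     Internet at the instance level; the only thing standing in front of it is
#     the Network Firewall below, and that firewall only inspects traffic that is
#     actually routed through its endpoints (see the firewall resource).
#   * The stateful rule group only matches protocol "TCP".  UDP, ICMP and any
#     other protocol never hit sid 1 (the DROP) and are therefore passed by the
#     stateful engine's default behaviour — there is no catch-all for them.
#   * No aws_networkfirewall_logging_configuration is defined here, so neither
#     ALERT nor FLOW logs are emitted; that resource needs a log destination
#     (S3 bucket / CloudWatch log group) that this file does not declare.
#

# Security group that permits all ingress and all egress.
#
# WARNING: ingress from 0.0.0.0/0 on all ports/protocols.  This is kept as-is
# because the resource is named and referenced as "allow_all", but it should be
# scoped (e.g. to aws_vpc.default.cidr_block or to a specific set of ports)
# before anything Internet-facing is attached to it.  Note that `protocol = "-1"`
# means "all protocols"; from_port/to_port are ignored for that value.
resource "aws_security_group" "allow_all" {
  name   = "allow_all"
  vpc_id = aws_vpc.default.id

  ingress {
    description = "REVIEW: unrestricted ingress from the Internet, all protocols/ports"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "Unrestricted egress, all protocols/ports"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Stateful (Suricata-compatible) rule group.
#
# No stateful_rule_options block is set, so the group uses the default action
# order, in which PASS rules are evaluated before DROP rules regardless of
# their position in the list.  That is what makes this work:
#   sid 2  PASS  10.0.1.0/24 -> any:80          (HTTP out of the app subnet)
#   sid 3  PASS  any         -> 10.0.2.0/24:443 (HTTPS into the second subnet)
#   sid 1  DROP  any TCP                         (catch-all for everything else)
# If rule_order is ever switched to STRICT_ORDER, sid 1 would be evaluated
# first and drop all TCP, including the traffic sids 2 and 3 intend to pass.
#
# Caveat: only TCP is matched.  Non-TCP traffic (UDP/ICMP/...) is not covered
# by sid 1 and is allowed through by default.  Add an equivalent DROP with
# protocol "IP" (or per-protocol rules) if the intent is default-deny.
#
# `capacity` (100) is the maximum number of rules the group may hold and cannot
# be changed after creation.
resource "aws_networkfirewall_rule_group" "default_group" {
  capacity = 100
  name     = "default-group"
  type     = "STATEFUL"

  rule_group {
    rules_source {
      # sid 1: catch-all DROP for TCP in either direction.
      stateful_rule {
        action = "DROP"
        header {
          protocol         = "TCP"
          source           = "ANY"
          source_port      = "ANY"
          direction        = "ANY"
          destination      = "ANY"
          destination_port = "ANY"
        }
        rule_option {
          keyword  = "sid"
          settings = ["1"]
        }
      }

      # sid 2: allow TCP/80 originating from 10.0.1.0/24 to any destination.
      # direction = "ANY" means the 5-tuple is matched in both directions.
      stateful_rule {
        action = "PASS"
        header {
          protocol         = "TCP"
          source           = "10.0.1.0/24"
          source_port      = "ANY"
          direction        = "ANY"
          destination      = "ANY"
          destination_port = "80"
        }
        rule_option {
          keyword  = "sid"
          settings = ["2"]
        }
      }

      # sid 3: allow TCP/443 from any source into 10.0.2.0/24.
      # "ANY" source includes the Internet; this is the only inbound path
      # that survives sid 1.
      stateful_rule {
        action = "PASS"
        header {
          protocol         = "TCP"
          source           = "ANY"
          source_port      = "ANY"
          direction        = "ANY"
          destination      = "10.0.2.0/24"
          destination_port = "443"
        }
        rule_option {
          keyword  = "sid"
          settings = ["3"]
        }
      }
    }
  }
}

# Firewall policy: send every packet (including fragments) from the stateless
# engine to the stateful engine, where the rule group above is applied.
# Because there are no stateless rule groups, nothing is passed or dropped
# before inspection; forwarding to SFE is what guarantees sid 1 sees all TCP.
resource "aws_networkfirewall_firewall_policy" "default_policy" {
  name = "default-policy"

  firewall_policy {
    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.default_group.arn
    }
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }
}

# The firewall itself, with one endpoint per public subnet.
#
# Notes:
#   * The firewall only inspects traffic whose route table points at a
#     firewall endpoint; no route tables are defined in this file, so check
#     that the IGW/subnet routing elsewhere actually sends traffic through
#     the endpoints.  AWS guidance is to place endpoints in dedicated firewall
#     subnets rather than in the workload subnets used here — confirm the
#     routing design before relying on this.
#   * delete_protection / firewall_policy_change_protection /
#     subnet_change_protection are left at their defaults (false).  Consider
#     enabling them for non-ephemeral environments.
#   * The commented-out subnet_mapping blocks below use `count` inside a
#     nested block; `count` is a resource-level meta-argument and is not valid
#     there, so they would not work as written.  The dynamic block is the
#     supported form.  Private subnets are currently NOT mapped.
resource "aws_networkfirewall_firewall" "default_firewall" {
  name                = "default-firewall"
  firewall_policy_arn = aws_networkfirewall_firewall_policy.default_policy.arn
  vpc_id              = aws_vpc.default.id

  dynamic "subnet_mapping" {
    for_each = aws_subnet.public_subnet[*].id
    content {
      subnet_id = subnet_mapping.value
    }
  }

  # subnet_mapping {
  #   count     = length(var.public_subnets_cidr)
  #   subnet_id = element(aws_subnet.public_subnet.*.id, count.index)
  # }
  # subnet_mapping {
  #   count     = length(var.private_subnets_cidr)
  #   subnet_id = element(aws_subnet.private_subnet.*.id, count.index)
  # }
}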