Feat/sc 49849/add network firewall support

examples/network-firewall/README.md

@@ -0,0 +1,64 @@
+VPC with Network Firewall
+
+This configuration creates a VPC with the following resources across multiple AZs
+
+- Internet gateway
+- NAT gateway per AZ
+- public, private and firewall subnets
+- AWS network firewall
+
+The routing tables for such a deployment model follows the [AWS blog suggestion](https://aws.amazon.com/blogs/networking-and-content-delivery/deployment-models-for-aws-network-firewall/), particularly "2) AWS Network Firewall is deployed to protect traffic between an AWS service in a public subnet and IGW"
+
+## Usage
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example may create resources which can cost money (AWS Elastic IP, for example). Run `terraform destroy` when you don't need these resources.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.46 |
+| <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_random"></a> [random](#provider\_random) | >= 3.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_kms"></a> [kms](#module\_kms) | git::https://github.com/withclutch/terraform-modules-registry | aws-kms_v1.204 |
+| <a name="module_vpc"></a> [vpc](#module\_vpc) | ../../ | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [random_pet.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) | resource |
+
+## Inputs
+
+No inputs.
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_firewall_subnets"></a> [firewall\_subnets](#output\_firewall\_subnets) | List of IDs of firewall subnets |
+| <a name="output_nat_public_ips"></a> [nat\_public\_ips](#output\_nat\_public\_ips) | List of public Elastic IPs created for AWS NAT Gateway |
+| <a name="output_network_firewall_arn"></a> [network\_firewall\_arn](#output\_network\_firewall\_arn) | ARN of the Network Firewall |
+| <a name="output_private_subnets"></a> [private\_subnets](#output\_private\_subnets) | List of IDs of private subnets |
+| <a name="output_public_subnets"></a> [public\_subnets](#output\_public\_subnets) | List of IDs of public subnets |
+| <a name="output_vpc_id"></a> [vpc\_id](#output\_vpc\_id) | The ID of the VPC |

examples/network-firewall/main.tf

@@ -0,0 +1,88 @@
+provider "aws" {
+  region = local.region
+}
+
+locals {
+  region      = "us-east-2"
+  name_prefix = random_pet.this.id
+  environment = "test"
+}
+
+resource "random_pet" "this" {
+  length    = 2
+  separator = "-"
+}
+
+################################################################################
+# KMS Module
+################################################################################
+
+module "kms" {
+  source = "git::https://github.com/withclutch/terraform-modules-registry?ref=aws-kms_v1.204"
+
+  name                              = "${local.name_prefix}-kms"
+  environment                       = "test"
+  description                       = "KMS key used to test the ${local.name_prefix} AWS Network Firewall"
+  allow_usage_in_network_log_groups = true
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../../"
+
+  environment = "test"
+  name        = "nf-example"
+
+  ######### VPC ##########
+  cidr = "10.0.0.0/16"
+  azs  = ["${local.region}a", "${local.region}b", "${local.region}c"]
+
+  ######### Subnets ##########
+  private_subnets  = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
+  public_subnets   = ["10.0.4.0/24", "10.0.5.0/24", "10.0.6.0/24"]
+  firewall_subnets = ["10.0.3.0/28", "10.0.3.16/28", "10.0.3.32/28"]
+
+  create_multiple_public_route_tables = true
+
+  ######### NAT Gateway ##########
+  enable_nat_gateway     = true
+  one_nat_gateway_per_az = true
+
+  ########## Firewall ##########
+  create_network_firewall = true
+  enable_network_firewall = true
+
+  ######### Firewall Logs ##########
+  firewall_logs_retention_in_days = 14
+  firewall_logs_kms_key_arn       = module.kms.key_arn
+  create_logging_configuration    = true
+
+  ######### Firewall Rules and Filter ##########
+  firewall_log_types = ["FLOW", "ALERT"]
+  firewall_managed_rules = [
+    "AbusedLegitMalwareDomainsStrictOrder",
+    "BotNetCommandAndControlDomainsStrictOrder",
+    "AbusedLegitBotNetCommandAndControlDomainsStrictOrder",
+    "MalwareDomainsStrictOrder",
+    "ThreatSignaturesIOCStrictOrder",
+    "ThreatSignaturesPhishingStrictOrder",
+    "ThreatSignaturesBotnetWebStrictOrder",
+    "ThreatSignaturesEmergingEventsStrictOrder",
+    "ThreatSignaturesDoSStrictOrder",
+    "ThreatSignaturesMalwareWebStrictOrder",
+    "ThreatSignaturesExploitsStrictOrder",
+    "ThreatSignaturesWebAttacksStrictOrder",
+    "ThreatSignaturesScannersStrictOrder",
+    "ThreatSignaturesBotnetStrictOrder",
+    "ThreatSignaturesMalwareStrictOrder",
+    "ThreatSignaturesMalwareCoinminingStrictOrder",
+    "ThreatSignaturesFUPStrictOrder",
+    "ThreatSignaturesSuspectStrictOrder",
+    "ThreatSignaturesBotnetWindowsStrictOrder",
+  ]
+
+  depends_on = [module.kms]
+}

examples/network-firewall/outputs.tf

@@ -0,0 +1,41 @@
+################################################################################
+# VPC
+################################################################################
+
+output "vpc_id" {
+  description = "The ID of the VPC"
+  value       = module.vpc.vpc_id
+}
+
+################################################################################
+# Subnets
+################################################################################
+
+output "private_subnets" {
+  description = "List of IDs of private subnets"
+  value       = module.vpc.private_subnets
+}
+
+output "public_subnets" {
+  description = "List of IDs of public subnets"
+  value       = module.vpc.public_subnets
+}
+
+output "firewall_subnets" {
+  description = "List of IDs of firewall subnets"
+  value       = module.vpc.firewall_subnets
+}
+
+################################################################################
+# NAT Gateway
+################################################################################
+
+output "nat_public_ips" {
+  description = "List of public Elastic IPs created for AWS NAT Gateway"
+  value       = module.vpc.nat_public_ips
+}
+
+output "network_firewall_arn" {
+  description = "ARN of the Network Firewall"
+  value       = module.vpc.network_firewall_arn
+}

examples/network-firewall/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 5.46"
+    }
+    random = {
+      source  = "hashicorp/random"
+      version = ">= 3.0"
+    }
+  }
+}