Releases: cloudposse/terraform-aws-network-firewall
v0.3.2
v0.3.1
🚀 Enhancements
Add `az_subnet_endpoint_stats` output @aknysh (#4)
what
- Add `az_subnet_endpoint_stats` output
why
- The `az_subnet_endpoint_stats` output is a list of objects, each with three items: AZ, subnet ID, and firewall VPC endpoint ID
- Expose subnets and firewall VPC endpoints per AZ
- Useful when creating routes in an inspection VPC's TGW route tables to send traffic to the `firewall` subnets' VPC endpoints for inspection; having the AZ alongside each endpoint ID makes it possible to point each AZ's route at the firewall endpoint in the same AZ
- Use this format
az_subnet_endpoint_stats = tolist([
{
"az" = "us-east-1a"
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
{
"az" = "us-east-1b"
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
{
"az" = "us-east-1c"
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
])
instead of the more complicated
network_firewall_status = tolist([
{
"sync_states" = toset([
{
"attachment" = tolist([
{
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
])
"availability_zone" = "us-east-1a"
},
{
"attachment" = tolist([
{
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
])
"availability_zone" = "us-east-1b"
},
{
"attachment" = tolist([
{
"endpoint_id" = "vpce-xxxxxxxxxxxx"
"subnet_id" = "subnet-xxxxxxxxxxxx"
},
])
"availability_zone" = "us-east-1c"
},
])
},
])
v0.3.0
Fix Network Firewall logging configuration @aknysh (#3)
what
- Fix Network Firewall logging configuration
- Update example
why
- `log_destination_config` in the `networkfirewall_logging_configuration` resource needs to be `dynamic`, since it accepts a set of configuration blocks describing the logging details for a firewall. At most two blocks can be specified: one for FLOW logs and one for ALERT logs
references
v0.2.0
Initial implementation of `terraform-aws-network-firewall` module @aknysh (#1)
what
- Initial implementation of `terraform-aws-network-firewall` module
why
- Terraform module to provision and manage AWS Network Firewall resources
- Network Firewall
- Rule Groups
- Network Firewall Policy
- Logging configuration
references
test
network_firewall_arn = "arn:aws:network-firewall:us-east-2:xxxxxxxxxxxxxx:firewall/eg-test-network-firewall"
network_firewall_name = "eg-test-network-firewall"
network_firewall_policy_arn = "arn:aws:network-firewall:us-east-2:xxxxxxxxxxx:firewall-policy/eg-test-network-firewall"
network_firewall_policy_name = "eg-test-network-firewall"
network_firewall_status = tolist([
{
"sync_states" = toset([
{
"attachment" = tolist([
{
"endpoint_id" = "vpce-07088a01a7f4001f7"
"subnet_id" = "subnet-0c879e14a609aac8b"
},
])
"availability_zone" = "us-east-2b"
},
{
"attachment" = tolist([
{
"endpoint_id" = "vpce-0f3184fc9e47d1557"
"subnet_id" = "subnet-049af40a0ad81a296"
},
])
"availability_zone" = "us-east-2a"
},
])
},
])
private_subnet_cidrs = tolist([
"172.19.0.0/19",
"172.19.32.0/19",
])
public_subnet_cidrs = tolist([
"172.19.96.0/19",
"172.19.128.0/19",
])
vpc_cidr = "172.19.0.0/16"
v0.1.0
- No changes