terraform-aws-vpc-nfw

Description

Terraform module which creates VPC (and optionally NFW) resources on AWS.

Dependencies

• terraform-aws-account-setup

Resource List

The following type of resources are supported:

• VPC
• Subnet
• Route
• Route table
• Internet Gateway
• NAT Gateway
• VPN Gateway
• VPC Endpoint ( S3 and DynamoDB)
• RDS DB Subnet Group
• ElastiCache Subnet Group
• Redshift Subnet Group
• DHCP Options Set
• Default VPC
• AWS NFW

Assumptions

• Networking resources, including VPCs, Transit Gateways and Network Firewalls, are designed to be deployed under a single state.
• Outputs of this module can be referenced via terraform state in the following manner:
  • module.mgmt_vpc.private_subnets["mvp-mgmt-compute-us-gov-west-1a"]
  • data.terraform_remote_state.network.outputs.public_subnets["mvp-mgmt-dmz-us-gov-west-1a"]
• This is designed to automatically reference the firewall subnets when opted to be created.
• Automatically adds AWS region to the subnet name upon creation.
• The private route table IDs includes the route table IDs from database subnets as well.

Replacing the Default Deny All NFW Policy

There will be a default Deny All NFW policy that is applied module.mgmt_vpc.module.aws_network_firewall.nfw-base-suricata-rule.json. If you are having networking problems, please follow the example below of how to pass a customized ruleset to the module. Any customized ruleset will overwrite the default policy.

1. Copy the test.rules.json file to the directory running terraform and name give it a name. For this example I will use suricata.json.
2. Populate this json file in a similar format to the test.rules.json, adding ports and domains that you need open based on tooling or client need.
3. In your nfw-policies.tf file, create a local variable called suricata_rule_group_shrd_svcs and populate values like this example:

  suricata_rule_group_shrd_svcs = [
    {
      capacity    = 1000
      name        = "SuricataDenyAll"
      description = "DenyAllRules"
      rules_file  = file("./suricata.json")
    }
  ]

4. In the file that you reference the module, add a line similar to the one shown in this example. This will pass your custom Suricata ruleset to the module, overwriting the default ruleset.

aws_nfw_suricata_stateful_rule_group = local.suricata_rule_group_shrd_svcs

5. After you have built your packer images, come back and remove the following line:

pass tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Allow inbound SSH - ONLY FOR PACKER DISABLE AFTER IMAGES ARE BUILT"; flow:established; sid:103; rev:1;)

Custom Routes

There are variables provided for each subnet type:

• database_custom_routes
• elasticache_custom_routes
• firewall_custom_routes
• intra_custom_routes
• private_custom_routes
• public_custom_routes
• redshift_custom_routes

These variables are lists of objects.

Example of custom public routes:

public_custom_routes = [
    {
      destination_cidr_block = "8.8.8.8/32"
      internet_route              = true
    },
    {
      destination_cidr_block = "4.4.4.4/32"
      internet_route              = true
    }
  ]

An "internet_route" boolean sets a default to send traffic to the created IGW as a target (required), or to the NFW endpoint if created.

Some variables expose different expected values based on sensible assumptions. For example, a public custom route would not expose NAT gateway as a target, and likewise private subnets will not allow Internet Gateway to be a target.

The variables can be further inspected to see what parameters and types are expected.

Usage

If networks are being created with the goal of peering, it is best practice to build and deploy those resources within the same Terraform state. This allows for efficient referencing of peer subnets and CIDRs to facilitate a proper routing architecture. Please refer to the 'example' folder for example files needed on the parent module calling this PAK based on the deployment requirements. An example of 'mgmt.tf' usage is shown where VPC and AWS NFW resources are deployed, along with optional VPC endpoints:

module "mgmt_vpc" {
  source = "git::https://github.com/Coalfire-CF/terraform-aws-vpc-nfw.git?ref=vx.x.x"

  name = "${var.resource_prefix}-mgmt"
  cidr = var.mgmt_vpc_cidr
  azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1], data.aws_availability_zones.available.names[2]]

  private_subnets = local.private_subnets # Map of Name -> CIDR
  private_subnet_tags = { #please note this goes alphabetically in order
    "0" = "Compute"
    "1" = "Compute"
    "2" = "Compute"
    "3" = "Private"
    "4" = "Private"
    "5" = "Private"
  }

  tgw_subnets = local.tgw_subnets
# Example of using specific CIDRs for TGW:  
# tgw_subnets = [
#   "x.x.255.0/28",
#   "x.x.255.16/28"
# ]
  
  tgw_subnet_tags = {
    "0" = "TGW"
    "1" = "TGW"
    "2" = "TGW"
  }
  
  public_subnets       = local.public_subnets # Map of Name -> CIDR
  public_subnet_suffix = "public"

  single_nat_gateway     = var.single_nat_gateway # false
  enable_nat_gateway     = var.enable_nat_gateway # true
  one_nat_gateway_per_az = var.one_nat_gateway_per_az # true
  enable_vpn_gateway     = var.enable_vpn_gateway # false
  enable_dns_hostnames   = var.enable_dns_hostnames # true

  flow_log_destination_type              = "cloud-watch-logs"
  cloudwatch_log_group_retention_in_days = 30
  cloudwatch_log_group_kms_key_id        = data.terraform_remote_state.account-setup.outputs.cloudwatch_kms_key_arn

  ### Network Firewall ###
  deploy_aws_nfw                        = var.deploy_aws_nfw
  delete_protection                     = var.delete_protection
  aws_nfw_prefix                        = var.resource_prefix
  aws_nfw_name                          = "${var.resource_prefix}-nfw"
  aws_nfw_fivetuple_stateful_rule_group = local.fivetuple_rule_group
  aws_nfw_suricata_stateful_rule_group  = local.suricata_rule_group_shrd_svcs
  nfw_kms_key_id                        = data.terraform_remote_state.account-setup.outputs.nfw_kms_key_id

  # When deploying NFW, firewall_subnets must be specified
  firewall_subnets       = local.firewall_subnets
  firewall_subnet_suffix = "firewall"

  # TLS Outbound Inspection (Optional)
  enable_tls_inspection = var.enable_tls_inspection # deploy_aws_nfw must be set to true to enable this
  tls_cert_arn          = var.tls_cert_arn
  tls_destination_cidrs = var.tls_destination_cidrs # Set these to the NAT gateways to filter outbound traffic without affecting the hosted VPN

  ### VPC Endpoints ### (Optional)
  create_vpc_endpoints = true

  # Control where gateway endpoints are associated
  associate_with_private_route_tables = true  # Associate with private subnets (default)
  associate_with_public_route_tables  = false # Don't associate with public subnets

  vpc_endpoints = {
    # S3 Gateway endpoint
    s3 = {
      service_type = "Gateway"
      service_name = "com.amazonaws.${var.aws_region}.s3"
      tags         = { Name = "${var.resource_prefix}-s3-gateway-endpoint" }
    }

    # DynamoDB Gateway endpoint
    dynamodb = {
      service_type = "Gateway"
      service_name = "com.amazonaws.${var.aws_region}.dynamodb"
      tags         = { Name = "${var.resource_prefix}-dynamodb-endpoint" }
    }

    # KMS Interface endpoint (for encryption operations)
    kms = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.kms-fips"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-kms-endpoint" }
    }

    # SSM Interface endpoint
    ssm = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.ssm"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-ssm-endpoint" }
    }

    # SSM Messages Interface endpoint
    ssmmessages = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.ssmmessages"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-ssmmessages-endpoint" }
    }

    # EC2 Messages Interface endpoint
    ec2messages = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.ec2messages"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-ec2messages-endpoint" }
    }

    # Logs Interface endpoint
    logs = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.logs"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-logs-endpoint" }
    }

    dockerregistry = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.ecr.dkr"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-ecr-dkr" }
    }

    ecr = {
      service_type        = "Interface"
      service_name        = "com.amazonaws.${var.aws_region}.ecr.api"
      subnet_ids          = [module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1a"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1b"], module.mgmt_vpc.private_subnets["vpc-compute-us-gov-west-1c"]]
      private_dns_enabled = true
      tags                = { Name = "${var.resource_prefix}-ecr-api" }
    }

  }

 # Define security groups for VPC endpoints
  vpc_endpoint_security_groups = {
    common_sg = {
      name        = "common-endpoint-sg"
      description = "Common security group for all VPC endpoint"
      ingress_rules = [
        {
          from_port   = 443
          to_port     = 443
          protocol    = "tcp"
          cidr_blocks = ["${var.ip_network_fedramp_mgmt}.0.0/16"]
        }
      ]

      egress_rules = [
        {
          from_port   = 0
          to_port     = 0
          protocol    = "-1"
          cidr_blocks = ["0.0.0.0/0"]
        }
      ]
    }
  }
  
  /* Add Additional tags here */
  tags = {
    Owner       = var.resource_prefix
    Environment = "mgmt"
    createdBy   = "terraform"
  }
}

AWS Networking deployment without AWS Network Firewall:

module "mgmt_vpc" {
  source = "git::https://github.com/Coalfire-CF/terraform-aws-vpc-nfw.git?ref=vx.x.x"
  
  name = "${var.resource_prefix}-mgmt"
  cidr = var.mgmt_vpc_cidr
  azs = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1], data.aws_availability_zones.available.names[2]]

  private_subnets = local.private_subnets # Map of Name -> CIDR, please note this goes alphabetically in order
  private_subnet_tags = {
    "0" = "Compute"
    "1" = "Compute"
    "2" = "Compute"
    "3" = "Private"
    "4" = "Private"
    "5" = "Private"
  }

  tgw_subnets = local.tgw_subnets
  tgw_subnet_tags = {
    "0" = "TGW"
    "1" = "TGW"
    "2" = "TGW"
  }

  firewall_subnets       = local.firewall_subnets
  firewall_subnet_suffix = "firewall"

  public_subnets       = local.public_subnets # Map of Name -> CIDR
  public_subnet_suffix = "public"

  single_nat_gateway     = var.single_nat_gateway # false
  enable_nat_gateway     = var.enable_nat_gateway # true
  one_nat_gateway_per_az = var.one_nat_gateway_per_az # true
  enable_vpn_gateway     = var.enable_vpn_gateway # false
  enable_dns_hostnames   = var.enable_dns_hostnames # true

  flow_log_destination_type              = "cloud-watch-logs"
  cloudwatch_log_group_retention_in_days = 30
  cloudwatch_log_group_kms_key_id        = data.terraform_remote_state.account-setup.outputs.cloudwatch_kms_key_arn

  /* Add Additional tags here */
  tags = {
    Owner       = var.resource_prefix
    Environment = "mgmt"
    createdBy   = "terraform"
  }
}

Environment Setup

IAM user authentication:

- Download and install the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
- Log into the AWS Console and create AWS CLI Credentials (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
- Configure the named profile used for the project, such as 'aws configure --profile example-mgmt'

SSO-based authentication (via IAM Identity Center SSO):

- Login to the AWS IAM Identity Center console, select the permission set for MGMT, and select the 'Access Keys' link.
- Choose the 'IAM Identity Center credentials' method to get the SSO Start URL and SSO Region values.
- Run the setup command 'aws configure sso --profile example-mgmt' and follow the prompts.
- Verify you can run AWS commands successfully, for example 'aws s3 ls --profile example-mgmt'.
- Run 'export AWS_PROFILE=example-mgmt' in your terminal to use the specific profile and avoid having to use '--profile' option.

Deployment

These deployments steps assume you will be deploying this PAK (including AWS NFW) on the Management plane VPC.

NOTE: Please use the code under the 'Usage' section on this README for the most up-to-date code while referring to the 'example' folder for previous deployment examples only.

1. Navigate to the Terraform project and create a parent directory in the upper level code, for example:

   ../{CLOUD}/terraform/{REGION}/management-account/example

   If multi-account management plane:

   ../{CLOUD}/terraform/{REGION}/{ACCOUNT_TYPE}-mgmt-account/example

2. Create a properly defined main.tf file via the template found under 'Usage' while adjusting 'auto.tfvars' as needed. Note that many provided variables are outputs from other modules. Example parent directory:

   ├── Example/
   │   ├── example.auto.tfvars   
   │   ├── locals.tf
   │   ├── mgmt.tf
   │   ├── nfw_policies.tf
   │   ├── outputs.tf
   │   ├── providers.tf
   │   ├── remote-data.tf
   │   ├── required-providers.tf
   │   ├── subnets.tf
   │   ├── suricata.json
   │   ├── variables.tf
   │   ├── ...

   Make sure that 'remote-data.tf' defines the S3 backend which is on the Management account state bucket. For example:

   terraform {
     backend "s3" {
       bucket       = "${var.resource_prefix}-us-gov-west-1-tf-state"
       region       = "us-gov-west-1"
       key          = "${var.resource_prefix}-us-gov-west-1-vpc-setup.tfstate"
       encrypt      = true
       use_lockfile = true
     }
   }

3. Review and update 'nfw_policies.tf', 'subnets.tf', and 'suricata.json' if needed.

4. Initialize the Terraform working directory:

   terraform init

   Create an execution plan and verify the resources being created:

   terraform plan

   Apply the configuration:

   terraform apply

Requirements

Name	Version
terraform	~>1.5
aws	>= 5.15.0, < 6.0

Providers

Name	Version
aws	5.64.0

Modules

Name	Source	Version
aws_network_firewall	./modules/aws-network-firewall	n/a
vpc_endpoints	./modules/vpc-endpoint	n/a

Resources

Name	Type
aws_cloudwatch_log_group.this	resource
aws_db_subnet_group.database	resource
aws_default_security_group.default	resource
aws_default_vpc.this	resource
aws_eip.nat	resource
aws_elasticache_subnet_group.elasticache	resource
aws_flow_log.s3	resource
aws_flow_log.this	resource
aws_iam_policy.flowlogs_policy	resource
aws_iam_role.flowlogs_role	resource
aws_iam_role_policy_attachment.flowlogs_policy	resource
aws_internet_gateway.this	resource
aws_nat_gateway.this	resource
aws_redshift_subnet_group.redshift	resource
aws_route.aws_nfw_igw_rt	resource
aws_route.aws_nfw_public_internet	resource
aws_route.database_custom	resource
aws_route.elasticache_custom	resource
aws_route.firewall_custom	resource
aws_route.intra_custom	resource
aws_route.nfw_public_custom	resource
aws_route.nfw_public_internet_gateway	resource
aws_route.private_custom	resource
aws_route.private_nat_gateway	resource
aws_route.public_custom	resource
aws_route.public_internet_gateway	resource
aws_route.redshift_custom	resource
aws_route.tgw_custom	resource
aws_route_table.aws_nfw_igw_rtb	resource
aws_route_table.database	resource
aws_route_table.elasticache	resource
aws_route_table.firewall	resource
aws_route_table.intra	resource
aws_route_table.private	resource
aws_route_table.public	resource
aws_route_table.redshift	resource
aws_route_table.tgw	resource
aws_route_table_association.database	resource
aws_route_table_association.elasticache	resource
aws_route_table_association.firewall	resource
aws_route_table_association.intra	resource
aws_route_table_association.nfw_igw	resource
aws_route_table_association.nfw_public	resource
aws_route_table_association.private	resource
aws_route_table_association.public	resource
aws_route_table_association.redshift	resource
aws_route_table_association.tgw	resource
aws_s3_bucket.flowlogs	resource
aws_s3_bucket_logging.flowlogs	resource
aws_s3_bucket_policy.flowlogs_bucket_policy	resource
aws_s3_bucket_public_access_block.flowlogs	resource
aws_s3_bucket_server_side_encryption_configuration.flowlogs-encryption	resource
aws_subnet.database	resource
aws_subnet.elasticache	resource
aws_subnet.firewall	resource
aws_subnet.intra	resource
aws_subnet.private	resource
aws_subnet.public	resource
aws_subnet.redshift	resource
aws_subnet.tgw	resource
aws_vpc.this	resource
aws_vpc_dhcp_options.this	resource
aws_vpc_dhcp_options_association.this	resource
aws_vpc_ipv4_cidr_block_association.this	resource
aws_vpn_gateway.this	resource
aws_vpn_gateway_attachment.this	resource
aws_vpn_gateway_route_propagation.private	resource
aws_vpn_gateway_route_propagation.public	resource
aws_iam_policy_document.flow_log_cloudwatch_assume_role	data source
aws_iam_policy_document.flowlogs_policy	data source
aws_iam_policy_document.vpc_flow_log_cloudwatch	data source
aws_region.current	data source

Inputs

Name	Description	Type	Default	Required
assign_generated_ipv6_cidr_block	Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block	bool	false	no
associate_with_private_route_tables	Whether to associate Gateway endpoints with private route tables	bool	true	no
associate_with_public_route_tables	Whether to associate Gateway endpoints with public route tables	bool	false	no
aws_nfw_domain_stateful_rule_group	Config for domain type stateful rule group	list(object({ name = string description = string capacity = number domain_list = list(string) actions = string protocols = list(string) rules_file = optional(string, "") rule_variables = optional(object({ ip_sets = list(object({ key = string ip_set = list(string) })) port_sets = list(object({ key = string port_sets = list(string) })) }), { ip_sets = [] port_sets = [] }) }))	[]	no
aws_nfw_fivetuple_stateful_rule_group	Config for 5-tuple type stateful rule group	list(object({ name = string description = string capacity = number rule_config = list(object({ description = string protocol = string source_ipaddress = string source_port = string direction = string destination_port = string destination_ipaddress = string sid = number actions = map(string) })) }))	[]	no
aws_nfw_name	AWS NFW Name	string	""	no
aws_nfw_prefix	AWS NFW Prefix	string	""	no
aws_nfw_stateless_rule_group	AWS NFW sateless rule group	list(object({ name = string description = string capacity = number rule_config = list(object({ protocols_number = list(number) source_ipaddress = string source_to_port = string destination_to_port = string destination_ipaddress = string tcp_flag = object({ flags = list(string) masks = list(string) }) actions = map(string) })) }))	[]	no
aws_nfw_suricata_stateful_rule_group	Config for Suricata type stateful rule group	list(object({ name = string description = string capacity = number rules_file = optional(string, "") rule_variables = optional(object({ ip_sets = list(object({ key = string ip_set = list(string) })) port_sets = list(object({ key = string port_sets = list(string) })) }), { ip_sets = [] port_sets = [] }) }))	[]	no
azs	A list of availability zones in the region	list(string)	[]	no
cidr	The CIDR block for the VPC.	string	n/a	yes
cloudwatch_log_group_kms_key_id	Customer KMS Key id for Cloudwatch Log encryption	string	""	no
cloudwatch_log_group_retention_in_days	Number of days to retain Cloudwatch logs	number	365	no
create_database_subnet_group	Controls if database subnet group should be created	bool	true	no
create_database_subnet_route_table	Controls if separate route table for database should be created	bool	false	no
create_elasticache_subnet_route_table	Controls if separate route table for elasticache should be created	bool	false	no
create_redshift_subnet_route_table	Controls if separate route table for redshift should be created	bool	false	no
create_vpc_endpoints	Whether to create VPC endpoints	bool	false	no
database_custom_routes	Custom routes for Database Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
database_route_table_tags	Additional tags for the database route tables	map(string)	{}	no
database_subnet_group_tags	Additional tags for the database subnet group	map(string)	{}	no
database_subnet_suffix	Suffix to append to database subnets name	string	"db"	no
database_subnet_tags	Additional tags for the database subnets	map(string)	{}	no
database_subnets	A list of database subnets	list	[]	no
default_vpc_enable_dns_hostnames	Should be true to enable DNS hostnames in the Default VPC	bool	false	no
default_vpc_enable_dns_support	Should be true to enable DNS support in the Default VPC	bool	true	no
default_vpc_name	Name to be used on the Default VPC	string	""	no
default_vpc_tags	Additional tags for the Default VPC	map(string)	{}	no
delete_protection	Whether or not to enable deletion protection of NFW	bool	true	no
deploy_aws_nfw	enable nfw true/false	bool	false	no
dhcp_options_domain_name	Specifies DNS name for DHCP options set	string	""	no
dhcp_options_domain_name_servers	Specify a list of DNS server addresses for DHCP options set, default to AWS provided	list(string)	[ "AmazonProvidedDNS" ]	no
dhcp_options_netbios_name_servers	Specify a list of netbios servers for DHCP options set	list(string)	[]	no
dhcp_options_netbios_node_type	Specify netbios node_type for DHCP options set	string	""	no
dhcp_options_ntp_servers	Specify a list of NTP servers for DHCP options set	list(string)	[]	no
dhcp_options_tags	Additional tags for the DHCP option set	map(string)	{}	no
elasticache_custom_routes	Custom routes for Elasticache Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
elasticache_route_table_tags	Additional tags for the elasticache route tables	map(string)	{}	no
elasticache_subnet_suffix	Suffix to append to elasticache subnets name	string	"elasticache"	no
elasticache_subnet_tags	Additional tags for the elasticache subnets	map(string)	{}	no
elasticache_subnets	A list of elasticache subnets	list	[]	no
enable_dhcp_options	Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type	bool	false	no
enable_dns_hostnames	Should be true to enable DNS hostnames in the VPC	bool	false	no
enable_dns_support	Should be true to enable DNS support in the VPC	bool	true	no
enable_nat_gateway	Should be true if you want to provision NAT Gateways for each of your private networks	bool	false	no
enable_tls_inspection	enable nfw tls inspection true/false. deploy_aws_nfw must be true to enable this	bool	false	no
enable_vpn_gateway	Should be true if you want to create a new VPN Gateway resource and attach it to the VPC	bool	false	no
external_nat_ip_ids	List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips)	list(string)	[]	no
firewall_custom_routes	Custom routes for Firewall Subnets	list(map(string))	[]	no
firewall_route_table_tags	Additional tags for the firewall route tables	map(string)	{}	no
firewall_subnet_name_tag	Additional name tag for the firewall subnets	map(string)	{}	no
firewall_subnet_suffix	Suffix to append to firewall subnets name	string	"firewall"	no
firewall_subnets	A list of firewall subnets inside the VPC	list	[]	no
flow_log_destination_arn	The ARN of the Cloudwatch log destination for Flow Logs	string	null	no
flow_log_destination_type	Type of flow log destination. Can be s3 or cloud-watch-logs	string	n/a	yes
igw_tags	Additional tags for the internet gateway	map(string)	{}	no
instance_tenancy	A tenancy option for instances launched into the VPC	string	"default"	no
intra_custom_routes	Custom routes for Intra Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
intra_route_table_tags	Additional tags for the intra route tables	map(string)	{}	no
intra_subnet_tags	Additional tags for the intra subnets	map(string)	{}	no
intra_subnets	A list of intra subnets	map	{}	no
manage_default_vpc	Should be true to adopt and manage Default VPC	bool	false	no
map_public_ip_on_launch	Should be false if you do not want to auto-assign public IP on launch	bool	true	no
name	Name to be used on all the resources as identifier	string	""	no
nat_eip_tags	Additional tags for the NAT EIP	map(string)	{}	no
nat_gateway_tags	Additional tags for the NAT gateways	map(string)	{}	no
nfw_kms_key_id	NFW KMS Key Id for encryption	string	null	no
one_nat_gateway_per_az	Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs.	bool	false	no
private_custom_routes	Custom routes for Private Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_peering_connection_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
private_eks_tags	A map of tags to add to all privage subnets resources to support EKS	map(string)	{}	no
private_route_table_tags	Additional tags for the private route tables	map(string)	{}	no
private_subnet_suffix	Suffix to append to private subnets name	string	"private"	no
private_subnet_tags	Additional tags for the private subnets	map(string)	{}	no
private_subnets	A list of private subnets inside the VPC	list	[]	no
propagate_private_route_tables_vgw	Should be true if you want route table propagation	bool	false	no
propagate_public_route_tables_vgw	Should be true if you want route table propagation	bool	false	no
public_custom_routes	Custom routes for Public Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) internet_route = optional(bool, null) transit_gateway_id = optional(string, null) }))	[]	no
public_eks_tags	A map of tags to add to all public subnets resources to support EKS	map(string)	{}	no
public_route_table_tags	Additional tags for the public route tables	map(string)	{}	no
public_subnet_suffix	Suffix to append to public subnets name	string	"public"	no
public_subnet_tags	Additional tags for the public subnets	map(string)	{}	no
public_subnets	A list of public subnets inside the VPC	list	[]	no
redshift_custom_routes	Custom routes for Redshift Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
redshift_route_table_tags	Additional tags for the redshift route tables	map(string)	{}	no
redshift_subnet_group_tags	Additional tags for the redshift subnet group	map(string)	{}	no
redshift_subnet_suffix	Suffix to append to redshift subnets name	string	"redshift"	no
redshift_subnet_tags	Additional tags for the redshift subnets	map(string)	{}	no
redshift_subnets	A list of redshift subnets	list	[]	no
reuse_nat_ips	Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable	bool	false	no
s3_access_logs_bucket	bucket id for s3 access logs bucket	string	""	no
s3_kms_key_arn	Customer KMS Key id for Cloudwatch Log encryption	string	""	no
secondary_cidr_blocks	List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool	list(string)	[]	no
single_nat_gateway	Should be true if you want to provision a single shared NAT Gateway across all of your private networks	bool	false	no
subnet_az_mapping	Optional explicit mapping of subnets to AZs - defaults to distributing across AZs	map(string)	{}	no
tags	A map of tags to add to all resources	map(string)	{}	no
tgw_custom_routes	Custom routes for TGW Subnets	list(object({ destination_cidr_block = optional(string, null) destination_prefix_list_id = optional(string, null) network_interface_id = optional(string, null) transit_gateway_id = optional(string, null) vpc_endpoint_id = optional(string, null) }))	[]	no
tgw_route_table_tags	Additional tags for the tgw route tables	map(string)	{}	no
tgw_subnet_suffix	Suffix to append to tgw subnets name	string	"tgw"	no
tgw_subnet_tags	Additional tags for the tgw subnets	map(string)	{}	no
tgw_subnets	A list of tgw subnets inside the VPC	list	[]	no
tls_cert_arn	TLS Certificate ARN	string	""	no
tls_description	Description for the TLS Inspection	string	"TLS Oubound Inspection"	no
tls_destination_cidrs	Destination CIDRs for TLS Inspection	list(string)	[ "0.0.0.0/0" ]	no
tls_destination_from_port	Destination Port for TLS Inspection	number	443	no
tls_destination_to_port	Destination Port for TLS Inspection	number	443	no
tls_source_cidr	Source CIDR for TLS Inspection	string	"0.0.0.0/0"	no
tls_source_from_port	Source Port for TLS Inspection	number	0	no
tls_source_to_port	Source Port for TLS Inspection	number	65535	no
vpc_endpoint_security_groups	Map of security groups to create for VPC endpoints	map(object({ name = string description = optional(string, "Security group for VPC endpoint") ingress_rules = optional(list(object({ description = optional(string) from_port = number to_port = number protocol = string cidr_blocks = optional(list(string), []) ipv6_cidr_blocks = optional(list(string), []) security_groups = optional(list(string), []) self = optional(bool, false) })), []) egress_rules = optional(list(object({ description = optional(string) from_port = number to_port = number protocol = string cidr_blocks = optional(list(string), []) ipv6_cidr_blocks = optional(list(string), []) security_groups = optional(list(string), []) self = optional(bool, false) })), []) tags = optional(map(string), {}) }))	{}	no
vpc_endpoints	Map of VPC endpoint definitions to create	map(object({ service_name = optional(string) # If not provided, standard AWS service name will be constructed service_type = string # "Interface", "Gateway", or "GatewayLoadBalancer" private_dns_enabled = optional(bool, true) # Only applicable for Interface endpoints auto_accept = optional(bool, false) policy = optional(string) # JSON policy document security_group_ids = optional(list(string), []) tags = optional(map(string), {}) subnet_ids = optional(list(string)) # Override default subnet_ids if needed # Required only for GatewayLoadBalancer endpoints ip_address_type = optional(string) # "ipv4" or "dualstack" }))	{}	no
vpc_tags	Additional tags for the VPC	map(string)	{}	no
vpn_gateway_id	ID of VPN Gateway to attach to the VPC	string	""	no
vpn_gateway_tags	Additional tags for the VPN gateway	map(string)	{}	no

Outputs

Name	Description
aws_nfw_endpoint_ids	List of IDs of AWS NFW endpoints
database_subnet_group	ID of database subnet group
database_subnets	List of IDs of database subnets
database_subnets_cidr_blocks	List of cidr_blocks of database subnets
default_network_acl_id	The ID of the default network ACL
default_route_table_id	The ID of the default route table
default_security_group_id	The ID of the security group created by default on VPC creation
default_vpc_cidr_block	The CIDR block of the VPC
default_vpc_default_network_acl_id	The ID of the default network ACL
default_vpc_default_route_table_id	The ID of the default route table
default_vpc_default_security_group_id	The ID of the security group created by default on VPC creation
default_vpc_enable_dns_hostnames	Whether or not the VPC has DNS hostname support
default_vpc_enable_dns_support	Whether or not the VPC has DNS support
default_vpc_id	The ID of the VPC
default_vpc_instance_tenancy	Tenancy of instances spin up within VPC
default_vpc_main_route_table_id	The ID of the main route table associated with this VPC
elasticache_route_table_ids	List of IDs of elasticache route tables
elasticache_subnet_group	ID of elasticache subnet group
elasticache_subnet_group_name	Name of elasticache subnet group
elasticache_subnets	List of IDs of elasticache subnets
elasticache_subnets_cidr_blocks	List of cidr_blocks of elasticache subnets
firewall_route_table_ids	List of IDs of firewall route tables
firewall_subnets	List of IDs of firewall subnets
firewall_subnets_cidr_blocks	List of cidr_blocks of firewall subnets
igw_id	The ID of the Internet Gateway
intra_route_table_ids	List of IDs of intra route tables
intra_subnets	List of IDs of intra subnets
intra_subnets_cidr_blocks	List of cidr_blocks of intra subnets
nat_ids	List of allocation ID of Elastic IPs created for AWS NAT Gateway
nat_public_ips	List of public Elastic IPs created for AWS NAT Gateway
natgw_ids	List of NAT Gateway IDs
private_route_table_ids	List of IDs of private route tables - including database route table IDs, as the database uses the private route tables
private_subnets	List of IDs of private subnets
private_subnets_cidr_blocks	List of cidr_blocks of private subnets
public_route_table_ids	List of IDs of public route tables
public_subnets	List of IDs of public subnets
public_subnets_cidr_blocks	List of cidr_blocks of public subnets
redshift_route_table_ids	List of IDs of redshift route tables
redshift_subnet_group	ID of redshift subnet group
redshift_subnets	List of IDs of redshift subnets
redshift_subnets_cidr_blocks	List of cidr_blocks of redshift subnets
tgw_route_table_ids	List of IDs of tgw route tables
tgw_subnets	List of IDs of tgw subnets
tgw_subnets_cidr_blocks	List of cidr_blocks of tgw subnets
vgw_id	The ID of the VPN Gateway
vpc_cidr_block	The CIDR block of the VPC
vpc_enable_dns_hostnames	Whether or not the VPC has DNS hostname support
vpc_enable_dns_support	Whether or not the VPC has DNS support
vpc_endpoint_security_groups	Map of security group IDs created for VPC endpoints
vpc_endpoints	Map of VPC endpoint IDs
vpc_id	The ID of the VPC
vpc_instance_tenancy	Tenancy of instances spin up within VPC
vpc_main_route_table_id	The ID of the main route table associated with this VPC
vpc_secondary_cidr_blocks	List of secondary CIDR blocks of the VPC

Tree

.
|-- CONTRIBUTING.md
|-- LICENSE
|-- License.md
|-- README.md
|-- coalfire_logo.png
|-- example
|   |-- vpc-app-account
|   |   |-- app-networking.auto.tfvars
|   |   |-- locals.tf
|   |   |-- mgmt.tf
|   |   |-- outputs.tf
|   |   |-- providers.tf
|   |   |-- remote-data.tf
|   |   |-- required_providers.tf
|   |   |-- variables.tf
|   |-- vpc-nfw
|       |-- locals.tf
|       |-- mgmt.tf
|       |-- nfw_policies.tf
|       |-- outputs.tf
|       |-- providers.tf
|       |-- remote-data.tf
|       |-- required_providers.tf
|       |-- subnets.tf
|       |-- suricata.json
|       |-- variables.tf
|       |-- vpc_nfw.auto.tfvars
|-- flowlog.tf
|-- main.tf
|-- modules
|   |-- aws-network-firewall
|   |   |-- README.md
|   |   |-- coalfire_logo.png
|   |   |-- locals.tf
|   |   |-- main.tf
|   |   |-- nfw-base-suricata-rules.json
|   |   |-- output.tf
|   |   |-- required_providers.tf
|   |   |-- tls.tf
|   |   |-- variables.tf
|   |-- vpc-endpoint
|       |-- README.md
|       |-- locals.tf
|       |-- main.tf
|       |-- outputs.tf
|       |-- variables.tf
|-- outputs.tf
|-- required_providers.tf
|-- routes.tf
|-- subnets.tf
|-- test
|   |-- src
|       |-- vpc_endpoints_with_nfw_test.go
|-- update-readme-tree.sh
|-- variables.tf