Policy module needs update

[jonyroda97]

Is your request related to a new offering from AWS?

Is this functionality available in the AWS provider for Terraform? See CHANGELOG.md, too.

• Yes ✅: (all changes related to the firewall since version with changes identified to be in fault on the module - v5.10.0)
  • v5.10.0:
    • resource/aws_networkfirewall_firewall_policy: Add firewall_policy.policy_variables configuration block to support Suricata HOME_NET variable override
  • v5.11.0:
    • resource/aws_networkfirewall_rule_group: Add support for REJECT action in stateful rule actions
  • v5.32.0:
    • data-source/aws_networkfirewall_firewall_policy: Add firewall_policy.tls_inspection_configuration_arn attribute
  • v5.56.0:
    • New Resource: aws_networkfirewall_tls_inspection_configuration

Is your request related to a problem? Please describe.

Currently we can't use some aspects of the firewall resources with this module. The ones that I identified:

• Policy Module:
  • policy_variables configuration block -> to set HOME_NET variable override
  • TLS Inspection Configuration Implementation:
    • tls_inspection_configuration_arn argument in firewall_policy resource
    • aws_networkfirewall_tls_inspection_configuration resource

Describe the solution you'd like.

Update Module to be able to implement all those aspects of the firewall resources.

Check if nothing but these is in fault (didn't do an extensive lookup)

[irussak3]

@antonbabenko @jonyroda97 I’d like to propose adding support for policy_variables to the module. Below are the changes needed:

Updates to modules/policy:

main.tf
Add the following dynamic block to handle policy_variables conditionally:

dynamic "policy_variables" {
  for_each = var.policy_variable_enabled ? [1] : []
  content {
    rule_variables {
      key = var.rule_variable_key
      ip_set {
        definition = var.rule_variable_definition
      }
    }
  }
}

variables.tf
Define the necessary variables:

variable "policy_variable_enabled" {
  description = "Toggle to enable or disable the policy_variables block"
  type        = bool
  default     = false
}

variable "rule_variable_key" {
  description = "Key for the rule_variables block (e.g., HOME_NET)"
  type        = string
  default     = null
}

variable "rule_variable_definition" {
  description = "List of IP ranges to include in the rule"
  type        = list(string)
  default     = []
}

Updates to the Main Module:

main.tf

Pass the required variables to the policy module:

policy_variable_enabled      = var.policy_variable_enabled
rule_variable_key            = var.policy_rule_variable_key
rule_variable_definition     = var.policy_rule_variable_definition

variables.tf

Add the corresponding input variables:

variable "policy_variable_enabled" {
  description = "Toggle to enable or disable the policy_variables block"
  type        = bool
  default     = false
}

variable "policy_rule_variable_key" {
  description = "Key for the rule_variables block (e.g., HOME_NET)"
  type        = string
  default     = null
}

variable "policy_rule_variable_definition" {
  description = "List of IP ranges to include in the rule"
  type        = list(string)
  default     = []
}

Testing:

I’ve tested these changes locally, and the block works as expected. Let me know if you have any questions or need further clarification!

[irussak3]

I added it to the PR

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[jonyroda97]

(remove stale label)

[github-actions]

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

[github-actions]

This issue was automatically closed because of stale in 10 days

[antonbabenko]

This issue has been resolved in version 2.0.0 🎉