AWS Network Firewall Terraform module
Upstream version 2.1.0
0 controls from Registry requirements
Terraform Module Source: registry.compliance.tf/terraform-aws-modules/network-firewall/aws
Inputs (37 unique)
| Name | Type | Default | Description |
|---|---|---|---|
| Optional | | | |
| availability_zone_change_protection | bool | null | A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones |
| availability_zone_mapping | list({...}) | null | Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the Availability Zones where you want to create firewall endpoints for a transit gateway-attached firewall |
| create | bool | true | Controls if resources should be created |
| create_logging_configuration | bool | null | Controls if a Logging Configuration should be created |
| create_policy | bool | true | Controls if policy should be created |
| create_policy_resource_policy | bool | null | Controls if a resource policy should be created |
| delete_protection | bool | true | A boolean flag indicating whether it is possible to delete the firewall. Defaults to `true` |
| description | string | "" | A friendly description of the firewall |
| enabled_analysis_types | list(string) | null | Set of types for which to collect analysis metrics. Valid values: `TLS_SNI`, `HTTP_HOST`. Defaults to `[]` |
| encryption_configuration | object({...}) | null | KMS encryption configuration settings |
| firewall_policy_arn | string | "" | The ARN of the Firewall Policy to use |
| firewall_policy_change_protection | bool | null | A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to `false` |
| logging_configuration_destination_config | list({...}) | null | A list of min 1, max 2 configuration blocks describing the destination for the logging configuration |
| name | string | "" | A friendly name of the firewall |
| policy_attach_resource_policy | bool | null | Controls if a resource policy should be attached to the firewall policy |
| policy_description | string | null | A friendly description of the firewall policy |
| policy_encryption_configuration | object({...}) | null | KMS encryption configuration settings |
| policy_name | string | "" | A friendly name of the firewall policy |
| policy_ram_resource_associations | map(string) | null | A map of RAM resource associations for the created firewall policy |
| policy_resource_policy | string | "" | The policy JSON to use for the resource policy; required when `create_resource_policy` is `false` |
| policy_resource_policy_actions | list(string) | null | A list of IAM actions allowed in the resource policy |
| policy_resource_policy_principals | list(string) | null | A list of IAM principals allowed in the resource policy |
| policy_stateful_default_actions | list(string) | null | Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `stateful_engine_options` block with a `rule_order` value of `STRICT_ORDER`. You can specify at most one of `aws:drop_strict` or `aws:drop_established`, together with any combination of `aws:alert_strict` and `aws:alert_established` |
| policy_stateful_engine_options | object({...}) | null | A configuration block that defines options on how the policy handles stateful rules. See [Stateful Engine Options](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-engine-options) for details |
| policy_stateful_rule_group_reference | map({...}) | null | Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See [Stateful Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateful-rule-group-reference) for details |
| policy_stateless_custom_action | map({...}) | null | Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `stateless_default_actions` |
| policy_stateless_default_actions | list(string) | null | Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` |
| policy_stateless_fragment_default_actions | list(string) | null | Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe` |
| policy_stateless_rule_group_reference | map({...}) | null | Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See [Stateless Rule Group Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy#stateless-rule-group-reference) for details |
| policy_tags | map(string) | {} | A map of tags to add to all resources |
| policy_variables | object({...}) | null | Contains variables that you can use to override default Suricata settings in your firewall policy |
| region | string | null | Region where the resource(s) will be managed. Defaults to the Region set in the provider configuration |
| subnet_change_protection | bool | true | A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to `true` |
| subnet_mapping | map({...}) | null | Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet |
| tags | map(string) | {} | A map of tags to add to all resources |
| transit_gateway_id | string | null | The ID of the transit gateway to which the firewall is attached. Required when creating a transit gateway-attached firewall |
| vpc_id | string | null | The unique identifier of the VPC where AWS Network Firewall should create the firewall |
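An added example (not taken from this registry page or from the module's own documentation) showing how the inputs above combine into a hardened deployment: delete and change protection left on, customer-managed KMS encryption, all stateless traffic forwarded to the stateful engine under `STRICT_ORDER` with a drop default, and alert/flow logs shipped to CloudWatch. The nested attribute names inside the object and list inputs (`subnet_id`, `key_id`/`type`, `rule_order`, `resource_arn`/`priority`, `log_destination_type`/`log_type`/`log_destination`) are assumed to mirror the underlying `aws_networkfirewall_*` provider resources; every ID, ARN and key reference is a constructed placeholder.

```hcl
module "network_firewall" {
  source  = "terraform-aws-modules/network-firewall/aws"
  version = "2.1.0" # the upstream version listed on this page

  name        = "inspection-fw"
  description = "Centralised inspection firewall"
  vpc_id      = "vpc-0123456789abcdef0" # constructed placeholder

  # One endpoint per AZ; keys are labels, values assume a subnet_id attribute.
  subnet_mapping = {
    az_a = { subnet_id = "subnet-0aaa0000aaaa0000a" } # placeholder
    az_b = { subnet_id = "subnet-0bbb0000bbbb0000b" } # placeholder
  }

  # Keep the protections explicit even where true is the default, so that a
  # later change to false shows up as a visible diff in review.
  delete_protection                 = true
  subnet_change_protection          = true
  firewall_policy_change_protection = true

  # Firewall and policy encrypted with a customer-managed KMS key (placeholder ARN).
  encryption_configuration        = { key_id = "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE", type = "CUSTOMER_KMS" }
  policy_encryption_configuration = { key_id = "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE", type = "CUSTOMER_KMS" }

  # Policy: nothing is passed by the stateless engine by default; unmatched
  # packets and fragments go to the stateful engine, which drops on no match.
  policy_name                               = "inspection-policy"
  policy_stateless_default_actions          = ["aws:forward_to_sfe"]
  policy_stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  policy_stateful_engine_options            = { rule_order = "STRICT_ORDER" }
  policy_stateful_default_actions           = ["aws:drop_strict", "aws:alert_strict"]
  policy_stateful_rule_group_reference = {
    # Constructed placeholder ARN; priority is required under STRICT_ORDER.
    baseline = { resource_arn = "arn:aws:network-firewall:REGION:ACCOUNT:stateful-rulegroup/EXAMPLE", priority = 1 }
  }

  # Ship both alert and flow logs so drops and alerts reach detection tooling.
  create_logging_configuration = true
  logging_configuration_destination_config = [
    { log_destination_type = "CloudWatchLogs", log_type = "ALERT", log_destination = { logGroup = "/aws/network-firewall/alert" } },
    { log_destination_type = "CloudWatchLogs", log_type = "FLOW", log_destination = { logGroup = "/aws/network-firewall/flow" } },
  ]

  tags = { Environment = "prod", Owner = "netsec" }
}
```

The weak counterpart to watch for in review is `policy_stateless_default_actions = ["aws:pass"]` combined with a stateful default that omits `aws:drop_strict`: unmatched traffic then bypasses inspection entirely.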