Terraform module which creates VPC (and optionally NFW) resources on AWS.
## Dependencies
- terraform-aws-account-setup
The following types of resources are supported:
- VPC
- Subnet
- Route
- Route table
- Internet Gateway
- NAT Gateway
- VPN Gateway
- VPC Endpoint ( S3 and DynamoDB)
- RDS DB Subnet Group
- ElastiCache Subnet Group
- Redshift Subnet Group
- DHCP Options Set
- Default VPC
- AWS NFW
- Networking resources, including VPCs, Transit Gateways and Network Firewalls, are designed to be deployed under a single state.
- Outputs of this module can be referenced via Terraform state in the following manner:

  ```hcl
  module.mgmt_vpc.private_subnets["mvp-mgmt-compute-us-gov-west-1a"]
  data.terraform_remote_state.network.outputs.public_subnets["mvp-mgmt-dmz-us-gov-west-1a"]
  ```

- The module is designed to automatically reference the firewall subnets when they are opted to be created.
- The AWS region is appended to the subnet name by default.
- The private route table IDs include the route table IDs from the database subnets as well.
## Usage
For a detailed example of module usage and structure, see the example/vpc-nfw folder.
A simplified module call is given below to demonstrate the general format/syntax and structure:
```hcl
module "mgmt_vpc" {
  source = "git::https://github.com/Coalfire-CF/terraform-aws-vpc-nfw.git?ref=vx.x.x"

  vpc_name = "example-mgmt"
  cidr     = "x.x.x.x/xx"
  azs      = [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]]

  subnets = [
    {
      tag               = "subnet1"
      cidr              = "10.0.0.0/24"
      type              = "firewall"
      availability_zone = "us-gov-west-1a"
    },
    {
      tag               = "subnet2"
      cidr              = "10.0.1.0/24"
      type              = "public"
      availability_zone = "us-gov-west-1b"
    }
  ]

  # NAT / VPN / DNS settings
  single_nat_gateway     = false
  enable_nat_gateway     = true
  one_nat_gateway_per_az = true
  enable_vpn_gateway     = false
  enable_dns_hostnames   = true

  # VPC flow log settings (the KMS key argument is named *_arn to match the variable definition)
  flow_log_destination_type              = "cloud-watch-logs"
  cloudwatch_log_group_retention_in_days = 30
  cloudwatch_log_group_kms_key_arn       = "arn:aws-us-gov:kms:your-cloudwatch-kms-key-arn"

  # AWS Network Firewall settings
  deploy_aws_nfw                         = true
  delete_protection                      = true
  aws_nfw_prefix                         = "example" # not listed in the root Inputs table; confirm against variables.tf
  aws_nfw_name                           = "example-nfw"
  aws_nfw_fivetuple_stateful_rule_group  = local.fivetuple_rule_group
  aws_nfw_suricata_stateful_rule_group   = local.suricata_rule_group_shrd_svcs
  nfw_kms_key_arn                        = "arn:aws-us-gov:kms:your-nfw-kms-key-arn"
}
```

Note: If networks are being created with the goal of peering, it is best practice to build and deploy those resources within the same Terraform state. This allows for efficient referencing of peer subnets and CIDRs to facilitate a proper routing architecture. Please refer to the 'example' folder for the example files needed by the parent module calling this PAK, based on the deployment requirements.
| Input | Description | Example |
|---|---|---|
| resource_prefix | Deployment-wide identifier prepended to resource names (excluding any explicitly-defined or custom resource names) | "prod" |
| vpc_name | Name to assign to the VPC resource | "mgmt-prod-vpc" |
| cidr | The CIDR block to assign to the VPC. See the AWS User Guide for more info on defining VPC CIDRs. | "10.0.0.0/16" |
| azs | This variable defines the Availability Zones in your environment. You may use a Terraform data call to retrieve these values dynamically from the AWS provider. | [data.aws_availability_zones.available.names[0], data.aws_availability_zones.available.names[1]] |
| subnets | A block of subnet definitions. | See Subnets |
| enable_nat_gateway | Whether to deploy NAT gateway(s) | true |
| single_nat_gateway | If true, only deploys a single NAT gateway, shared between all private subnets | false |
| one_nat_gateway_per_az | If true, deploys only one NAT gateway per Availability Zone, shared between all private subnets in that AZ | true |
| enable_vpn_gateway | If true, creates a VPN gateway resource attached to the VPC | false |
| vpn_gateway_custom_name | (Optional) If set, this replaces the default generated name of the AWS VPN with the provided value | "mgmt-prod-vpn" |
| enable_dns_hostnames | If true, enables DNS hostnames in the Default VPC | false |
| flow_log_destination_type | The type of flow log destination. Must be one of "s3" or "cloud-watch-logs" | "cloud-watch-logs" |
| cloudwatch_log_group_retention_in_days | The length of time, in days, to retain CloudWatch logs | 30 |
| cloudwatch_log_group_kms_key_arn | ARN of the KMS key to use for CloudWatch log group encryption. | "arn:aws-us-gov:kms:your-kms-key-arn" |
| deploy_aws_nfw | If true, deploys AWS Network Firewall | true |
| delete_protection | If true, prevents deletion of the AWS Network Firewall. | true |
| aws_nfw_name | Name to assign to the NFW resource | "mgmt-prod-nfw" |
| aws_nfw_fivetuple_stateful_rule_group | Object block containing config for the Suricata 5-tuple type stateful rule group | See Replacing the Default Deny All NFW Policy |
| aws_nfw_suricata_stateful_rule_group | Object block containing config for the Suricata type stateful rule group | See Replacing the Default Deny All NFW Policy |
| nfw_kms_key_arn | ARN of the KMS key to use for firewall encryption | "arn:aws-us-gov:kms:your-kms-key-arn" |
## Subnets
Subnets are specified via the subnets block:

```hcl
subnets = [
  {
    tag               = "fw1"
    cidr              = "10.0.0.0/24"
    type              = "firewall"
    availability_zone = "us-gov-west-1a"
  },
  {
    tag               = "fw2"
    cidr              = "10.0.1.0/24"
    type              = "firewall"
    availability_zone = "us-gov-west-1b"
  }
]
```

Each subnet must be defined with the following attributes:
| Attribute | Description | Example |
|---|---|---|
| tag | An arbitrary identifier (friendly name) which is combined with the resource_prefix variable and the subnet's availability_zone to form the subnet Name tag. For example, for a deployment with resource_prefix "example", setting tag = "secops" and availability_zone = "us-gov-west-1a" results in the subnet name example-secops-us-gov-west-1a | siem |
| cidr | Defines the CIDR block for the subnet. Subnet CIDR blocks must not overlap, and no two subnets can have the same CIDR block. See the AWS User Guide for more information on defining CIDR blocks for VPC subnets. | 10.0.3.0/24 |
| type | Determines the type of subnet to deploy. Allowed values are firewall, public, private, tgw, database, redshift, elasticache, or intra | private |
| availability_zone | The availability zone in which to create the subnet. The AZ specified here must be available in your environment. | us-gov-west-1b |
| custom_name | (Optional, supersedes tag) If your environment has strict requirements for resource naming, you may specify custom_name in place of tag to define the exact string to assign to the subnet's Name tag. | aws-subnet-private-secops-west-1a |
Note: You may specify any number of subnets, in any order, and in any combination of types, availability zones, and CIDR blocks. You may also arbitrarily destroy or create subnets as the need arises, without affecting other subnets. (Always check the output of `terraform plan` before applying changes.)
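The naming rule and CIDR constraints above are easy to get wrong in a large subnets block, and Terraform only reports a CIDR overlap when the AWS API rejects the apply. The following is an added example (not part of the module) of a pre-plan check written in Python: it reproduces the Name-tag rule (resource_prefix-tag-AZ, or custom_name when set) and rejects subnets that fall outside the VPC CIDR, share a CIDR, overlap, or use a type not in the allowed list. The sample subnets are constructed for the example.

```python
"""Pre-plan check for a `subnets` block (added example; not the module's code).

Reproduces the Name-tag rule from the attribute table above and enforces the
CIDR constraints: inside the VPC CIDR, no duplicates, no overlaps, known type.
"""
import ipaddress
from itertools import combinations

# Allowed `type` values, as listed in the attribute table.
ALLOWED_TYPES = {"firewall", "public", "private", "tgw",
                 "database", "redshift", "elasticache", "intra"}


def subnet_name(resource_prefix, subnet):
    """Name tag the module assigns: custom_name supersedes prefix-tag-AZ."""
    if subnet.get("custom_name"):
        return subnet["custom_name"]
    return f"{resource_prefix}-{subnet['tag']}-{subnet['availability_zone']}"


def validate_subnets(vpc_cidr, resource_prefix, subnets):
    """Return a list of human-readable problems; [] means the block is consistent."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    parsed = []  # (name, network) for every subnet whose CIDR parsed

    names = [subnet_name(resource_prefix, s) for s in subnets]
    for name in sorted(set(n for n in names if names.count(n) > 1)):
        problems.append(f"duplicate subnet name {name}")

    for name, s in zip(names, subnets):
        if s.get("type") not in ALLOWED_TYPES:
            problems.append(f"{name}: unsupported type {s.get('type')!r}")
        try:
            net = ipaddress.ip_network(s["cidr"])
        except ValueError:
            problems.append(f"{name}: invalid cidr {s['cidr']!r}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        parsed.append((name, net))

    # Pairwise check: identical CIDRs and partial overlaps are both rejected.
    for (n1, a), (n2, b) in combinations(parsed, 2):
        if a == b:
            problems.append(f"{n1} and {n2} share the same CIDR {a}")
        elif a.overlaps(b):
            problems.append(f"{n1} ({a}) overlaps {n2} ({b})")
    return problems


# Constructed sample data mirroring the subnets block shown above.
GOOD_SUBNETS = [
    {"tag": "fw1", "cidr": "10.0.0.0/24", "type": "firewall", "availability_zone": "us-gov-west-1a"},
    {"tag": "fw2", "cidr": "10.0.1.0/24", "type": "firewall", "availability_zone": "us-gov-west-1b"},
]
# Two constructed faulty entries: one overlaps fw1, one lies outside the VPC.
BAD_SUBNETS = GOOD_SUBNETS + [
    {"tag": "siem", "cidr": "10.0.0.128/25", "type": "private", "availability_zone": "us-gov-west-1a"},
    {"tag": "dmz", "cidr": "10.1.0.0/24", "type": "public", "availability_zone": "us-gov-west-1a"},
]

if __name__ == "__main__":
    for problem in validate_subnets("10.0.0.0/16", "example", BAD_SUBNETS):
        print("PROBLEM:", problem)
```

Run it against the subnets list from your tfvars (loaded with `json.load` or `hcl2`) before `terraform plan`; a non-empty result is the list of entries to fix.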
If desired, you may define subnet CIDRs dynamically using HashiCorp's Terraform CIDR Subnets Module:

```hcl
module "cidr_blocks" {
  source  = "hashicorp/subnets/cidr"
  version = "v1.0.0"

  base_cidr_block = var.mgmt_vpc_cidr
  networks = [
    {
      name     = "block1"
      new_bits = 8
    },
    {
      name     = "block2"
      new_bits = 8
    }
  ]
}

module "mgmt_vpc" {
  cidr = var.mgmt_vpc_cidr
  # ...
  subnets = [
    {
      tag               = "firewall1"
      cidr              = module.cidr_blocks.network_cidr_blocks["block1"]
      type              = "firewall"
      availability_zone = "us-gov-west-1a"
    },
    {
      tag               = "firewall2"
      cidr              = module.cidr_blocks.network_cidr_blocks["block2"]
      type              = "firewall"
      availability_zone = "us-gov-west-1b"
    }
  ]
  # ...
}
```
⚠️ WARNING: due to the way the HashiCorp subnetting module generates CIDRs, removing, adding, or otherwise changing one subnet in the module is likely to cause all other subnet CIDRs to be updated, potentially generating cascading effects across your deployment. If using this method, it is highly recommended to define all subnets during your first deployment and to exercise extreme caution when making any updates.
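To see why the warning holds, it helps to model the allocation itself. The following is an added example (not the module's or HashiCorp's code) that reimplements in Python the sequential, size-aligned allocation that Terraform's `cidrsubnets()` performs and that `hashicorp/subnets/cidr` wraps. It shows that deleting `block1` slides `block2` into the freed range, and that keeping a placeholder entry with `name = null` (which the upstream module documents for this purpose; that detail is not on this page) leaves `block2` unchanged. The network lists are constructed for the example.

```python
"""Model of sequential CIDR allocation (added example; not the module's code).

cidrsubnets() hands out blocks in list order from the start of the base block,
aligning each block to its own size. Removing an entry therefore shifts every
later block. A placeholder entry whose name is None (HCL `null`) still reserves
its space but produces no output, which is how a block is retired safely.
"""
import ipaddress


def allocate(base_cidr, networks):
    """Return {name: cidr} for each named entry, allocated in list order."""
    base = ipaddress.ip_network(base_cidr)
    cursor = int(base.network_address)
    limit = int(base.broadcast_address) + 1
    result = {}
    for entry in networks:
        prefix = base.prefixlen + entry["new_bits"]
        size = 1 << (base.max_prefixlen - prefix)
        # Align to the block's own size, as cidrsubnets() does.
        if cursor % size:
            cursor += size - (cursor % size)
        if cursor + size > limit:
            raise ValueError(f"base block {base} exhausted at {entry}")
        block = ipaddress.ip_network(f"{ipaddress.ip_address(cursor)}/{prefix}")
        cursor += size
        if entry["name"] is not None:  # null entries reserve space but are not output
            result[entry["name"]] = str(block)
    return result


def shifted_blocks(base_cidr, before, after):
    """Names present in both lists whose CIDR changes between them."""
    old, new = allocate(base_cidr, before), allocate(base_cidr, after)
    return sorted(n for n in old if n in new and old[n] != new[n])


# Constructed network lists mirroring the example above.
ORIGINAL = [{"name": "block1", "new_bits": 8}, {"name": "block2", "new_bits": 8}]
# Deleting block1 outright: block2 slides down into block1's old range.
DELETED = [{"name": "block2", "new_bits": 8}]
# Retiring block1 with a null placeholder keeps block2 where it was.
RETIRED = [{"name": None, "new_bits": 8}, {"name": "block2", "new_bits": 8}]

if __name__ == "__main__":
    print(allocate("10.0.0.0/16", ORIGINAL))
    print("shifted after delete:", shifted_blocks("10.0.0.0/16", ORIGINAL, DELETED))
    print("shifted after retire:", shifted_blocks("10.0.0.0/16", ORIGINAL, RETIRED))
```

`shifted_blocks` is the check to run on a proposed change to the `networks` list: any name it returns is a subnet whose CIDR, and therefore whose AWS resource, `terraform plan` will replace.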
## Replacing the Default Deny All NFW Policy
A default Deny All NFW policy is applied from the module's `nfw-base-suricata-rules.json` file (under `modules/aws-network-firewall`). If you are having networking problems, follow the example below to pass a customized ruleset to the module. Any customized ruleset overwrites the default policy.

- Copy the `test.rules.json` file to the directory running Terraform and give it a name. For this example I will use `suricata.json`.
- Populate this JSON file in a similar format to `test.rules.json`, adding the ports and domains you need open based on tooling or client need.
- In your `nfw-policies.tf` file, create a local variable called `suricata_rule_group_shrd_svcs` and populate its values like this example:
```hcl
locals {
  suricata_rule_group_shrd_svcs = [
    {
      capacity    = 1000
      name        = "SuricataDenyAll"
      description = "DenyAllRules"
      rules_file  = file("./suricata.json")
    }
  ]
}
```
- In the file that references the module, add a line similar to the one shown in this example. This passes your custom Suricata ruleset to the module, overwriting the default ruleset.

  ```hcl
  aws_nfw_suricata_stateful_rule_group = local.suricata_rule_group_shrd_svcs
  ```
- After you have built your Packer images, come back and remove the following line:

  ```text
  pass tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Allow inbound SSH - ONLY FOR PACKER DISABLE AFTER IMAGES ARE BUILT"; flow:established; sid:103; rev:1;)
  ```
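The clean-up step above is easy to forget, and a `pass` rule that outlives its purpose silently widens the firewall policy. The following is an added example (not part of the module, and not tied to the `test.rules.json` layout, whose format is not shown on this page): a small Python lint that parses plain Suricata rule lines, reports any `pass` rule whose message still carries the temporary marker, and removes a rule by `sid` so the check can be re-run on the result. The ruleset is constructed for the example and includes the SSH rule quoted above.

```python
"""Lint a Suricata ruleset for leftover temporary `pass` rules (added example).

Assumes rules are plain Suricata rule lines; the module's JSON wrapper is not
modelled here.
"""
import re

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>pass|drop|alert|reject)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
MSG_RE = re.compile(r'msg:\s*"([^"]*)"')
SID_RE = re.compile(r"\bsid:\s*(\d+)")


def parse_rule(line):
    """Return a dict for a rule line, or None for blank lines and comments."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    rule = m.groupdict()
    msg = MSG_RE.search(rule["opts"])
    sid = SID_RE.search(rule["opts"])
    rule["msg"] = msg.group(1) if msg else ""
    rule["sid"] = int(sid.group(1)) if sid else None
    return rule


def find_temporary_pass_rules(rules_text, marker="PACKER"):
    """`pass` rules whose msg carries the temporary-allow marker (case-insensitive)."""
    found = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["action"] == "pass" and marker in rule["msg"].upper():
            found.append({"sid": rule["sid"], "dport": rule["dport"], "msg": rule["msg"]})
    return found


def drop_rule_by_sid(rules_text, sid):
    """Return the ruleset with the rule carrying `sid` removed (the clean-up step)."""
    kept = []
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule and rule["sid"] == sid:
            continue
        kept.append(line)
    return "\n".join(kept)


# Constructed ruleset: the Packer SSH rule quoted above plus two filler rules.
SAMPLE_RULES = """\
# temporary build-time allowance
pass tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Allow inbound SSH - ONLY FOR PACKER DISABLE AFTER IMAGES ARE BUILT"; flow:established; sid:103; rev:1;)
pass tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"Allow outbound HTTPS"; flow:to_server; sid:101; rev:1;)
drop ip any any -> any any (msg:"Deny all"; sid:999; rev:1;)
"""

if __name__ == "__main__":
    for hit in find_temporary_pass_rules(SAMPLE_RULES):
        print(f"temporary pass rule still present: sid {hit['sid']} port {hit['dport']}: {hit['msg']}")
```

Wire `find_temporary_pass_rules` into the pipeline that runs `terraform plan` so a non-empty result fails the job; the marker string is whatever convention your team puts in the `msg` of build-time rules.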
## Custom Routes
There are variables provided for each subnet type:
- database_custom_routes
- elasticache_custom_routes
- firewall_custom_routes
- intra_custom_routes
- private_custom_routes
- public_custom_routes
- redshift_custom_routes
These variables are lists of objects.

Example of custom public routes:

```hcl
public_custom_routes = [
  {
    destination_cidr_block = "8.8.8.8/32"
    internet_route         = true
  },
  {
    destination_cidr_block = "4.4.4.4/32"
    internet_route         = true
  }
]
```

The `internet_route` boolean (required) sends the route's traffic to the created Internet Gateway as the target, or to the NFW endpoint if one was created.
Some variables expose different expected values based on sensible assumptions. For example, a public custom route does not expose a NAT gateway as a target, and likewise private subnets do not allow an Internet Gateway as a target.
The variable definitions can be inspected further to see which parameters and types are expected.
## Authentication
IAM user authentication:
- Download and install the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
- Log into the AWS Console and create AWS CLI credentials (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html)
- Configure the named profile used for the project, such as `aws configure --profile example-mgmt`

SSO-based authentication (via IAM Identity Center SSO):
- Log in to the AWS IAM Identity Center console, select the permission set for MGMT, and select the 'Access Keys' link.
- Choose the 'IAM Identity Center credentials' method to get the SSO Start URL and SSO Region values.
- Run the setup command `aws configure sso --profile example-mgmt` and follow the prompts.
- Verify you can run AWS commands successfully, for example `aws s3 ls --profile example-mgmt`.
- Run `export AWS_PROFILE=example-mgmt` in your terminal to use the specific profile and avoid having to pass the `--profile` option.

## Deployment
These deployment steps assume you will be deploying this PAK (including AWS NFW) on the Management plane VPC.
NOTE: Please use the code under the 'Usage' section on this README for the most up-to-date code while referring to the 'example' folder for previous deployment examples only.
- Navigate to the Terraform project and create a parent directory in the upper level code, for example:

  ```text
  ../{CLOUD}/terraform/{REGION}/management-account/example
  ```

  If multi-account management plane:

  ```text
  ../{CLOUD}/terraform/{REGION}/{ACCOUNT_TYPE}-mgmt-account/example
  ```

- Create a properly defined main.tf file via the template found under 'Usage' while adjusting 'auto.tfvars' as needed. Note that many provided variables are outputs from other modules. Example parent directory:

  ```text
  .
  ├── Example/
  │   ├── example.auto.tfvars
  │   ├── locals.tf
  │   ├── mgmt.tf
  │   ├── nfw_policies.tf
  │   ├── outputs.tf
  │   ├── providers.tf
  │   ├── remote-data.tf
  │   ├── required-providers.tf
  │   ├── subnets.tf
  │   ├── suricata.json
  │   ├── variables.tf
  │   ├── ...
  ```

  Make sure that 'remote-data.tf' defines the S3 backend which is on the Management account state bucket. For example:

  ```hcl
  terraform {
    backend "s3" {
      # Backend blocks cannot reference variables, so the resource prefix
      # ("example" here) has to be written literally rather than as ${var.resource_prefix}.
      bucket       = "example-us-gov-west-1-tf-state"
      region       = "us-gov-west-1"
      key          = "example-us-gov-west-1-vpc-setup.tfstate"
      encrypt      = true
      use_lockfile = true
    }
  }
  ```

- Review and update 'nfw_policies.tf', 'subnets.tf', and 'suricata.json' if needed.

- Initialize the Terraform working directory:

  ```shell
  terraform init
  ```

  Create an execution plan and verify the resources being created:

  ```shell
  terraform plan
  ```

  Apply the configuration:

  ```shell
  terraform apply
  ```
## Requirements
| Name | Version |
|---|---|
| terraform | ~>1.5 |
| aws | >= 5.15.0, < 6.0 |
## Providers
| Name | Version |
|---|---|
| aws | 5.64.0 |
## Modules
| Name | Source | Version |
|---|---|---|
| aws_network_firewall | ./modules/aws-network-firewall | n/a |
| vpc_endpoints | ./modules/vpc-endpoint | n/a |
## Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| assign_generated_ipv6_cidr_block | Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block | bool | false | no |
| associate_with_private_route_tables | Whether to associate Gateway endpoints with private route tables | bool | true | no |
| associate_with_public_route_tables | Whether to associate Gateway endpoints with public route tables | bool | false | no |
| aws_nfw_domain_stateful_rule_group | Config for domain type stateful rule group | list(object({ | [] | no |
| aws_nfw_fivetuple_stateful_rule_group | Config for 5-tuple type stateful rule group | list(object({ | [] | no |
| aws_nfw_name | AWS NFW Name | string | "" | no |
| aws_nfw_stateless_rule_group | AWS NFW stateless rule group | list(object({ | [] | no |
| aws_nfw_suricata_stateful_rule_group | Config for Suricata type stateful rule group | list(object({ | [] | no |
| azs | A list of availability zones in the region | list(string) | [] | no |
| cidr | The CIDR block for the VPC. | string | n/a | yes |
| cloudwatch_log_group_kms_key_arn | Customer KMS Key ARN for CloudWatch Log encryption | string | "" | no |
| cloudwatch_log_group_retention_in_days | Number of days to retain CloudWatch logs | number | 365 | no |
| create_database_subnet_group | Controls if database subnet group should be created | bool | true | no |
| create_database_subnet_route_table | Controls if separate route table for database should be created | bool | false | no |
| create_elasticache_subnet_route_table | Controls if separate route table for elasticache should be created | bool | false | no |
| create_redshift_subnet_route_table | Controls if separate route table for redshift should be created | bool | false | no |
| create_vpc_endpoints | Whether to create VPC endpoints | bool | false | no |
| database_custom_routes | Custom routes for Database Subnets | list(object({ | [] | no |
| database_route_table_tags | Additional tags for the database route tables | map(string) | {} | no |
| database_subnet_group_name | Optional custom resource name for the database subnet group | string | null | no |
| database_subnet_group_tags | Additional tags for the database subnet group | map(string) | {} | no |
| database_subnet_tags | Additional tags for the database subnets | map(string) | {} | no |
| default_vpc_enable_dns_hostnames | Should be true to enable DNS hostnames in the Default VPC | bool | false | no |
| default_vpc_enable_dns_support | Should be true to enable DNS support in the Default VPC | bool | true | no |
| default_vpc_name | Name to be used on the Default VPC | string | "" | no |
| default_vpc_tags | Additional tags for the Default VPC | map(string) | {} | no |
| delete_protection | Whether or not to enable deletion protection of NFW | bool | true | no |
| deploy_aws_nfw | Enable NFW true/false | bool | false | no |
| dhcp_options_domain_name | Specifies DNS name for DHCP options set | string | "" | no |
| dhcp_options_domain_name_servers | Specify a list of DNS server addresses for DHCP options set, default to AWS provided | list(string) | [ | no |
| dhcp_options_netbios_name_servers | Specify a list of netbios servers for DHCP options set | list(string) | [] | no |
| dhcp_options_netbios_node_type | Specify netbios node_type for DHCP options set | string | "" | no |
| dhcp_options_ntp_servers | Specify a list of NTP servers for DHCP options set | list(string) | [] | no |
| dhcp_options_tags | Additional tags for the DHCP option set | map(string) | {} | no |
| elasticache_custom_routes | Custom routes for Elasticache Subnets | list(object({ | [] | no |
| elasticache_route_table_tags | Additional tags for the elasticache route tables | map(string) | {} | no |
| elasticache_subnet_group_name | Optional custom resource name for the Elasticache subnet group | string | null | no |
| elasticache_subnet_tags | Additional tags for the elasticache subnets | map(string) | {} | no |
| enable_dhcp_options | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | bool | false | no |
| enable_dns_hostnames | Should be true to enable DNS hostnames in the VPC | bool | false | no |
| enable_dns_support | Should be true to enable DNS support in the VPC | bool | true | no |
| enable_nat_gateway | Should be true if you want to provision NAT Gateways for each of your private networks | bool | false | no |
| enable_tls_inspection | Enable NFW TLS inspection true/false. deploy_aws_nfw must be true to enable this | bool | false | no |
| enable_vpn_gateway | Should be true if you want to create a new VPN Gateway resource and attach it to the VPC | bool | false | no |
| external_nat_ip_ids | List of EIP IDs to be assigned to the NAT Gateways (used in combination with reuse_nat_ips) | list(string) | [] | no |
| firewall_custom_routes | Custom routes for Firewall Subnets | list(map(string)) | [] | no |
| firewall_route_table_tags | Additional tags for the firewall route tables | map(string) | {} | no |
| firewall_subnet_name_tag | Additional name tag for the firewall subnets | map(string) | {} | no |
| flow_log_destination_arn | The ARN of the CloudWatch log destination for Flow Logs | string | null | no |
| flow_log_destination_type | Type of flow log destination. Can be s3 or cloud-watch-logs | string | n/a | yes |
| igw_tags | Additional tags for the internet gateway | map(string) | {} | no |
| instance_tenancy | A tenancy option for instances launched into the VPC | string | "default" | no |
| intra_custom_routes | Custom routes for Intra Subnets | list(object({ | [] | no |
| intra_route_table_tags | Additional tags for the intra route tables | map(string) | {} | no |
| intra_subnet_tags | Additional tags for the intra subnets | map(string) | {} | no |
| manage_default_vpc | Should be true to adopt and manage Default VPC | bool | false | no |
| map_public_ip_on_launch | Should be false if you do not want to auto-assign public IP on launch | bool | true | no |
| nat_eip_tags | Additional tags for the NAT EIP | map(string) | {} | no |
| nat_gateway_tags | Additional tags for the NAT gateways | map(string) | {} | no |
| nfw_kms_key_arn | ARN of the KMS key to use for NFW encryption | string | null | no |
| one_nat_gateway_per_az | Should be true if you want only one NAT Gateway per availability zone. Requires var.azs to be set, and the number of public_subnets created to be greater than or equal to the number of availability zones specified in var.azs. | bool | false | no |
| private_custom_routes | Custom routes for Private Subnets | list(object({ | [] | no |
| private_eks_tags | A map of tags to add to all private subnets resources to support EKS | map(string) | {} | no |
| private_route_table_tags | Additional tags for the private route tables | map(string) | {} | no |
| propagate_private_route_tables_vgw | Should be true if you want route table propagation | bool | false | no |
| propagate_public_route_tables_vgw | Should be true if you want route table propagation | bool | false | no |
| public_custom_routes | Custom routes for Public Subnets | list(object({ | [] | no |
| public_eks_tags | A map of tags to add to all public subnets resources to support EKS | map(string) | {} | no |
| public_route_table_tags | Additional tags for the public route tables | map(string) | {} | no |
| redshift_custom_routes | Custom routes for Redshift Subnets | list(object({ | [] | no |
| redshift_route_table_tags | Additional tags for the redshift route tables | map(string) | {} | no |
| redshift_subnet_group_name | Optional custom resource name for the Redshift subnet group | string | null | no |
| redshift_subnet_group_tags | Additional tags for the redshift subnet group | map(string) | {} | no |
| redshift_subnet_tags | Additional tags for the redshift subnets | map(string) | {} | no |
| resource_prefix | Prefix to be added to resource names as identifier | string | "" | no |
| reuse_nat_ips | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external_nat_ip_ids' variable | bool | false | no |
| s3_access_logs_bucket | Bucket ID for the S3 access logs bucket | string | "" | no |
| s3_kms_key_arn | Customer KMS Key id for Cloudwatch Log encryption | string | "" | no |
| secondary_cidr_blocks | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | list(string) | [] | no |
| single_nat_gateway | Should be true if you want to provision a single shared NAT Gateway across all of your private networks | bool | false | no |
| subnet_az_mapping | Optional explicit mapping of subnets to AZs - defaults to distributing across AZs | map(string) | {} | no |
| subnets | n/a | list(object({ | n/a | yes |
| tags | A map of tags to add to all resources | map(string) | {} | no |
| tgw_custom_routes | Custom routes for TGW Subnets | list(object({ | [] | no |
| tgw_route_table_tags | Additional tags for the tgw route tables | map(string) | {} | no |
| tls_cert_arn | TLS Certificate ARN | string | "" | no |
| tls_description | Description for the TLS Inspection | string | "TLS Oubound Inspection" | no |
| tls_destination_cidrs | Destination CIDRs for TLS Inspection | list(string) | [ | no |
| tls_destination_from_port | Destination Port for TLS Inspection | number | 443 | no |
| tls_destination_to_port | Destination Port for TLS Inspection | number | 443 | no |
| tls_source_cidr | Source CIDR for TLS Inspection | string | "0.0.0.0/0" | no |
| tls_source_from_port | Source Port for TLS Inspection | number | 0 | no |
| tls_source_to_port | Source Port for TLS Inspection | number | 65535 | no |
| vpc_endpoint_security_groups | Map of security groups to create for VPC endpoints | map(object({ | {} | no |
| vpc_endpoints | Map of VPC endpoint definitions to create | map(object({ | {} | no |
| vpc_name | Name to assign to the AWS VPC | string | n/a | yes |
| vpc_tags | Additional tags for the VPC | map(string) | {} | no |
| vpn_gateway_custom_name | Specifies a custom name to assign to the VPN; if not set, a name will be generated from var.resource_prefix | any | null | no |
| vpn_gateway_id | ID of VPN Gateway to attach to the VPC | string | "" | no |
| vpn_gateway_tags | Additional tags for the VPN gateway | map(string) | {} | no |
## Outputs
| Name | Description |
|---|---|
| aws_nfw_endpoint_ids | List of IDs of AWS NFW endpoints |
| database_subnet_group | ID of database subnet group |
| database_subnets | List of IDs of database subnets |
| database_subnets_cidr_blocks | List of cidr_blocks of database subnets |
| default_network_acl_id | The ID of the default network ACL |
| default_route_table_id | The ID of the default route table |
| default_security_group_id | The ID of the security group created by default on VPC creation |
| default_vpc_cidr_block | The CIDR block of the VPC |
| default_vpc_default_network_acl_id | The ID of the default network ACL |
| default_vpc_default_route_table_id | The ID of the default route table |
| default_vpc_default_security_group_id | The ID of the security group created by default on VPC creation |
| default_vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
| default_vpc_enable_dns_support | Whether or not the VPC has DNS support |
| default_vpc_id | The ID of the VPC |
| default_vpc_instance_tenancy | Tenancy of instances spun up within the VPC |
| default_vpc_main_route_table_id | The ID of the main route table associated with this VPC |
| elasticache_route_table_ids | List of IDs of elasticache route tables |
| elasticache_subnet_group | ID of elasticache subnet group |
| elasticache_subnet_group_name | Name of elasticache subnet group |
| elasticache_subnets | List of IDs of elasticache subnets |
| elasticache_subnets_cidr_blocks | List of cidr_blocks of elasticache subnets |
| firewall_route_table_ids | List of IDs of firewall route tables |
| firewall_subnets | List of IDs of firewall subnets |
| firewall_subnets_cidr_blocks | List of cidr_blocks of firewall subnets |
| igw_id | The ID of the Internet Gateway |
| intra_route_table_ids | List of IDs of intra route tables |
| intra_subnets | List of IDs of intra subnets |
| intra_subnets_cidr_blocks | List of cidr_blocks of intra subnets |
| nat_ids | List of allocation ID of Elastic IPs created for AWS NAT Gateway |
| nat_public_ips | List of public Elastic IPs created for AWS NAT Gateway |
| natgw_ids | List of NAT Gateway IDs |
| private_route_table_ids | List of IDs of private route tables - including database route table IDs, as the database uses the private route tables |
| private_subnets | List of IDs of private subnets |
| private_subnets_cidr_blocks | List of cidr_blocks of private subnets |
| public_route_table_ids | List of IDs of public route tables |
| public_subnets | List of IDs of public subnets |
| public_subnets_cidr_blocks | List of cidr_blocks of public subnets |
| redshift_route_table_ids | List of IDs of redshift route tables |
| redshift_subnet_group | ID of redshift subnet group |
| redshift_subnets | List of IDs of redshift subnets |
| redshift_subnets_cidr_blocks | List of cidr_blocks of redshift subnets |
| subnets | List of objects containing all subnet IDs and CIDRs by name |
| tgw_route_table_ids | List of IDs of tgw route tables |
| tgw_subnets | List of IDs of tgw subnets |
| tgw_subnets_cidr_blocks | List of cidr_blocks of tgw subnets |
| vgw_id | The ID of the VPN Gateway |
| vpc_cidr_block | The CIDR block of the VPC |
| vpc_enable_dns_hostnames | Whether or not the VPC has DNS hostname support |
| vpc_enable_dns_support | Whether or not the VPC has DNS support |
| vpc_endpoint_security_groups | Map of security group IDs created for VPC endpoints |
| vpc_endpoints | Map of VPC endpoint IDs |
| vpc_id | The ID of the VPC |
| vpc_instance_tenancy | Tenancy of instances spun up within the VPC |
| vpc_main_route_table_id | The ID of the main route table associated with this VPC |
| vpc_secondary_cidr_blocks | List of secondary CIDR blocks of the VPC |
## Tree
```text
.
|-- CONTRIBUTING.md
|-- LICENSE
|-- License.md
|-- README.md
|-- coalfire_logo.png
|-- example
|   |-- prior-versions
|   |   |-- README.md
|   |   |-- other-examples
|   |   |   |-- example-with-tls-inspection.tf
|   |   |   |-- example-without-network-firewall.tf
|   |   |-- vpc-app-account
|   |       |-- app-networking.auto.tfvars
|   |       |-- locals.tf
|   |       |-- mgmt.tf
|   |       |-- outputs.tf
|   |       |-- providers.tf
|   |       |-- remote-data.tf
|   |       |-- required_providers.tf
|   |       |-- variables.tf
|   |-- vpc-nfw
|       |-- locals.tf
|       |-- mgmt.tf
|       |-- nfw_policies.tf
|       |-- outputs.tf
|       |-- providers.tf
|       |-- remote-data.tf
|       |-- required_providers.tf
|       |-- suricata.json
|       |-- variables.tf
|       |-- vpc_nfw.auto.tfvars
|-- flowlog.tf
|-- locals.tf
|-- main.tf
|-- modules
|   |-- aws-network-firewall
|   |   |-- README.md
|   |   |-- coalfire_logo.png
|   |   |-- locals.tf
|   |   |-- main.tf
|   |   |-- nfw-base-suricata-rules.json
|   |   |-- output.tf
|   |   |-- required_providers.tf
|   |   |-- tls.tf
|   |   |-- variables.tf
|   |-- vpc-endpoint
|       |-- README.md
|       |-- locals.tf
|       |-- main.tf
|       |-- outputs.tf
|       |-- variables.tf
|-- outputs.tf
|-- release-please-config.json
|-- required_providers.tf
|-- routes.tf
|-- subnets.tf
|-- test
|   |-- src
|       |-- vpc_endpoints_with_nfw_test.go
|-- update-readme-tree.sh
|-- variables.tf
```