Module:
sourcefuse/arc-network-firewall/aws
Registry: https://registry.terraform.io/modules/sourcefuse/arc-network-firewall/aws
Category: Networking / Security
Source: https://github.com/sourcefuse/terraform-aws-arc-network-firewall
Tip
🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓
Creates AWS Network Firewall with stateless and stateful rule groups, firewall policies, and logging configuration.
- Network Firewall with configurable VPC and subnets
- Stateless rule groups for fast packet filtering
- Stateful rule groups (Suricata-compatible rules)
- Firewall policy with default actions
- CloudWatch and S3 logging for flow and alert logs
- Domain-based filtering with stateful rules
For more information about this repository and its usage, please see Terraform AWS NETWORK FIREWALL Usage Guide.
module "network_firewall" {
source = "sourcefuse/arc-network-firewall/aws"
name = "my-network-firewall"
description = "Basic Network Firewall"
create_firewall = true
vpc_id = "vpc-12345678"
subnet_ids = ["subnet-12345678", "subnet-87654321"]
firewall_policy_config = {
create = true
name = "my-firewall-policy"
stateless_default_actions = ["aws:forward_to_sfe"]
stateless_fragment_default_actions = ["aws:forward_to_sfe"]
}
tags = {
Environment = "production"
Project = "security"
}
}module "network_firewall" {
source = "sourcefuse/arc-network-firewall/aws"
name = "tgw-firewall"
availability_zones = ["use1-az1", "use1-az2"]
create_firewall = true
firewall_config = {
transit_gateway_id = "tgw-12345678"
}
firewall_policy_config = {
create = true
name = "tgw-policy"
stateless_default_actions = ["aws:forward_to_sfe"]
stateless_fragment_default_actions = ["aws:forward_to_sfe"]
}
tags = {
Environment = "production"
Project = "security"
}
}module "network_firewall" {
source = "sourcefuse/arc-network-firewall/aws"
name = "firewall-with-policy"
description = "Network Firewall with resource policy"
create_firewall = true
vpc_id = "vpc-12345678"
subnet_ids = ["subnet-12345678", "subnet-87654321"]
firewall_policy_config = {
create = true
name = "shared-policy"
stateless_default_actions = ["aws:forward_to_sfe"]
stateless_fragment_default_actions = ["aws:forward_to_sfe"]
}
create_firewall_policy_resource_policy = true
firewall_policy_resource_policy = {
statements = [
{
actions = [
"network-firewall:ListFirewallPolicies",
"network-firewall:CreateFirewall",
"network-firewall:UpdateFirewall",
"network-firewall:AssociateFirewallPolicy"
]
effect = "Allow"
principals = {
aws = ["arn:aws:iam::123456789012:root"]
}
}
]
}
tags = {
Environment = "production"
Project = "security"
}
}| Name | Type | Description |
|---|---|---|
name |
string |
Firewall name |
vpc_id |
string |
VPC ID |
subnet_ids |
list(string) |
Subnet IDs for firewall endpoints |
firewall_policy_config |
object |
Firewall policy configuration |
| Name | Description |
|---|---|
firewall_arn |
Network Firewall ARN |
firewall_status |
Firewall sync states per AZ |
The complete inputs/outputs reference is auto-generated below.
| Name | Version |
|---|---|
| terraform | >= 1.3 |
| aws | >= 5.0, < 7.0 |
| Name | Version |
|---|---|
| aws | 6.16.0 |
| Name | Source | Version |
|---|---|---|
| s3_firewall_logs | sourcefuse/arc-s3/aws | 0.0.5 |
| Name | Type |
|---|---|
| aws_cloudwatch_log_group.firewall_logs | resource |
| aws_networkfirewall_firewall.this | resource |
| aws_networkfirewall_firewall_policy.this | resource |
| aws_networkfirewall_logging_configuration.this | resource |
| aws_networkfirewall_resource_policy.example | resource |
| aws_networkfirewall_resource_policy.firewall_policy | resource |
| aws_networkfirewall_rule_group.this | resource |
| aws_networkfirewall_tls_inspection_configuration.this | resource |
| aws_networkfirewall_vpc_endpoint_association.this | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| availability_zones | List of availability zone IDs for transit gateway-attached firewall | list(string) |
[] |
no |
| create_firewall | Controls whether the Network Firewall should be created | bool |
true |
no |
| create_firewall_policy_resource_policy | Whether to create a resource policy for the firewall policy | bool |
false |
no |
| create_rule_group_resource_policy | Whether to attach a resource policy to the Rule Group | bool |
false |
no |
| description | Description of the Network Firewall | string |
null |
no |
| firewall_config | Combined firewall settings | object({ |
{} |
no |
| firewall_policy_config | # Firewall Policy Configuration | object({ |
{} |
no |
| firewall_policy_resource_policy | Resource policy configuration for the firewall policy | object({ |
{ |
no |
| logging_config | List of logging destinations to configure. Example: [ { log_type = "FLOW" log_destination_type = "S3" log_destination_name = "firewall-logs-bucket" }, { log_type = "ALERT" log_destination_type = "CloudWatchLogs" log_destination_name = "firewall-alerts-loggroup" } ] |
object({ |
CloudWatchLogs | KinesisDataFirehose log_destination_name = string # bucket name or log group name })), []) }) |
| name | Name of the Network Firewall | string |
n/a | yes |
| rule_group_config | Complete rule group configuration in one object | object({ |
{} |
no |
| rule_group_resource_policy | IAM-style resource policy for Network Firewall Rule Group | object({ |
{ |
no |
| subnet_ids | List of subnet IDs for firewall endpoints | list(string) |
[] |
no |
| tags | Tags to apply to all resources | map(string) |
{} |
no |
| tls_inspection_configuration | TLS inspection configuration | object({ |
{} |
no |
| vpc_endpoint_association | Configuration for VPC Endpoint Association | object({ |
{} |
no |
| vpc_id | VPC ID where the firewall will be deployed | string |
null |
no |
| Name | Description |
|---|---|
| arn | ARN of the rule group |
| availability_zones | Availability zones where firewall endpoints are created |
| firewall_arn | The firewall ARN |
| firewall_endpoint_ids | Map of endpoint IDs per AZ |
| firewall_id | The firewall ID |
| firewall_name | Firewall name |
| firewall_policy_arn | The Amazon Resource Name (ARN) that identifies the firewall policy |
| firewall_policy_id | The Amazon Resource Name (ARN) that identifies the firewall policy |
| firewall_policy_name | The name of the firewall policy |
| firewall_policy_resource_policy_id | ID of the firewall policy resource policy |
| firewall_policy_update_token | A string token used when updating the firewall policy |
| firewall_status | Firewall status |
| id | ID of the rule group |
| logging_configuration_id | The Amazon Resource Name (ARN) of the associated firewall for logging |
| resource_policy_ids | List of resource policy IDs |
| subnet_ids | List of subnet IDs where firewall endpoints are created |
| tags_all | All tags for the firewall |
| tls_inspection_configuration_arn | ARN of the TLS inspection configuration |
| tls_inspection_configuration_certificate_authority | Certificate authority information |
| tls_inspection_configuration_certificates | Certificates information |
| tls_inspection_configuration_id | ID of the TLS inspection configuration |
| tls_inspection_configuration_update_token | Update token of the TLS inspection configuration |
| transit_gateway_id | The Transit Gateway ID for transit gateway-attached firewall |
| update_token | Update token of the rule group |
| vpc_id | The VPC ID where the firewall is deployed |
The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.
What you can do with it:
- Discover — search and filter modules by keyword or AWS resource type.
- Understand — get inputs, outputs, and resources for any module without leaving your editor.
- Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
- Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
- Compare — diff modules side-by-side to make informed architectural decisions.
The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:
Claude Code CLI:
claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcpClaude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"arc-iac": {
"url": "https://arc-iac-mcp.sourcef.us/mcp"
}
}
}Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).
- "List all ARC modules sorted by downloads"
- "What inputs does
arc-ecsrequire?" - "Scaffold a production-ready
arc-dbAurora setup with Secrets Manager" - "Compare
arc-eksandarc-ecsfor running 10 microservices" - "Scan this Terraform before I raise a PR:
<paste HCL>"
See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.
See CONTRIBUTING.md for commit conventions and development setup.
This project is authored by:
- SourceFuse
