Skip to content

sourcefuse/terraform-aws-arc-network-firewall

Repository files navigation

Module Banner

Module: sourcefuse/arc-network-firewall/aws

Registry: https://registry.terraform.io/modules/sourcefuse/arc-network-firewall/aws

Category: Networking / Security

Source: https://github.com/sourcefuse/terraform-aws-arc-network-firewall

Latest Release Last Updated Terraform GitHub Actions

Quality gate

Tip

🤖 New: Use this module with AI assistants via the ARC IaC MCP Server — search, scaffold, and security-scan ARC modules from natural language. Quick setup ↓

Overview

Creates AWS Network Firewall with stateless and stateful rule groups, firewall policies, and logging configuration.

What It Does

  • Network Firewall with configurable VPC and subnets
  • Stateless rule groups for fast packet filtering
  • Stateful rule groups (Suricata-compatible rules)
  • Firewall policy with default actions
  • CloudWatch and S3 logging for flow and alert logs
  • Domain-based filtering with stateful rules

For more information about this repository and its usage, please see Terraform AWS NETWORK FIREWALL Usage Guide.

Quickstart

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name        = "my-network-firewall"
  description = "Basic Network Firewall"

  create_firewall = true
  vpc_id          = "vpc-12345678"
  subnet_ids      = ["subnet-12345678", "subnet-87654321"]

  firewall_policy_config = {
    create                             = true
    name                               = "my-firewall-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Transit Gateway-Attached Firewall

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name               = "tgw-firewall"
  availability_zones = ["use1-az1", "use1-az2"]

  create_firewall = true
  firewall_config = {
    transit_gateway_id = "tgw-12345678"
  }

  firewall_policy_config = {
    create                             = true
    name                               = "tgw-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Firewall with Resource Policy

module "network_firewall" {
  source = "sourcefuse/arc-network-firewall/aws"

  name        = "firewall-with-policy"
  description = "Network Firewall with resource policy"

  create_firewall = true
  vpc_id          = "vpc-12345678"
  subnet_ids      = ["subnet-12345678", "subnet-87654321"]

  firewall_policy_config = {
    create                             = true
    name                               = "shared-policy"
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
  }

  create_firewall_policy_resource_policy = true
  firewall_policy_resource_policy = {
    statements = [
      {
        actions = [
          "network-firewall:ListFirewallPolicies",
          "network-firewall:CreateFirewall",
          "network-firewall:UpdateFirewall",
          "network-firewall:AssociateFirewallPolicy"
        ]
        effect = "Allow"
        principals = {
          aws = ["arn:aws:iam::123456789012:root"]
        }
      }
    ]
  }

  tags = {
    Environment = "production"
    Project     = "security"
  }
}

Required Inputs

Name Type Description
name string Firewall name
vpc_id string VPC ID
subnet_ids list(string) Subnet IDs for firewall endpoints
firewall_policy_config object Firewall policy configuration

Key Outputs

Name Description
firewall_arn Network Firewall ARN
firewall_status Firewall sync states per AZ

Full Variable & Output Reference

The complete inputs/outputs reference is auto-generated below.

Requirements

Name Version
terraform >= 1.3
aws >= 5.0, < 7.0

Providers

Name Version
aws 6.16.0

Modules

Name Source Version
s3_firewall_logs sourcefuse/arc-s3/aws 0.0.5

Resources

Name Type
aws_cloudwatch_log_group.firewall_logs resource
aws_networkfirewall_firewall.this resource
aws_networkfirewall_firewall_policy.this resource
aws_networkfirewall_logging_configuration.this resource
aws_networkfirewall_resource_policy.example resource
aws_networkfirewall_resource_policy.firewall_policy resource
aws_networkfirewall_rule_group.this resource
aws_networkfirewall_tls_inspection_configuration.this resource
aws_networkfirewall_vpc_endpoint_association.this resource

Inputs

Name Description Type Default Required
availability_zones List of availability zone IDs for transit gateway-attached firewall list(string) [] no
create_firewall Controls whether the Network Firewall should be created bool true no
create_firewall_policy_resource_policy Whether to create a resource policy for the firewall policy bool false no
create_rule_group_resource_policy Whether to attach a resource policy to the Rule Group bool false no
description Description of the Network Firewall string null no
firewall_config Combined firewall settings
object({
transit_gateway_id = optional(string)
delete_protection = optional(bool, false)
subnet_change_protection = optional(bool, false)
firewall_policy_change_protection = optional(bool, false)
availability_zone_change_protection = optional(bool, false)
enabled_analysis_types = optional(list(string), [])
encryption_configuration = optional(object({
type = string
key_id = optional(string)
}))
timeouts = optional(object({
create = optional(string)
update = optional(string)
delete = optional(string)
}))
})
{} no
firewall_policy_config # Firewall Policy Configuration
object({
create = optional(bool, false)
arn = optional(string)
name = optional(string)
description = optional(string)
encryption_configuration = optional(object({
type = string
key_id = optional(string)
}))
stateless_default_actions = optional(list(string), ["aws:forward_to_sfe"])
stateless_fragment_default_actions = optional(list(string), ["aws:forward_to_sfe"])
stateful_default_actions = optional(list(string))
stateful_engine_options = optional(object({
rule_order = optional(string, "DEFAULT_ACTION_ORDER")
stream_exception_policy = optional(string, "DROP")
flow_timeouts = optional(object({
tcp_idle_timeout_seconds = optional(number, 350)
}))
}))
policy_variables = optional(object({
rule_variables = optional(map(object({
definition = list(string)
})), {})
}), {})
stateless_rule_groups = optional(list(object({
resource_arn = string
priority = number
})), [])
stateful_rule_groups = optional(list(object({
resource_arn = string
priority = number
deep_threat_inspection = optional(bool)
override = optional(object({
action = string
}))
})), [])
stateless_custom_actions = optional(list(object({
action_name = string
action_definition = object({
publish_metric_action = object({
dimensions = list(object({
value = string
}))
})
})
})), [])
tls_inspection_configuration_arn = optional(string)
create_tls_inspection_configuration = optional(bool, false)
})
{} no
firewall_policy_resource_policy Resource policy configuration for the firewall policy
object({
statements = list(object({
actions = list(string)
effect = string
principals = object({
aws = list(string)
})
}))
})
{
"statements": []
}
no
logging_config List of logging destinations to configure.
Example:
[
{
log_type = "FLOW"
log_destination_type = "S3"
log_destination_name = "firewall-logs-bucket"
},
{
log_type = "ALERT"
log_destination_type = "CloudWatchLogs"
log_destination_name = "firewall-alerts-loggroup"
}
]
object({
enable = optional(bool, true)
log_retention_days = optional(number, 7)
destinations = optional(list(object({
log_type = string
log_destination_type = string # S3
CloudWatchLogs KinesisDataFirehose
log_destination_name = string # bucket name or log group name
})), [])
})
name Name of the Network Firewall string n/a yes
rule_group_config Complete rule group configuration in one object
object({
create = optional(bool, false)
description = optional(string)
capacity = optional(number)
type = optional(string)
encryption_configuration = optional(object({
type = string
key_id = optional(string)
}))
rules = optional(string)
rule_variables = optional(object({
ip_sets = optional(list(object({
key = string
definition = list(string)
})))
port_sets = optional(list(object({
key = string
definition = list(string)
})))
}))
rules_source = optional(object({
rules_source_list = optional(list(object({
generated_rules_type = string
target_types = list(string)
targets = list(string)
})))
rules_string = optional(string)
stateful_rules = optional(list(object({
action = string
header = object({
destination = string
destination_port = string
direction = string
protocol = string
source = string
source_port = string
})
rule_options = optional(list(object({
keyword = string
settings = optional(list(string))
})))
})))
stateless = optional(list(object({
custom_actions = optional(list(object({
action_name = string
dimension = string
})))
rules = list(object({
priority = number
actions = list(string)
match = object({
destination = string
destination_port = object({
from = number
to = number
})
source = string
source_port = object({
from = number
to = number
})
protocols = optional(list(number))
})
}))
})))
}))
stateful_rule_options = optional(object({
rule_order = string
}))
reference_sets = optional(list(object({
key = string
arn = string
})))
})
{} no
rule_group_resource_policy IAM-style resource policy for Network Firewall Rule Group
object({
statements = list(object({
actions = list(string)
effect = string
principals = object({
aws = list(string)
})
}))
})
{
"statements": []
}
no
subnet_ids List of subnet IDs for firewall endpoints list(string) [] no
tags Tags to apply to all resources map(string) {} no
tls_inspection_configuration TLS inspection configuration
object({
create = optional(bool, false)
name = optional(string)
description = optional(string)
encryption_configuration = optional(object({
key_id = optional(string)
type = optional(string, "AWS_OWNED_KMS_KEY")
}))
server_certificate_configurations = optional(list(object({
certificate_authority_arn = optional(string)
check_certificate_revocation_status = optional(object({
revoked_status_action = optional(string, "REJECT")
unknown_status_action = optional(string, "PASS")
}))
server_certificates = optional(list(object({
resource_arn = string
})), [])
scopes = list(object({
protocols = optional(list(number), [6])
destinations = list(object({
address_definition = string
}))
destination_ports = optional(list(object({
from_port = number
to_port = optional(number)
})), [])
sources = optional(list(object({
address_definition = string
})), [])
source_ports = optional(list(object({
from_port = number
to_port = optional(number)
})), [])
}))
})), [])
timeouts = optional(object({
create = optional(string)
update = optional(string)
delete = optional(string)
}))
})
{} no
vpc_endpoint_association Configuration for VPC Endpoint Association
object({
create = optional(bool, false)
description = optional(string)
subnet_mappings = optional(list(object({
subnet_id = string
ip_address_type = optional(string) # IPV4 or DUALSTACK
})), [])
})
{} no
vpc_id VPC ID where the firewall will be deployed string null no

Outputs

Name Description
arn ARN of the rule group
availability_zones Availability zones where firewall endpoints are created
firewall_arn The firewall ARN
firewall_endpoint_ids Map of endpoint IDs per AZ
firewall_id The firewall ID
firewall_name Firewall name
firewall_policy_arn The Amazon Resource Name (ARN) that identifies the firewall policy
firewall_policy_id The Amazon Resource Name (ARN) that identifies the firewall policy
firewall_policy_name The name of the firewall policy
firewall_policy_resource_policy_id ID of the firewall policy resource policy
firewall_policy_update_token A string token used when updating the firewall policy
firewall_status Firewall status
id ID of the rule group
logging_configuration_id The Amazon Resource Name (ARN) of the associated firewall for logging
resource_policy_ids List of resource policy IDs
subnet_ids List of subnet IDs where firewall endpoints are created
tags_all All tags for the firewall
tls_inspection_configuration_arn ARN of the TLS inspection configuration
tls_inspection_configuration_certificate_authority Certificate authority information
tls_inspection_configuration_certificates Certificates information
tls_inspection_configuration_id ID of the TLS inspection configuration
tls_inspection_configuration_update_token Update token of the TLS inspection configuration
transit_gateway_id The Transit Gateway ID for transit gateway-attached firewall
update_token Update token of the rule group
vpc_id The VPC ID where the firewall is deployed

AI Assistant Integration (ARC IaC MCP)

The ARC IaC MCP Server is a hosted Model Context Protocol service that lets AI assistants browse, search, scaffold, compare, and security-scan any of the SourceFuse ARC Terraform modules — directly from natural language.

What you can do with it:

  • Discover — search and filter modules by keyword or AWS resource type.
  • Understand — get inputs, outputs, and resources for any module without leaving your editor.
  • Scaffold — generate production-ready, multi-file Terraform with cross-module wiring already done.
  • Secure — scan generated or existing HCL for misconfigurations before it hits a PR.
  • Compare — diff modules side-by-side to make informed architectural decisions.

Setup (one minute)

The MCP endpoint is https://arc-iac-mcp.sourcef.us/mcp. Pick your client:

Claude Code CLI:

claude mcp add arc-iac --transport http https://arc-iac-mcp.sourcef.us/mcp

Claude Desktop — edit ~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "arc-iac": {
      "url": "https://arc-iac-mcp.sourcef.us/mcp"
    }
  }
}

Cursor / Windsurf / Kiro — add the same block to .cursor/mcp.json (or the equivalent for your client).

Example prompts to try

  • "List all ARC modules sorted by downloads"
  • "What inputs does arc-ecs require?"
  • "Scaffold a production-ready arc-db Aurora setup with Secrets Manager"
  • "Compare arc-eks and arc-ecs for running 10 microservices"
  • "Scan this Terraform before I raise a PR: <paste HCL>"

See the ARC IaC MCP repo for the full tool reference, troubleshooting tips, and local-development instructions.

Contributing

See CONTRIBUTING.md for commit conventions and development setup.

Authors

This project is authored by:

  • SourceFuse

About

Provisions AWS Network Firewall with firewall policies, stateless and stateful rule groups, and subnet associations. Enables deep packet inspection and centralized network traffic filtering across VPCs.

Resources

License

Contributing

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors