Resource: aws_networkfirewall_firewall_policy

Provides an AWS Network Firewall Firewall Policy Resource

Example Usage

resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example"

  firewall_policy {
    stateless_default_actions          = ["aws:pass"]
    stateless_fragment_default_actions = ["aws:drop"]
    stateless_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.example.arn
    }
    tls_inspection_configuration_arn = "arn:aws:network-firewall:REGION:ACCT:tls-configuration/example"
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Policy with a HOME_NET Override

resource "aws_networkfirewall_firewall_policy" "example" {
  name = "example"

  firewall_policy {
    policy_variables {
      rule_variables {
        key = "HOME_NET"
        ip_set {
          definition = ["10.0.0.0/16", "10.1.0.0/24"]
        }
      }
    }
    stateless_default_actions          = ["aws:pass"]
    stateless_fragment_default_actions = ["aws:drop"]
    stateless_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.example.arn
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Policy with a Custom Action for Stateless Inspection

resource "aws_networkfirewall_firewall_policy" "test" {
  name = "example"

  firewall_policy {
    stateless_default_actions          = ["aws:pass", "ExampleCustomAction"]
    stateless_fragment_default_actions = ["aws:drop"]

    stateless_custom_action {
      action_definition {
        publish_metric_action {
          dimension {
            value = "1"
          }
        }
      }
      action_name = "ExampleCustomAction"
    }
  }
}

Argument Reference

This resource supports the following arguments:

Encryption Configuration

encryption_configuration settings for customer managed KMS keys. Remove this block to use the default AWS-managed KMS encryption (rather than setting type to AWS_OWNED_KMS_KEY).

Firewall Policy

The firewall_policy block supports the following arguments:

Rule Variables

The rule_variables block supports the following arguments:

IP Set

The ip_set block supports the following argument:

Stateful Engine Options

The stateful_engine_options block supports the following argument:

Stateful Rule Group Reference

The stateful_rule_group_reference block supports the following arguments:

Override

Stateless Custom Action

The stateless_custom_action block supports the following arguments:

Stateless Rule Group Reference

The stateless_rule_group_reference block supports the following arguments:

Action Definition

The action_definition block supports the following argument:

Publish Metric Action

The publish_metric_action block supports the following argument:

Dimension

The dimension block supports the following argument:
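A policy that puts the blocks from this section together, added here as an illustration rather than taken from the provider documentation: unmatched stateless traffic is forwarded to the stateful engine instead of being passed, stateful rule groups run in strict order with a drop default, a referenced rule group's drop verdicts are downgraded to alerts through override, and the policy is encrypted with a customer managed key. The argument names key_id, rule_order, stateful_default_actions and override.action, the action values, and the referenced aws_kms_key and rule group resources are assumptions not listed on this page.

```hcl
resource "aws_networkfirewall_firewall_policy" "hardened" {
  name = "hardened-example"

  # Customer managed KMS key instead of the AWS-owned default.
  # Attribute names assumed from the provider schema.
  encryption_configuration {
    type   = "CUSTOMER_KMS"
    key_id = aws_kms_key.example.arn
  }

  firewall_policy {
    # Anything the stateless rule groups do not decide goes to the
    # stateful engine rather than being passed through unchecked.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    # Fragments cannot be fully inspected statelessly, so drop them.
    stateless_fragment_default_actions = ["aws:drop"]

    stateless_rule_group_reference {
      priority     = 1
      resource_arn = aws_networkfirewall_rule_group.stateless_example.arn
    }

    # Evaluate stateful rule groups by priority and drop any flow that
    # no rule explicitly passes, alerting on what was dropped.
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]

    # Run a rule group in alert-only mode first: its drop verdicts become
    # alerts so the rules can be tuned before they block traffic.
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.stateful_example.arn
      override {
        action = "DROP_TO_ALERT"
      }
    }
  }

  tags = {
    Environment = "example"
  }
}
```

Once the alert-only rule group has been tuned against the alert logs, removing the override block makes its drop verdicts take effect.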

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Network Firewall Policies using their arn. For example:

import {
  to = aws_networkfirewall_firewall_policy.example
  id = "arn:aws:network-firewall:us-west-1:123456789012:firewall-policy/example"
}

Using terraform import, import Network Firewall Policies using their arn. For example:

% terraform import aws_networkfirewall_firewall_policy.example arn:aws:network-firewall:us-west-1:123456789012:firewall-policy/example