Resource: aws_networkfirewall_rule_group

Provides an AWS Network Firewall Rule Group Resource

Example Usage

Stateful Inspection for denying access to a domain

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "DENYLIST"
        target_types         = ["HTTP_HOST"]
        targets              = ["test.example.com"]
      }
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Stateful Inspection for permitting packets from a source IP address

resource "aws_networkfirewall_rule_group" "example" {
  capacity    = 50
  description = "Permits http traffic from source"
  name        = "example"
  type        = "STATEFUL"
  rule_group {
    rules_source {
      dynamic "stateful_rule" {
        for_each = local.ips
        content {
          action = "PASS"
          header {
            destination      = "ANY"
            destination_port = "ANY"
            protocol         = "HTTP"
            direction        = "ANY"
            source_port      = "ANY"
            source           = stateful_rule.value
          }
          rule_option {
            keyword = "sid"
            # Suricata signature IDs must be unique within a rule group; derive one
            # from the list index (0-based) so every generated rule gets its own sid.
            settings = [tostring(stateful_rule.key + 1)]
          }
        }
      }
    }
  }

  tags = {
    Name = "permit HTTP from source"
  }
}

locals {
  ips = ["1.1.1.1/32", "1.0.0.1/32"]
}

Stateful Inspection for blocking packets from going to an intended destination

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "DROP"
        header {
          destination      = "124.1.1.24/32"
          destination_port = 53
          direction        = "ANY"
          protocol         = "TCP"
          source           = "1.2.3.4/32"
          source_port      = 53
        }
        rule_option {
          keyword  = "sid"
          settings = ["1"]
        }
      }
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Stateful Inspection from rules specifications defined in Suricata flat format

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rules    = file("example.rules")

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

Stateful Inspection from rule group specifications using rule variables and Suricata format rules

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "WEBSERVERS_HOSTS"
        ip_set {
          definition = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
        }
      }
      ip_sets {
        key = "EXTERNAL_HOST"
        ip_set {
          definition = ["1.2.3.4/32"]
        }
      }
      port_sets {
        key = "HTTP_PORTS"
        port_set {
          definition = ["443", "80"]
        }
      }
    }
    rules_source {
      rules_string = file("suricata_rules_file")
    }
  }
  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}
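The example above loads the Suricata rules from a file, so the rules that actually consume $WEBSERVERS_HOSTS, $EXTERNAL_HOST and $HTTP_PORTS are not visible. The following added example (written for this page, not taken from the provider documentation) inlines a small rule set in a heredoc instead. The rule text, msg strings, sids and the rule_order setting are assumptions chosen for illustration. Note that a plain `$NAME` inside an HCL heredoc is passed through literally; only `${...}` is interpolated, so the Suricata variable syntax needs no escaping.

```hcl
resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "WEBSERVERS_HOSTS"
        ip_set {
          definition = ["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16"]
        }
      }
      ip_sets {
        key = "EXTERNAL_HOST"
        ip_set {
          definition = ["1.2.3.4/32"]
        }
      }
      port_sets {
        key = "HTTP_PORTS"
        port_set {
          definition = ["443", "80"]
        }
      }
    }

    # Evaluate rules top to bottom. The firewall policy that uses this group
    # must be configured with the same stateful rule order (assumed here).
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }

    rules_source {
      # Rule variables are referenced as $NAME. Every rule needs a sid, and
      # sids must be unique within the rule group.
      rules_string = <<-EOT
        # Block the known-bad external host from reaching the web tier on the HTTP ports
        drop tcp $EXTERNAL_HOST any -> $WEBSERVERS_HOSTS $HTTP_PORTS (msg:"Block external host to web servers"; sid:1000001; rev:1;)
        # Log other inbound web traffic and continue evaluation (alert does not block)
        alert tcp !$WEBSERVERS_HOSTS any -> $WEBSERVERS_HOSTS $HTTP_PORTS (msg:"Inbound web traffic"; flow:to_server; sid:1000002; rev:1;)
        # Drop anything the web tier tries to send to the external host
        drop ip $WEBSERVERS_HOSTS any -> $EXTERNAL_HOST any (msg:"Block web servers to external host"; sid:1000003; rev:1;)
      EOT
    }
  }

  tags = {
    Name = "web-tier-suricata"
  }
}
```

Keeping the rules inline is convenient for small sets; for larger sets, `file()` as in the previous example keeps the HCL readable, and a reviewer can lint the `.rules` file with Suricata directly before it is applied.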

Stateless Inspection with a Custom Action

resource "aws_networkfirewall_rule_group" "example" {
  description = "Stateless Rate Limiting Rule"
  capacity    = 100
  name        = "example"
  type        = "STATELESS"
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {
        custom_action {
          action_definition {
            publish_metric_action {
              dimension {
                value = "2"
              }
            }
          }
          action_name = "ExampleMetricsAction"
        }
        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:pass", "ExampleMetricsAction"]
            match_attributes {
              source {
                address_definition = "1.2.3.4/32"
              }
              source_port {
                from_port = 443
                to_port   = 443
              }
              destination {
                address_definition = "124.1.1.5/32"
              }
              destination_port {
                from_port = 443
                to_port   = 443
              }
              protocols = [6]
              tcp_flag {
                flags = ["SYN"]
                masks = ["SYN", "ACK"]
              }
            }
          }
        }
      }
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}

IP Set References to the Rule Group

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    rules_source {
      rules_source_list {
        generated_rules_type = "DENYLIST"
        target_types         = ["HTTP_HOST"]
        targets              = ["test.example.com"]
      }
    }
    reference_sets {
      ip_set_references {
        key = "example"
        ip_set_reference {
          reference_arn = aws_ec2_managed_prefix_list.this.arn
        }
      }
    }
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}
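The example above references a managed prefix list but shows neither the prefix list nor a rule that uses the referenced set. The following added example (written for this page, not taken from the provider documentation) supplies both. The prefix list name, the CIDR entry (a TEST-NET-2 range) and the rule text are assumptions chosen for illustration. The point to notice is the syntax: a set from `reference_sets` is used in Suricata rules as `@KEY`, whereas a set from `rule_variables` is used as `$KEY`.

```hcl
# The prefix list holds the addresses the rule group refers to. Its entries can
# be updated later without redeploying the rule group; Network Firewall picks
# up the new CIDRs automatically.
resource "aws_ec2_managed_prefix_list" "this" {
  name           = "blocked-sources"
  address_family = "IPv4"
  max_entries    = 10

  entry {
    cidr        = "198.51.100.0/24"
    description = "example blocked range (TEST-NET-2, assumed for this example)"
  }
}

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"
  rule_group {
    reference_sets {
      ip_set_references {
        key = "example"
        ip_set_reference {
          reference_arn = aws_ec2_managed_prefix_list.this.arn
        }
      }
    }

    rules_source {
      # A referenced set is addressed as @example in the rules below.
      rules_string = <<-EOT
        drop ip @example any -> any any (msg:"Drop traffic from prefix-list sources"; sid:2000001; rev:1;)
        drop ip any any -> @example any (msg:"Drop traffic to prefix-list destinations"; sid:2000002; rev:1;)
      EOT
    }
  }

  tags = {
    Name = "prefix-list-block"
  }
}
```

Because the rule group only stores the prefix list ARN, changing `entry` blocks on `aws_ec2_managed_prefix_list.this` updates what the firewall blocks without touching the rule group itself; review changes to the prefix list with the same care as changes to the rules.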

Argument Reference

This resource supports the following arguments:

Encryption Configuration

The encryption_configuration block holds the KMS settings for encrypting the rule group with a customer managed key. Remove this block to use the default AWS-owned KMS encryption (rather than setting type to AWS_OWNED_KMS_KEY).
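None of the examples above show the block in use. The following added example (written for this page, not taken from the provider documentation) encrypts a rule group with a customer managed KMS key; the key description, the allow-listed domain and the use of an ALLOWLIST with TLS_SNI and HTTP_HOST targets are assumptions chosen for illustration.

```hcl
# Customer managed key for the rule group. Rotation is enabled so the key
# material is rotated automatically by KMS.
resource "aws_kms_key" "example" {
  description         = "Network Firewall rule group key (assumed for this example)"
  enable_key_rotation = true
}

resource "aws_networkfirewall_rule_group" "example" {
  capacity = 100
  name     = "example"
  type     = "STATEFUL"

  # Use the customer managed key instead of the default AWS-owned key.
  # key_id accepts any KMS key identifier; the ARN is used here.
  encryption_configuration {
    key_id = aws_kms_key.example.arn
    type   = "CUSTOMER_KMS"
  }

  rule_group {
    rules_source {
      rules_source_list {
        # ALLOWLIST drops HTTP and TLS traffic whose host/SNI is not listed.
        # A leading dot matches the domain and all of its subdomains.
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI", "HTTP_HOST"]
        targets              = [".example.com"]
      }
    }
  }

  tags = {
    Name = "kms-encrypted-allowlist"
  }
}
```

The KMS key policy must allow the Network Firewall service to use the key, otherwise creating or updating the rule group fails; the default key policy created by Terraform grants the account root full access, which covers the caller but should be reviewed before use in production.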

Rule Group

The rule_group block supports the following argument:

Reference Sets

The reference_sets block supports the following arguments:

Rule Variables

The rule_variables block supports the following arguments:

IP Sets

The ip_sets block supports the following arguments:

IP Set

The ip_set configuration block supports the following argument:

IP Set Reference

The ip_set_reference configuration block supports the following argument:

Port Sets

The port_sets block supports the following arguments:

Port Set

The port_set configuration block supports the following argument:

Rules Source

The rules_source block supports the following arguments:

Stateful Rule Options

The stateful_rule_options block supports the following argument:

Rules Source List

The rules_source_list block supports the following arguments:

Stateful Rule

The stateful_rule block supports the following arguments:

Stateless Rules and Custom Actions

The stateless_rules_and_custom_actions block supports the following arguments:

Header

The header block supports the following arguments:

Rule Option

The rule_option block supports the following arguments:

Custom Action

The custom_action block supports the following arguments:

Stateless Rule

The stateless_rule block supports the following arguments:

Rule Definition

The rule_definition block supports the following arguments:

Match Attributes

The match_attributes block supports the following arguments:

Action Definition

The action_definition block supports the following argument:

Publish Metric Action

The publish_metric_action block supports the following argument:

Dimension

The dimension block supports the following argument:

Destination

The destination block supports the following argument:

Destination Port

The destination_port block supports the following arguments:

Source

The source block supports the following argument:

Source Port

The source_port block supports the following arguments:

TCP Flag

The tcp_flag block supports the following arguments:

Attribute Reference

This resource exports the following attributes in addition to the arguments above:

Import

In Terraform v1.5.0 and later, use an import block to import Network Firewall Rule Groups using their arn. For example:

import {
  to = aws_networkfirewall_rule_group.example
  id = "arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example"
}

Using terraform import, import Network Firewall Rule Groups using their arn. For example:

% terraform import aws_networkfirewall_rule_group.example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example