PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License

Order of Operations TFVARS - Networking #55

Closed jollymahn closed 1 month ago

jollymahn commented 5 months ago

Is your feature request related to a problem?

No — it's a simplification.

Instead of defining the CIDR and then all the NACLs and security groups before the subnets are defined, define the CIDR, subnets, routing and NACLs first, and the security groups last.

Reorder the subnets so they follow the packet flow from the transit gateway through the security VPC (or from the internet back to the TGW).

Don't use a /16 for two firewalls.

Describe the solution you'd like

1: Define the CIDR, subnets, routing and NACLs, then the security groups (see the TFVARS below). 2: Make the subnets follow the packet flow from the TGW through the security VPC to the IGW (see the TFVARS below).

Packet flow (refer to any of the architecture drawings): TGW > Security VPC > tgw-attach-subnet > Endpoint-subnets > GWLB > private-dataplane-subnet > MGMT-Subnet > Public-subnet

3: Simplify the subnetting, even though it then no longer matches the reference architecture or deployment guide.

The defined subnetting uses a /16 for 2-4 firewalls. No customer will ever deploy an infrastructure with a /16; use a real-world example that is easy to follow: assign a /22 or /23 for the VPC CIDR and a /24 for each AZ path from the TGW.

4: Repeat the same order for the application VPCs as well; a /16 is excessive there too.

Describe alternatives you've considered.

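vpcs = {
  # Do not use `-` in a VPC key: that character is used when the VPC key and subnet
  # key are concatenated (`VPCKEY-SUBNETKEY`) for module subnet_set in main.tf.
  security_vpc = {
    name = "security-vpc"
    cidr = "10.254.0.0/22"

    # One /24 per AZ (10.254.0.0/24 = us-west-2a, 10.254.1.0/24 = us-west-2b), carved into
    # /28s in packet-flow order: TGW attach -> GWLB endpoints -> GWLB -> private dataplane
    # -> mgmt -> public. Both AZs use the same offsets, so a subnet's role can be read
    # from its address.
    subnets = {
      # Do not modify the value of `set`; it is an internal identifier referenced by main.tf
      # (later module versions rename this parameter to `subnet_group`).
      # Value of `nacl` must match a key of the objects stored in `nacls`.
      # 0 - first subnet: TGW attachment
      "10.254.0.0/28" = { az = "us-west-2a", set = "tgw_attach", nacl = null }
      "10.254.1.0/28" = { az = "us-west-2b", set = "tgw_attach", nacl = null }
      # 16 - second subnet: outbound GWLB endpoints
      "10.254.0.16/28" = { az = "us-west-2a", set = "gwlbe_outbound", nacl = null }
      "10.254.1.16/28" = { az = "us-west-2b", set = "gwlbe_outbound", nacl = null }
      # 32 - third subnet: east-west GWLB endpoints
      "10.254.0.32/28" = { az = "us-west-2a", set = "gwlbe_eastwest", nacl = null }
      "10.254.1.32/28" = { az = "us-west-2b", set = "gwlbe_eastwest", nacl = null }
      # 48 - fourth subnet: GWLB (source of the GENEVE traffic and health probes allowed in security_groups)
      "10.254.0.48/28" = { az = "us-west-2a", set = "gwlb", nacl = null }
      "10.254.1.48/28" = { az = "us-west-2b", set = "gwlb", nacl = null }
      # 64 - fifth subnet: firewall private dataplane (the only subnets with a NACL attached)
      "10.254.0.64/28" = { az = "us-west-2a", set = "private", nacl = "trusted_path_monitoring" }
      "10.254.1.64/28" = { az = "us-west-2b", set = "private", nacl = "trusted_path_monitoring" }
      # 80 - sixth subnet: firewall management
      "10.254.0.80/28" = { az = "us-west-2a", set = "mgmt", nacl = null }
      "10.254.1.80/28" = { az = "us-west-2b", set = "mgmt", nacl = null }
      # 96 - seventh subnet: public (IGW-facing)
      "10.254.0.96/28" = { az = "us-west-2a", set = "public", nacl = null }
      "10.254.1.96/28" = { az = "us-west-2b", set = "public", nacl = null }
    }

    routes = {
      # Value of `vpc_subnet` is built from the VPC key concatenated with `-` and the subnet
      # key, in the format `VPCKEY-SUBNETKEY`.
      # Value of `next_hop_key` must match the key used to create the TGW attachment, IGW,
      # GWLB endpoint or other resource.
      # Value of `next_hop_type` is internet_gateway, nat_gateway, transit_gateway_attachment
      # or gwlbe_endpoint.
      mgmt_default = {
        vpc_subnet    = "security_vpc-mgmt"
        to_cidr       = "0.0.0.0/0"
        next_hop_key  = "security_vpc"
        next_hop_type = "internet_gateway"
      }
      # Redundant with mgmt_rfc1918 below (10.255.0.0/16 is inside 10.0.0.0/8 and uses the
      # same next hop); harmless, but it can be dropped.
      mgmt_panorama = {
        vpc_subnet    = "security_vpc-mgmt"
        to_cidr       = "10.255.0.0/16"
        next_hop_key  = "security"
        next_hop_type = "transit_gateway_attachment"
      }
      mgmt_rfc1918 = {
        vpc_subnet    = "security_vpc-mgmt"
        to_cidr       = "10.0.0.0/8"
        next_hop_key  = "security"
        next_hop_type = "transit_gateway_attachment"
      }
      # East-west (RFC1918-to-RFC1918) traffic arriving from the TGW is steered to the
      # east-west GWLB endpoints; everything else goes to the outbound endpoints.
      tgw_rfc1918 = {
        vpc_subnet    = "security_vpc-tgw_attach"
        to_cidr       = "10.0.0.0/8"
        next_hop_key  = "security_gwlb_eastwest"
        next_hop_type = "gwlbe_endpoint"
      }
      tgw_default = {
        vpc_subnet    = "security_vpc-tgw_attach"
        to_cidr       = "0.0.0.0/0"
        next_hop_key  = "security_gwlb_outbound"
        next_hop_type = "gwlbe_endpoint"
      }
      public_default = {
        vpc_subnet    = "security_vpc-public"
        to_cidr       = "0.0.0.0/0"
        next_hop_key  = "security_vpc"
        next_hop_type = "internet_gateway"
      }
      # NOTE(review): the key says rfc1918 but to_cidr is 0.0.0.0/0, while the east-west
      # twin below uses 10.0.0.0/8 — confirm whether 10.0.0.0/8 was intended here.
      gwlbe_outbound_rfc1918 = {
        vpc_subnet    = "security_vpc-gwlbe_outbound"
        to_cidr       = "0.0.0.0/0"
        next_hop_key  = "security"
        next_hop_type = "transit_gateway_attachment"
      }
      gwlbe_eastwest_rfc1918 = {
        vpc_subnet    = "security_vpc-gwlbe_eastwest"
        to_cidr       = "10.0.0.0/8"
        next_hop_key  = "security"
        next_hop_type = "transit_gateway_attachment"
      }
    }

    nacls = {
      # Attached to the private dataplane subnets only. Denies outbound ICMP towards the
      # two private subnets (10.254.x.64/28) and allows everything else in both directions.
      trusted_path_monitoring = {
        name = "trusted-path-monitoring"
        rules = {
          block_outbound_icmp_1 = {
            rule_number = 110
            egress      = true
            protocol    = "icmp"
            rule_action = "deny"
            cidr_block  = "10.254.0.64/28"
            from_port   = null
            to_port     = null
          }
          block_outbound_icmp_2 = {
            rule_number = 120
            egress      = true
            protocol    = "icmp"
            rule_action = "deny"
            cidr_block  = "10.254.1.64/28"
            from_port   = null
            to_port     = null
          }
          allow_other_outbound = {
            rule_number = 200
            egress      = true
            protocol    = "-1"
            rule_action = "allow"
            cidr_block  = "0.0.0.0/0"
            from_port   = null
            to_port     = null
          }
          allow_inbound = {
            rule_number = 300
            egress      = false
            protocol    = "-1"
            rule_action = "allow"
            cidr_block  = "0.0.0.0/0"
            from_port   = null
            to_port     = null
          }
        }
      }
    }

    security_groups = {
      # Dataplane interface: ingress is limited to GENEVE and GWLB health probes from the
      # two GWLB subnets (10.254.x.48/28).
      vmseries_private = {
        name = "vmseries_private"
        rules = {
          all_outbound = {
            description = "Permit All traffic outbound"
            type        = "egress", from_port = "0", to_port = "0", protocol = "-1"
            cidr_blocks = ["0.0.0.0/0"]
          }
          geneve = {
            description = "Permit GENEVE to GWLB subnets"
            type        = "ingress", from_port = "6081", to_port = "6081", protocol = "udp"
            cidr_blocks = [
              "10.254.0.48/28", "10.254.1.48/28"
            ]
          }
          health_probe_80 = {
            description = "Permit Port 80 Health Probe to GWLB subnets"
            type        = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
            cidr_blocks = [
              "10.254.0.48/28", "10.254.1.48/28"
            ]
          }
          health_probe_443 = {
            description = "Permit Port 443 Health Probe to GWLB subnets"
            type        = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
            cidr_blocks = [
              "10.254.0.48/28", "10.254.1.48/28"
            ]
          }
        }
      }
      vmseries_mgmt = {
        name = "vmseries_mgmt"
        rules = {
          all_outbound = {
            description = "Permit All traffic outbound"
            type        = "egress", from_port = "0", to_port = "0", protocol = "-1"
            cidr_blocks = ["0.0.0.0/0"]
          }
          # The original listing keyed both HTTPS rules `https`; duplicate object keys are
          # rejected by current HCL (and silently collapse to one rule in older versions),
          # so the two rules are keyed separately here.
          https_public = {
            description = "Permit HTTPS-public"
            type        = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
            cidr_blocks = ["199.167.52.5/32"] # TODO: example admin source; replace with your own management IP range
          }
          https_internal = {
            description = "Permit HTTPS-internal"
            type        = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
            cidr_blocks = ["10.0.0.0/8"] # NOTE(review): very broad for management access; narrow to the Panorama / jump-host subnets
          }
          ssh = {
            description = "Permit SSH-public"
            type        = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
            cidr_blocks = ["199.167.52.5/32"] # TODO: example admin source; replace with your own management IP range
          }
          panorama_ssh = {
            description = "Permit Panorama SSH-internal"
            type        = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
            cidr_blocks = ["10.0.0.0/8"] # NOTE(review): narrow to the Panorama subnet(s) rather than all of 10.0.0.0/8
          }
          panorama_mgmt = {
            description = "Permit Panorama Management"
            type        = "ingress", from_port = "3978", to_port = "3978", protocol = "tcp"
            cidr_blocks = ["10.0.0.0/8"]
          }
          panorama_content = {
            description = "Permit Panorama Content"
            type        = "ingress", from_port = "28443", to_port = "28443", protocol = "tcp"
            cidr_blocks = ["10.0.0.0/8"]
          }
        }
      }
      vmseries_public = {
        name = "vmseries_public"
        rules = {
          all_outbound = {
            description = "Permit All traffic outbound"
            type        = "egress", from_port = "0", to_port = "0", protocol = "-1"
            cidr_blocks = ["0.0.0.0/0"]
          }
          # 10.104.0.0/23 and 10.105.0.0/23 are presumably the application VPC ranges — verify
          # against the application VPC definitions before reuse.
          ssh = {
            description = "Permit SSH"
            type        = "ingress", from_port = "22", to_port = "22", protocol = "tcp"
            cidr_blocks = ["199.167.52.5/32", "10.104.0.0/23", "10.105.0.0/23"] # TODO: replace the example source with your own IP range
          }
          https = {
            description = "Permit HTTPS"
            type        = "ingress", from_port = "443", to_port = "443", protocol = "tcp"
            cidr_blocks = ["199.167.52.5/32", "10.104.0.0/23", "10.105.0.0/23"] # TODO: replace the example source with your own IP range
          }
          http = {
            description = "Permit HTTP"
            type        = "ingress", from_port = "80", to_port = "80", protocol = "tcp"
            cidr_blocks = ["199.167.52.5/32", "10.104.0.0/23", "10.105.0.0/23"] # TODO: replace the example source with your own IP range
          }
        }
      }
    }
  }
  # closing brace for `vpcs` (missing from the original paste)
}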

Additional context

No response

migara commented 4 months ago

We will rename set to subnet_group

slawomir-kaczmarek commented 1 month ago

The `subnet_group` parameter has been introduced in the code, and the restriction on using the dash (`-`) character in VPC names has been removed.