hashicorp / terraform-provider-aws

The AWS Provider enables Terraform to manage AWS resources.
https://registry.terraform.io/providers/hashicorp/aws
Mozilla Public License 2.0

AWS network firewall: Ability to attach a firewall policy to a firewall within the same resource #25352

Open ramramhariram opened 2 years ago

ramramhariram commented 2 years ago


Description

Primary feature request - For the AWS Network Firewall provider, we need the ability to attach a firewall policy to an existing firewall within the same resource. For example, while using TF to create a firewall policy, include an option to provide the firewall ARN/ID to which this firewall policy needs to be attached.

New or Affected Resource(s)

Resource: aws_networkfirewall_firewall
Resource: aws_networkfirewall_firewall_policy

Potential Terraform Configuration

Option to specify the firewall ID/ARN in the firewall policy resource as follows:

resource "aws_networkfirewall_firewall_policy" "fw-policy" {
  name = "fw-policy"
  firewall_policy {
    stateless_default_actions = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      #priority     = 255
      resource_arn = aws_networkfirewall_rule_group.fw-rg-sful.arn
    }
    stateful_engine_options { 
      rule_order = "DEFAULT_ACTION_ORDER"
    }
  }
  firewall_arn = aws_networkfirewall_firewall.fw.arn
}

References

An existing example is when creating a security group rule, we have the option to specify the security group id.

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule#example-usage

Similar FR - https://github.com/hashicorp/terraform-provider-aws/issues/25351

justinretzolk commented 2 years ago

Hey @ramramhariram 👋 Thank you for taking the time to raise this! Regarding the aws_security_group_rule, this is a similar situation as I described in my comment on 25351.

In this case, the aws_networkfirewall_firewall_policy resource uses networkfirewall.CreateFirewallPolicyWithContext to create these resources. This function takes a networkfirewall.CreateFirewallPolicyInput type, which does not have a field for specifying the ARN of an existing network firewall, so we're limited by the underlying API, similar to how we are in the information I gave in the aforementioned comment.

That said, the AWS Go SDK does have a function called networkfirewall.AssociateFirewallPolicy, which I believe may be useful for creating a separate resource (perhaps aws_networkfirewall_firewall_policy_association), similar to what is done with the aws_eip_association resource, so I'd like to leave this request open so that someone from the team or community can take look and determine if that's a viable option.

In the meantime, if the aws_networkfirewall_firewall resource is being created outside of Terraform, you could define its configuration, import the resource, and then update the firewall_policy_arn argument of that resource definition to point to your aws_networkfirewall_firewall_policy resource to achieve similar functionality.
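One way to carry out the import-and-reassociate workaround described in the comment above, as an added example that is not code from the issue, the provider, or its documentation. It assumes a firewall that already exists in AWS (created outside Terraform), a stateful rule group resource named fw-rg-sful defined elsewhere in the configuration, Terraform 1.5 or later for the `import` block, and placeholder ARN, VPC and subnet IDs that must be replaced with the real values of the imported firewall:

```hcl
# Added example: brings an out-of-band firewall under Terraform and then
# points it at a Terraform-managed policy. ARNs/IDs below are placeholders.

resource "aws_networkfirewall_firewall_policy" "fw-policy" {
  name = "fw-policy"
  firewall_policy {
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]
    stateful_rule_group_reference {
      # priority is only required with STRICT_ORDER, so it is omitted here.
      resource_arn = aws_networkfirewall_rule_group.fw-rg-sful.arn
    }
    stateful_engine_options {
      rule_order = "DEFAULT_ACTION_ORDER"
    }
  }
}

# Import block (Terraform 1.5+). The import ID for
# aws_networkfirewall_firewall is the firewall ARN. On older Terraform, run
# `terraform import aws_networkfirewall_firewall.fw <firewall-arn>` instead.
import {
  to = aws_networkfirewall_firewall.fw
  id = "arn:aws:network-firewall:us-east-1:123456789012:firewall/existing-fw" # placeholder
}

resource "aws_networkfirewall_firewall" "fw" {
  name   = "existing-fw"               # must match the imported firewall
  vpc_id = "vpc-0123456789abcdef0"     # placeholder; vpc_id forces replacement if wrong

  # The policy association is an attribute of the firewall in the API, so this
  # is the argument that performs the "attach policy to firewall" step.
  firewall_policy_arn = aws_networkfirewall_firewall_policy.fw-policy.arn

  subnet_mapping {
    subnet_id = "subnet-0123456789abcdef0" # placeholder; must match the imported firewall
  }

  # Guardrails once the firewall is managed as code: block accidental deletion
  # and out-of-band subnet changes. Policy change protection is left off for
  # the apply that performs the association; AWS rejects a policy association
  # while that protection is enabled, so enable it in a follow-up apply.
  delete_protection                 = true
  subnet_change_protection          = true
  firewall_policy_change_protection = false
}
```

After adding the import block, run `terraform plan` before `terraform apply` and confirm that the only planned change on aws_networkfirewall_firewall.fw is an in-place update of firewall_policy_arn (and the protection flags). A planned destroy/create means an argument such as vpc_id or subnet_mapping does not match the live firewall, and applying it would tear down the firewall that is currently inspecting traffic.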

michaelrechani commented 11 months ago

Any updates on if this feature will be available in the near future or not? Thanks!

skelleyton commented 8 months ago

I would like to work on this.