Closed ryanoolala closed 1 year ago
Yes, it's high on the list of priorities. Currently waiting on this "soft" breaking change to land first: https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/838
@bryantbiggs
Just want to make sure I understand, v4 of this module will include the Firewall changes, correct? We currently use v3 of this module and disable all the public settings, and then load in your beta v4, to do the firewall stuff.
Really hoping we can get back into the main release of this module with v4, since I know v5 will be more breaking.
Thanks,
Part of the reason why we haven't been able to add a lot of the new networking features is because they are coming under v4.0+ of the AWS provider, which means it would be a breaking change here (going from AWS provider v3.x to v4.x). So while the bits from https://github.com/clowdhaus/terraform-aws-vpc-v5 are not included in the initial v4.0 PR, that PR will now allow us to start bringing over a lot of those sub-modules.
The v5.x breaking change that will be more disruptive here will mostly come from the changes to the way subnets are created/managed in the module today, and moving over to the new modular approach. If you look at the root module of the new/proposed module, you can think of it as mostly a "container" which users can build out and extend through the various sub-modules provided (create n-number of subnet groups with their own specific routing, attach network firewall, set up IPAM pools to vend CIDRs to the VPCs created, etc.). The v5.x changes here will mostly center around changes to get to this extendable "container" approach.
@bryantbiggs
I'm probably being dense here, but want to confirm: the v4 release will not allow the network firewall stuff, correct? We will have to keep shimming this until v5?
Thanks,
Once #838 lands, we can move over the network-firewall module here as part of something like v4.1.0 - does that cover the scenario you are looking for?
@bryantbiggs
You would make my work life so much easier if that happened :D
Then yes, that is the plan. Once we've upgraded the Terraform and AWS provider versions in #838, we can move over (nearly) all of the sub-modules in https://github.com/clowdhaus/terraform-aws-vpc-v5 as part of v4.x changes (nothing breaking in adding those, we just need the supported versions in place).
This issue has been automatically marked as stale because it has been open 30 days with no activity. Remove the stale label or comment, or this issue will be closed in 10 days.
Will be adding shortly.
@bryantbiggs - any rough ETA on this? Deciding if I wait on this update (ideally) or use the forked version.
It's been a couple of weeks, any updates on this issue?
Any updates/progress here?
Has anyone tried using this AWS module for network firewall (https://registry.terraform.io/modules/aws-ia/networkfirewall/aws/latest)? I've added an intra subnet to my egress VPC (to host the network firewall) created using the terraform-aws-vpc module and configured the AWS network firewall with the relevant details. I haven't run it yet, but terraform plan looks OK. I'll try and run it in a sandbox account and see if it works OK.
@bryantbiggs
Sorry to be a pain, can we at least get a rough update, so I can pass something back up the chain? We are holding off on a prod re-deploy, since the firewall is a hard regulatory requirement and I'd rather not deviate from this mainstream module and then have you guys release while I'm kind of half in, half out.
If there is anything, work wise, we can assist with, please let me know.
Yes, apologies for the delay. After reviewing the network firewall usage patterns with some folks, I have decided to split it out into its own repository instead of nesting it under the VPC module. I have created that initial module here: https://github.com/clowdhaus/terraform-aws-network-firewall
Please take a look and let me know if there is any initial feedback. Depending on feedback, we can get a version cut, the repo transferred, and put it on the registry between today and Monday.
Looks good to me. I am passing it back up to our sec team to see if they have any Qs.
Thank you, I appreciate it! And thanks for your patience.
Also eagerly awaiting network firewall support. Thanks for all the hard work @bryantbiggs.
OK, this is now on the registry and the repo is here: https://github.com/terraform-aws-modules/terraform-aws-network-firewall
I'll close out this issue for now, thanks y'all!
Hello @bryantbiggs
I see the new module for firewall; however, for the firewall to work, it requires a number of changes to the VPC, such as creating new subnets which should be named differently (not using public_subnet_suffix) for identification, as well as significant changes to the public subnet route table and creation of a new route table for the IGW.
These changes, I believe, belong to the VPC module; without them, creating the network firewall alone doesn't inspect any traffic.
@ryanoolala
Is what I'm reporting here your issue as well?
https://github.com/terraform-aws-modules/terraform-aws-network-firewall/issues/1
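As an added example (not code from the VPC module, the network firewall module, or anyone in this thread), the route-table plumbing described in the comment above for a single AZ: a dedicated firewall subnet with its own name, the public subnet's default route redirected to the firewall endpoint, and an edge route table on the IGW that sends return traffic back through the firewall. The VPC, IGW, subnets and the firewall endpoint ID are assumed to exist and are passed in as variables.

```hcl
# Added illustration, not code from the vpc or network-firewall modules.
# Assumed inputs (variables): an existing VPC, IGW, one public subnet and one
# dedicated firewall subnet in the same AZ, and that AZ's firewall endpoint ID.
variable "vpc_id" {}
variable "igw_id" {}
variable "public_subnet_id" {}
variable "public_subnet_cidr" {} # e.g. "10.0.0.0/24" (constructed)
variable "firewall_subnet_id" {} # named with its own suffix, not public_subnet_suffix
variable "firewall_endpoint_id" {} # "vpce-..." from firewall_status[0].sync_states

# 1. Firewall subnet: inspected traffic leaves through the IGW.
resource "aws_route_table" "firewall" {
  vpc_id = var.vpc_id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = var.igw_id
  }
}
resource "aws_route_table_association" "firewall" {
  subnet_id      = var.firewall_subnet_id
  route_table_id = aws_route_table.firewall.id
}

# 2. Public subnet: default route targets the firewall endpoint, not the IGW,
#    so egress is inspected before it reaches the internet.
resource "aws_route_table" "public" {
  vpc_id = var.vpc_id
  route {
    cidr_block      = "0.0.0.0/0"
    vpc_endpoint_id = var.firewall_endpoint_id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = var.public_subnet_id
  route_table_id = aws_route_table.public.id
}
# 3. IGW ingress route table (edge association): return traffic for the public
#    subnet is steered back through the firewall before it reaches instances.
resource "aws_route_table" "igw" {
  vpc_id = var.vpc_id
  route {
    cidr_block      = var.public_subnet_cidr
    vpc_endpoint_id = var.firewall_endpoint_id
  }
}
resource "aws_route_table_association" "igw" {
  gateway_id     = var.igw_id
  route_table_id = aws_route_table.igw.id
}
```

Without steps 2 and 3 the firewall endpoint exists but sits off-path, which is the "doesn't inspect any traffic" outcome noted above; repeat the three tables per AZ, each with that AZ's own endpoint ID.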
Hi @jseiser
Yes it is. The VPC and Firewall modules need more integration, otherwise it is unusable.
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Hello @antonbabenko, @bryantbiggs, is the Firewall module still being worked on?
I understand that it's being developed in https://github.com/clowdhaus/terraform-aws-vpc-v5/tree/main/modules/network-firewall; am curious about the backlog priority for this task, if you're able to share.
Additional context
https://github.com/terraform-aws-modules/terraform-aws-vpc/pull/672