aws_networkfirewall_rule_group - Source IP CIDR ranges

I am trying to use aws_networkfirewall_rule_group to create a Domain list type rule group.

I can create the group, specifying the domain. But I can’t see any options to add Source IP CIDR ranges.

In the console there are 2 options that need defining:
Source IPs type - set to Defined
Source IP CIDR ranges - list IPs/subnets.

Neither of them seems to be an option when deploying via Terraform. Hopefully I am missing something obvious.

I’m using AWS provider 4.22.0 & Terraform v1.1.3

Thanks

I have worked this out. It’s very different to the Console where you can just add IP ranges. Instead you have to update the HOME_NET value. Example below:

resource "aws_networkfirewall_rule_group" "this" {
  capacity = 100
  name     = "test2"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["x.x.x.x/16", "x.x.x.x/24"]
        }
      }
    }
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI"]
        targets              = ["test.example.com"]
      }
    }
  }

  tags = var.tags
}

Hello,
I have the same issue. After I apply ip_sets rule variables I do not see the CIDR block enabled in the domain rule:

resource "aws_networkfirewall_rule_group" "domain_stateful_group" {
  for_each = local.domain_rule_groups

  type        = "STATEFUL"
  name        = each.value["name"]
  description = each.value["description"]
  capacity    = each.value["capacity"]

  rule_group {
    rule_variables {
      dynamic "ip_sets" {
        for_each = each.value["rule_variables"]["ip_sets"]
        content {
          key = ip_sets.value["key"]
          ip_set {
            definition = ip_sets.value["ip_set"]
          }
        }
      }
    }

    rules_source {
      rules_source_list {
        generated_rules_type = each.value["actions"]
        target_types         = each.value["protocols"]
        targets              = each.value["domain_list"]
      }
    }
  }
}

And here is the domain_rule_groups variable itself:

domain_rule_groups = {
  default_rule_group = {
    capacity    = 100
    name        = "${local.name}-domain-statefull-default-rule-group"
    description = "Domain Statefull Default Rule group"
    actions     = "ALLOWLIST"
    domain_list = [
      ".domain1.com",
      ".domain2.com"
    ]
    protocols = ["HTTP_HOST", "TLS_SNI"]
    rule_variables = {
      ip_sets = [
        {
          key    = "VPC_conected_networks"
          ip_set = ["10.253.0.0/16", "10.254.0.0/24"]
        }
      ]
      port_sets = [
        {
          key       = "HTTP_PORTS"
          port_sets = ["443", "80"]
        }
      ]
    }
  }
}

Do you have any idea what I am missing?
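A plan check added here (not code from the thread, the AWS provider, or Terraform) that reads `terraform show -json tfplan` output and reports every domain list rule group whose source CIDRs are not carried by the HOME_NET rule variable, which the first reply identifies as the place the console's "Source IP CIDR ranges" end up. It also catches a HOME_NET that does not parse (for example a placeholder left in) or that differs from the CIDR set you expect. The plan in the block is a constructed sample built from the two configurations above, and the nested-list shape assumed for `values` (rule_group[0].rule_variables[0].ip_sets[].ip_set[0].definition) follows how Terraform renders nested blocks in its JSON plan format.

```python
"""Lint a Terraform JSON plan for aws_networkfirewall_rule_group domain list
groups and report whether the source CIDR scope is carried by HOME_NET.

Added example for this thread; not code from the thread, the AWS provider or
Terraform. SAMPLE_PLAN is a constructed sample, not real `terraform show -json`
output, and the nested-list layout of `values` is an assumption that mirrors
how Terraform renders nested blocks in its JSON plan format.
"""
import ipaddress
import json

# Constructed sample plan: the first group keys its CIDRs as HOME_NET, the
# second uses a custom key, as in the second post of the thread.
SAMPLE_PLAN = {
    "planned_values": {"root_module": {"resources": [
        {
            "address": "aws_networkfirewall_rule_group.this",
            "type": "aws_networkfirewall_rule_group",
            "values": {
                "name": "test2", "type": "STATEFUL",
                "rule_group": [{
                    "rule_variables": [{
                        "ip_sets": [{"key": "HOME_NET",
                                     "ip_set": [{"definition": ["10.1.0.0/16", "10.2.0.0/24"]}]}],
                        "port_sets": [],
                    }],
                    "rules_source": [{"rules_source_list": [{
                        "generated_rules_type": "ALLOWLIST",
                        "target_types": ["TLS_SNI"],
                        "targets": ["test.example.com"],
                    }]}],
                }],
            },
        },
        {
            "address": 'aws_networkfirewall_rule_group.domain_stateful_group["default_rule_group"]',
            "type": "aws_networkfirewall_rule_group",
            "values": {
                "name": "demo-domain-statefull-default-rule-group", "type": "STATEFUL",
                "rule_group": [{
                    "rule_variables": [{
                        "ip_sets": [{"key": "VPC_conected_networks",
                                     "ip_set": [{"definition": ["10.253.0.0/16", "10.254.0.0/24"]}]}],
                        "port_sets": [],
                    }],
                    "rules_source": [{"rules_source_list": [{
                        "generated_rules_type": "ALLOWLIST",
                        "target_types": ["HTTP_HOST", "TLS_SNI"],
                        "targets": [".domain1.com", ".domain2.com"],
                    }]}],
                }],
            },
        },
    ]}}
}


def domain_list_groups(plan):
    """Yield (address, rule_group) for each rule group that uses a domain list."""
    resources = plan.get("planned_values", {}).get("root_module", {}).get("resources", [])
    for res in resources:
        if res.get("type") != "aws_networkfirewall_rule_group":
            continue
        for rg in res.get("values", {}).get("rule_group", []):
            if any(src.get("rules_source_list") for src in rg.get("rules_source", [])):
                yield res["address"], rg


def ip_set_definitions(rule_group):
    """Map each ip_sets key to the flat list of CIDR strings it defines."""
    out = {}
    for rv in rule_group.get("rule_variables", []):
        for entry in rv.get("ip_sets", []):
            cidrs = [c for d in entry.get("ip_set", []) for c in d.get("definition", [])]
            out.setdefault(entry.get("key", ""), []).extend(cidrs)
    return out


def check_plan(plan, expected_cidrs):
    """Return [(address, finding)] for domain list groups whose HOME_NET is
    missing, unparsable, or not equal to the expected source CIDR set."""
    expected = {ipaddress.ip_network(c) for c in expected_cidrs}
    findings = []
    for address, rg in domain_list_groups(plan):
        defs = ip_set_definitions(rg)
        if "HOME_NET" not in defs:
            findings.append((address, "HOME_NET not defined (ip_sets keys: %s); "
                             "the source IP scope of a domain list group is set via HOME_NET"
                             % sorted(defs)))
            continue
        try:
            nets = {ipaddress.ip_network(c) for c in defs["HOME_NET"]}
        except ValueError as exc:  # e.g. an "x.x.x.x/16" placeholder left in place
            findings.append((address, "HOME_NET has an invalid CIDR: %s" % exc))
            continue
        if nets != expected:
            findings.append((address, "HOME_NET %s differs from expected %s"
                             % (sorted(map(str, nets)), sorted(map(str, expected)))))
    return findings


def check_plan_file(path, expected_cidrs):
    """Run check_plan over a file written by `terraform show -json tfplan > plan.json`."""
    with open(path) as fh:
        return check_plan(json.load(fh), expected_cidrs)


if __name__ == "__main__":
    for address, finding in check_plan(SAMPLE_PLAN, ["10.1.0.0/16", "10.2.0.0/24"]):
        print(address, "->", finding)
```

Run against the sample, only the second group is reported, because its CIDRs sit under a custom key rather than HOME_NET; wire `check_plan_file` into a pre-apply step with the CIDR list you intend to scope the domain rules to, and a plan that silently drops that scope fails before it is applied.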