I am trying to use aws_networkfirewall_rule_group to create a Domain list type rule group.
I can create the group, specifying the domain. But I can’t see any options to add Source IP CIDR ranges.
In the console there are 2 options that need defining:
Source IPs type - set to Defined
Source IP CIDR ranges - list IPs/subnets.
Neither of them seems to be an option when deploying via Terraform. Hopefully I am missing something obvious.
I’m using AWS provider 4.22.0 & Terraform v1.1.3
Thanks
I have worked this out. It’s very different to the Console where you can just add IP ranges. Instead you have to update the HOME_NET value. Example below:
resource "aws_networkfirewall_rule_group" "this" {
  capacity = 100
  name     = "test2"
  type     = "STATEFUL"

  rule_group {
    # The "Source IP CIDR ranges" from the console are expressed here by
    # overriding the HOME_NET rule variable; the domain list rules only
    # apply to traffic whose source address is in this set.
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = ["x.x.x.x/16", "x.x.x.x/24"]
        }
      }
    }

    # Domain list rule group: allow only the listed TLS SNI names.
    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        target_types         = ["TLS_SNI"]
        targets              = ["test.example.com"]
      }
    }
  }

  tags = var.tags
}
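The answer above shows the rule group on its own. The following is an added example, not code from the original post, that builds the same HOME_NET-scoped domain list rule group into a complete configuration: it declares the CIDR list and domain list as variables (with a validation block that rejects malformed IPv4 CIDRs at plan time instead of at the API), and attaches the rule group to a firewall policy so it actually takes effect. The variable names, resource names, domain values and CIDR ranges are constructed placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.22.0"
    }
  }
}

# Constructed sample values: the client subnets whose outbound traffic the
# domain allowlist should be scoped to. Replace with the real ranges.
variable "home_net_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/16", "10.1.0.0/24"]

  validation {
    # cidrnetmask() fails on anything that is not a valid IPv4 CIDR, so a
    # typo such as "10.0.0.0/33" is caught by `terraform plan`.
    condition     = alltrue([for c in var.home_net_cidrs : can(cidrnetmask(c))])
    error_message = "Every entry in home_net_cidrs must be a valid IPv4 CIDR block."
  }
}

# Constructed sample values. A leading dot (".example.org") matches the
# domain and all of its subdomains.
variable "allowed_domains" {
  type    = list(string)
  default = ["test.example.com", ".example.org"]
}

variable "tags" {
  type    = map(string)
  default = {}
}

resource "aws_networkfirewall_rule_group" "domain_allowlist" {
  capacity = 100
  name     = "domain-allowlist-example"
  type     = "STATEFUL"

  rule_group {
    # Equivalent of the console's "Source IP CIDR ranges": override HOME_NET.
    rule_variables {
      ip_sets {
        key = "HOME_NET"
        ip_set {
          definition = var.home_net_cidrs
        }
      }
    }

    rules_source {
      rules_source_list {
        generated_rules_type = "ALLOWLIST"
        # Match both TLS SNI and plain HTTP Host headers.
        target_types = ["TLS_SNI", "HTTP_HOST"]
        targets      = var.allowed_domains
      }
    }
  }

  tags = var.tags
}

# The rule group does nothing until a firewall policy references it.
resource "aws_networkfirewall_firewall_policy" "example" {
  name = "domain-allowlist-policy"

  firewall_policy {
    # Send everything to the stateful engine so the domain rules are evaluated.
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateful_rule_group_reference {
      resource_arn = aws_networkfirewall_rule_group.domain_allowlist.arn
    }
  }

  tags = var.tags
}

output "rule_group_arn" {
  value = aws_networkfirewall_rule_group.domain_allowlist.arn
}
```

Run `terraform validate` and `terraform plan` to exercise the CIDR validation before anything is created; an ALLOWLIST rule group drops traffic from HOME_NET to any domain not in the list, so keep the CIDR set as narrow as the clients that actually need the restriction.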