Multiple values for parameters in aws_networkfirewall_rule_group

Hello,

I'm trying to create a stateful rule for AWS Network Firewall using Terraform.
The problem that I face is that I'm not able to put multiple values for such parameters as "destination", "source", "destination_port", "source_port".

The error that I'm receiving while trying to provide something like:
'destination = ["$variable1","$variable2"]'
is:
"Inappropriate value for attribute "destination": string required."

From the documentation (Terraform Registry), as I have understood it, it is possible to pass "An IP address or a block of IP addresses in CIDR notation", but only for stateless rules?

Any advice is appreciated

Thank you.

@OneOfTheJohns The documentation (which is the same as that of the AWS API reference) isn't very clear on this, but you can indeed specify a list of IPs, CIDR ranges, or variable names (if defined in the rule group) in the string notation. I had to look at a rule definition in the AWS CLI to cross-check... Here's an example for a standard stateful rule:

resource "aws_networkfirewall_rule_group" "example" {
  capacity    = 50
  description = "Permits internal HTTP traffic from source"
  name        = "example"
  type        = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "PASS"
        header {
          protocol         = "HTTP"
          source           = "ANY"
          source_port      = "ANY"
          direction        = "FORWARD"
          # Several values go in one string: a comma-separated list inside square brackets
          destination      = "[10.0.0.0/16,10.10.0.0/16]"
          destination_port = "[80,443]"
        }
        rule_option {
          keyword  = "sid"
          settings = ["1"]
        }
      }
    }
  }
}

If you are maintaining IP addresses as list variables in Terraform, you should be able to use the jsonencode function to convert the list into a string and pass that as the argument in the resource.

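Building the bracketed string from native Terraform lists, as an added example that is not part of the answer above: `join` plus `format` produces exactly the `[a,b]` form shown in the answer, and a `validation` block rejects anything in the list that is not a CIDR block before the rule group is ever planned. The variable names, the sample CIDRs and the resource name are my own assumptions.

```hcl
variable "internal_cidrs" {
  type    = list(string)
  default = ["10.0.0.0/16", "10.10.0.0/16"] # constructed sample values
  validation {
    # cidrhost() errors on anything that is not valid CIDR notation, so can() turns that into false
    condition     = alltrue([for c in var.internal_cidrs : can(cidrhost(c, 0))])
    error_message = "Every element of internal_cidrs must be a CIDR block such as 10.0.0.0/16."
  }
}

variable "http_ports" {
  type    = list(string)
  default = ["80", "443"] # constructed sample values
}

locals {
  # Stateful header fields are strings; multiple values are written as "[v1,v2,...]"
  dest_cidrs = format("[%s]", join(",", var.internal_cidrs)) # "[10.0.0.0/16,10.10.0.0/16]"
  dest_ports = format("[%s]", join(",", var.http_ports))     # "[80,443]"
}

resource "aws_networkfirewall_rule_group" "internal_http" {
  capacity    = 50
  description = "Permits internal HTTP traffic to the listed networks only"
  name        = "internal-http"
  type        = "STATEFUL"
  rule_group {
    rules_source {
      stateful_rule {
        action = "PASS"
        header {
          protocol         = "HTTP"
          source           = "ANY"
          source_port      = "ANY"
          direction        = "FORWARD"
          destination      = local.dest_cidrs
          destination_port = local.dest_ports
        }
        rule_option {
          keyword  = "sid"
          settings = ["1"]
        }
      }
    }
  }
}
```

Passing `-var 'internal_cidrs=["10.0.0.0/16","not-a-cidr"]'` fails at plan time with the validation message, so a typo cannot silently widen what the PASS rule allows.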

Thanks a lot, that answer helped me.
