# AWS provider configuration. The region is fixed here; note that
# aws_subnet.firewall_subnet below also pins availability_zone to
# "us-east-1a", so both values need to move together.
provider "aws" {
  region = "us-east-1" # Change as needed
}
# Public IP of the host running Terraform, as seen by AWS's checkip service.
# The answer is used as a firewall source address further down, so it is
# only as trustworthy as that HTTPS endpoint's view of the caller.
data "http" "my_ip" {
  url = "https://checkip.amazonaws.com/"
}
locals {
  # The execution host's address in CIDR form. chomp() strips the trailing
  # newline checkip returns; the "/32" suffix assumes an IPv4 answer.
  # NOTE(review): recent hashicorp/http provider releases deprecate `body`
  # in favour of `response_body` — confirm against the pinned provider version.
  my_ip = format("%s/32", chomp(data.http.my_ip.body))
}
# GitHub's published address ranges, fetched from its unauthenticated meta
# endpoint. Only the "git" key is consumed (see locals.github_ips).
data "http" "github_ips" {
  url = "https://api.github.com/meta"
}
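locals {
  # Source-address list built from the "git" entries of GitHub's meta API.
  # Those entries are already CIDR blocks (for example "192.30.252.0/22"),
  # so unconditionally appending "/32" as the original did produced values
  # such as "192.30.252.0/22/32", which are not valid address definitions.
  # A "/32" is now added only to entries that carry no prefix length.
  # NOTE(review): the list also contains IPv6 prefixes — confirm the VPC and
  # rule group are meant to handle IPv6 before relying on those entries.
  # NOTE(review): "git" is the range GitHub serves Git traffic from; webhook
  # deliveries originate from the "hooks" ranges — confirm which one this
  # rule is meant to admit.
  github_ips = [
    for ip in jsondecode(data.http.github_ips.body).git :
    can(regex("/", ip)) ? ip : "${ip}/32"
  ]
}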
# VPC that hosts the firewall subnet. Only the CIDR is set; everything else
# takes the provider defaults.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}
# Subnet that receives the Network Firewall endpoint. The availability zone
# is hard-coded and must belong to the region set on the provider.
resource "aws_subnet" "firewall_subnet" {
  availability_zone = "us-east-1a"
  cidr_block        = "10.0.1.0/24"
  vpc_id            = aws_vpc.main.id
}
# The firewall itself: one endpoint in aws_subnet.firewall_subnet, governed
# by aws_networkfirewall_firewall_policy.policy.
resource "aws_networkfirewall_firewall" "firewall" {
  name                = "my-firewall"
  vpc_id              = aws_vpc.main.id
  firewall_policy_arn = aws_networkfirewall_firewall_policy.policy.arn

  subnet_mapping {
    subnet_id = aws_subnet.firewall_subnet.id
  }
}
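# Stateless rule group referenced by aws_networkfirewall_firewall_policy.policy.
# Rules are tried in priority order (lowest first); a matching packet gets
# "aws:pass". Packets matching no rule fall through to the policy's default
# actions.
resource "aws_networkfirewall_rule_group" "https_my_ip_github" {
  # NOTE(review): stateless capacity is consumed per expanded match
  # combination, and rule 2 now emits one sources block per GitHub range —
  # confirm 100 still covers the group after expansion.
  capacity = 100
  name     = "https-my-ip-github"
  type     = "STATELESS"

  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {

        # Rule 1: pass traffic from the Terraform execution host. No
        # protocols or destination_ports are set, so this admits every
        # protocol and port from local.my_ip, not just HTTPS.
        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:pass"]
            match_attributes {
              sources {
                address_definition = local.my_ip
              }
              destinations {
                address_definition = "0.0.0.0/0"
              }
            }
          }
        }

        # Rule 2: pass traffic from the GitHub ranges. address_definition
        # takes a single CIDR string, so the original `local.github_ips[*]`
        # (a list) did not type-check; a dynamic block now emits one sources
        # entry per range. As with rule 1, no protocol/port restriction applies.
        stateless_rule {
          priority = 2
          rule_definition {
            actions = ["aws:pass"]
            match_attributes {
              dynamic "sources" {
                for_each = local.github_ips
                content {
                  address_definition = sources.value
                }
              }
              destinations {
                address_definition = "0.0.0.0/0"
              }
            }
          }
        }

        # Rule 3: pass TCP/443 from any source to any destination. This is the
        # only rule that actually narrows to HTTPS.
        # NOTE(review): stateless rules match individual packets; the reply
        # leg of an HTTPS flow (source port 443, ephemeral destination port)
        # is not covered by this rule and would hit the policy default —
        # confirm that is intended, or pair it with a reverse rule / a
        # stateful engine.
        stateless_rule {
          priority = 3
          rule_definition {
            actions = ["aws:pass"]
            match_attributes {
              sources {
                address_definition = "0.0.0.0/0"
              }
              destinations {
                address_definition = "0.0.0.0/0"
              }
              protocols = [6] # TCP
              destination_ports {
                from_port = 443
                to_port   = 443
              }
            }
          }
        }

      }
    }
  }
}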
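# Firewall policy attached to aws_networkfirewall_firewall.firewall. It
# references the stateless rule group and drops whatever that group does not
# explicitly pass.
resource "aws_networkfirewall_firewall_policy" "policy" {
  name = "firewall-policy"

  firewall_policy {
    stateless_rule_group_references {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.https_my_ip_github.arn
    }

    # Default-deny for unfragmented packets that match no stateless rule.
    stateless_default_actions = ["aws:drop"]

    # The provider requires this argument next to stateless_default_actions;
    # it was missing from the original block. Fragmented packets that match
    # no rule get the same default-deny treatment.
    stateless_fragment_default_actions = ["aws:drop"]
  }
}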