aws-samples / aws-network-firewall-terraform
This repository contains terraform code to deploy the necessary resources to get started to test AWS Network Firewall.
License: MIT No Attribution
hey there,
I was just testing the code and it seems that the output of flow logs to S3 is not working.
I can successfully deploy the terraform code and everything works as expected, but within the S3 bucket no flow logs are appearing.
Is there maybe a permission missing that must be deployed via terraform as stated in the docs?
https://docs.aws.amazon.com/network-firewall/latest/developerguide/logging-s3.html
kind regards,
Thomas
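The logging documentation linked in the post above requires a bucket policy that lets the log delivery service check the bucket ACL and write objects under the AWSLogs/<account-id>/ path; without it the firewall accepts the logging configuration but nothing lands in the bucket. The following is an added example, not code from this repository: it assumes an existing aws_s3_bucket.anfw_flow_bucket and an aws_networkfirewall_firewall named inspection_firewall (both names are assumptions), uses "flow" as an arbitrary prefix, and follows the policy shape given in that documentation page.

```hcl
# Added example (not the repository's code): bucket policy plus logging
# configuration for Network Firewall flow logs to S3.
# Assumed names: aws_s3_bucket.anfw_flow_bucket, aws_networkfirewall_firewall.inspection_firewall.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  flow_log_prefix = "flow" # arbitrary; objects land under <prefix>/AWSLogs/<account>/
  logs_source_arn = "arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:*"
}

data "aws_iam_policy_document" "anfw_flow_bucket" {
  # The delivery service reads the bucket ACL before it writes anything.
  statement {
    sid       = "AWSLogDeliveryAclCheck"
    effect    = "Allow"
    actions   = ["s3:GetBucketAcl"]
    resources = [aws_s3_bucket.anfw_flow_bucket.arn]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    # Confused-deputy guard: only deliveries originating from this account/region.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.logs_source_arn]
    }
  }

  # Writes are confined to the log path for this account and must hand
  # ownership of every object to the bucket owner.
  statement {
    sid       = "AWSLogDeliveryWrite"
    effect    = "Allow"
    actions   = ["s3:PutObject"]
    resources = ["${aws_s3_bucket.anfw_flow_bucket.arn}/${local.flow_log_prefix}/AWSLogs/${data.aws_caller_identity.current.account_id}/*"]

    principals {
      type        = "Service"
      identifiers = ["delivery.logs.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "s3:x-amz-acl"
      values   = ["bucket-owner-full-control"]
    }
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [local.logs_source_arn]
    }
  }
}

resource "aws_s3_bucket_policy" "anfw_flow_bucket" {
  bucket = aws_s3_bucket.anfw_flow_bucket.id
  policy = data.aws_iam_policy_document.anfw_flow_bucket.json
}

resource "aws_networkfirewall_logging_configuration" "anfw_flow_logs" {
  firewall_arn = aws_networkfirewall_firewall.inspection_firewall.arn
  # The policy has to be in place before the firewall validates the destination.
  depends_on = [aws_s3_bucket_policy.anfw_flow_bucket]

  logging_configuration {
    log_destination_config {
      log_destination_type = "S3"
      log_type             = "FLOW"
      log_destination = {
        bucketName = aws_s3_bucket.anfw_flow_bucket.bucket
        prefix     = local.flow_log_prefix
      }
    }
  }
}
```

Flow records are written only for traffic the firewall actually inspects, and delivery is batched, so after apply generate some cross-VPC traffic and allow a few minutes before checking the bucket. The two SourceAccount/SourceArn conditions are what stop another account's delivery stream from being pointed at this bucket.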
Hi
It will be really helpful for everyone to test end to end if you can add "Add centralized ingress VPC with NFW".
The web service configuration file web-service.tf uses the template_file data source to populate the userdata for the EC2 web host instances. This provider is no longer supported and will not work on newer device architectures like M1 Mac processors.
Terraform provider will initialize successfully on M1 Mac.
See example output:
$ terraform init
Initializing the backend...
Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 3.28.0"...
- Finding hashicorp/random versions matching ">= 2.3.0"...
- Finding latest version of hashicorp/template...
- Installing hashicorp/aws v5.17.0...
- Installed hashicorp/aws v5.17.0 (signed by HashiCorp)
- Installing hashicorp/random v3.5.1...
- Installed hashicorp/random v3.5.1 (signed by HashiCorp)
╷
│ Error: Incompatible provider version
│
│ Provider registry.terraform.io/hashicorp/template v2.2.0 does not have a package available for your current platform, darwin_arm64.
│
│ Provider releases are separate from Terraform CLI releases, so not all providers are available for all platforms. Other versions of this provider
│ may have different platforms supported.
Relates #7
hashicorp/terraform-provider-template#85
https://registry.terraform.io/providers/hashicorp/template/latest/docs
The current template doesn't support deploying to regions other than eu-west-1. This is due to the region-specific service names specified in the aws_vpc_endpoint resources used to enable access to the EC2 instances via SSM.
Note this appears to be a duplicate of #4, but the current main branch doesn't include the fixes from related PR #5.
provider.tf, e.g.:
provider "aws" {
  region = "us-east-2"
}
eu-west-1 region, regardless of the region specified in the provider configuration. If using a different region, the deployment fails.
$ cat provider.tf
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0
terraform {
  required_providers {
    aws = {
      version = ">= 3.28.0"
      source  = "hashicorp/aws"
    }
    random = {
      source  = "hashicorp/random"
      version = ">=2.3.0"
    }
  }
}
provider "aws" {
  region = "us-east-2"
}
$ terraform apply
...
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssm): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ status code: 400, request id: 2c59303c-1baa-4888-905c-fb5e7cc9ef2c
│
│ with aws_vpc_endpoint.spoke_vpc_a_ssm_endpoint,
│ on vpc-endpoints.tf line 36, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint":
│ 36: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint" {
│
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssmmessages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ status code: 400, request id: a3b93362-9d28-438b-8790-2c70990b02d0
│
│ with aws_vpc_endpoint.spoke_vpc_a_ssm_messages_endpoint,
│ on vpc-endpoints.tf line 47, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint":
│ 47: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint" {
│
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ec2messages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ status code: 400, request id: 01fec6c1-53bd-459f-b4a0-5898eacee797
│
│ with aws_vpc_endpoint.spoke_vpc_a_ec2_messages_endpoint,
│ on vpc-endpoints.tf line 58, in resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint":
│ 58: resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint" {
│
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssm): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ status code: 400, request id: 96b7094e-8d63-468c-80f6-894b03006851
│
│ with aws_vpc_endpoint.spoke_vpc_b_ssm_endpoint,
│ on vpc-endpoints.tf line 69, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint":
│ 69: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint" {
│
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssmmessages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ status code: 400, request id: d3f35104-87b3-48cc-bf32-4533a378f437
│
│ with aws_vpc_endpoint.spoke_vpc_b_ssm_messages_endpoint,
│ on vpc-endpoints.tf line 80, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint":
│ 80: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint" {
│
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ec2messages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ status code: 400, request id: 94219d4d-1df8-4475-9394-f05e3a78eb40
│
│ with aws_vpc_endpoint.spoke_vpc_b_ec2_messages_endpoint,
│ on vpc-endpoints.tf line 91, in resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint":
│ 91: resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint" {
Hello,
unfortunately, nginx is not started during terraform deployment.
As a result, curl to the machine in the other VPC does not work.
Can you probably fix this?
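The template_file report earlier on this page and the nginx report just above share one fix point: the user data for the web hosts. The block below is an added example, not the repository's web-service.tf; it swaps the unmaintained hashicorp/template provider for Terraform's built-in templatefile() function (so no provider package is needed for darwin_arm64) and has the rendered script install and enable nginx. Everything named here is an assumption: aws_subnet.spoke_vpc_a_private, aws_security_group.web, var.web_ami_id (an Amazon Linux 2023 AMI), and a template file userdata.sh.tftpl whose assumed contents are shown in the trailing comment.

```hcl
# Added example, not the project's own code. Assumed names: aws_subnet.spoke_vpc_a_private,
# aws_security_group.web, var.web_ami_id (Amazon Linux 2023), file userdata.sh.tftpl.

# Before (as described in the template_file issue; needs the hashicorp/template
# provider, which has no darwin_arm64 package):
#
#   data "template_file" "web_userdata" {
#     template = file("${path.module}/userdata.sh.tpl")
#     vars     = { banner = "web host in spoke VPC A" }
#   }
#   user_data = data.template_file.web_userdata.rendered

# After: a built-in function renders the same file, so the implicit provider
# requirement disappears once no template_file data source is left.
locals {
  web_userdata = templatefile("${path.module}/userdata.sh.tftpl", {
    banner = "web host in spoke VPC A"
  })
}

resource "aws_instance" "web" {
  ami                    = var.web_ami_id
  instance_type          = "t3.micro"
  subnet_id              = aws_subnet.spoke_vpc_a_private.id
  vpc_security_group_ids = [aws_security_group.web.id]
  user_data              = local.web_userdata

  # cloud-init runs user data once per instance; a changed script must
  # replace the instance rather than silently leave the old one unconfigured.
  user_data_replace_on_change = true

  metadata_options {
    http_tokens = "required" # IMDSv2 only; keeps instance credentials off plain GET
  }
}

# Assumed contents of userdata.sh.tftpl. ${banner} is substituted by templatefile();
# the script fails fast so cloud-init logs show any package error instead of a
# half-configured host with nginx never started.
#
#   #!/bin/bash
#   set -euo pipefail
#   dnf install -y nginx
#   echo "${banner}" > /usr/share/nginx/html/index.html
#   systemctl enable --now nginx
```

After removing the last template_file data source, run terraform init -upgrade so the dependency lock file drops hashicorp/template; the required_providers block shown in this page's provider.tf never listed it, so there is nothing else to delete. If the instance still answers no HTTP, /var/log/cloud-init-output.log on the host is the first place to look.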
The README.md suggests the following:
By default, the templates deploy in the eu-west-1 AWS Region. If you wish to deploy in any other AWS Region, edit the corresponding setting in the provider.tf file.
In practice, changing only the provider.tf region still results in errors related to creating VPC endpoints in the eu-west-1 region:
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ status code: 400, request id: 111bccab-2e0f-4f6e-b257-12ef88e70567
│
│ with aws_vpc_endpoint.spoke_vpc_a_ssm_endpoint,
│ on instances.tf line 83, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint":
│ 83: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint" {
│
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ status code: 400, request id: ecadf264-e47b-4628-8398-9f2802648c1a
│
│ with aws_vpc_endpoint.spoke_vpc_a_ssm_messages_endpoint,
│ on instances.tf line 94, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint":
│ 94: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint" {
│
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ status code: 400, request id: 53aa1671-6095-48f8-bdd5-4f0eaa355054
│
│ with aws_vpc_endpoint.spoke_vpc_a_ec2_messages_endpoint,
│ on instances.tf line 105, in resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint":
│ 105: resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint" {
│
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ status code: 400, request id: 374adeff-c710-4148-b045-fbf08dccc7c9
│
│ with aws_vpc_endpoint.spoke_vpc_b_ssm_endpoint,
│ on instances.tf line 116, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint":
│ 116: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint" {
│
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ status code: 400, request id: f883b8c7-d7b3-4de1-b59f-5733b87c408e
│
│ with aws_vpc_endpoint.spoke_vpc_b_ssm_messages_endpoint,
│ on instances.tf line 127, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint":
│ 127: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint" {
│
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ status code: 400, request id: 5024fa06-3191-4848-aa3d-f1ff10d843f1
│
│ with aws_vpc_endpoint.spoke_vpc_b_ec2_messages_endpoint,
│ on instances.tf line 138, in resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint":
│ 138: resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint" {
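Both region reports on this page trace back to the same thing: the aws_vpc_endpoint service names carry a literal eu-west-1. The block below is an added example, not the repository's vpc-endpoints.tf or instances.tf; it derives the region from the provider, creates the three Session Manager endpoints from one for_each, and restricts their security group to HTTPS from inside the VPC. Assumed names: aws_vpc.spoke_vpc_a and aws_subnet.spoke_vpc_a_private (a list of private subnets).

```hcl
# Added example (not the repository's code): region-agnostic SSM interface endpoints.
# Assumed names: aws_vpc.spoke_vpc_a, aws_subnet.spoke_vpc_a_private (list).

# Read the region from the provider instead of hard-coding it in service names.
data "aws_region" "current" {}

locals {
  # The three interface endpoints Session Manager needs to reach private instances.
  ssm_endpoint_services = toset(["ssm", "ssmmessages", "ec2messages"])
}

resource "aws_security_group" "spoke_vpc_a_endpoints" {
  name        = "spoke-vpc-a-endpoints"
  description = "HTTPS from inside the VPC to the SSM interface endpoints"
  vpc_id      = aws_vpc.spoke_vpc_a.id

  # Only hosts in this VPC may reach the endpoint ENIs. No egress rule is
  # declared: interface endpoints only accept connections, they never initiate.
  ingress {
    description = "HTTPS from the VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.spoke_vpc_a.cidr_block]
  }
}

resource "aws_vpc_endpoint" "spoke_vpc_a_ssm" {
  for_each = local.ssm_endpoint_services

  vpc_id            = aws_vpc.spoke_vpc_a.id
  vpc_endpoint_type = "Interface"
  # Works in any region: "com.amazonaws.us-east-2.ssm" when the provider says us-east-2.
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  subnet_ids          = aws_subnet.spoke_vpc_a_private[*].id
  security_group_ids  = [aws_security_group.spoke_vpc_a_endpoints.id]
  private_dns_enabled = true # the SSM agent resolves the regional hostname to the endpoint

  tags = {
    Name = "spoke-vpc-a-${each.key}-endpoint"
  }
}
```

The same pattern applied to spoke VPC B (or a second for_each keyed by VPC) removes every remaining literal region. The aws_region data source's name attribute is what the >= 3.28.0 provider pinned in this page's provider.tf exposes; newer major provider versions also offer a region attribute and warn that name is deprecated, so check the provider changelog before relying on either long term.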
Enable ACLs on anfw_flow_bucket; if those are not enabled, tf apply fails on "Error: error creating S3 bucket ACL for network-firewall-flow-bucket-xxxxx: AccessControlListNotSupported: The bucket does not allow ACLs"
diff aws-network-firewall-terraform/firewall.tf aws-network-firewall-terraform_modified/firewall.tf
165a166
depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
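Review bot: the ed-style hunk header 165a166 gives no surrounding context, so it is not visible which resource block receives this depends_on. It only orders creation correctly if it sits inside the aws_s3_bucket_acl resource for anfw_flow_bucket (the resource that raises AccessControlListNotSupported), because that resource references no attribute of the ownership-controls resource and would otherwise be created first; a depends_on placed on the bucket itself would not help. Please show the enclosing block (diff -u output is enough) so the placement can be reviewed.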
167a169,175
resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
bucket = aws_s3_bucket.anfw_flow_bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
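Review bot: object_ownership = "BucketOwnerPreferred" re-enables ACLs on a bucket that was created with them disabled, which is exactly the state the quoted error reports. If the ACL the template sets is only the bucket-owner default, the smaller and safer change is to delete the aws_s3_bucket_acl resource and leave the bucket in the BucketOwnerEnforced state, so that the bucket policy remains the single authorization path and no second ACL surface is reintroduced. If an ACL is genuinely required (for example by a log delivery principal), keep this resource but add a comment stating why ACLs must stay on, otherwise the next reader will be tempted to remove it again.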