aws-samples / aws-network-firewall-terraform

This repository contains terraform code to deploy the necessary resources to get started to test AWS Network Firewall.

License: MIT No Attribution

HCL 99.50% Shell 0.50%


aws-network-firewall-terraform's Issues

web-service.tf uses deprecated `template` provider, fails on M1 CPU

The web service configuration file web-service.tf uses the template_file data source to populate the userdata for the EC2 web host instances. This provider is no longer supported and will not work on newer device architectures like M1 Mac processors.

Expected behavior

Terraform providers will initialize successfully on an M1 Mac.

Actual behavior

See example output

Example output

$ terraform init
Initializing the backend...

Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 3.28.0"...
- Finding hashicorp/random versions matching ">= 2.3.0"...
- Finding latest version of hashicorp/template...
- Installing hashicorp/aws v5.17.0...
- Installed hashicorp/aws v5.17.0 (signed by HashiCorp)
- Installing hashicorp/random v3.5.1...
- Installed hashicorp/random v3.5.1 (signed by HashiCorp)
╷
│ Error: Incompatible provider version
│ 
│ Provider registry.terraform.io/hashicorp/template v2.2.0 does not have a package available for your current platform, darwin_arm64.
│ 
│ Provider releases are separate from Terraform CLI releases, so not all providers are available for all platforms. Other versions of this provider
│ may have different platforms supported.

Related items

Relates #7

References

hashicorp/terraform-provider-template#85
https://registry.terraform.io/providers/hashicorp/template/latest/docs

Missing support for regions other than eu-west-1 (Ireland)

The current template doesn't support deploying to regions other than eu-west-1. This is due to the region-specific service names specified in the aws_vpc_endpoint resources used to enable access to the EC2 instances via SSM.

Note this appears to be a duplicate of #4, but the current main branch doesn't include the fixes from related PR #5.

Expected behavior

  • VPC endpoints will deploy in the desired region specified in provider.tf, e.g.:
provider "aws" {
  region = "us-east-2"
}

Actual behavior

  • VPC endpoints attempt to deploy into the eu-west-1 region, regardless of the region specified in the provider configuration. If using a different region, the deployment fails.

Example output

$ cat provider.tf                                                                                
// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0

terraform {
  required_providers {
    aws = {
      version = ">= 3.28.0"
      source  = "hashicorp/aws"
    }
    random = {
      source  = "hashicorp/random"
      version = ">=2.3.0"
    }
  }
}

provider "aws" {
  region = "us-east-2"
}

$ terraform apply
...
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssm): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│       status code: 400, request id: 2c59303c-1baa-4888-905c-fb5e7cc9ef2c
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ssm_endpoint,
│   on vpc-endpoints.tf line 36, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint":
│   36: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint" {
│ 
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssmmessages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│       status code: 400, request id: a3b93362-9d28-438b-8790-2c70990b02d0
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ssm_messages_endpoint,
│   on vpc-endpoints.tf line 47, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint":
│   47: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint" {
│ 
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ec2messages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│       status code: 400, request id: 01fec6c1-53bd-459f-b4a0-5898eacee797
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ec2_messages_endpoint,
│   on vpc-endpoints.tf line 58, in resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint":
│   58: resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint" {
│ 
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssm): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│       status code: 400, request id: 96b7094e-8d63-468c-80f6-894b03006851
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ssm_endpoint,
│   on vpc-endpoints.tf line 69, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint":
│   69: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint" {
│ 
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ssmmessages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│       status code: 400, request id: d3f35104-87b3-48cc-bf32-4533a378f437
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ssm_messages_endpoint,
│   on vpc-endpoints.tf line 80, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint":
│   80: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint" {
│ 
╵
╷
│ Error: creating EC2 VPC Endpoint (com.amazonaws.eu-west-1.ec2messages): InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│       status code: 400, request id: 94219d4d-1df8-4475-9394-f05e3a78eb40
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ec2_messages_endpoint,
│   on vpc-endpoints.tf line 91, in resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint":
│   91: resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint" {

Related items

Previous issue: #4
Previous PR: #5

NGINX not active

Hello,
unfortunately, nginx is not started during the terraform deployment.
As a result, curl to the machine in the other VPC does not work.
Can you probably fix this?
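An added example, not the repository's web-service.tf, that addresses the two reports above together: the deprecated hashicorp/template data source is replaced by Terraform's built-in templatefile() function (no provider plugin, so nothing is missing on darwin_arm64), and the rendered user data explicitly enables and starts nginx. The resource, data source, variable and template file names are assumptions.

```hcl
# Added example (not the project's code): user data without the
# hashicorp/template provider, and nginx enabled at boot.

variable "web_port" {
  type    = number
  default = 80
}

resource "aws_instance" "web_a" {
  ami           = data.aws_ami.amazon_linux_2.id      # assumption
  instance_type = "t3.micro"
  subnet_id     = aws_subnet.spoke_vpc_a_private.id   # assumption

  # templatefile() is built into Terraform (0.12 and later) and renders at
  # plan time, so terraform init no longer looks for hashicorp/template.
  user_data = templatefile("${path.module}/web-userdata.sh.tftpl", {
    web_port = var.web_port
  })

  # Re-create the instance when the template changes, so an edited
  # bootstrap script actually runs instead of being silently ignored.
  user_data_replace_on_change = true
}

# Contents of web-userdata.sh.tftpl (assumed, rendered by templatefile above).
# "enable --now" both starts nginx immediately and makes it start on reboot,
# which is the step a script that only installs the package leaves out.
#
#   #!/bin/bash
#   amazon-linux-extras install -y nginx1
#   sed -i "s/listen       80;/listen       ${web_port};/" /etc/nginx/nginx.conf
#   systemctl enable --now nginx
```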

Error creating VPC Endpoint

Description

The README.md suggests the following:

By default, the templates deploy in the eu-west-1 AWS Region. If you wish to deploy in any other AWS Region, edit the corresponding setting in the provider.tf file.

In practice, changing only the provider.tf region still results in errors about creating VPC endpoints in the eu-west-1 region:

│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ 	status code: 400, request id: 111bccab-2e0f-4f6e-b257-12ef88e70567
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ssm_endpoint,
│   on instances.tf line 83, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint":
│   83: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_endpoint" {
│ 
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ 	status code: 400, request id: ecadf264-e47b-4628-8398-9f2802648c1a
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ssm_messages_endpoint,
│   on instances.tf line 94, in resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint":
│   94: resource "aws_vpc_endpoint" "spoke_vpc_a_ssm_messages_endpoint" {
│ 
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ 	status code: 400, request id: 53aa1671-6095-48f8-bdd5-4f0eaa355054
│ 
│   with aws_vpc_endpoint.spoke_vpc_a_ec2_messages_endpoint,
│   on instances.tf line 105, in resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint":
│  105: resource "aws_vpc_endpoint" "spoke_vpc_a_ec2_messages_endpoint" {
│ 
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssm' does not exist
│ 	status code: 400, request id: 374adeff-c710-4148-b045-fbf08dccc7c9
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ssm_endpoint,
│   on instances.tf line 116, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint":
│  116: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_endpoint" {
│ 
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ssmmessages' does not exist
│ 	status code: 400, request id: f883b8c7-d7b3-4de1-b59f-5733b87c408e
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ssm_messages_endpoint,
│   on instances.tf line 127, in resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint":
│  127: resource "aws_vpc_endpoint" "spoke_vpc_b_ssm_messages_endpoint" {
│ 
╵
╷
│ Error: Error creating VPC Endpoint: InvalidServiceName: The Vpc Endpoint Service 'com.amazonaws.eu-west-1.ec2messages' does not exist
│ 	status code: 400, request id: 5024fa06-3191-4848-aa3d-f1ff10d843f1
│ 
│   with aws_vpc_endpoint.spoke_vpc_b_ec2_messages_endpoint,
│   on instances.tf line 138, in resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint":
│  138: resource "aws_vpc_endpoint" "spoke_vpc_b_ec2_messages_endpoint" {
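An added example, not the repository's vpc-endpoints.tf, for the two reports above ("Missing support for regions other than eu-west-1" and "Error creating VPC Endpoint"): the SSM, ssmmessages and ec2messages endpoint service names are derived from the provider's region instead of being hard-coded, so the same configuration applies in us-east-2 or any other region. The VPC, subnet and security group names are assumptions.

```hcl
# Added example (not the project's code): region-independent SSM endpoints.

# Resolves to whatever region provider.tf configures.
data "aws_region" "current" {}

locals {
  # The three interface endpoints Session Manager needs from a private subnet.
  ssm_services = toset(["ssm", "ssmmessages", "ec2messages"])
}

resource "aws_security_group" "spoke_vpc_a_endpoints" {
  name   = "spoke-vpc-a-endpoints"
  vpc_id = aws_vpc.spoke_vpc_a.id   # assumption

  # Only the VPC's own address space may reach the endpoint ENIs, over HTTPS.
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.spoke_vpc_a.cidr_block]
  }
}

resource "aws_vpc_endpoint" "spoke_vpc_a_ssm" {
  for_each = local.ssm_services

  vpc_id = aws_vpc.spoke_vpc_a.id

  # With region = "us-east-2" this yields com.amazonaws.us-east-2.ssm etc.
  # (.name is the attribute on AWS provider v5, the version in the issue
  # output; provider v6 exposes the same value as .region.)
  service_name = "com.amazonaws.${data.aws_region.current.name}.${each.key}"

  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.spoke_vpc_a_private.id]   # assumption
  security_group_ids = [aws_security_group.spoke_vpc_a_endpoints.id]

  # Private DNS lets the SSM agent keep using the public hostname while the
  # traffic stays inside the VPC instead of crossing the firewall to the internet.
  private_dns_enabled = true
}
```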

Fix: Enable ACLs on anfw_flow_bucket

Enable ACLs on anfw_flow_bucket; if they are not enabled, tf apply fails with "Error: error creating S3 bucket ACL for network-firewall-flow-bucket-xxxxx: AccessControlListNotSupported: The bucket does not allow ACLs"

diff aws-network-firewall-terraform/firewall.tf aws-network-firewall-terraform_modified/firewall.tf
165a166

depends_on = [aws_s3_bucket_ownership_controls.s3_bucket_acl_ownership]
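Review bot: the 165a166 hunk shows only the added depends_on line, not the resource it lands in; it needs to sit inside the aws_s3_bucket_acl resource for anfw_flow_bucket, because that is the resource whose creation fails with AccessControlListNotSupported, and placing it on the bucket resource itself would not order the ACL after the ownership controls. The added lines have also lost the leading "> " that normal diff output prints, so the patch cannot be applied with patch as pasted; a unified diff (diff -u) or a pull request would be easier to review and apply.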
167a169,175
resource "aws_s3_bucket_ownership_controls" "s3_bucket_acl_ownership" {
bucket = aws_s3_bucket.anfw_flow_bucket.id
rule {
object_ownership = "BucketOwnerPreferred"
}
}
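Review bot: the new aws_s3_bucket_ownership_controls block is flush-left, unlike the rest of firewall.tf; run terraform fmt before submitting. BucketOwnerPreferred is the right setting if the aws_s3_bucket_acl resource is kept, but since the only requirement here is that the bucket accept that ACL, it is worth stating in the PR whether the ACL is needed at all: dropping the aws_s3_bucket_acl resource and leaving the bucket at its ACL-disabled default would avoid the error without re-enabling ACLs on a log bucket.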
