Add terraform-aws-fw-vpc and terraform-aws-firewall modules (#89)

Signed-off-by: Jim Enright <[email protected]>

Author: jimright

README.md

@@ -12,10 +12,12 @@ This repository contains a number of Terraform modules for creation of the pre-r
 | [terraform-cdp-deploy](modules/terraform-cdp-deploy/README.md) | For deployment of CDP on AWS, Azure or GCP. |
 | [terraform-aws-cred-permissions](modules/terraform-aws-cred-permissions/README.md) | Module for creation of the Cross Account Credential pre-requisite on AWS. Note that this module is called from the terraform-cdp-aws-prereqs module. |
 | [terraform-aws-permissions](modules/terraform-aws-permissions/README.md) | Module for creation of the AWS IAM permissions required by the (CDP) Public Cloud environment and datalake deployment. Note that this module is called from the terraform-cdp-aws-prereqs module. |
-| [terraform-aws-vpc](modules/terraform-aws-vpc/README.md) | Module for creation of the VPC networking resources on AWS suitable. Can be used to create the CDP VPC and Subnets. Note that this module is called from the terraform-cdp-aws-prereqs module. |
+| [terraform-aws-vpc](modules/terraform-aws-vpc/README.md) | Module for creation of the VPC networking resources on AWS. Can be used to create the CDP VPC and Subnets. Note that this module is called from the terraform-cdp-aws-prereqs module. |
+| [terraform-aws-fw-vpc](modules/terraform-aws-fw-vpc/README.md) | Module for creation of the VPC networking resources on AWS suitable for running a Firewall in a distributed architecture on AWS. Can be used to create a networking VPC which runs the AWS Network Firewall and connects to a Cloudera on cloud full-private deployment. |
 | [terraform-aws-tgw](modules/terraform-aws-tgw/README.md) | Module for creation of AWS Transity Gateway (TGW) and attaching a specified list of VPCs via the TGW. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a CDP VPC and Networking VPC are connected using the Transit Gateway. |
 | [terraform-aws-bastion](modules/terraform-aws-bastion/README.md) | Module to create a Bastion EC2 instance on AWS. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a secure environment, where the CDP Environment requires a Bastion host. |
 | [terraform-aws-proxy](modules/terraform-aws-proxy/README.md) | Module to create and configure and EC2 Auto-Scaling Group for a highly available Squid Proxy service with Network Load Balancer (NLB) to forward traffic to the proxy instances. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where a the CDP Environments uses a proxy config via the NLB. |
+| [terraform-aws-firewall](modules/terraform-aws-firewall/README.md) | Module to create and configure to create and configure an AWS Network Firewall. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where the CDP Environment is connected to a Networking VPC running the Firewall. |
 | [terraform-azure-nfs](modules/terraform-azure-nfs/README.md) | Module for creation of Azure NFS File Share required for Cloudera Machine Learning (CML) Public Cloud. Also optionally creates a Virtual Machine which can be used to mount and set the required ownership for CML workspace's projects folder.|
 | [terraform-azure-cdw-permissions](modules/terraform-azure-cdw-permissions/README.md) | Module for creation of the Azure Kubernetes Service (AKS) managed identity required for the Cloudera Data Warehouse (CDW) service.|
 | [terraform-azure-storage-endpoints](modules/terraform-azure-storage-endpoints/README.md) | Module for creation creation of Azure private endpoints between specified storage accounts and VNet subnets.|

modules/terraform-aws-firewall/.terraform-docs.yaml

@@ -0,0 +1,21 @@
+formatter: markdown
+header-from: doc_fragments/header.md
+settings:
+  anchor: true
+  color: true
+  default: true
+  escape: true
+  html: true
+  indent: 2
+  required: true
+  sensitive: true
+  type: true
+
+
+sort:
+  enabled: true
+  by: required
+
+output:
+  file: README.md
+  mode: replace

modules/terraform-aws-firewall/README.md

@@ -0,0 +1,69 @@
+<!-- BEGIN_TF_DOCS -->
+# Terraform Module for AWS Network Firewall
+
+This module contains resource files and example variable definition files to create and configure an AWS Network Firewall. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where the CDP Environment is connected to a Networking VPC running the Firewall.
+
+## Usage
+
+The [examples](./examples) directory has example of using this module:
+
+* `ex01-minimal_inputs` demonstrates how this module can be used to within a networking VPC. The [terraform-aws-nfw-vpc](../../../terraform-aws-nfw-vpc/README.md) module is also used as part of this example.
+
+The sample `terraform.tfvars.sample` describes the required inputs for the example.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | > 1.3.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.30 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.30 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.nfw_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_networkfirewall_firewall.fw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall) | resource |
+| [aws_networkfirewall_firewall_policy.fw_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_firewall_policy) | resource |
+| [aws_networkfirewall_logging_configuration.nfw_log_config](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_logging_configuration) | resource |
+| [aws_networkfirewall_rule_group.cdp_env_fw_rg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/networkfirewall_rule_group) | resource |
+| [aws_route.vpc_tgw_route](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route) | resource |
+| [aws_vpc.cdp_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+| [aws_vpc.network_vpc](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_cdp_firewall_rule_group_name"></a> [cdp\_firewall\_rule\_group\_name](#input\_cdp\_firewall\_rule\_group\_name) | Name of the CDP Rule Group. | `string` | n/a | yes |
+| <a name="input_cdp_vpc_id"></a> [cdp\_vpc\_id](#input\_cdp\_vpc\_id) | VPC ID for where the CDP environment is running | `string` | n/a | yes |
+| <a name="input_firewall_name"></a> [firewall\_name](#input\_firewall\_name) | Name of the Firewall. | `string` | n/a | yes |
+| <a name="input_firewall_policy_name"></a> [firewall\_policy\_name](#input\_firewall\_policy\_name) | Name of the Firewall Policy. | `string` | n/a | yes |
+| <a name="input_firewall_subnet_ids"></a> [firewall\_subnet\_ids](#input\_firewall\_subnet\_ids) | List of subnet ids to assign to the Firewall. | `list(string)` | n/a | yes |
+| <a name="input_network_vpc_id"></a> [network\_vpc\_id](#input\_network\_vpc\_id) | VPC ID for where the Networking components are running | `string` | n/a | yes |
+| <a name="input_cdp_firewall_domain_allowlist"></a> [cdp\_firewall\_domain\_allowlist](#input\_cdp\_firewall\_domain\_allowlist) | Domain allowlist for CDP Rule Group. | `list(string)` | <pre>[<br>  "cloudera.com"<br>]</pre> | no |
+| <a name="input_cdp_fw_rule_group_capacity"></a> [cdp\_fw\_rule\_group\_capacity](#input\_cdp\_fw\_rule\_group\_capacity) | Capacity (maximum number of operating resources) for the CDP Firewall Rule Group | `number` | `300` | no |
+| <a name="input_firewall_logging_config"></a> [firewall\_logging\_config](#input\_firewall\_logging\_config) | Logging config for cloudwatch logs created for network Firewall | `map(any)` | <pre>{<br>  "alert": {<br>    "retention_in_days": 3<br>  },<br>  "flow": {<br>    "retention_in_days": 1<br>  }<br>}</pre> | no |
+| <a name="input_route_tables_to_update"></a> [route\_tables\_to\_update](#input\_route\_tables\_to\_update) | List of any route tables to update to target the Firewall Endpoint | <pre>list(object({<br>    route_tables           = list(string)<br>    availability_zones     = optional(list(string))<br>    destination_cidr_block = string<br>  }))</pre> | `[]` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Tags applied to provisioned resources | `map(any)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_nfw_arn"></a> [nfw\_arn](#output\_nfw\_arn) | The Amazon Resource Name (ARN) of the AWS Network Firewall |
+| <a name="output_nfw_id"></a> [nfw\_id](#output\_nfw\_id) | The Amazon Resource id of the AWS Network Firewall |
+| <a name="output_nfw_logging_configuration_ids"></a> [nfw\_logging\_configuration\_ids](#output\_nfw\_logging\_configuration\_ids) | The Amazon Resource id (ARN) of the logging configuration associated with the AWS Network Firewall |
+| <a name="output_nfw_policy_arn"></a> [nfw\_policy\_arn](#output\_nfw\_policy\_arn) | The Amazon Resource Name (ARN) that identifies the firewall policy |
+| <a name="output_nfw_policy_id"></a> [nfw\_policy\_id](#output\_nfw\_policy\_id) | The Amazon Resource id of the firewall policy for the AWS Network Firewall |
+<!-- END_TF_DOCS -->

modules/terraform-aws-firewall/data.tf

@@ -0,0 +1,22 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Find details of the CDP and Networking VPCs
+data "aws_vpc" "network_vpc" {
+  id = var.network_vpc_id
+}
+
+data "aws_vpc" "cdp_vpc" {
+  id = var.cdp_vpc_id
+}

modules/terraform-aws-firewall/defaults.tf

@@ -0,0 +1,30 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+locals {
+
+  # Local variables to determine route table to Firewall VPC Endpoint mapping
+  route_tables_to_update = flatten([
+    for route in var.route_tables_to_update :
+    [
+      for rti, rt in route.route_tables :
+      {
+        route_table            = rt
+        availability_zone      = try(route.availability_zones[rti], null)
+        destination_cidr_block = route.destination_cidr_block
+      }
+    ]
+  ])
+
+}

modules/terraform-aws-firewall/doc_fragments/header.md

@@ -0,0 +1,11 @@
+# Terraform Module for AWS Network Firewall
+
+This module contains resource files and example variable definition files to create and configure an AWS Network Firewall. This module can be used to assist in deploying Cloudera Data Platform (CDP) Public Cloud in a fully private networking configuration where the CDP Environment is connected to a Networking VPC running the Firewall.
+
+## Usage
+
+The [examples](./examples) directory has example of using this module:
+
+* `ex01-minimal_inputs` demonstrates how this module can be used to within a networking VPC. The [terraform-aws-nfw-vpc](../../../terraform-aws-nfw-vpc/README.md) module is also used as part of this example.
+
+The sample `terraform.tfvars.sample` describes the required inputs for the example.

modules/terraform-aws-firewall/examples/ex01-minimal_inputs/main.tf

@@ -0,0 +1,51 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+provider "aws" {
+  region = var.aws_region
+}
+
+module "ex01_network_vpc" {
+  source = "../../../terraform-aws-nfw-vpc"
+
+  vpc_name = "${var.name_prefix}-network-vpc"
+
+  subnet_name_prefix      = var.name_prefix
+  nat_gateway_name_prefix = var.name_prefix
+  route_table_name_prefix = var.name_prefix
+
+  vpc_cidr = var.vpc_cidr
+
+  tags = var.env_tags
+
+}
+
+module "ex01_nfw" {
+  source = "../.."
+
+  cdp_firewall_rule_group_name = "${var.name_prefix}-cdp-rg"
+  firewall_policy_name         = "${var.name_prefix}-fwp"
+  firewall_name                = "${var.name_prefix}-fw"
+
+  cdp_vpc_id     = module.ex01_network_vpc.vpc_id
+  network_vpc_id = module.ex01_network_vpc.vpc_id
+
+  firewall_subnet_ids = module.ex01_network_vpc.fw_subnet_ids
+
+  # route_tables_to_update = []
+
+  tags = var.env_tags
+
+
+}

modules/terraform-aws-firewall/examples/ex01-minimal_inputs/terraform.tfvars.sample

@@ -0,0 +1,23 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global Settings -------
+name_prefix = "<ENTER_VALUE>"
+
+# ------- Cloud Settings -------
+aws_region = "<ENTER_VALUE>" # Change this to specify Cloud Provider region, e.g. eu-west-1
+
+# ------- VPC Settings -------
+
+vpc_cidr = "10.11.0.0/16" # Change CIDR value if needed

modules/terraform-aws-firewall/examples/ex01-minimal_inputs/variables.tf

@@ -0,0 +1,38 @@
+# Copyright 2025 Cloudera, Inc. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# ------- Global settings -------
+variable "aws_region" {
+  type        = string
+  description = "Region which Cloud resources will be created"
+}
+
+variable "env_tags" {
+  type        = map(any)
+  description = "Tags applied to provised resources"
+
+  default = null
+}
+
+variable "name_prefix" {
+  type        = string
+  description = "Shorthand name to use when naming resources."
+}
+
+# ------- Network Resources -------
+variable "vpc_cidr" {
+  type        = string
+  description = "VPC CIDR Block. Required if create_vpc is true."
+
+}