Merge pull request #33 from DNXLabs/firewall/stateful-rule

add a bool that allows the default stateful rule to be on or off

README.md

@@ -59,6 +59,7 @@ module "network" {
 | byoip | Enable module to use your own Elastic IPs (Bring Your Own IP) | `bool` | `false` | no |
 | cf\_export\_name | Name prefix for the export resources of the cloud formation output | `string` | `""` | no |
 | eip\_allocation\_ids | User-specified primary or secondary private IP address to associate with the Elastic IP address | `list(string)` | `[]` | no |
+| enable\_firewall\_default\_rule | Enable or disable the default stateful rule. | `bool` | `true` | no |
 | firewall\_custom\_rules | The stateful rule group rules specifications in Suricata file format, with one rule per line | `list(string)` | `[]` | no |
 | firewall\_domain\_list | List the domain names you want to take action on. | `list(any)` | <pre>[<br>  ".amazonaws.com",<br>  ".github.com"<br>]</pre> | no |
 | firewall\_netnum\_offset | Start with this subnet for secure ones, plus number of AZs | `number` | `14` | no |

_variables.tf

@@ -174,6 +174,12 @@ variable "firewall_domain_list" {
   description = "List the domain names you want to take action on."
 }
 
+variable "enable_firewall_default_rule" {
+  type        = bool
+  default     = true
+  description = "Enable or disable the default stateful rule."
+}
+
 locals {
   kubernetes_clusters = zipmap(
     formatlist("kubernetes.io/cluster/%s", var.kubernetes_clusters),

network-firewall.tf

@@ -119,7 +119,7 @@ resource "aws_networkfirewall_rule_group" "stateful_custom" {
 
 # Statefull rule to block any TCP
 resource "aws_networkfirewall_rule_group" "stateful_default" {
-  count    = var.network_firewall ? 1 : 0
+  count    = var.network_firewall && var.enable_firewall_default_rule ? 1 : 0
   capacity = 100
   name     = "${var.name}-Stateful-Default"
   type     = "STATEFUL"