Network-Firewall Code
VinayKumar611 committed Sep 8, 2023
1 parent ad12617 commit 8be2587
Showing 12 changed files with 547 additions and 0 deletions.
62 changes: 62 additions & 0 deletions Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
Expand Up @@ -492,6 +492,68 @@ On Premise Subnet route will not propagate over the RPC connection to the second
5. Apply the new Route Tables to the Attachments


## Network Firewall

The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-south network traffic) as well traffic between subnets (East-west network traffic).

**Deployment Scenario**

1. **With Baseline**

1.1) By Default Network Firewall is disabled.
1.2) To Enable Network Firewall on Prod Environment.
1.3) Go to Folder templates/enterprise-landing-zone and tfvars file.\

**Required Arguments/Parameters For Baseline Deployment on Prod**:

| Descripation | TFVAR Variable |Default Value |
| :--------------------------------- | --------------------------------------- |---------------------------------- |
| Network Firewall Deployment | enable_network_firewall_prod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_prod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_prod | "public"(string)(public\|private) |
| Network Firewall Name | nfw_instance_name_prod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_prod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_prod | "" (string) |

1.3) To Enable Network Firewall on Prod Environment.

**Required Arguments/Parameters For Baseline Deployment on Non-Prod**:


| Descripation | TFVAR Variable |Default Value |
| :--------------------------------- | --------------------------------------- |---------------------------------- |
| Network Firewall Deployment | enable_network_firewall_nonprod | false (bool) |
| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_nonprod | false (bool) |
| Enable NFW on Subnet | nfw_subnet_type_nonprod | "public"(string)(public\|private) |
| Network Firewall Name | nfw_instance_name_nonprod | "" (string) |
| Network Firewall Policy Name | nfw_instance_policy_nonprod | "" (string) |
| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_nonprod | "" (string) |


2. **Without Baseline as Standlone**

2.1) Assumption : OELZ Baseline stack has been successfully deployed.\
2.2) Go to Folder templates/elz-network-firewall.\
2.3) **Required Varibales For Baseline Deployment**\

| Descripation | TFVAR Variable |Default Value |
| :--------------------------------- | --------------------------------------------- |-----------------------|
| Environment Prefix | nfw_environment_prefix | "" |
| Network Compartment OCID | nfw_compartment_ocid | "" |
| Hub VCN CIDR Block | nfw_hub_vcn_cidr_block | "" |
| Network Firewall Subnet | nfw_subnet_ocid | "" |
| DRG OCID | nfw_drg_ocid | "" |
| Hub VCN OCID | nfw_hub_vcn_ocid | "" |
| Spoke VCN OCID | nfw_spoke_vcn_ocid | "" |
| Network Firewall Subnet IP | nfw_subnet_ip | "" |
| Network Firewall Display Name | nfw_subnet_display_name | "" |
| Network Firewall DNS Label | nfw_subnet_dns_label_name | "" |
| Route Table OCID | nfw_route_table_ocid | "" |
| IDCS Endpoint | nfw_idcs_endpoint | "" |
| Internet Gateway OCID | nfw_igw_ocid | "" |



## Security

To provide for a secure environment, the OELZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches.
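Review bot: the step list and the standalone variable table in this hunk disagree with the code added in the same commit. The line `1.3) To Enable Network Firewall on Prod Environment.` is repeated above the Non-Prod table and should read Non-Prod (the numbering also restarts at 1.3), and the standalone table names (`nfw_compartment_ocid`, `nfw_subnet_ocid`, `nfw_drg_ocid`, `nfw_hub_vcn_ocid`, `nfw_route_table_ocid`, `nfw_igw_ocid`, ...) do not exist in `templates/elz-network-firewall/nfw.tfvars`, which uses `network_compartment_ocid`, `network_firewall_subnet_id`, `drg_id`, `hub_vcn_id`, `route_table_id`, `igw_id`; settle on one set of names and use it in both places. The heading under 2.3 says "For Baseline Deployment" although that section is the standalone case, and `Descripation`, `Standlone` and `Varibales` are misspelled. It is also worth spelling out in the Prod and Non-Prod tables that leaving `nfw_subnet_type` at its `"public"` default creates the firewall subnet as a public subnet, so an operator makes that choice deliberately.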
24 changes: 24 additions & 0 deletions templates/elz-environment/network-firewall-variables.tf
@@ -0,0 +1,24 @@
variable "enable_network_firewall" {
type = bool
description = "Enable Network Firewall in Enviornment."
}
variable "enable_traffic_threat_log" {
type = bool
description = "Enable Network Firewall Threat and Traffic Logs in Enviornment."
}
variable "nfw_subnet_type" {
type = string
description = "Network Firewall Subnet Type."
}
variable "nfw_instance_name" {
type = string
description = "Network Firewall Instance Name."
}
variable "nfw_instance_policy" {
type = string
description = "Network Firewall Instance Policy Name."
}
variable "nfw_subnet_cidr_block" {
type = string
description = "Network Firewall Subnet CIDR IP Block."
}
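Review bot: `nfw_subnet_type` is documented in CONFIGURATION.md as `public|private` but this declaration accepts any string; add a `validation` block with `condition = contains(["public", "private"], var.nfw_subnet_type)` so a typo fails at plan time instead of silently producing the wrong kind of subnet, and give `nfw_subnet_cidr_block` a `can(cidrhost(var.nfw_subnet_cidr_block, 0))` condition for the same reason. The documentation table lists `false` and `"public"` as defaults, but none of these variables declare a `default`, so all six are required inputs of this module; either add the defaults here or correct the table. `Enviornment` is misspelled in two descriptions, and that spelling is carried into the generated README.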
22 changes: 22 additions & 0 deletions templates/elz-environment/network-firewall.tf
@@ -0,0 +1,22 @@
module "network-firewall" {
source = "../elz-network-firewall"
tenancy_ocid = var.tenancy_ocid
region = var.region
environment_prefix = var.environment_prefix

network_compartment_id = module.compartment.compartments.network.id
home_compartment_id = var.home_compartment_id
is_baseline_deploy = var.is_baseline_deploy

enable_network_firewall = var.enable_network_firewall
enable_traffic_threat_log = var.enable_traffic_threat_log
nfw_subnet_type = var.nfw_subnet_type
nfw_instance_name = var.nfw_instance_name
nfw_instance_policy = var.nfw_instance_policy
nfw_subnet_cidr_block = var.nfw_subnet_cidr_block

providers = {
oci = oci
oci.home_region = oci.home_region
}
}
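Review bot: the arguments passed here do not match what `templates/elz-network-firewall/main.tf` reads. This call passes `network_compartment_id`, while `main.tf` references `var.network_compartment_ocid`, `var.network_firewall_subnet_id`, `var.hub_vcn_id`, `var.nfw_subnet_display_name` and `var.nfw_subnet_dns_label`, none of which are passed here and none of which appear in the module's README Inputs table, so `terraform validate` will fail on this call unless a variables file not shown in this commit declares them and supplies defaults. Either pass the subnet, hub VCN and display-name/DNS-label values through from the environment module, or derive them inside the firewall module from the hub outputs, and regenerate the README once the variable set is settled.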
52 changes: 52 additions & 0 deletions templates/elz-network-firewall/README.md
@@ -0,0 +1,52 @@
<!-- BEGIN_TF_DOCS -->
## Requirements

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0 |
| <a name="requirement_oci"></a> [oci](#requirement\_oci) | 5.1.0 |

## Providers

| Name | Version |
|------|---------|
| <a name="provider_oci"></a> [oci](#provider\_oci) | 5.1.0 |
| <a name="provider_random"></a> [random](#provider\_random) | n/a |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_architecture_tag"></a> [architecture\_tag](#module\_architecture\_tag) | ../../modules/tag | n/a |
| <a name="module_firewall_threat_log"></a> [firewall\_threat\_log](#module\_firewall\_threat\_log) | ../../modules/service-log | n/a |
| <a name="module_firewall_traffic_log"></a> [firewall\_traffic\_log](#module\_firewall\_traffic\_log) | ../../modules/service-log | n/a |
| <a name="module_network_firewall"></a> [network\_firewall](#module\_network\_firewall) | ../../modules/network-firewall | n/a |

## Resources

| Name | Type |
|------|------|
| [oci_core_subnet.oci_network_firewall_subnet](https://registry.terraform.io/providers/oracle/oci/5.1.0/docs/resources/core_subnet) | resource |
| [random_id.tag](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
| [oci_identity_region_subscriptions.regions](https://registry.terraform.io/providers/oracle/oci/5.1.0/docs/data-sources/identity_region_subscriptions) | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| <a name="input_enable_network_firewall"></a> [enable\_network\_firewall](#input\_enable\_network\_firewall) | Enable Network Firewall in Enviornment. | `bool` | n/a | yes |
| <a name="input_enable_traffic_threat_log"></a> [enable\_traffic\_threat\_log](#input\_enable\_traffic\_threat\_log) | Enable Network Firewall Threat and Traffic Logs in Enviornment. | `bool` | n/a | yes |
| <a name="input_environment_prefix"></a> [environment\_prefix](#input\_environment\_prefix) | the 1 character string representing the environment eg. P (prod), N (non-prod), D, T, U | `string` | n/a | yes |
| <a name="input_home_compartment_id"></a> [home\_compartment\_id](#input\_home\_compartment\_id) | Home Compartment ID | `string` | n/a | yes |
| <a name="input_is_baseline_deploy"></a> [is\_baseline\_deploy](#input\_is\_baseline\_deploy) | TagNameSpace Optimization: Enable this flag to disable dependent module TagNameSpace Tag Creation. | `bool` | n/a | yes |
| <a name="input_nfw_instance_name"></a> [nfw\_instance\_name](#input\_nfw\_instance\_name) | Network Firewall Instance Name. | `string` | n/a | yes |
| <a name="input_nfw_instance_policy"></a> [nfw\_instance\_policy](#input\_nfw\_instance\_policy) | Network Firewall Instance Policy Name. | `string` | n/a | yes |
| <a name="input_nfw_subnet_cidr_block"></a> [nfw\_subnet\_cidr\_block](#input\_nfw\_subnet\_cidr\_block) | Network Firewall Subnet CIDR IP Block. | `string` | n/a | yes |
| <a name="input_nfw_subnet_type"></a> [nfw\_subnet\_type](#input\_nfw\_subnet\_type) | Network Firewall Subnet Type. | `string` | n/a | yes |
| <a name="input_region"></a> [region](#input\_region) | The OCI region | `string` | n/a | yes |
| <a name="input_tenancy_ocid"></a> [tenancy\_ocid](#input\_tenancy\_ocid) | The OCID of tenancy | `string` | n/a | yes |

## Outputs

No outputs.
<!-- END_TF_DOCS -->
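Review bot: the Inputs and Modules tables are out of step with `main.tf` in the same commit: `main.tf` reads `var.network_compartment_ocid`, `var.network_firewall_subnet_id`, `var.hub_vcn_id`, `var.nfw_subnet_display_name` and `var.nfw_subnet_dns_label` and references `module.default_log_group`, none of which appear here, and `nfw_subnet_type` is listed as a plain `string` with no mention of the `public|private` choice. Because this block sits between the `BEGIN_TF_DOCS`/`END_TF_DOCS` markers, fix the variable declarations and descriptions first and then re-run terraform-docs rather than editing the tables by hand; the `Enviornment` misspelling disappears with the description fix.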
12 changes: 12 additions & 0 deletions templates/elz-network-firewall/datasources.tf
@@ -0,0 +1,12 @@
# -----------------------------------------------------------------------------
# Support for multi-region deployments
# -----------------------------------------------------------------------------
locals {
region_subscriptions = data.oci_identity_region_subscriptions.regions.region_subscriptions
home_region = [for region in local.region_subscriptions : region.region_name if region.is_home_region == true]
region_key = [for region in local.region_subscriptions : region.region_key if region.region_name == var.region]
}

data "oci_identity_region_subscriptions" "regions" {
tenancy_id = var.tenancy_ocid
}
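Review bot: `local.home_region` and `local.region_key` are built as lists, and the only consumer in this commit (the commented-out standalone provider in `provider.tf`) indexes `local.home_region[0]`; if `var.region` is not one of the tenancy's subscribed regions, `region_key` is an empty list and any later index fails with an unhelpful error. Consider `one([...])` for both so the failure names the actual problem, and `region.is_home_region` can replace `region.is_home_region == true`. `region_key` is otherwise unreferenced in this commit.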
88 changes: 88 additions & 0 deletions templates/elz-network-firewall/main.tf
@@ -0,0 +1,88 @@
locals {
network_firewall = {
network_firewall_name = var.nfw_instance_name != "" ? var.nfw_instance_name : "OCI-ELZ-NFW-${var.environment_prefix}"
network_firewall_policy_name = var.nfw_instance_policy != "" ? var.nfw_instance_name : "OCI-ELZ-NFW-Policy-${var.environment_prefix}"
#drg_id = module.hub.drg_id
nfw_policy_action = "ALLOW"
}
firewall_threat_log = {
log_display_name = "OCI-ELZ-NFW-THREAT-LOG-${var.environment_prefix}"
log_type = "SERVICE"
log_source_category = "threatlog"
log_source_resource = module.network_firewall.firewall_id
log_source_service = "ocinetworkfirewall"
log_source_type = "OCISERVICE"
}
firewall_traffic_log = {
log_display_name = "OCI-ELZ-NFW-TRAFFIC-LOG-${var.environment_prefix}"
log_type = "SERVICE"
log_source_category = "trafficlog"
log_source_resource = module.network_firewall.firewall_id
log_source_service = "ocinetworkfirewall"
log_source_type = "OCISERVICE"
}
}

##############################################################################
########### CREATE NETWORK FIREWALL ##########
##############################################################################

module "network_firewall" {
count = var.enable_network_firewall == "true" ? 1 : 0
source = "../../modules/network-firewall"

network_compartment_ocid = var.network_compartment_ocid
network_firewall_subnet_id = var.network_firewall_subnet_id
network_firewall_name = local.network_firewall.network_firewall_name
network_firewall_policy_name = local.network_firewall.network_firewall_policy_name
network_firewall_policy_action = local.network_firewall.nfw_policy_action
}

##############################################################################
########### Create Firewall VCN: Firewall subnet ##########
##############################################################################


resource "oci_core_subnet" "oci_network_firewall_subnet" {
#count = local.use_existing_network ? 0 : 1
count = var.enable_network_firewall == "true" ? 1 : 0
compartment_id = var.network_compartment_ocid
vcn_id = var.hub_vcn_id
cidr_block = var.nfw_subnet_cidr_block
display_name = var.nfw_subnet_display_name
dns_label = var.nfw_subnet_dns_label
prohibit_public_ip_on_vnic = false
}

##############################################################################
########### Create Firewall Firewall Threat and Traffic Log ##########
##############################################################################
module "firewall_threat_log" {
count = var.enable_network_firewall == "true" ? 1 : 0
source = "../../modules/service-log"

log_display_name = local.firewall_threat_log.log_display_name
log_type = local.firewall_threat_log.log_type
log_group_id = module.default_log_group.log_group_id
log_source_category = local.firewall_threat_log.log_source_category
log_source_resource = local.firewall_threat_log.log_source_resource
log_source_service = local.firewall_threat_log.log_source_service
log_source_type = local.firewall_threat_log.log_source_type

depends_on = [ module.network_firewall, module.default_log_group ]
}

module "firewall_traffic_log" {
count = var.enable_network_firewall == "true" ? 1 : 0
source = "../../modules/service-log"

log_display_name = local.firewall_traffic_log.log_display_name
log_type = local.firewall_traffic_log.log_type
log_group_id = module.default_log_group.log_group_id
log_source_category = local.firewall_traffic_log.log_source_category
log_source_resource = local.firewall_traffic_log.log_source_resource
log_source_service = local.firewall_traffic_log.log_source_service
log_source_type = local.firewall_traffic_log.log_source_type

depends_on = [ module.network_firewall, module.default_log_group ]
}
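Review bot: several references in this hunk will not plan as written. `module.network_firewall` is declared with `count`, so `module.network_firewall.firewall_id` in the two log locals needs an instance key (`one(module.network_firewall).firewall_id` or `module.network_firewall[0].firewall_id`); `module.default_log_group` is referenced by both log modules but is not declared in this template; and the `network_firewall_policy_name` local returns `var.nfw_instance_name` where `var.nfw_instance_policy` is clearly meant. The four `count` expressions compare a `bool` variable to the string `"true"`; `count = var.enable_network_firewall ? 1 : 0` is the idiomatic form and does not rely on type conversion. On the security side, `prohibit_public_ip_on_vnic = false` is hard-coded, so `nfw_subnet_type` has no effect on the subnet and a `private` selection still permits public IPs on VNICs in the firewall subnet; `prohibit_public_ip_on_vnic = var.nfw_subnet_type == "private"` ties the two together. The policy is created with a fixed `nfw_policy_action = "ALLOW"`, which should be called out in CONFIGURATION.md so operators know the initial policy posture is permissive.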
20 changes: 20 additions & 0 deletions templates/elz-network-firewall/nfw.tfvars
@@ -0,0 +1,20 @@
#current_user_ocid = ""
#region = ""
#tenancy_ocid = ""
#api_fingerprint = ""
#api_private_key_path = ""

environment_prefix = ""
network_compartment_ocid = ""
hub_vcn_cidr_block = ""
network_firewall_subnet_id = ""
drg_id = ""
hub_vcn_id = ""
spoke_vcn_id = ""

nfw_subnet_cidr_block = ""
nfw_subnet_display_name = ""
nfw_subnet_dns_label = ""
route_table_id = ""
idcs_endpoint = ""
igw_id = ""
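Review bot: the keys in this file do not match the standalone variable table added to `CONFIGURATION.md` in this commit (`nfw_compartment_ocid`, `nfw_subnet_ocid`, `nfw_drg_ocid`, `nfw_hub_vcn_ocid`, `nfw_spoke_vcn_ocid`, `nfw_subnet_ip`, `nfw_route_table_ocid`, `nfw_idcs_endpoint`, `nfw_igw_ocid` there, versus `network_compartment_ocid`, `network_firewall_subnet_id`, `drg_id`, `hub_vcn_id`, `spoke_vcn_id`, `route_table_id`, `idcs_endpoint`, `igw_id` here), and the file sets none of the inputs the README marks as required (`enable_network_firewall`, `enable_traffic_threat_log`, `nfw_instance_name`, `nfw_instance_policy`, `nfw_subnet_type`, `region`, `tenancy_ocid`), so a standalone `terraform apply -var-file=nfw.tfvars` would prompt for each of them. Add the required keys with the documented defaults, and keep the commented credential keys (`api_fingerprint`, `api_private_key_path`) out of any committed tfvars that later gets populated; an untracked `.auto.tfvars` is the usual place for them.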
72 changes: 72 additions & 0 deletions templates/elz-network-firewall/provider.tf
@@ -0,0 +1,72 @@
# -----------------------------------------------------------------------------
# Provider Requirements if using stack as a module
# -----------------------------------------------------------------------------
terraform {
required_version = ">= 1.0.0"

required_providers {
oci = {
source = "oracle/oci"
version = "5.1.0"
configuration_aliases = [oci, oci.home_region]
}
}
}

# # -----------------------------------------------------------------------------
# # WARNING!
# # UNCOMMENT EVERYTHING BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS
# # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL
# # Provider Requirements if using stack as standalone
# # -----------------------------------------------------------------------------
# terraform {
# required_version = ">= 1.0.0"

# required_providers {
# oci = {
# source = "oracle/oci"
# version = "5.1.0"
# }
# }
# }

# # -----------------------------------------------------------------------------
# # Provider blocks for home region and alternate region(s)
# # -----------------------------------------------------------------------------
# provider "oci" {
# tenancy_ocid = var.tenancy_ocid
# user_ocid = var.current_user_ocid
# fingerprint = var.api_fingerprint
# private_key_path = var.api_private_key_path
# region = var.region
# }

# provider "oci" {
# alias = "home_region"
# tenancy_ocid = var.tenancy_ocid
# user_ocid = var.current_user_ocid
# fingerprint = var.api_fingerprint
# private_key_path = var.api_private_key_path
# region = local.home_region[0]
# }

# # -----------------------------------------------------------------------------
# # Provider Variables
# # -----------------------------------------------------------------------------
# variable "current_user_ocid" {
# type = string
# description = "The OCID of the current user"
# default = ""
# }

# variable "api_fingerprint" {
# type = string
# description = "The fingerprint of API"
# default = ""
# }

# variable "api_private_key_path" {
# type = string
# description = "The local path to the API private key"
# default = ""
# }
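Review bot: the "uncomment everything below and comment everything above" switch between module and standalone use is fragile: a partially applied edit leaves two `terraform` blocks, or an `oci` provider without the `home_region` alias the module form demands through `configuration_aliases`. A cleaner split keeps only the `configuration_aliases` block in this file and places the standalone `terraform` block, the two `provider "oci"` blocks and the credential variables in a separate root directory that calls this module, so nothing needs commenting or uncommenting. Within the standalone block, `region = local.home_region[0]` fails with an index error if the lookup in `datasources.tf` returns nothing; `one(local.home_region)` gives a clearer failure. The API-key variables default to `""`; since the standalone path reads `api_private_key_path`, the README should state that these values come from the environment or an untracked tfvars file, never a committed one.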