From 8be258778c45fea1f74dd63b0a417f92eb403391 Mon Sep 17 00:00:00 2001
From: vinaykumar-oci
Date: Fri, 8 Sep 2023 00:14:03 -0700
Subject: [PATCH] Network-Firewall Code Network-Firewall Code
---
 .../OELZ_Baseline_Deployment/CONFIGURATION.md | 62 +++++++++++++
 .../network-firewall-variables.tf | 24 +++++
 templates/elz-environment/network-firewall.tf | 22 +++++
 templates/elz-network-firewall/README.md | 52 +++++++++++
 templates/elz-network-firewall/datasources.tf | 12 +++
 templates/elz-network-firewall/main.tf | 88 +++++++++++++++++++
 templates/elz-network-firewall/nfw.tfvars | 20 +++++
 templates/elz-network-firewall/provider.tf | 72 +++++++++++++++
 templates/elz-network-firewall/tagging.tf | 41 +++++++++
 templates/elz-network-firewall/variables.tf | 56 ++++++++++++
 .../enterprise-landing-zone/environment.tf | 14 +++
 .../network-firewall-variables.tf | 84 ++++++++++++++++++
 12 files changed, 547 insertions(+)
 create mode 100644 templates/elz-environment/network-firewall-variables.tf
 create mode 100644 templates/elz-environment/network-firewall.tf
 create mode 100644 templates/elz-network-firewall/README.md
 create mode 100644 templates/elz-network-firewall/datasources.tf
 create mode 100644 templates/elz-network-firewall/main.tf
 create mode 100644 templates/elz-network-firewall/nfw.tfvars
 create mode 100644 templates/elz-network-firewall/provider.tf
 create mode 100644 templates/elz-network-firewall/tagging.tf
 create mode 100644 templates/elz-network-firewall/variables.tf
 create mode 100644 templates/enterprise-landing-zone/network-firewall-variables.tf
diff --git a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
index 326bf490..1c4717fa 100644
--- a/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
+++ b/Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md
@@ -492,6 +492,68 @@ On Premise Subnet route will not propagate over the RPC connection to the second
 5. Apply the new Route Tables to the Attachments
+## Network Firewall
+
+The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-south network traffic) as well traffic between subnets (East-west network traffic).
+
+**Deployment Scenario**
+
+1. **With Baseline**
+
+ 1.1) By Default Network Firewall is disabled.
+ 1.2) To Enable Network Firewall on Prod Environment.
+ 1.3) Go to Folder templates/enterprise-landing-zone and tfvars file.\
+
+**Required Arguments/Parameters For Baseline Deployment on Prod**:
+
+| Descripation | TFVAR Variable |Default Value |
+| :--------------------------------- | --------------------------------------- |---------------------------------- |
+| Network Firewall Deployment | enable_network_firewall_prod | false (bool) |
+| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_prod | false (bool) |
+| Enable NFW on Subnet | nfw_subnet_type_prod | "public"(string)(public\|private) |
+| Network Firewall Name | nfw_instance_name_prod | "" (string) |
+| Network Firewall Policy Name | nfw_instance_policy_prod | "" (string) |
+| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_prod | "" (string) |
+
+ 1.3) To Enable Network Firewall on Prod Environment.
+
+**Required Arguments/Parameters For Baseline Deployment on Non-Prod**:
+
+
+| Descripation | TFVAR Variable |Default Value |
+| :--------------------------------- | --------------------------------------- |---------------------------------- |
+| Network Firewall Deployment | enable_network_firewall_nonprod | false (bool) |
+| Enable NFW Threat and Traffic Log | enable_traffic_threat_log_nonprod | false (bool) |
+| Enable NFW on Subnet | nfw_subnet_type_nonprod | "public"(string)(public\|private) |
+| Network Firewall Name | nfw_instance_name_nonprod | "" (string) |
+| Network Firewall Policy Name | nfw_instance_policy_nonprod | "" (string) |
+| Network Firewall Subnet CIDR | nfw_subnet_cidr_block_nonprod | "" (string) |
+
+
+2. **Without Baseline as Standlone**
+
+ 2.1) Assumption : OELZ Baseline stack has been successfully deployed.\
+ 2.2) Go to Folder templates/elz-network-firewall.\
+ 2.3) **Required Varibales For Baseline Deployment**\
+
+| Descripation | TFVAR Variable |Default Value |
+| :--------------------------------- | --------------------------------------------- |-----------------------|
+| Environment Prefix | nfw_environment_prefix | "" |
+| Network Compartment OCID | nfw_compartment_ocid | "" |
+| Hub VCN CIDR Block | nfw_hub_vcn_cidr_block | "" |
+| Network Firewall Subnet | nfw_subnet_ocid | "" |
+| DRG OCID | nfw_drg_ocid | "" |
+| Hub VCN OCID | nfw_hub_vcn_ocid | "" |
+| Spoke VCN OCID | nfw_spoke_vcn_ocid | "" |
+| Network Firewall Subnet IP | nfw_subnet_ip | "" |
+| Network Firewall Display Name | nfw_subnet_display_name | "" |
+| Network Firewall DNS Label | nfw_subnet_dns_label_name | "" |
+| Route Table OCID | nfw_route_table_ocid | "" |
+| IDCS Endpoint | nfw_idcs_endpoint | "" |
+| Internet Gateway OCID | nfw_igw_ocid | "" |
+
+
+
 ## Security
 To provide for a secure environment, the OELZ deploys several Oracle security services, such as CloudGuard to monitor for insecure cloud resource deployments, Vulnerability Scanning Service to 
scan compute instances for open ports and known vulnerabilities, and OS Management Service to manage updates and patches.
diff --git a/templates/elz-environment/network-firewall-variables.tf b/templates/elz-environment/network-firewall-variables.tf
new file mode 100644
index 00000000..1fc99aaa
--- /dev/null
+++ b/templates/elz-environment/network-firewall-variables.tf
@@ -0,0 +1,24 @@
+variable "enable_network_firewall" {
+ type = bool
+ description = "Enable Network Firewall in Enviornment."
+}
+variable "enable_traffic_threat_log" {
+ type = bool
+ description = "Enable Network Firewall Threat and Traffic Logs in Enviornment."
+}
+variable "nfw_subnet_type" {
+ type = string
+ description = "Network Firewall Subnet Type."
+}
+variable "nfw_instance_name" {
+ type = string
+ description = "Network Firewall Instance Name."
+}
+variable "nfw_instance_policy" {
+ type = string
+ description = "Network Firewall Instance Policy Name."
+}
+variable "nfw_subnet_cidr_block" {
+ type = string
+ description = "Network Firewall Subnet CIDR IP Block."
+}
\ No newline at end of file
diff --git a/templates/elz-environment/network-firewall.tf b/templates/elz-environment/network-firewall.tf
new file mode 100644
index 00000000..db4a3256
--- /dev/null
+++ b/templates/elz-environment/network-firewall.tf
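Review bot: `nfw_subnet_type` is declared as a free-form string although CONFIGURATION.md in this same commit documents it as `public|private`, so a misspelled value is only discovered, if at all, deep inside the module; a `validation` block on the declaration rejects it at plan time. The description strings on `enable_network_firewall` and `enable_traffic_threat_log` misspell "Environment" as "Enviornment", and the same two strings are repeated in templates/elz-network-firewall/variables.tf and templates/enterprise-landing-zone/network-firewall-variables.tf. `nfw_subnet_cidr_block` could get the same treatment with `condition = var.nfw_subnet_cidr_block == "" || can(cidrhost(var.nfw_subnet_cidr_block, 0))`, which still admits the documented empty default.
```terraform
variable "nfw_subnet_type" {
  type        = string
  description = "Network Firewall Subnet Type (public or private)."
  validation {
    condition     = contains(["public", "private"], var.nfw_subnet_type)
    error_message = "nfw_subnet_type must be \"public\" or \"private\"."
  }
}
```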
@@ -0,0 +1,22 @@
+module "network-firewall" {
+ source = "../elz-network-firewall"
+ tenancy_ocid = var.tenancy_ocid
+ region = var.region
+ environment_prefix = var.environment_prefix
+
+ network_compartment_id = module.compartment.compartments.network.id
+ home_compartment_id = var.home_compartment_id
+ is_baseline_deploy = var.is_baseline_deploy
+
+ enable_network_firewall = var.enable_network_firewall
+ enable_traffic_threat_log = var.enable_traffic_threat_log
+ nfw_subnet_type = var.nfw_subnet_type
+ nfw_instance_name = var.nfw_instance_name
+ nfw_instance_policy = var.nfw_instance_policy
+ nfw_subnet_cidr_block = var.nfw_subnet_cidr_block
+
+ providers = {
+ oci = oci
+ oci.home_region = oci.home_region
+ }
+}
diff --git a/templates/elz-network-firewall/README.md b/templates/elz-network-firewall/README.md
new file mode 100644
index 00000000..e32e5ea8
--- /dev/null
+++ b/templates/elz-network-firewall/README.md
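Review bot: `network_compartment_id` is passed to the module here, but templates/elz-network-firewall/variables.tf added in this commit declares no input of that name, and main.tf reads `var.network_compartment_ocid`, `var.network_firewall_subnet_id`, `var.hub_vcn_id`, `var.nfw_subnet_display_name` and `var.nfw_subnet_dns_label`, none of which are declared either, so `terraform validate` on elz-environment should reject the unexpected argument and the undeclared variables. main.tf also references `module.default_log_group`, which this commit does not define anywhere under templates/elz-network-firewall. Settle on one name (`network_compartment_ocid = module.compartment.compartments.network.id` matches what main.tf reads), declare it and the other four inputs in the module's variables.tf, and pass the hub VCN id and the subnet naming values from this call instead of leaving them unset.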
@@ -0,0 +1,52 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0 |
+| [oci](#requirement\_oci) | 5.1.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [oci](#provider\_oci) | 5.1.0 |
+| [random](#provider\_random) | n/a |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [architecture\_tag](#module\_architecture\_tag) | ../../modules/tag | n/a |
+| [firewall\_threat\_log](#module\_firewall\_threat\_log) | ../../modules/service-log | n/a |
+| [firewall\_traffic\_log](#module\_firewall\_traffic\_log) | ../../modules/service-log | n/a |
+| [network\_firewall](#module\_network\_firewall) | ../../modules/network-firewall | n/a |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_core_subnet.oci_network_firewall_subnet](https://registry.terraform.io/providers/oracle/oci/5.1.0/docs/resources/core_subnet) | resource |
+| [random_id.tag](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [oci_identity_region_subscriptions.regions](https://registry.terraform.io/providers/oracle/oci/5.1.0/docs/data-sources/identity_region_subscriptions) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [enable\_network\_firewall](#input\_enable\_network\_firewall) | Enable Network Firewall in Enviornment. | `bool` | n/a | yes |
+| [enable\_traffic\_threat\_log](#input\_enable\_traffic\_threat\_log) | Enable Network Firewall Threat and Traffic Logs in Enviornment. | `bool` | n/a | yes |
+| [environment\_prefix](#input\_environment\_prefix) | the 1 character string representing the environment eg. 
P (prod), N (non-prod), D, T, U | `string` | n/a | yes |
+| [home\_compartment\_id](#input\_home\_compartment\_id) | Home Compartment ID | `string` | n/a | yes |
+| [is\_baseline\_deploy](#input\_is\_baseline\_deploy) | TagNameSpace Optimization: Enable this flag to disable dependent module TagNameSpace Tag Creation. | `bool` | n/a | yes |
+| [nfw\_instance\_name](#input\_nfw\_instance\_name) | Network Firewall Instance Name. | `string` | n/a | yes |
+| [nfw\_instance\_policy](#input\_nfw\_instance\_policy) | Network Firewall Instance Policy Name. | `string` | n/a | yes |
+| [nfw\_subnet\_cidr\_block](#input\_nfw\_subnet\_cidr\_block) | Network Firewall Subnet CIDR IP Block. | `string` | n/a | yes |
+| [nfw\_subnet\_type](#input\_nfw\_subnet\_type) | Network Firewall Subnet Type. | `string` | n/a | yes |
+| [region](#input\_region) | The OCI region | `string` | n/a | yes |
+| [tenancy\_ocid](#input\_tenancy\_ocid) | The OCID of tenancy | `string` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
\ No newline at end of file
diff --git a/templates/elz-network-firewall/datasources.tf b/templates/elz-network-firewall/datasources.tf
new file mode 100644
index 00000000..3e483838
--- /dev/null
+++ b/templates/elz-network-firewall/datasources.tf
@@ -0,0 +1,12 @@
+# -----------------------------------------------------------------------------
+# Support for multi-region deployments
+# -----------------------------------------------------------------------------
+locals {
+ region_subscriptions = data.oci_identity_region_subscriptions.regions.region_subscriptions
+ home_region = [for region in local.region_subscriptions : region.region_name if region.is_home_region == true]
+ region_key = [for region in local.region_subscriptions : region.region_key if region.region_name == var.region]
+}
+
+data "oci_identity_region_subscriptions" "regions" {
+ tenancy_id = var.tenancy_ocid
+}
diff --git a/templates/elz-network-firewall/main.tf b/templates/elz-network-firewall/main.tf
new file mode 100644
index 00000000..162bd75a
--- /dev/null
+++ b/templates/elz-network-firewall/main.tf
@@ -0,0 +1,88 @@
+locals {
+ network_firewall = {
+ network_firewall_name = var.nfw_instance_name != "" ? var.nfw_instance_name : "OCI-ELZ-NFW-${var.environment_prefix}"
+ network_firewall_policy_name = var.nfw_instance_policy != "" ? var.nfw_instance_name : "OCI-ELZ-NFW-Policy-${var.environment_prefix}"
+ #drg_id = module.hub.drg_id
+ nfw_policy_action = "ALLOW"
+ }
+ firewall_threat_log = {
+ log_display_name = "OCI-ELZ-NFW-THREAT-LOG-${var.environment_prefix}"
+ log_type = "SERVICE"
+ log_source_category = "threatlog"
+ log_source_resource = module.network_firewall.firewall_id
+ log_source_service = "ocinetworkfirewall"
+ log_source_type = "OCISERVICE"
+ }
+ firewall_traffic_log = {
+ log_display_name = "OCI-ELZ-NFW-TRAFFIC-LOG-${var.environment_prefix}"
+ log_type = "SERVICE"
+ log_source_category = "trafficlog"
+ log_source_resource = module.network_firewall.firewall_id
+ log_source_service = "ocinetworkfirewall"
+ log_source_type = "OCISERVICE"
+ }
+}
+
+##############################################################################
+########### CREATE NETWORK FIREWALL ##########
+##############################################################################
+
+module "network_firewall" {
+ count = var.enable_network_firewall == "true" ? 1 : 0
+ source = "../../modules/network-firewall"
+
+ network_compartment_ocid = var.network_compartment_ocid
+ network_firewall_subnet_id = var.network_firewall_subnet_id
+ network_firewall_name = local.network_firewall.network_firewall_name
+ network_firewall_policy_name = local.network_firewall.network_firewall_policy_name
+ network_firewall_policy_action = local.network_firewall.nfw_policy_action
+}
+
+##############################################################################
+########### Create Firewall VCN: Firewall subnet ##########
+##############################################################################
+
+
+resource "oci_core_subnet" "oci_network_firewall_subnet" {
+ #count = local.use_existing_network ? 
0 : 1
+ count = var.enable_network_firewall == "true" ? 1 : 0
+ compartment_id = var.network_compartment_ocid
+ vcn_id = var.hub_vcn_id
+ cidr_block = var.nfw_subnet_cidr_block
+ display_name = var.nfw_subnet_display_name
+ dns_label = var.nfw_subnet_dns_label
+ prohibit_public_ip_on_vnic = false
+}
+
+##############################################################################
+########### Create Firewall Firewall Threat and Traffic Log ##########
+##############################################################################
+module "firewall_threat_log" {
+ count = var.enable_network_firewall == "true" ? 1 : 0
+ source = "../../modules/service-log"
+
+ log_display_name = local.firewall_threat_log.log_display_name
+ log_type = local.firewall_threat_log.log_type
+ log_group_id = module.default_log_group.log_group_id
+ log_source_category = local.firewall_threat_log.log_source_category
+ log_source_resource = local.firewall_threat_log.log_source_resource
+ log_source_service = local.firewall_threat_log.log_source_service
+ log_source_type = local.firewall_threat_log.log_source_type
+
+ depends_on = [ module.network_firewall, module.default_log_group ]
+}
+
+module "firewall_traffic_log" {
+ count = var.enable_network_firewall == "true" ? 1 : 0
+ source = "../../modules/service-log"
+
+ log_display_name = local.firewall_traffic_log.log_display_name
+ log_type = local.firewall_traffic_log.log_type
+ log_group_id = module.default_log_group.log_group_id
+ log_source_category = local.firewall_traffic_log.log_source_category
+ log_source_resource = local.firewall_traffic_log.log_source_resource
+ log_source_service = local.firewall_traffic_log.log_source_service
+ log_source_type = local.firewall_traffic_log.log_source_type
+
+ depends_on = [ module.network_firewall, module.default_log_group ]
+}
diff --git a/templates/elz-network-firewall/nfw.tfvars b/templates/elz-network-firewall/nfw.tfvars
new file mode 100644
index 00000000..c0429573
--- /dev/null
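Review bot: `count = var.enable_network_firewall == "true" ? 1 : 0` compares a `bool` input with a string; Terraform's `==` returns false for operands of different types, so all four counted blocks in this file stay at 0 and the firewall, its subnet and its logs are never created even when the flag is true — use the boolean directly. Two more defects sit in the `locals` block: `network_firewall_policy_name` falls back to `var.nfw_instance_name` instead of `var.nfw_instance_policy`, and `module.network_firewall.firewall_id` needs an instance key because the module has `count`. Hard-coding `nfw_policy_action = "ALLOW"` also means the firewall that does get deployed starts out permitting everything; exposing the action as an input so the baseline can ship a deny-by-default policy would be the safer contract, assuming the module forwards it to the policy's rule action.
```terraform
locals {
  network_firewall = {
    network_firewall_name        = var.nfw_instance_name != "" ? var.nfw_instance_name : "OCI-ELZ-NFW-${var.environment_prefix}"
    network_firewall_policy_name = var.nfw_instance_policy != "" ? var.nfw_instance_policy : "OCI-ELZ-NFW-Policy-${var.environment_prefix}"
    nfw_policy_action            = "ALLOW" # TODO(review): make this an input; a permit-all policy leaves the firewall passing all traffic
  }
  firewall_threat_log = {
    # … unchanged: display name, type, category, service, source type …
    log_source_resource = module.network_firewall[0].firewall_id
  }
  # … unchanged: firewall_traffic_log, with the same [0] index …
}

module "network_firewall" {
  count  = var.enable_network_firewall ? 1 : 0
  # … unchanged: source and arguments …
}
# … unchanged: oci_core_subnet and both service-log modules, each with count = var.enable_network_firewall ? 1 : 0 …
```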
+++ b/templates/elz-network-firewall/nfw.tfvars
@@ -0,0 +1,20 @@
+#current_user_ocid = ""
+#region = ""
+#tenancy_ocid = ""
+#api_fingerprint = ""
+#api_private_key_path = ""
+
+environment_prefix = ""
+network_compartment_ocid = ""
+hub_vcn_cidr_block = ""
+network_firewall_subnet_id = ""
+drg_id = ""
+hub_vcn_id = ""
+spoke_vcn_id = ""
+
+nfw_subnet_cidr_block = ""
+nfw_subnet_display_name = ""
+nfw_subnet_dns_label = ""
+route_table_id = ""
+idcs_endpoint = ""
+igw_id = ""
diff --git a/templates/elz-network-firewall/provider.tf b/templates/elz-network-firewall/provider.tf
new file mode 100644
index 00000000..fc80c0d0
--- /dev/null
+++ b/templates/elz-network-firewall/provider.tf
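Review bot: The keys in this tfvars file (`network_compartment_ocid`, `hub_vcn_cidr_block`, `network_firewall_subnet_id`, `drg_id`, `hub_vcn_id`, `spoke_vcn_id`, `nfw_subnet_display_name`, `nfw_subnet_dns_label`, `route_table_id`, `idcs_endpoint`, `igw_id`) have no matching `variable` in templates/elz-network-firewall/variables.tf in this commit, and they differ from the names CONFIGURATION.md documents for standalone use (`nfw_compartment_ocid`, `nfw_drg_ocid`, `nfw_subnet_ocid`, …), so Terraform will warn that these values are undeclared and a user following the documentation sets variables that do not exist. Pick one set of names and use it in the module's variables.tf, here and in the docs. The commented `current_user_ocid`/`api_fingerprint`/`api_private_key_path` entries make this a file users populate with API credentials; committing it as `nfw.tfvars.example` (or ignoring the filled-in name in `.gitignore`) keeps a populated copy out of the repository.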
@@ -0,0 +1,72 @@
+# -----------------------------------------------------------------------------
+# Provider Requirements if using stack as a module
+# -----------------------------------------------------------------------------
+terraform {
+ required_version = ">= 1.0.0"
+
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = "5.1.0"
+ configuration_aliases = [oci, oci.home_region]
+ }
+ }
+}
+
+# # -----------------------------------------------------------------------------
+# # WARNING!
+# # UNCOMMENT EVERYTHING BELOW AND COMMENT EVERYTHING ABOVE IF YOU WISH TO USE THIS
+# # STACK AS A STANDALONE - DO NOT TOUCH IF USING THIS STACK IN A MODULE CALL
+# # Provider Requirements if using stack as standalone
+# # -----------------------------------------------------------------------------
+# terraform {
+# required_version = ">= 1.0.0"
+
+# required_providers {
+# oci = {
+# source = "oracle/oci"
+# version = "5.1.0"
+# }
+# }
+# }
+
+# # -----------------------------------------------------------------------------
+# # Provider blocks for home region and alternate region(s)
+# # -----------------------------------------------------------------------------
+# provider "oci" {
+# tenancy_ocid = var.tenancy_ocid
+# user_ocid = var.current_user_ocid
+# fingerprint = var.api_fingerprint
+# private_key_path = var.api_private_key_path
+# region = var.region
+# }
+
+# provider "oci" {
+# alias = "home_region"
+# tenancy_ocid = var.tenancy_ocid
+# user_ocid = var.current_user_ocid
+# fingerprint = var.api_fingerprint
+# private_key_path = var.api_private_key_path
+# region = local.home_region[0]
+# }
+
+# # -----------------------------------------------------------------------------
+# # Provider Variables
+# # -----------------------------------------------------------------------------
+# variable "current_user_ocid" {
+# type = string
+# description = "The OCID of the current user"
+# default = ""
+# }
+
+# variable "api_fingerprint" {
+# type = string 
+# description = "The fingerprint of API"
+# default = ""
+# }
+
+# variable "api_private_key_path" {
+# type = string
+# description = "The local path to the API private key"
+# default = ""
+# }
diff --git a/templates/elz-network-firewall/tagging.tf b/templates/elz-network-firewall/tagging.tf
new file mode 100644
index 00000000..982ab460
--- /dev/null
+++ b/templates/elz-network-firewall/tagging.tf
@@ -0,0 +1,41 @@
+
+locals {
+ architecture_tag = {
+ tag_namespace_description = "ArchitectureCenterTagNamespace"
+ tag_namespace_name = "ArchitectureCenter\\oracle-enterprise-landing-zone-v2-${random_id.tag.hex}"
+ is_namespace_retired = false
+ tag_map = {
+ architecture_tag = {
+ description = "ArchitectureCenterTag"
+ name = "release"
+ validator_type = "ENUM"
+ validator_values = ["release", "1.0.0", "2.0.0"]
+ is_cost_tracking = false
+ is_retired = false
+ }
+ }
+ tag_default_map = {
+ architecture_tag = {
+ compartment_id = var.home_compartment_id
+ tag_definition_name = "architecture_tag"
+ value = "2.0.0"
+ is_required = false
+ }
+ }
+ }
+}
+
+resource "random_id" "tag" {
+ byte_length = 2
+}
+
+module "architecture_tag" {
+ count = var.is_baseline_deploy ? 0 : 1
+ source = "../../modules/tag"
+ compartment_id = var.tenancy_ocid
+ tag_namespace_description = local.architecture_tag.tag_namespace_description
+ tag_namespace_name = local.architecture_tag.tag_namespace_name
+ is_namespace_retired = local.architecture_tag.is_namespace_retired
+ tag_map = local.architecture_tag.tag_map
+ tag_default_map = local.architecture_tag.tag_default_map
+}
diff --git a/templates/elz-network-firewall/variables.tf b/templates/elz-network-firewall/variables.tf
new file mode 100644
index 00000000..34f7ce08
--- /dev/null
+++ b/templates/elz-network-firewall/variables.tf
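Review bot: In the commented standalone block, `current_user_ocid`, `api_fingerprint` and `api_private_key_path` are given `default = ""`, so a user who uncomments it and forgets one value loses Terraform's clear missing-variable error and presumably gets a far less obvious provider authentication failure instead; dropping the defaults, or adding `validation { condition = var.api_private_key_path != "" ... }`, surfaces the mistake at plan time. Switching between module and standalone use by commenting and uncommenting some fifty lines is also easy to get wrong in either direction; a small standalone root that calls this directory as a module and owns its own provider blocks would avoid editing provider.tf at all.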
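Review bot: `random_id.tag` pulls in the hashicorp/random provider, but the `required_providers` block in this commit's provider.tf declares only `oci`, so `random` is resolved implicitly and unpinned (the README lists its version as n/a); adding `random = { source = "hashicorp/random", version = "<PINNED_VERSION>" }` next to `oci` makes the dependency explicit and lockable. `random_id.tag` also has no `count`, so it is created even when `is_baseline_deploy` is true and `module.architecture_tag`, the only consumer of `random_id.tag.hex`, is skipped; `count = var.is_baseline_deploy ? 0 : 1` on the resource, with `random_id.tag[0].hex` in the local, keeps the two in step.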
@@ -0,0 +1,56 @@
+# -----------------------------------------------------------------------------
+# Common Variables
+# -----------------------------------------------------------------------------
+variable "tenancy_ocid" {
+ type = string
+ description = "The OCID of tenancy"
+}
+
+variable "region" {
+ type = string
+ description = "The OCI region"
+}
+
+variable "environment_prefix" {
+ type = string
+ description = "the 1 character string representing the environment eg. P (prod), N (non-prod), D, T, U"
+}
+
+variable "home_compartment_id" {
+ type = string
+ description = "Home Compartment ID"
+}
+variable "is_baseline_deploy" {
+ type = bool
+ description = "TagNameSpace Optimization: Enable this flag to disable dependent module TagNameSpace Tag Creation."
+}
+
+# -----------------------------------------------------------------------------
+# Network Firewall Variables
+# -----------------------------------------------------------------------------
+
+variable "enable_network_firewall" {
+ type = bool
+ description = "Enable Network Firewall in Enviornment."
+}
+variable "enable_traffic_threat_log" {
+ type = bool
+ description = "Enable Network Firewall Threat and Traffic Logs in Enviornment."
+}
+variable "nfw_subnet_type" {
+ type = string
+ description = "Network Firewall Subnet Type."
+}
+variable "nfw_instance_name" {
+ type = string
+ description = "Network Firewall Instance Name."
+}
+variable "nfw_instance_policy" {
+ type = string
+ description = "Network Firewall Instance Policy Name."
+}
+variable "nfw_subnet_cidr_block" {
+ type = string
+ description = "Network Firewall Subnet CIDR IP Block."
+}
+
diff --git a/templates/enterprise-landing-zone/environment.tf b/templates/enterprise-landing-zone/environment.tf
index 9420796f..524556b8 100644
--- a/templates/enterprise-landing-zone/environment.tf
+++ b/templates/enterprise-landing-zone/environment.tf
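Review bot: `enable_traffic_threat_log` and `nfw_subnet_type` are declared as required inputs, but nothing in this commit's main.tf reads them: both service-log modules are gated on `enable_network_firewall` alone, and `oci_core_subnet.oci_network_firewall_subnet` hard-codes `prohibit_public_ip_on_vnic = false`, so a caller who asks for a `private` firewall subnet still gets one whose VNICs may carry public IPs. Either wire them — `count = var.enable_network_firewall && var.enable_traffic_threat_log ? 1 : 0` on the two log modules and `prohibit_public_ip_on_vnic = var.nfw_subnet_type == "private"` on the subnet — or drop them so the interface does not promise behaviour it does not deliver. A short header comment stating that `home_compartment_id` and `is_baseline_deploy` exist only for tagging.tf would also help readers of this file.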
@@ -98,6 +98,13 @@ module "prod_environment" {
 private_spoke_subnet_app_cidr_block = var.prod_spoke_subnet_app_cidr_block
 private_spoke_subnet_db_cidr_block = var.prod_spoke_subnet_db_cidr_block
+ enable_network_firewall = var.enable_network_firewall_prod
+ enable_traffic_threat_log = var.enable_traffic_threat_log_prod
+ nfw_subnet_type = var.nfw_subnet_type_prod
+ nfw_instance_name = var.nfw_instance_name_prod
+ nfw_instance_policy = var.nfw_instance_policy_prod
+ nfw_subnet_cidr_block = var.nfw_subnet_cidr_block_prod
+
 enable_bastion = var.prod_enable_bastion
 bastion_client_cidr_block_allow_list = var.prod_bastion_client_cidr_block_allow_list
 vault_type = var.prod_vault_type
@@ -237,6 +244,13 @@ module "nonprod_environment" {
 private_spoke_subnet_app_cidr_block = var.nonprod_spoke_subnet_app_cidr_block
 private_spoke_subnet_db_cidr_block = var.nonprod_spoke_subnet_db_cidr_block
+ enable_network_firewall = var.enable_network_firewall_nonprod
+ enable_traffic_threat_log = var.enable_traffic_threat_log_nonprod
+ nfw_subnet_type = var.nfw_subnet_type_nonprod
+ nfw_instance_name = var.nfw_instance_name_nonprod
+ nfw_instance_policy = var.nfw_instance_policy_nonprod
+ nfw_subnet_cidr_block = var.nfw_subnet_cidr_block_nonprod
+
 enable_bastion = var.nonprod_enable_bastion
 bastion_client_cidr_block_allow_list = var.nonprod_bastion_client_cidr_block_allow_list
 vault_type = var.nonprod_vault_type
diff --git a/templates/enterprise-landing-zone/network-firewall-variables.tf b/templates/enterprise-landing-zone/network-firewall-variables.tf
new file mode 100644
index 00000000..d5aae195
--- /dev/null
+++ b/templates/enterprise-landing-zone/network-firewall-variables.tf
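Review bot: The six new arguments in `module "prod_environment"` read `var.*_prod` suffix names while every neighbouring argument in the block uses the `var.prod_*` prefix (`var.prod_spoke_subnet_db_cidr_block`, `var.prod_enable_bastion`, `var.prod_vault_type`); the nonprod hunk has the same inconsistency against `var.nonprod_*`. Since CONFIGURATION.md in this commit already publishes the suffix spelling, a later rename would break users' tfvars, so the convention is worth settling before this ships. Both module blocks begin and end outside the hunks.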
@@ -0,0 +1,84 @@
+variable "enable_network_firewall_prod" {
+ type = bool
+ description = "Enable Network Firewall in Prod Enviornment."
+ default = false
+}
+variable "enable_network_firewall_nonprod" {
+ type = bool
+ description = "Enable Network Firewall in Non-Prod Enviornment."
+ default = false
+}
+
+#enable_network_firewall_env
+
+variable "enable_network_firewall_env_prod" {
+ type = bool
+ description = "Enable Network Firewall in Prod Enviornment."
+ default = false
+}
+variable "enable_network_firewall_env_nonprod" {
+ type = bool
+ description = "Enable Network Firewall in Non-Prod Enviornment."
+ default = false
+}
+
+#enable_traffic_threat_log
+
+variable "enable_traffic_threat_log_prod" {
+ type = bool
+ description = "Enable Network Firewall Threat and Traffic Logs in Prod Enviornment."
+ default = false
+}
+
+variable "enable_traffic_threat_log_nonprod" {
+ type = bool
+ description = "Enable Network Firewall Threat and Traffic Logs in Non-Prod Enviornment."
+ default = false
+}
+
+#enable_nfw_subnet_type
+
+variable "nfw_subnet_type_prod" {
+ type = string
+ description = "Network Firewall Subnet Type."
+ default = "public"
+}
+variable "nfw_subnet_type_nonprod" {
+ type = string
+ description = "Network Firewall Subnet Type."
+ default = "public"
+}
+
+variable "nfw_instance_name_prod" {
+ type = string
+ description = "Network Firewall Instance Name."
+ default = ""
+}
+variable "nfw_instance_name_nonprod" {
+ type = string
+ description = "Network Firewall Instance Name."
+ default = ""
+}
+
+variable "nfw_instance_policy_prod" {
+ type = string
+ description = "Network Firewall Instance Policy Name."
+ default = ""
+}
+variable "nfw_instance_policy_nonprod" {
+ type = string
+ description = "Network Firewall Instance Policy Name."
+ default = ""
+}
+
+#nfw_subnet_cidr_block
+variable "nfw_subnet_cidr_block_prod" {
+ type = string
+ description = "Network Firewall Subnet IP CIDR Block." 
+ default = ""
+}
+variable "nfw_subnet_cidr_block_nonprod" {
+ type = string
+ description = "Network Firewall Subnet IP CIDR Block."
+ default = ""
+}
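Review bot: `enable_network_firewall_env_prod` and `enable_network_firewall_env_nonprod` are declared but nothing in this commit reads them — environment.tf passes `var.enable_network_firewall_prod` and `var.enable_network_firewall_nonprod` — so they are dead inputs that a user can set with no effect and will mistake for the real switch; remove them or wire them. `nfw_subnet_type_prod` and `nfw_subnet_type_nonprod` default to `"public"` while their descriptions omit the accepted values; `description = "Network Firewall Subnet Type: \"public\" or \"private\"."` would match the `public|private` that CONFIGURATION.md documents, and a `"private"` default would be the more conservative starting point for a firewall subnet once the module honours the setting.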