NFW Related Changes

NFW Related Changes

Official_Documentation/OELZ_Baseline_Deployment/Architecture_Guide.md

@@ -387,12 +387,18 @@ The security lists implemented during the OELZ v2.0 deployment are CIS 1.2.0 com
 
 ## **_Network Firewall Module_**
 
-Oracle Cloud InfrastructureNetwork Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure VCN. The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-south network traffic) as well traffic between subnets (East-west network traffic).
+Oracle Cloud Infrastructure Network Firewall is a next-generation managed network firewall and intrusion detection and prevention service for your Oracle Cloud Infrastructure VCN. The Network Firewall service offers simple setup and deployment and gives you visibility into traffic entering your cloud environment (North-south network traffic) as well traffic between subnets (East-west network traffic). We are using combined architesture where are using Dynmamic Routing Gateway with OCI Network Firewall running in the Furewall VCN(Hub VCAN). This architecture has a central component (Hub) that's connected to multipe networks around it like Spoke. To learn more about teh architecture check the offical [Reference Architecture doc](https://docs.oracle.com/en/solutions/oci-network-firewall/#GUID-F4B62BD0-EAD4-4763-B06F-6ACAC758BD69).
+
+## **_Network Firewall Architecture_**
+
+![Architecture](<../../images/OCI-NFW.jpg> "Architecture")
+
+**Network Firewall Feature**
 
 - The customer should be able to deploy the OCI Network Firewall during the OELZ v2 deployment in Production and/or No-Production.
-- The customer should be able to deploy the OCI Network Firewall using its module in a standalone mode.
 - The customer should be able to deploy the OCI Network Firewall in a private or public subnet part of the HUB Network.
 - The customer should be able to inspect the North-South and East-West (inter and intra VCN) traffic in the OELZ v2 Hub and Spoke topology using OCI Network Firewall.
+- The customer should be able to enable or not Traffic Log and Threat Log.
 
 
 ## **_Security Module_**

Official_Documentation/OELZ_Baseline_Deployment/CONFIGURATION.md

@@ -500,9 +500,9 @@ The Network Firewall service offers simple setup and deployment and gives you vi
 
 1. **With Baseline**
 
-    1.1) By Default Network Firewall is disabled. 
-    1.2) To Enable Network Firewall on Prod Environment.
-    1.3) Go to Folder templates/enterprise-landing-zone and tfvars file.\
+    1.1) By Default Network Firewall is disabled.<br /> 
+    1.2) To Enable Network Firewall on Prod Environment.<br />
+    1.3) Go to Folder templates/enterprise-landing-zone and tfvars file.<br />
 
 **Required Arguments/Parameters For Baseline Deployment on Prod**:
 
@@ -532,9 +532,9 @@ The Network Firewall service offers simple setup and deployment and gives you vi
 
 2. **Without Baseline as Standlone**
 
-    2.1) Assumption : OELZ Baseline stack has been successfully deployed.\
-    2.2) Go to Folder templates/elz-network-firewall.\
-    2.3) **Required Varibales For Baseline Deployment**\
+    2.1) Assumption : OELZ Baseline stack has been successfully deployed.<br />
+    2.2) Go to Folder templates/elz-network-firewall.<br />
+    2.3) **Required Varibales For Baseline Deployment**
 
 | Descripation                       | TFVAR Variable                                |Default Value          | 
 | :--------------------------------- | --------------------------------------------- |-----------------------|

modules/network-firewall/README.md

@@ -0,0 +1,42 @@
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_network_firewall_network_firewall.network_firewall](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall) | resource |
+| [oci_network_firewall_network_firewall_policy.network_firewall_policy](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/network_firewall_network_firewall_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ip_address_lists"></a> [ip\_address\_lists](#input\_ip\_address\_lists) | The list of ip address. | `map(any)` | n/a | yes |
+| <a name="input_network_compartment_ocid"></a> [network\_compartment\_ocid](#input\_network\_compartment\_ocid) | The OCID of the compartment containing the Network Firewall. | `string` | n/a | yes |
+| <a name="input_network_firewall_name"></a> [network\_firewall\_name](#input\_network\_firewall\_name) | OCI Network Firewall Name. | `string` | n/a | yes |
+| <a name="input_network_firewall_policy_action"></a> [network\_firewall\_policy\_action](#input\_network\_firewall\_policy\_action) | Network Firewall Policy Action. | `string` | n/a | yes |
+| <a name="input_network_firewall_policy_name"></a> [network\_firewall\_policy\_name](#input\_network\_firewall\_policy\_name) | The name of network firewall policy. | `string` | n/a | yes |
+| <a name="input_network_firewall_subnet_id"></a> [network\_firewall\_subnet\_id](#input\_network\_firewall\_subnet\_id) | The OCID of the subnet associated with the Network Firewall. | `string` | n/a | yes |
+| <a name="input_security_rules"></a> [security\_rules](#input\_security\_rules) | The list of security rules. | `map(any)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_firewall_id"></a> [firewall\_id](#output\_firewall\_id) | The OCID of network firewall |
+| <a name="output_firewall_ip"></a> [firewall\_ip](#output\_firewall\_ip) | The IP address network firewall |
+| <a name="output_firewall_ip_id"></a> [firewall\_ip\_id](#output\_firewall\_ip\_id) | The OCID of network firewall ip |
+<!-- END_TF_DOCS -->

modules/network-firewall/datasources.tf

@@ -0,0 +1,11 @@
+data "oci_core_private_ips" "firewall_subnet_private_ip" {
+  subnet_id = var.network_firewall_subnet_id
+  depends_on = [
+    time_sleep.network_firewall_ip_delay
+  ]
+
+  filter {
+    name   = "display_name"
+    values = [var.network_firewall_name]
+  }
+}

modules/network-firewall/main.tf

@@ -0,0 +1,51 @@
+terraform {
+  required_providers {
+    oci = {
+      source = "oracle/oci"
+    }
+  }
+}
+resource "time_sleep" "network_firewall_ip_delay" {
+  depends_on = [oci_network_firewall_network_firewall.network_firewall]
+  create_duration = "90s"
+}
+######################################################################
+#                      OCI NETWORK FIREWALL                          #
+######################################################################
+resource "oci_network_firewall_network_firewall" "network_firewall" {
+  compartment_id             = var.network_compartment_ocid
+  network_firewall_policy_id = oci_network_firewall_network_firewall_policy.network_firewall_policy.id
+  subnet_id                  = var.network_firewall_subnet_id
+  display_name               = var.network_firewall_name
+}
+
+######################################################################
+#                  OCI NETWORK FIREWALL POLICY                       #
+######################################################################
+
+resource "oci_network_firewall_network_firewall_policy" "network_firewall_policy" {
+  display_name   = var.network_firewall_policy_name
+  compartment_id = var.network_compartment_ocid
+
+  dynamic "ip_address_lists" {
+    for_each = var.ip_address_lists
+    content {
+      ip_address_list_name  = ip_address_lists.key
+      ip_address_list_value = ip_address_lists.value
+    }
+  }  
+  dynamic "security_rules" {
+    for_each = var.security_rules
+    content {
+      name   = security_rules.key
+      action = security_rules.value.security_rules_action
+      condition {
+        applications = security_rules.value.security_rules_condition_applications
+        destinations = security_rules.value.security_rules_condition_destinations
+        sources      = security_rules.value.security_rules_condition_sources
+        urls         = security_rules.value.security_rules_condition_urls
+      }
+    }
+  }
+}
+

modules/network-firewall/outputs.tf

@@ -0,0 +1,14 @@
+output "firewall_id" {
+  value       = oci_network_firewall_network_firewall.network_firewall.id
+  description = "The OCID of network firewall"
+}
+
+output "firewall_ip_id" {
+  value       = data.oci_core_private_ips.firewall_subnet_private_ip.private_ips[0].id
+  description = "The OCID of network firewall ip"
+}
+
+output "firewall_ip" {
+  value       = oci_network_firewall_network_firewall.network_firewall.ipv4address
+  description = "The IP address network firewall"
+}

modules/network-firewall/variables.tf

@@ -0,0 +1,32 @@
+variable "network_compartment_ocid" {
+  type        = string
+  description = "The OCID of the compartment containing the Network Firewall."
+}
+
+variable "network_firewall_name" {
+  type        = string
+  description = "OCI Network Firewall Name."
+}
+
+variable "network_firewall_subnet_id" {
+  type        = string
+  description = "The OCID of the subnet associated with the Network Firewall."
+}
+
+variable "network_firewall_policy_name" {
+  type        = string
+  description = "The name of network firewall policy."
+}
+
+variable "network_firewall_policy_action" {
+  type        = string
+  description = "Network Firewall Policy Action."
+}
+variable "ip_address_lists" {
+  type        = map(any)
+  description = "The list of ip address."
+}
+variable "security_rules" {
+  type        = map(any)
+  description = "The list of security rules."
+}

modules/subnet/outputs.tf

@@ -4,4 +4,3 @@ output "subnets" {
   }
   description = "The subnet OCID"
 }
-

templates/elz-environment/logging.tf

@@ -15,8 +15,6 @@ module "logging" {
   subnets_map                         = module.network.subnets
   is_baseline_deploy                  = var.is_baseline_deploy
 
-  depends_on = [ module.network ]
-
   providers = {
     oci             = oci
     oci.home_region = oci.home_region

templates/elz-environment/main.tf

@@ -123,7 +123,7 @@ module "network" {
   environment_prefix     = var.environment_prefix
   region                 = var.region
   network_compartment_id = module.compartment.compartments.network.id
-  home_compartment_id          = var.home_compartment_id
+  home_compartment_id      = var.home_compartment_id
   is_baseline_deploy           = var.is_baseline_deploy
 
   enable_internet_gateway_hub  = var.enable_internet_gateway_hub
@@ -153,12 +153,21 @@ module "network" {
   enable_fastconnect_on_environment   = var.enable_fastconnect_on_environment
   customer_onprem_ip_cidr             = var.customer_onprem_ip_cidr
 
+  log_group_id                      = module.logging.log_group_id
+  enable_network_firewall           = var.enable_network_firewall
+  enable_traffic_threat_log         = var.enable_traffic_threat_log
+  nfw_subnet_type                   = var.nfw_subnet_type
+  nfw_instance_name                 = var.nfw_instance_name
+  nfw_instance_policy               = var.nfw_instance_policy
+  nfw_use_existing_network          = var.nfw_use_existing_network
+
   additional_workload_subnets_cidr_blocks = var.additional_workload_subnets_cidr_blocks
 
   providers = {
     oci             = oci
     oci.home_region = oci.home_region
   }
+  #depends_on = [ module.prod_environment.module.logging, module.nonprod_environment.module.logging ]
 }
 
 module "tagging" {

templates/elz-environment/network-firewall-variables.tf

@@ -18,7 +18,7 @@ variable "nfw_instance_policy" {
   type        = string
   description = "Network Firewall Instance Policy Name."
 }
-variable "nfw_subnet_cidr_block" {
-  type        = string
-  description = "Network Firewall Subnet CIDR IP Block."
+variable "nfw_use_existing_network" {
+  type        = bool
+  description = "Use Existing VCN in place Network Firewall."
 }

templates/elz-environment/variables.tf

@@ -399,4 +399,7 @@ variable "workload_name_prefix" {
 variable "additional_workload_subnets_cidr_blocks" {
   type        = list(string)
   description = "A list of subnets cidr blocks in additional workload stack"
+}
+variable "enable_datasafe" {
+  type    = bool
 }

templates/elz-environment/workload.tf

@@ -42,7 +42,7 @@ module "workload" {
   workload_private_spoke_subnet_db_cidr_block  = var.private_spoke_subnet_db_cidr_block
   workload_private_spoke_subnet_web_cidr_block = var.private_spoke_subnet_web_cidr_block
   workload_spoke_vcn_cidr                      = var.spoke_vcn_cidr
-
+  enable_datasafe                              = var.enable_datasafe
 
   providers = {
     oci             = oci

templates/elz-hub/datasources.tf

@@ -1,12 +1,25 @@
-# -----------------------------------------------------------------------------
-# Support for multi-region deployments
-# -----------------------------------------------------------------------------
+######################################################################
+#                Support for multi-region deployments                #
+######################################################################
 locals {
   region_subscriptions = data.oci_identity_region_subscriptions.regions.region_subscriptions
   home_region          = [for region in local.region_subscriptions : region.region_name if region.is_home_region == true]
   region_key           = [for region in local.region_subscriptions : region.region_key if region.region_name == var.region]
 }
-
+######################################################################
+#                    Get Tenancy OCID From the Region                #
+######################################################################
 data "oci_identity_region_subscriptions" "regions" {
   tenancy_id = var.tenancy_ocid
 }
+
+######################################################################
+#              Get the Private IPs using Trust Subnet                #
+######################################################################
+data "oci_core_private_ips" "firewall_subnet_private_ip" {
+  subnet_id = local.public_subnet_id
+  filter {
+    name   = "display_name"
+    values = [local.network_firewall_info.network_firewall_name]
+  }
+}