aws_networkfirewall_firewall - expose VPC endpoints to terraform #16350

Closed
dthvt opened this issue Nov 20, 2020 · 10 comments · Fixed by #16399
Labels: enhancement (Requests to existing resources that expand the functionality or scope), service/networkfirewall (Issues and PRs that pertain to the networkfirewall service)

Comments

@dthvt (Contributor) commented Nov 20, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

The aws_networkfirewall_firewall resource needs to expose the VPC endpoints created by the firewall for use in routing tables in order to actually use it. These endpoints are exposed in the FirewallStatus structure returned by the API.

For example:

$ aws --region us-east-1 network-firewall describe-firewall --firewall-name dhagan-2020-11-20-002
{
    "UpdateToken": "29c6147b-e772-4c46-8d78-7aa5f2b71aaf",
    "Firewall": {
        "FirewallName": "dhagan-2020-11-20-002",
        "FirewallArn": "arn:aws:network-firewall:us-east-1:xxx:firewall/dhagan-2020-11-20-002",
        "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:xxxx:firewall-policy/example-inspection-vpc-policy",
        "VpcId": "vpc-0b857b1a3686ae36d",
        "SubnetMappings": [
            {
                "SubnetId": "subnet-0f96d5471222feb28"
            },
            {
                "SubnetId": "subnet-0f55ba6bdcc7357ca"
            },
            {
                "SubnetId": "subnet-03c8e80f3c807fd2e"
            },
            {
                "SubnetId": "subnet-05d7d553643f36d0e"
            },
            {
                "SubnetId": "subnet-02e8df98316b27054"
            }
        ],
        "DeleteProtection": false,
        "SubnetChangeProtection": false,
        "FirewallPolicyChangeProtection": false,
        "FirewallId": "b70bc32e-9753-4d7e-bb82-febfb362b72b",
        "Tags": []
    },
    "FirewallStatus": {
        "Status": "READY",
        "ConfigurationSyncStateSummary": "IN_SYNC",
        "SyncStates": {
            "us-east-1a": {
                "Attachment": {
                    "SubnetId": "subnet-05d7d553643f36d0e",
                    "EndpointId": "vpce-0394425be976920e3",
                    "Status": "READY"
                },
                "Config": {
                    "arn:aws:network-firewall:us-east-1:xxxx:firewall-policy/example-inspection-vpc-policy": {
                        "SyncStatus": "IN_SYNC"
                    }
                }
            },
            "us-east-1b": {
                "Attachment": {
                    "SubnetId": "subnet-0f96d5471222feb28",
                    "EndpointId": "vpce-073e44a76dab0949e",
                    "Status": "READY"
                },
                "Config": {
                    "arn:aws:network-firewall:us-east-1:xxxx:firewall-policy/example-inspection-vpc-policy": {
                        "SyncStatus": "IN_SYNC"
                    }
                }
            },
            "us-east-1c": {
                "Attachment": {
                    "SubnetId": "subnet-0f55ba6bdcc7357ca",
                    "EndpointId": "vpce-0ae3a6d2b2c886215",
                    "Status": "READY"
                },
                "Config": {
                    "arn:aws:network-firewall:us-east-1:xxxx:firewall-policy/example-inspection-vpc-policy": {
                        "SyncStatus": "IN_SYNC"
                    }
                }
            },
            "us-east-1d": {
                "Attachment": {
                    "SubnetId": "subnet-02e8df98316b27054",
                    "EndpointId": "vpce-0006b35c0f00be77c",
                    "Status": "READY"
                },
                "Config": {
                    "arn:aws:network-firewall:us-east-1:xxxxx:firewall-policy/example-inspection-vpc-policy": {
                        "SyncStatus": "IN_SYNC"
                    }
                }
            },
            "us-east-1f": {
                "Attachment": {
                    "SubnetId": "subnet-03c8e80f3c807fd2e",
                    "EndpointId": "vpce-0552034c8ae2b92ce",
                    "Status": "READY"
                },
                "Config": {
                    "arn:aws:network-firewall:us-east-1:xxxxx:firewall-policy/example-inspection-vpc-policy": {
                        "SyncStatus": "IN_SYNC"
                    }
                }
            }
        }
    }
}

New or Affected Resource(s)

  • aws_networkfirewall_firewall

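The FirewallStatus structure above is, at the time of the issue, the only place the per-AZ endpoint IDs appear, and each zone's route table should point at the endpoint in that same zone. As an added example (not part of this issue and not the provider's code), the following Python parses that describe-firewall output, pairs each availability zone's firewall subnet with its endpoint, and emits an `aws ec2 create-route --vpc-endpoint-id` call only for endpoints whose attachment is READY and whose policy config is IN_SYNC. The sample document (trimmed to two zones, one of them deliberately still CREATING), the route-table IDs and the destination CIDR are constructed.

```python
"""Build a per-AZ routing plan from `aws network-firewall describe-firewall` output.

Added example, not from the issue or the Terraform AWS provider. The JSON below
is constructed to match the shape of the FirewallStatus structure shown in the
issue; account ID, route-table IDs and CIDR are placeholders.
"""
from __future__ import annotations

import json
from dataclasses import dataclass

# Constructed sample: same shape as the issue's output, trimmed to two AZs.
# us-east-1b is deliberately not ready yet so the failure mode is exercised.
DESCRIBE_FIREWALL = json.loads("""
{
  "Firewall": {
    "FirewallName": "example-fw",
    "VpcId": "vpc-0b857b1a3686ae36d",
    "FirewallPolicyArn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example"
  },
  "FirewallStatus": {
    "Status": "PROVISIONING",
    "ConfigurationSyncStateSummary": "PENDING",
    "SyncStates": {
      "us-east-1a": {
        "Attachment": {"SubnetId": "subnet-05d7d553643f36d0e",
                       "EndpointId": "vpce-0394425be976920e3", "Status": "READY"},
        "Config": {"arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example":
                   {"SyncStatus": "IN_SYNC"}}
      },
      "us-east-1b": {
        "Attachment": {"SubnetId": "subnet-0f96d5471222feb28",
                       "EndpointId": "vpce-073e44a76dab0949e", "Status": "CREATING"},
        "Config": {"arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/example":
                   {"SyncStatus": "PENDING"}}
      }
    }
  }
}
""")


@dataclass(frozen=True)
class FirewallEndpoint:
    az: str
    subnet_id: str
    endpoint_id: str
    ready: bool  # attachment READY and every policy config IN_SYNC


def firewall_endpoints(describe_output: dict) -> dict[str, FirewallEndpoint]:
    """Map availability zone -> firewall endpoint, flagging endpoints not yet safe to route to."""
    result: dict[str, FirewallEndpoint] = {}
    for az, state in describe_output["FirewallStatus"]["SyncStates"].items():
        att = state["Attachment"]
        configs = state.get("Config", {}).values()
        in_sync = bool(configs) and all(c.get("SyncStatus") == "IN_SYNC" for c in configs)
        result[az] = FirewallEndpoint(
            az=az,
            subnet_id=att["SubnetId"],
            endpoint_id=att["EndpointId"],
            ready=att.get("Status") == "READY" and in_sync,
        )
    return result


def route_commands(describe_output: dict,
                   route_tables_by_az: dict[str, str],
                   dest_cidr: str) -> list[str]:
    """Emit one `aws ec2 create-route` per AZ, only for endpoints that are READY and IN_SYNC.

    route_tables_by_az: AZ -> ID of the route table for the workload subnet in that AZ
    (hypothetical input). The mapping is strictly zonal: pointing a zone's route at an
    endpoint in another zone works but crosses AZs and loses zonal fault isolation.
    """
    cmds = []
    for az, ep in sorted(firewall_endpoints(describe_output).items()):
        rtb = route_tables_by_az.get(az)
        if rtb is None or not ep.ready:
            continue  # no table for this AZ, or endpoint not yet usable: do not route into it
        cmds.append(
            f"aws ec2 create-route --route-table-id {rtb} "
            f"--destination-cidr-block {dest_cidr} --vpc-endpoint-id {ep.endpoint_id}"
        )
    return cmds


if __name__ == "__main__":
    tables = {"us-east-1a": "rtb-0aaa", "us-east-1b": "rtb-0bbb"}  # placeholders
    for cmd in route_commands(DESCRIBE_FIREWALL, tables, "10.1.0.0/24"):
        print(cmd)
```

In practice you would feed the script the live `describe-firewall` JSON (for example through a Terraform `external` data source) and re-run it until every zone reports ready; emitting routes for a CREATING endpoint would blackhole that zone's traffic until the attachment finishes.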

@dthvt dthvt added the enhancement Requests to existing resources that expand the functionality or scope. label Nov 20, 2020
@ghost ghost added the service/networkfirewall Issues and PRs that pertain to the networkfirewall service. label Nov 20, 2020
@github-actions github-actions bot added the needs-triage Waiting for first response or review from a maintainer. label Nov 20, 2020
@dthvt (Contributor, Author) commented Nov 20, 2020

Super hyped about this new service and gratified to see the rapid support from terraform! Thanks!

@USA-RedDragon (Contributor) commented Nov 20, 2020

I have a support customer with similar needs. I think I have a temporary workaround with something like this:

data "aws_vpc_endpoint" "firewall" {
  vpc_id = aws_vpc.example.id

  # Match on the tags that Network Firewall puts on the endpoints it creates
  tags = {
    "AWSNetworkFirewallManaged" = "true"
    "Firewall"                  = aws_networkfirewall_firewall.example.arn
  }

  # The endpoints only exist once the firewall has been created
  depends_on = [aws_networkfirewall_firewall.example]
}

then in the route table I can add:

resource "aws_route_table" "gateway" {
  vpc_id = aws_vpc.example.id

  # Send traffic for the application subnet through the firewall endpoint
  route {
    cidr_block      = aws_subnet.application.cidr_block
    vpc_endpoint_id = data.aws_vpc_endpoint.firewall.id
  }
}

@dthvt (Contributor, Author) commented Nov 20, 2020

Thanks for the workaround example @USA-RedDragon . I hadn't gotten that far yet, but planned to do something similar.

@USA-RedDragon (Contributor) commented

Scratch that, the data source won't work in this case as there is no way to filter the endpoints (all filter options we have are the same between all endpoints), and we just get a simple Error: multiple VPC Endpoints matched; use additional constraints to reduce matches to a single VPC Endpoint.
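To make the failure concrete: an added example (not from the issue or the provider) that models the lookup the `aws_vpc_endpoint` data source performs over `aws ec2 describe-vpc-endpoints` output. Every firewall-managed endpoint carries the same tag set, so a tag match returns one endpoint per zone and the lookup has to fail rather than pick one; the per-endpoint SubnetIds field is what ties an endpoint to a zone, so constraining on the firewall subnet resolves it. The endpoint records, account ID and firewall ARN are constructed; the tag keys are the ones from the workaround above.

```python
"""Why a tag-only lookup of firewall endpoints is ambiguous, and what disambiguates it.

Added example, not from the issue or the Terraform AWS provider. The endpoint
records are constructed to resemble describe-vpc-endpoints output; the tag keys
are those used in the workaround in this thread.
"""
from __future__ import annotations

FIREWALL_ARN = "arn:aws:network-firewall:us-east-1:123456789012:firewall/example-fw"
VPC_ID = "vpc-0b857b1a3686ae36d"

# Constructed, trimmed describe-vpc-endpoints output: identical tags on every endpoint,
# one endpoint per firewall subnet (one per AZ).
_COMMON_TAGS = [{"Key": "AWSNetworkFirewallManaged", "Value": "true"},
                {"Key": "Firewall", "Value": FIREWALL_ARN}]
VPC_ENDPOINTS = [
    {"VpcEndpointId": "vpce-0394425be976920e3", "VpcId": VPC_ID,
     "SubnetIds": ["subnet-05d7d553643f36d0e"], "Tags": list(_COMMON_TAGS)},
    {"VpcEndpointId": "vpce-073e44a76dab0949e", "VpcId": VPC_ID,
     "SubnetIds": ["subnet-0f96d5471222feb28"], "Tags": list(_COMMON_TAGS)},
    {"VpcEndpointId": "vpce-0ae3a6d2b2c886215", "VpcId": VPC_ID,
     "SubnetIds": ["subnet-0f55ba6bdcc7357ca"], "Tags": list(_COMMON_TAGS)},
]


class AmbiguousEndpoint(LookupError):
    """More than one endpoint matched; mirrors the data source's refusal to pick one."""


def _tags(ep: dict) -> dict[str, str]:
    return {t["Key"]: t["Value"] for t in ep.get("Tags", [])}


def match_by_tags(endpoints: list[dict], vpc_id: str, tags: dict[str, str]) -> list[dict]:
    """All endpoints in vpc_id carrying every requested tag (what the data source can filter on)."""
    return [ep for ep in endpoints
            if ep.get("VpcId") == vpc_id
            and all(_tags(ep).get(k) == v for k, v in tags.items())]


def select_endpoint(endpoints: list[dict], vpc_id: str, tags: dict[str, str],
                    subnet_id: str | None = None) -> str:
    """Return the single endpoint ID, or raise.

    Without subnet_id this behaves like the tag-only data source lookup and is ambiguous
    whenever the firewall spans more than one AZ. With subnet_id (the firewall subnet in
    the zone being routed) exactly one endpoint remains.
    """
    candidates = match_by_tags(endpoints, vpc_id, tags)
    if subnet_id is not None:
        candidates = [ep for ep in candidates if subnet_id in ep.get("SubnetIds", [])]
    if not candidates:
        raise LookupError("no VPC endpoint matched")
    if len(candidates) > 1:
        raise AmbiguousEndpoint(
            f"multiple VPC Endpoints matched ({len(candidates)}); "
            "add a subnet constraint to reduce matches to a single VPC Endpoint")
    return candidates[0]["VpcEndpointId"]
```

The subnet constraint is exactly what the data source could not express, which is why the thread ends up needing the provider to surface the endpoints from FirewallStatus instead.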

@dthvt (Contributor, Author) commented Nov 20, 2020

@USA-RedDragon Yup, just got to trying it and had the same issue myself. Guess I'm at a roadblock for now. :-(

@USA-RedDragon (Contributor) commented

Luckily this is about to get an actual bug report to the engineering team so there's some potential we see a fix for this soon!

@jhnomi commented Nov 20, 2020

I had reported the exact same issue and there is an internal bug id assigned to it.

@ghost commented Nov 25, 2020

This has been released in version 3.18.0 of the Terraform AWS provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template for triage. Thanks!

@dthvt (Contributor, Author) commented Nov 27, 2020

Thanks @anGie44 ! Looking forward to trying this out next week.

@ghost commented Dec 26, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@ghost ghost locked as resolved and limited conversation to collaborators Dec 26, 2020