added firewall_endpoint_per_az variable

For non-prod environments we may want a firewall but not across all availabilitty zones because it increse costs. This is similiar to vpc_nat_gateway_per_az where a NAT gateway is only created in the first AZ
Ensono · Jan 7, 2025 · 814c2d9 · 814c2d9
1 parent 7a22c74
commit 814c2d9
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/aws/modules/infrastructure_modules/vpc/firewall.tf b/aws/modules/infrastructure_modules/vpc/firewall.tf
@@ -8,7 +8,7 @@ resource "aws_networkfirewall_firewall" "firewall" {
   vpc_id              = module.vpc.vpc_id
 
   dynamic "subnet_mapping" {
-    for_each = aws_subnet.network_firewall[*].id
+    for_each = var.firewall_endpoint_per_az ? aws_subnet.network_firewall[*].id : [aws_subnet.network_firewall[0].id]
 
     content {
       subnet_id = subnet_mapping.value

diff --git a/aws/modules/infrastructure_modules/vpc/variables.tf b/aws/modules/infrastructure_modules/vpc/variables.tf
@@ -146,6 +146,13 @@ variable "domain_allow_capacity" {
   description = "Capacity for Domain allow rule group"
 }
 
+variable "firewall_endpoint_per_az" {
+  type        = bool
+  description = "Whether to create a firewall endpoint per-AZ or just use one. Note: There are running costs associated with Firewall Endpoints. For Production-like environments this should be true"
+
+  default = true
+}
+
 # Subnet ACLs
 variable "create_public_dedicated_network_acl" {
   description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"