From 814c2d972fae4949db937ad099234dc82aa3ebf2 Mon Sep 17 00:00:00 2001
From: Bal Purewal
Date: Tue, 7 Jan 2025 16:03:41 +0000
Subject: [PATCH] added firewall_endpoint_per_az variable

For non-prod environments we may want a firewall but not across all availabilitty zones because it increse costs. This is similiar to vpc_nat_gateway_per_az where a NAT gateway is only created in the first AZ
---
 aws/modules/infrastructure_modules/vpc/firewall.tf | 2 +-
 aws/modules/infrastructure_modules/vpc/variables.tf | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/aws/modules/infrastructure_modules/vpc/firewall.tf b/aws/modules/infrastructure_modules/vpc/firewall.tf
index 818aa677..99ec555c 100644
--- a/aws/modules/infrastructure_modules/vpc/firewall.tf
+++ b/aws/modules/infrastructure_modules/vpc/firewall.tf
@@ -8,7 +8,7 @@ resource "aws_networkfirewall_firewall" "firewall" {
   vpc_id = module.vpc.vpc_id
 
   dynamic "subnet_mapping" {
-    for_each = aws_subnet.network_firewall[*].id
+    for_each = var.firewall_endpoint_per_az ? aws_subnet.network_firewall[*].id : [aws_subnet.network_firewall[0].id]
 
     content {
       subnet_id = subnet_mapping.value
diff --git a/aws/modules/infrastructure_modules/vpc/variables.tf b/aws/modules/infrastructure_modules/vpc/variables.tf
index c4ef5c73..f32f5a81 100644
--- a/aws/modules/infrastructure_modules/vpc/variables.tf
+++ b/aws/modules/infrastructure_modules/vpc/variables.tf
@@ -146,6 +146,13 @@ variable "domain_allow_capacity" {
   description = "Capacity for Domain allow rule group"
 }
 
+variable "firewall_endpoint_per_az" {
+  type = bool
+  description = "Whether to create a firewall endpoint per-AZ or just use one. Note: There are running costs associated with Firewall Endpoints. For Production-like environments this should be true"
+
+  default = true
+}
+
 # Subnet ACLs
 variable "create_public_dedicated_network_acl" {
   description = "Whether to use dedicated network ACL (not default) and custom rules for public subnets"
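Review bot: The new `for_each` on the `subnet_mapping` block in firewall.tf creates an endpoint only in the first firewall subnet when `var.firewall_endpoint_per_az` is false, but nothing in this commit adjusts how the other AZs' protected subnets reach the firewall; if the module's route tables select an endpoint per AZ from the firewall's sync states (not visible in this hunk), those AZs would have no endpoint to resolve and would either fail to plan or end up with a route that bypasses inspection. The hunk should at least carry a comment making the contract explicit, e.g. `# Single-endpoint mode: every AZ's protected route table must target the first AZ's endpoint; that AZ is then a single point of failure for all inspected traffic.`, and the routing side deserves a check in the same change. The expression also indexes `aws_subnet.network_firewall[0]` unconditionally, which only works while at least one firewall subnet is always created alongside this resource; that assumption is not visible here and is worth confirming. The enclosing `aws_networkfirewall_firewall` resource starts before the hunk.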
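Review bot: The description of the new `firewall_endpoint_per_az` variable in variables.tf explains the cost trade-off but not the consequence operators need before turning it off: with one endpoint, traffic from every other AZ is hair-pinned across AZs to be inspected, and loss of that AZ takes the inspection path for the whole VPC with it. I would extend the description to something like `"Create a firewall endpoint in every AZ (true) or only in the first AZ (false). With a single endpoint all other AZs route through that AZ for inspection, so it becomes a single point of failure and adds cross-AZ transfer; keep true for production-like environments."`. The stray blank line between `description` and `default` inside the block is also out of step with the neighbouring variable definitions and could be dropped.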