# --- examples/central_inspection_without_egress/policy.tf ---

resource "aws_networkfirewall_firewall_policy" "anfw_policy" {
  name = "firewall-policy-${var.identifier}"

  firewall_policy {

    # Stateless configuration
    stateless_default_actions          = ["aws:forward_to_sfe"]
    stateless_fragment_default_actions = ["aws:forward_to_sfe"]

    stateless_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.drop_remote.arn
    }

    # Stateful configuration
    stateful_engine_options {
      rule_order = "STRICT_ORDER"
    }
    stateful_default_actions = ["aws:drop_strict", "aws:alert_strict"]
    stateful_rule_group_reference {
      priority     = 10
      resource_arn = aws_networkfirewall_rule_group.allow_icmp_1_to_2.arn
    }
    stateful_rule_group_reference {
      priority     = 20
      resource_arn = aws_networkfirewall_rule_group.allow_icmp_2_to_3.arn
    }
  }
}

# Stateless Rule Group - Dropping any SSH or RDP connection
resource "aws_networkfirewall_rule_group" "drop_remote" {
  capacity = 2
  name     = "drop-remote-${var.identifier}"
  type     = "STATELESS"
  rule_group {
    rules_source {
      stateless_rules_and_custom_actions {

        stateless_rule {
          priority = 1
          rule_definition {
            actions = ["aws:drop"]
            match_attributes {
              protocols = [6]
              source {
                address_definition = "0.0.0.0/0"
              }
              source_port {
                from_port = 22
                to_port   = 22
              }
              destination {
                address_definition = "0.0.0.0/0"
              }
              destination_port {
                from_port = 22
                to_port   = 22
              }
            }
          }
        }

        stateless_rule {
          priority = 2
          rule_definition {
            actions = ["aws:drop"]
            match_attributes {
              protocols = [27]
              source {
                address_definition = "0.0.0.0/0"
              }
              destination {
                address_definition = "0.0.0.0/0"
              }
            }
          }
        }
      }
    }
  }
}

# Stateful Rule Group 1 - Allowing ICMP traffic from Spoke VPC 1 to 2
resource "aws_networkfirewall_rule_group" "allow_icmp_1_to_2" {
  capacity = 100
  name     = "allow-icmp-12-${var.identifier}"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "SPOKE1"
        ip_set {
          definition = ["10.0.0.0/24"]
        }
      }
      ip_sets {
        key = "SPOKE2"
        ip_set {
          definition = ["10.0.1.0/24"]
        }
      }
    }
    rules_source {
      rules_string = <<EOF
      pass icmp $SPOKE1 any -> $SPOKE2 any (msg: "Allowing ICMP packets from Spoke VPC 1 to 2"; sid:2; rev:1;)
      EOF
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}

# Stateful Rule Group 2 - Allowing ICMP traffic from Spoke VPC 2 to 3
resource "aws_networkfirewall_rule_group" "allow_icmp_2_to_3" {
  capacity = 100
  name     = "allow-icmp-23-${var.identifier}"
  type     = "STATEFUL"
  rule_group {
    rule_variables {
      ip_sets {
        key = "SPOKE2"
        ip_set {
          definition = ["10.0.1.0/24"]
        }
      }
      ip_sets {
        key = "SPOKE3"
        ip_set {
          definition = ["10.0.2.0/24"]
        }
      }
    }
    rules_source {
      rules_string = <<EOF
      pass icmp $SPOKE2 any -> $SPOKE3 any (msg: "Allowing ICMP packets from Spoke VPC 2 to 3"; sid:2; rev:1;)
      EOF
    }
    stateful_rule_options {
      rule_order = "STRICT_ORDER"
    }
  }
}