**Summary:**
Deployment does not properly provision Network Firewall resources and other cross-account resources using shareTargets, causing resources to be missing in specific accounts or regions.

**Steps to Reproduce:**
1. Configure the AWS Accelerator deployment with a YAML file specifying:
   - transitGateways with shareTargets for cross-account sharing.
   - networkFirewall policies and rules configured with shareTargets.
   - VPCs and subnets within a transit VPC for network inspection.
   - Additional centralNetworkServices and gatewayLoadBalancers.
2. Run the deployment in AWS CodeBuild.
3. Observe deployment logs for successful execution or differences between expected and deployed resources.

**Expected Behavior:**
All specified resources, including the network firewall, gateway load balancers, transit gateways, and associated route tables, should be deployed and configured according to the YAML file. shareTargets should allow resources to be accessible across specified organizational units and accounts without deployment errors.

**Actual Behavior:**
Deployment completes without critical errors, but network firewall and gatewayLoadBalancers resources and some cross-account sharing configurations do not appear in the expected accounts.

Any insights into dependencies or order-of-declaration requirements for shareTargets and cross-account network resources would be helpful.
```yaml
- name: Transit-Inspection-FwEndpoint
  description: Firewall Endpoint for traffic inspection in the transit account
  firewallPolicy: Transit-Inspection-FwPolicy
  subnets:
```
```yaml
homeRegion: &HOME_REGION us-west-2
defaultVpc:
  delete: false
  excludeAccounts: []
transitGateways:
  - account: Transit
    region: *HOME_REGION
    shareTargets:
      organizationalUnits:
        - Infrastructure
    asn: 65521
    dnsSupport: enable
    vpnEcmpSupport: enable
    defaultRouteTableAssociation: disable
    defaultRouteTablePropagation: disable
    autoAcceptSharingAttachments: enable
    routeTables:
      - routes: []
      - routes: []
      - routes: []
      - routes: []
endpointPolicies:
  - document: vpc-endpoint-policies/default.json
vpcs:
  - account: Transit
    region: *HOME_REGION
    cidrs:
    routeTables:
      - routes: []
      - routes: []
      - routes: []
      - routes: []
      - routes:
          - destination: 0.0.0.0/0
            type: transitGateway
            target: Transit-Main
      - routes:
          - destination: 0.0.0.0/0
            type: transitGateway
            target: Transit-Main
    subnets:
      - availabilityZone: a
        routeTable: Transit-Inspection-Firewall-A
        ipv4CidrBlock: 10.10.0.0/28
      - availabilityZone: b
        routeTable: Transit-Inspection-Firewall-B
        ipv4CidrBlock: 10.10.0.16/28
      - availabilityZone: a
        routeTable: Transit-Inspection-TgwAttach-A
        ipv4CidrBlock: 10.10.0.32/28
      - availabilityZone: b
        routeTable: Transit-Inspection-TgwAttach-B
        ipv4CidrBlock: 10.10.0.48/28
      - availabilityZone: a
        routeTable: Transit-Inspection-GwlbEndpoint-A
        ipv4CidrBlock: 10.10.0.64/28
      - availabilityZone: b
        routeTable: Transit-Inspection-GwlbEndpoint-B
        ipv4CidrBlock: 10.10.0.80/28
    transitGatewayAttachments:
      - transitGateway:
          name: Transit-Main
          account: Transit
        options:
          applianceModeSupport: enable
        routeTableAssociations:
        routeTablePropagations:
        subnets:
gatewayLoadBalancers:
  - subnets:
    vpc: Transit-Inspection-Vpc
    deletionProtection: true
    endpoints:
      - account: Transit
        subnet: Transit-Inspection-GwlbEndpoint-A
        vpc: Transit-Inspection-Vpc
      - account: Transit
        subnet: Transit-Inspection-GwlbEndpoint-B
        vpc: Transit-Inspection-Vpc
centralNetworkServices:
  delegatedAdminAccount: Transit
  networkFirewall:
    firewalls:
      - name: Transit-Inspection-FwEndpoint
        description: Firewall Endpoint for traffic inspection in the transit account
        firewallPolicy: Transit-Inspection-FwPolicy
        subnets:
        vpc: Transit-Inspection-Vpc
        tags: []
    policies:
      - description: Firewall Policy for the transit inspection network firewall
        firewallPolicy:
          statelessDefaultActions: ['aws:forward_to_sfe']
          statelessFragmentDefaultActions: ['aws:forward_to_sfe']
          statefulDefaultActions:
            - 'aws:alert_strict'
            - 'aws:alert_established'
          statefulRuleGroups:
            - name: Transit-Inspection-Fw-Stateful-Group
              priority: 100
    rules:
      - regions:
        capacity: 1300
        type: STATEFUL
        ruleGroup:
          rulesSource:
            rulesFile: firewall-rules/rules.txt
        shareTargets:
          organizationalUnits:
```
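As an added example (not code from this issue or from the Landing Zone Accelerator project), the script below checks a parsed network configuration shaped like the one above for the kind of dependency problems the reporter asks about: subnets that point at route tables that are not declared, and transit gateway attachments or firewalls placed in an account that the owning account never shared the gateway, policy or rule group with. It assumes the configuration has already been loaded into Python objects (for example with `yaml.safe_load`), that the account-to-OU mapping is supplied separately (in LZA it lives in accounts-config.yaml, which this example does not parse), and that a resource owned by one account is usable from another only when `shareTargets` names that account or its OU. The sample configuration and OU map are constructed for the example; `Workload`, `Workloads` and the `Workload-*` names are placeholders.

```python
"""Pre-deployment consistency check for an LZA-style network-config.

Added example; not part of the issue or of the Landing Zone Accelerator code base.
Input is a configuration already parsed into Python objects (e.g. yaml.safe_load)
plus an account -> OU map; output is a list of findings.  Sample data below is
constructed and uses placeholder names.
"""


def _share_targets(resource):
    """Return (organizational units, accounts) listed under the resource's shareTargets."""
    targets = resource.get("shareTargets") or {}
    return set(targets.get("organizationalUnits") or []), set(targets.get("accounts") or [])


def _is_shared_with(resource, owner, consumer, ou_of):
    """Assumption: a consumer in another account needs the resource shared to that
    account or to its OU; the owning account can always use its own resource."""
    if consumer == owner:
        return True
    ous, accounts = _share_targets(resource)
    return consumer in accounts or ou_of.get(consumer) in ous


def check_network_config(cfg, ou_of):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    tgws = {t["name"]: t for t in cfg.get("transitGateways") or []}
    vpcs = cfg.get("vpcs") or []
    vpc_account = {v["name"]: v["account"] for v in vpcs}
    central = cfg.get("centralNetworkServices") or {}
    admin = central.get("delegatedAdminAccount")  # owner of NFW policies and rule groups
    nfw = central.get("networkFirewall") or {}
    policies = {p["name"]: p for p in nfw.get("policies") or []}
    rules = {r["name"]: r for r in nfw.get("rules") or []}

    for vpc in vpcs:
        rt_names = {rt["name"] for rt in vpc.get("routeTables") or []}
        for subnet in vpc.get("subnets") or []:
            if subnet.get("routeTable") not in rt_names:
                findings.append(f"vpc {vpc['name']}: subnet {subnet['name']} references unknown route table {subnet.get('routeTable')}")
        for att in vpc.get("transitGatewayAttachments") or []:
            tgw_name = att["transitGateway"]["name"]
            tgw = tgws.get(tgw_name)
            if tgw is None:
                findings.append(f"vpc {vpc['name']}: attachment {att['name']} references unknown transit gateway {tgw_name}")
            elif not _is_shared_with(tgw, tgw["account"], vpc["account"], ou_of):
                findings.append(f"transit gateway {tgw_name} (account {tgw['account']}) is not shared with account {vpc['account']} used by vpc {vpc['name']}")

    for fw in nfw.get("firewalls") or []:
        consumer = vpc_account.get(fw.get("vpc"))  # firewall lands in the VPC's account
        if consumer is None:
            findings.append(f"firewall {fw['name']} references unknown vpc {fw.get('vpc')}")
            continue
        policy = policies.get(fw.get("firewallPolicy"))
        if policy is None:
            findings.append(f"firewall {fw['name']} references unknown policy {fw.get('firewallPolicy')}")
            continue
        if not _is_shared_with(policy, admin, consumer, ou_of):
            findings.append(f"policy {policy['name']} is not shared with account {consumer} used by firewall {fw['name']}")
        for ref in (policy.get("firewallPolicy") or {}).get("statefulRuleGroups") or []:
            rule = rules.get(ref["name"])
            if rule is None:
                findings.append(f"policy {policy['name']} references unknown rule group {ref['name']}")
            elif not _is_shared_with(rule, admin, consumer, ou_of):
                findings.append(f"rule group {rule['name']} is not shared with account {consumer} used by firewall {fw['name']}")
    return findings


# Constructed sample: an inspection VPC in the Transit account (as in the issue) plus a
# placeholder Workload account/VPC that consumes the shared resources.
SAMPLE_OU_OF = {"Transit": "Infrastructure", "Workload": "Workloads"}
SAMPLE_CONFIG = {
    "transitGateways": [{"name": "Transit-Main", "account": "Transit",
                         "shareTargets": {"organizationalUnits": ["Infrastructure"]}}],
    "vpcs": [
        {"name": "Transit-Inspection-Vpc", "account": "Transit",
         "routeTables": [{"name": "Transit-Inspection-Firewall-A", "routes": []}],
         "subnets": [{"name": "Firewall-A", "routeTable": "Transit-Inspection-Firewall-A"}],
         "transitGatewayAttachments": [{"name": "Inspection-Attach",
                                        "transitGateway": {"name": "Transit-Main", "account": "Transit"}}]},
        {"name": "Workload-Vpc", "account": "Workload",
         "routeTables": [{"name": "Workload-Main", "routes": []}],
         "subnets": [{"name": "App-A", "routeTable": "Workload-Private"}],  # dangling reference
         "transitGatewayAttachments": [{"name": "Workload-Attach",
                                        "transitGateway": {"name": "Transit-Main", "account": "Transit"}}]},
    ],
    "centralNetworkServices": {
        "delegatedAdminAccount": "Transit",
        "networkFirewall": {
            "firewalls": [
                {"name": "Transit-Inspection-FwEndpoint", "vpc": "Transit-Inspection-Vpc",
                 "firewallPolicy": "Transit-Inspection-FwPolicy"},
                {"name": "Workload-FwEndpoint", "vpc": "Workload-Vpc",
                 "firewallPolicy": "Transit-Inspection-FwPolicy"},  # policy not shared to Workloads
            ],
            "policies": [{"name": "Transit-Inspection-FwPolicy",
                          "firewallPolicy": {"statefulRuleGroups": [
                              {"name": "Transit-Inspection-Fw-Stateful-Group", "priority": 100}]},
                          "shareTargets": {"organizationalUnits": ["Infrastructure"]}}],
            "rules": [{"name": "Transit-Inspection-Fw-Stateful-Group",
                       "shareTargets": {"organizationalUnits": ["Infrastructure", "Workloads"]}}],
        },
    },
}


def sample_findings():
    """Run the check over the constructed sample (three findings expected)."""
    return check_network_config(SAMPLE_CONFIG, SAMPLE_OU_OF)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

Run against the sample, the check flags the dangling route-table reference, the transit gateway that is shared only with the Infrastructure OU while a Workloads-OU VPC attaches to it, and the firewall policy that is not shared with the account its second firewall lands in, while the rule group (shared with both OUs) passes. Cases like the last two are the ones that tend to surface after deployment as a resource that is simply absent from the consuming account rather than as a pipeline error, so running a check of this shape against the real network-config.yaml before CodeBuild is a cheap way to separate a sharing gap from a provisioning bug.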