Merge pull request #10 from GovTechSG/chore/000-enable-delete-protection

add delete protection
GovTechSG · Nov 25, 2024 · 75a8e3f · 75a8e3f
2 parents 866907a + 4d8889c
commit 75a8e3f
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -83,6 +83,7 @@ No modules.
 | <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | Subnets used to create network firewall. | `set(string)` | `[]` | no |
 | <a name="input_tags"></a> [tags](#input\_tags) | A map of tags to add to all resources | `map(any)` | `{}` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | `""` | no |
+| <a name="input_delete_protection"></a> [delete\_protection](#input\_delete\_protection) | n/a | `bool` | true | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -15,6 +15,7 @@ resource "aws_networkfirewall_firewall" "main" {
   name                = local.dashed_name
   firewall_policy_arn = aws_networkfirewall_firewall_policy.main.arn
   vpc_id              = var.vpc_id
+  delete_protection   = var.delete_protection
 
   dynamic "subnet_mapping" {
     for_each = var.subnet_ids

diff --git a/variables.tf b/variables.tf
@@ -87,3 +87,10 @@ variable "block_everything_capacity" {
   type        = number
   default     = 25
 }
+
+variable "delete_protection" {
+  description = "Toggle to enable or disable deletion protection"
+  type        = bool 
+  default     = true  
+  # defaults to true to resolve https://docs.aws.amazon.com/securityhub/latest/userguide/networkfirewall-controls.html#networkfirewall-9
+}