terraform-aws-panos-bootstrap
This Terraform module creates a PAN-OS bootstrap package in an AWS S3 bucket, to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an init-cfg.txt file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. This module generates that file from the variables provided.
The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.
Directory and file structure
The root directory of the Terraform plan calling this module should include a files directory containing a subdirectory structure similar to the one below.
files
├── config
├── content
├── license
├── plugins
└── software
Example
#
# main.tf
#
provider "aws" {
  region = var.bootstrap_region
}

module "panos-bootstrap" {
  source  = "PaloAltoNetworks/panos-bootstrap/aws"
  version = "1.0.0"

  bootstrap_region = var.bootstrap_region
  hostname         = "my-firewall"
  panorama-server  = "panorama1.example.org"
  panorama-server2 = "panorama2.example.org"
  tplname          = "My Firewall Template"
  dgname           = "My Firewalls"
  vm-auth-key      = "supersecretauthkey"
}
Instructions
- Define a main.tf file that calls the module and provides any required and optional variables.
- Define a variables.tf file that declares the variables that will be utilized.
- (OPTIONAL) Define an output.tf file to capture and display the module return values.
- Create the directories files/config, files/software, files/content, files/license, and files/plugins.
- (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
- (OPTIONAL) Define a terraform.tfvars file containing the required variables and associated values.
- Initialize the providers and modules with the terraform init command.
- Validate the plan using the terraform plan command.
- Apply the plan using the terraform apply command.
Utilization
The module output provides values for bucket_id and instance_profile_name. The bucket_id value can then be used in an aws_instance resource to instantiate a VM-Series instance; it is passed in the user_data parameter, so the firewall knows which S3 bucket to fetch its bootstrap package from. The instance_profile_name value is used in the iam_instance_profile parameter. Both are needed to define the location of the S3 bootstrap bucket and the permissions needed to access it.
resource "aws_instance" "fw" {
  ami                                  = "${data.aws_ami.fw_ami.id}"
  instance_type                        = "${var.fw_instance_type}"
  key_name                             = "${var.ssh_key_name}"
  disable_api_termination              = false
  instance_initiated_shutdown_behavior = "stop"
  ebs_optimized                        = true

  root_block_device {
    volume_type           = "gp2"
    delete_on_termination = true
  }

  # device_index 0 is the management interface; it is the one that fetches the bootstrap package
  network_interface {
    device_index         = 0
    network_interface_id = "${aws_network_interface.fw_mgmt.id}"
  }

  network_interface {
    device_index         = 1
    network_interface_id = "${aws_network_interface.fw_eth1.id}"
  }

  network_interface {
    device_index         = 2
    network_interface_id = "${aws_network_interface.fw_eth2.id}"
  }

  network_interface {
    device_index         = 3
    network_interface_id = "${aws_network_interface.fw_eth3.id}"
  }

  # Instance profile created by the module; it grants the firewall access to the bootstrap bucket
  iam_instance_profile = "${module.panos-bootstrap.instance_profile_name}"

  # PAN-OS reads the bucket name from user data as vmseries-bootstrap-aws-s3bucket=<bucket>, base64-encoded
  user_data = "${base64encode(join("", list("vmseries-bootstrap-aws-s3bucket=", module.panos-bootstrap.bucket_id)))}"
  tags      = "${merge(map("Name", format("%s", var.name)), var.tags)}"
}
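As an added example (not part of the module or its README), the following Python models the two artefacts the Utilization section relies on: the init-cfg.txt the module renders from its variables, and the user_data string the aws_instance above passes to the VM-Series. The key names come from the README's module call; the bucket name used in the checks is constructed, and the required-key list is an assumption based on what the example module call supplies.

```python
"""Added example, not code from the terraform-aws-panos-bootstrap module: render and
parse init-cfg.txt and build/decode the VM-Series user_data value for review before apply."""
import base64

# init-cfg.txt keys the README's module call supplies (assumed required here);
# PAN-OS needs them to register the VM-Series with Panorama.
REQUIRED_KEYS = ("hostname", "panorama-server", "tplname", "dgname", "vm-auth-key")
USER_DATA_KEY = "vmseries-bootstrap-aws-s3bucket"


def render_init_cfg(settings: dict) -> str:
    """Render init-cfg.txt as key=value lines, refusing to emit an incomplete file."""
    missing = [k for k in REQUIRED_KEYS if not settings.get(k)]
    if missing:
        raise ValueError(f"init-cfg.txt is missing required keys: {missing}")
    return "".join(f"{key}={value}\n" for key, value in settings.items())


def parse_init_cfg(text: str) -> dict:
    """Parse init-cfg.txt; reject malformed or duplicate lines instead of guessing."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:
            raise ValueError(f"line {lineno}: duplicate key {key}")
        settings[key] = value
    return settings


def user_data_for_bucket(bucket_id: str) -> str:
    """Same value the README's base64encode(join(...)) expression produces for user_data."""
    return base64.b64encode(f"{USER_DATA_KEY}={bucket_id}".encode()).decode()


def bucket_from_user_data(user_data: str) -> str:
    """Decode an instance's user_data and return the bootstrap bucket it points at."""
    key, _, bucket = base64.b64decode(user_data).decode().partition("=")
    if key != USER_DATA_KEY or not bucket:
        raise ValueError(f"user_data does not carry a {USER_DATA_KEY} entry")
    return bucket
```

Running bucket_from_user_data over the user_data of a launched instance is a quick way to confirm the firewall was pointed at the intended bucket, which the Terraform expression alone does not make visible.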