terraform-google-panos-bootstrap
This Terraform module creates a PAN-OS bootstrap package in a Google Cloud Storage bucket, to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an `init-cfg.txt` file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. This module generates that file from the variables provided. Because `init-cfg.txt` carries the `vm-auth-key` used to register with Panorama, treat the bucket contents as secret: grant read access only to the firewall's service account and never place the package in a public or broadly shared bucket.

The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.
Directory and file structure
The root directory of the Terraform plan calling this module should include a `files` directory containing a subdirectory structure similar to the one below.

```
files
├── config
├── content
├── license
├── plugins
└── software
```
Example
```hcl
#
# main.tf
#
provider "google" {
  credentials = file("account.json")  # service account key file; keep it out of version control
  project     = var.bootstrap_project
  region      = var.bootstrap_region
}

module "panos-bootstrap" {
  source  = "PaloAltoNetworks/panos-bootstrap/google"
  version = "1.0.0"

  bootstrap_project = var.bootstrap_project
  bootstrap_region  = var.bootstrap_region

  hostname         = "my-firewall"
  panorama-server  = "panorama1.example.org"
  panorama-server2 = "panorama2.example.org"
  tplname          = "My Firewall Template"
  dgname           = "My Firewalls"
  vm-auth-key      = var.vm_auth_key  # pass the Panorama auth key as a sensitive variable, not a literal in main.tf
}
```
Instructions
1. Define a `main.tf` file that calls the module and provides any required and optional variables.
2. Define a `variables.tf` file that declares the variables that will be utilized.
3. (OPTIONAL) Define an `output.tf` file to capture and display the module return values.
4. Create the directories `files/config`, `files/software`, `files/content`, `files/license`, and `files/plugins`.
5. (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
6. (OPTIONAL) Define a `terraform.tfvars` file containing the required variables and associated values.
7. Initialize the providers and modules with the `terraform init` command.
8. Validate the plan using the `terraform plan` command.
9. Apply the plan using the `terraform apply` command.
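A `variables.tf` and `output.tf` that go with the `main.tf` in the Example section, added here as an illustration and not part of the module's own code. It assumes Terraform 0.14 or later (for `sensitive = true`), that the module exposes the `bootstrap_name`, `bootstrap_url` and `share_name` outputs named in the Utilization section, and that `vm_auth_key` is the caller-side variable name used to feed the module's `vm-auth-key` input.

```hcl
#
# variables.tf (added example, not part of the module)
#
variable "bootstrap_project" {
  description = "GCP project in which the bootstrap bucket is created"
  type        = string
}

variable "bootstrap_region" {
  description = "GCP region for the bootstrap bucket"
  type        = string
}

variable "vm_auth_key" {
  description = "Panorama VM auth key written into init-cfg.txt; supply it via terraform.tfvars or TF_VAR_vm_auth_key, never in main.tf"
  type        = string
  sensitive   = true # Terraform >= 0.14: redacts the value from plan/apply output
}

#
# output.tf (added example, not part of the module)
#
output "bootstrap_name" {
  description = "Name of the bootstrap bucket, passed to the VM-Series instance metadata"
  value       = module.panos-bootstrap.bootstrap_name
}

output "bootstrap_url" {
  value = module.panos-bootstrap.bootstrap_url
}

output "share_name" {
  value = module.panos-bootstrap.share_name
}
```

Supply the key in a `terraform.tfvars` that is listed in `.gitignore`, or export `TF_VAR_vm_auth_key` in the shell that runs `terraform apply`. Note that `sensitive = true` only redacts CLI output: the value is still written in clear to the Terraform state, so store state in a backend with restricted IAM rather than on a shared disk or in the repository.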
Utilization
The module output will provide values for the bootstrap_name
and bootstrap_url
, and share_name
. The bootstrap_name
value can then be used in a google_compute_instance
resource to instantiate a VM-Series instance. It is used in the metadata{vmseries-bootstrap-gce-storagebucket}
parameter.
```hcl
resource "google_compute_instance" "firewall" {
  name                      = var.fw_name
  zone                      = var.fw_zone
  machine_type              = var.fw_machine_type
  min_cpu_platform          = var.fw_machine_cpu
  can_ip_forward            = true # required: the firewall forwards packets between its interfaces
  allow_stopping_for_update = true
  count                     = 1

  boot_disk {
    initialize_params {
      image = var.fw_image
    }
  }

  metadata = {
    # Bucket holding the bootstrap package; read by the VM-Series at first boot.
    vmseries-bootstrap-gce-storagebucket = module.panos-bootstrap.bootstrap_name
    # The interactive serial console is a second management path; useful while
    # verifying the bootstrap, but disable it afterwards.
    serial-port-enable = true
    block-project-ssh-keys = true
    ssh-keys = var.fw_ssh_key
  }

  # cloud-platform grants every API scope; fetching the bootstrap package only
  # needs read access to the bootstrap bucket.
  service_account {
    scopes = ["cloud-platform"]
  }

  # Management interface. access_config assigns a public IP, so restrict who can
  # reach it with a VPC firewall rule, or omit access_config and manage the
  # firewall through a bastion or VPN instead.
  network_interface {
    subnetwork = var.fw_mgmt_subnet
    network_ip = var.fw_mgmt_ip
    access_config {
      // Needed to get a public IP address
    }
  }

  network_interface {
    subnetwork = var.fw_untrust_subnet
    network_ip = var.fw_untrust_ip
    access_config {
      // Needed to get a public IP address
    }
  }

  network_interface {
    subnetwork = var.fw_web_subnet
    network_ip = var.fw_web_ip
  }

  network_interface {
    subnetwork = var.fw_db_subnet
    network_ip = var.fw_db_ip
  }
}
```
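The resource above runs under the project's default compute service account with the `cloud-platform` scope, which lets the firewall instance call any Google API the account is authorized for. The following is an added example, not part of the module or its README, of narrowing that to what bootstrapping actually needs: a dedicated service account that can only read the bootstrap bucket, a storage read-only OAuth scope on the instance, and a VPC firewall rule that limits management access to a known source range. It assumes `module.panos-bootstrap.bootstrap_name` is the bucket name (as the Utilization section states), and the variables `fw_mgmt_network` and `mgmt_source_ranges` are hypothetical inputs introduced for this example; the data-plane interfaces are the same as in the resource above and only the management and untrust interfaces are repeated here.

```hcl
# Dedicated identity for the VM-Series instead of the project's default compute service account.
resource "google_service_account" "panos_fw" {
  account_id   = "panos-fw"
  display_name = "VM-Series firewall (bootstrap reader)"
}

# Read-only access to the bootstrap bucket and to nothing else in the project.
resource "google_storage_bucket_iam_member" "bootstrap_reader" {
  bucket = module.panos-bootstrap.bootstrap_name
  role   = "roles/storage.objectViewer"
  member = "serviceAccount:${google_service_account.panos_fw.email}"
}

# Only management traffic from an allow-listed range may reach instances running as panos_fw.
resource "google_compute_firewall" "fw_mgmt_allowlist" {
  name    = "panos-fw-mgmt-allowlist"
  network = var.fw_mgmt_network # assumed: name of the VPC that holds the management subnet

  allow {
    protocol = "tcp"
    ports    = ["22", "443"]
  }

  source_ranges           = var.mgmt_source_ranges # assumed: e.g. ["203.0.113.0/24"], never 0.0.0.0/0
  target_service_accounts = [google_service_account.panos_fw.email]
}

resource "google_compute_instance" "firewall" {
  name             = var.fw_name
  zone             = var.fw_zone
  machine_type     = var.fw_machine_type
  min_cpu_platform = var.fw_machine_cpu
  can_ip_forward   = true

  boot_disk {
    initialize_params {
      image = var.fw_image
    }
  }

  metadata = {
    vmseries-bootstrap-gce-storagebucket = module.panos-bootstrap.bootstrap_name
    block-project-ssh-keys               = true
    ssh-keys                             = var.fw_ssh_key
    # serial-port-enable deliberately left unset (defaults to disabled).
  }

  service_account {
    email  = google_service_account.panos_fw.email
    scopes = ["storage-ro"] # devstorage.read_only: sufficient to fetch the bootstrap package
  }

  network_interface {
    subnetwork = var.fw_mgmt_subnet
    network_ip = var.fw_mgmt_ip
    access_config {
      // public IP on the management interface, reachable only from mgmt_source_ranges
    }
  }

  network_interface {
    subnetwork = var.fw_untrust_subnet
    network_ip = var.fw_untrust_ip
    access_config {
    }
  }

  # Do not let the instance boot before the bucket grant exists; otherwise the first
  # bootstrap attempt fails with a permission error and the firewall comes up unconfigured.
  depends_on = [google_storage_bucket_iam_member.bootstrap_reader]
}
```

The `depends_on` matters more than it looks: IAM bindings and the instance are otherwise created in parallel, and a VM-Series that cannot read the bucket on first boot does not retry the bootstrap. Once the firewall is registered with Panorama, the `objectViewer` binding can be removed or the bucket deleted, since the secrets in `init-cfg.txt` are only needed at first boot.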