From 4549a2ea83443e3a6405cd25cbb3ecbad7dde24b Mon Sep 17 00:00:00 2001 From: "pan-dev-content-sync-trigger[bot]" Date: Thu, 21 Nov 2024 03:11:45 +0000 Subject: [PATCH] Sync azure Terraform module documentation --- .../vmseries/examples/standalone_panorama.md | 97 ++++- .../docs/swfw/azure/vmseries/modules/appgw.md | 159 +++---- .../swfw/azure/vmseries/modules/bootstrap.md | 4 +- .../docs/swfw/azure/vmseries/modules/gwlb.md | 20 +- .../azure/vmseries/modules/loadbalancer.md | 80 ++-- .../docs/swfw/azure/vmseries/modules/natgw.md | 24 +- .../azure/vmseries/modules/ngfw_metrics.md | 4 +- .../swfw/azure/vmseries/modules/panorama.md | 9 +- .../swfw/azure/vmseries/modules/public_ip.md | 346 +++++++++++++++ .../modules/virtual_network_gateway.md | 147 ++++--- .../swfw/azure/vmseries/modules/vmseries.md | 16 +- .../docs/swfw/azure/vmseries/modules/vmss.md | 58 ++- .../docs/swfw/azure/vmseries/modules/vnet.md | 108 ++--- .../azure/vmseries/modules/vnet_peering.md | 4 +- .../common_vmseries.md | 208 +++++++-- .../common_vmseries_and_autoscale.md | 396 ++++++++++++++++-- .../dedicated_vmseries.md | 242 ++++++++--- .../dedicated_vmseries_and_autoscale.md | 396 ++++++++++++++++-- 18 files changed, 1831 insertions(+), 487 deletions(-) create mode 100644 products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md diff --git a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md b/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md index 9a665f1d4..c67134633 100644 --- a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md +++ b/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md 
@@ -64,7 +64,10 @@ A list of requirements might vary depending on the platform used to deploy the i - checkout the code locally (if you haven't done so yet) - copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs (take a closer look at the `TODO` markers) -- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary +- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice +- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value + in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged + option, we don't recommend putting the Subscription ID in clear text inside the code). - initialize the Terraform module: ```bash @@ -151,6 +154,7 @@ terraform destroy Name | Version | Source | Description --- | --- | --- | --- `vnet` | - | ../../modules/vnet | +`public_ip` | - | ../../modules/public_ip | `panorama` | - | ../../modules/panorama | ### Resources @@ -164,6 +168,7 @@ Name | Version | Source | Description Name | Type | Description --- | --- | --- +[`subscription_id`](#subscription_id) | `string` | Azure Subscription ID is a required argument since AzureRM provider v4. [`resource_group_name`](#resource_group_name) | `string` | Name of the Resource Group. [`region`](#region) | `string` | The Azure region to use. [`vnets`](#vnets) | `map` | A map defining VNETs. 
@@ -175,6 +180,7 @@ Name | Type | Description [`name_prefix`](#name_prefix) | `string` | A prefix that will be added to all created resources. [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation. [`tags`](#tags) | `map` | Map of tags to assign to the created resources. +[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes. [`availability_sets`](#availability_sets) | `map` | A map defining availability sets. [`panoramas`](#panoramas) | `map` | A map defining Azure Virtual Machine based on Palo Alto Networks Panorama image. @@ -182,12 +188,25 @@ Name | Type | Description Name | Description --- | --- -`username` | Initial administrative username to use for VM-Series. -`password` | Initial administrative password to use for VM-Series. -`panorama_mgmt_ips` | +`username` | Initial administrative username to use for Panorama. +`password` | Initial administrative password to use for Panorama. +`panorama_mgmt_ips` | IP addresses for the Panorama management interface. ### Required Inputs details +#### subscription_id + +Azure Subscription ID is a required argument since AzureRM provider v4. + +**Note!** \ +Instead of putting the Subscription ID directly in the code, it's recommended to use an environment variable. Create an +environment variable named `ARM_SUBSCRIPTION_ID` with your Subscription ID as value and leave this variable set to `null`. + + +Type: string + +[back to list](#modules-required-inputs) + #### resource_group_name Name of the Resource Group. 
@@ -207,37 +226,38 @@ Type: string #### vnets A map defining VNETs. - + For detailed documentation on each property refer to [module documentation](../../modules/vnet) - `create_virtual_network` - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, `false` will source an existing VNET. - `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a full resource name, including prefixes. +- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the + VNET will reside or is sourced from. - `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET. +- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by + default Azure DNS is used). - `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is disabled. -- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the - VNET will reside or is sourced from. -- `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. -- `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). 
+- `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). Type: ```hcl map(object({ + create_virtual_network = optional(bool, true) name = string resource_group_name = optional(string) - create_virtual_network = optional(bool, true) address_space = optional(list(string)) + dns_servers = optional(list(string)) vnet_encryption = optional(string) network_security_groups = optional(map(object({ name = string @@ -259,7 +279,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -267,13 +287,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) })) ``` 
@@ -325,6 +346,49 @@ Map of tags to assign to the created resources. Type: map(string) +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ips + +A map defining Public IP Addresses and Prefixes. + +Following properties are available: + +- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to + [module documentation](../../modules/public_ip#public_ip_addresses) + for available properties. +- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to + [module documentation](../../modules/public_ip#public_ip_prefixes) + for available properties. + + +Type: + +```hcl +object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +``` + + Default value: `map[]` [back to list](#modules-optional-inputs) @@ -458,10 +522,11 @@ map(object({ interfaces = list(object({ name = string subnet_key = string - private_ip_address = optional(string) create_public_ip = optional(bool, false) public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + private_ip_address = optional(string) })) logging_disks = optional(map(object({ name = string diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md index bf2755500..936b0c8f7 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md 
@@ -30,7 +30,7 @@ In order to use module `appgw`, you need to deploy `azurerm_resource_group` and Then you can use below code as an example of calling module to create Application Gateway: ```hcl -# Create Application Gateay +# Create Application Gateway module "appgw" { source = "PaloAltoNetworks/swfw-modules/azurerm//modules/appgw" @@ -101,6 +101,13 @@ appgws = { port = 80 } } + backend_settings = { + minimum = { + name = "http-backend" + port = 80 + protocol = "Http" + } + } rewrites = { minimum = { name = "minimum-set" @@ -119,9 +126,9 @@ appgws = { minimum = { name = "minimum-rule" priority = 1 - backend = "minimum" - listener = "minimum" - rewrite = "minimum" + backend_key = "minimum" + listener_key = "minimum" + rewrite_key = "minimum" } } } @@ -151,13 +158,11 @@ appgws = { capacity = { static = 2 } - backends = { + backend_settings = { existing = { name = "http-backend" port = 80 protocol = "Http" - timeout = 60 - cookie_based_affinity = "Enabled" } } listeners = { @@ -184,9 +189,9 @@ appgws = { existing = { name = "existing-rule" priority = 1 - backend = "existing" - listener = "existing" - rewrite = "existing" + backend_key = "existing" + listener_key = "existing" + rewrite_key = "existing" } } } @@ -217,13 +222,11 @@ appgws = { max = 20 } } - backends = { + backend_settings = { http = { name = "http-backend" port = 80 protocol = "Http" - timeout = 60 - cookie_based_affinity = "Enabled" } } listeners = { @@ -236,8 +239,8 @@ appgws = { http = { name = "http-rule" priority = 1 - backend = "http" - listener = "http" + backend_key = "http" + listener_key = "http" } } } @@ -272,13 +275,11 @@ appgws = { rule_set_type = "OWASP" rule_set_version = "3.2" } - backends = { + backend_settings = { waf = { name = "waf-backend" port = 80 protocol = "Http" - timeout = 60 - cookie_based_affinity = "Enabled" } } listeners = { 
@@ -305,9 +306,9 @@ appgws = { minimum = { name = "waf-rule" priority = 1 - backend = "waf" - listener = "waf" - rewrite = "waf" + backend_key = "waf" + listener_key = "waf" + rewrite_key = "waf" } } } @@ -364,9 +365,9 @@ appgws = { capacity = { static = 2 } - ssl_global = { - ssl_policy_type = "Predefined" - ssl_policy_name = "AppGwSslPolicy20170401" + global_ssl_policy = { + type = "Predefined" + name = "AppGwSslPolicy20170401" } ssl_profiles = { profile1 = { @@ -382,7 +383,7 @@ appgws = { protocol = "Https" ssl_profile_name = "appgw-ssl-profile1" ssl_certificate_path = "./files/test1.pfx" - ssl_certificate_pass = "" + ssl_certificate_pass = "123abc" host_names = ["test1.appgw.local"] } https2 = { @@ -390,20 +391,20 @@ appgws = { port = 443 protocol = "Https" ssl_certificate_path = "./files/test2.pfx" - ssl_certificate_pass = "" + ssl_certificate_pass = "123abc" host_names = ["test2.appgw.local"] } } backend_pool = { name = "vmseries-pool" } - backends = { + backend_settings = { https1 = { name = "https1-settings" port = 481 protocol = "Https" timeout = 60 - cookie_based_affinity = "Enabled" + use_cookie_based_affinity = true hostname_from_backend = false hostname = "test1.appgw.local" root_certs = { @@ -418,7 +419,7 @@ appgws = { port = 482 protocol = "Https" timeout = 60 - cookie_based_affinity = "Enabled" + use_cookie_based_affinity = true hostname_from_backend = false hostname = "test2.appgw.local" root_certs = { @@ -475,16 +476,16 @@ appgws = { https1 = { name = "https1-rule" priority = 2 - backend = "https1" - listener = "https1" - rewrite = "https1" + backend_key = "https1" + listener_key = "https1" + rewrite_key = "https1" } https2 = { name = "https2-rule" priority = 3 - backend = "https2" - listener = "https2" - rewrite = "https2" + backend_key = "https2" + listener_key = "https2" + rewrite_key = "https2" } } } 
@@ -520,10 +521,10 @@ appgws = { capacity = { static = 2 } - ssl_global = { - ssl_policy_type = "Custom" - ssl_policy_min_protocol_version = "TLSv1_0" - ssl_policy_cipher_suites = ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + global_ssl_policy = { + type = "Custom" + min_protocol_version = "TLSv1_0" + cipher_suites = ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", @@ -605,21 +606,21 @@ appgws = { backend_pool = { name = "vmseries-pool" } - backends = { + backend_settings = { http = { name = "http-settings" port = 80 protocol = "Http" timeout = 60 - cookie_based_affinity = "Enabled" - probe = "http" + use_cookie_based_affinity = true + probe_key = "http" } https1 = { name = "https1-settings" port = 481 protocol = "Https" timeout = 60 - cookie_based_affinity = "Enabled" + use_cookie_based_affinity = true hostname_from_backend = false hostname = "test1.appgw.local" root_certs = { @@ -628,14 +629,14 @@ appgws = { path = "./files/ca-cert1.pem" } } - probe = "https1" + probe_key = "https1" } https2 = { name = "https2-settings" port = 482 protocol = "Https" timeout = 60 - cookie_based_affinity = "Enabled" + use_cookie_based_affinity = true hostname_from_backend = false hostname = "test2.appgw.local" root_certs = { @@ -644,7 +645,7 @@ appgws = { path = "./files/ca-cert2.pem" } } - probe = "https2" + probe_key = "https2" } } probes = { 
@@ -726,60 +727,60 @@ appgws = { http = { name = "http-rule" priority = 1 - backend = "http" - listener = "http" - rewrite = "http" + backend_key = "http" + listener_key = "http" + rewrite_key = "http" } https1 = { name = "https1-rule" priority = 2 - backend = "https1" - listener = "https1" - rewrite = "https1" + backend_key = "https1" + listener_key = "https1" + rewrite_key = "https1" } https2 = { name = "https2-rule" priority = 3 - backend = "https2" - listener = "https2" - rewrite = "https2" + backend_key = "https2" + listener_key = "https2" + rewrite_key = "https2" } redirect_listener = { name = "redirect-listener-rule" priority = 4 - listener = "redirect_listener" - redirect = "redirect_listener" + listener_key = "redirect_listener" + redirect_key = "redirect_listener" } redirect_url = { name = "redirect-url-rule" priority = 5 - listener = "redirect_url" - redirect = "redirect_url" + listener_key = "redirect_url" + redirect_key = "redirect_url" } path_based_backend = { name = "path-based-backend-rule" priority = 6 - listener = "path_based_backend" - url_path_map = "path_based_backend" + listener_key = "path_based_backend" + url_path_map_key = "path_based_backend" } path_based_redirect_listener = { name = "path-redirect-listener-rule" priority = 7 - listener = "path_based_redirect_listener" - url_path_map = "path_based_redirect_listener" + listener_key = "path_based_redirect_listener" + url_path_map_key = "path_based_redirect_listener" } path_based_redirect_url = { name = "path-redirect-rul-rule" priority = 8 - listener = "path_based_redirect_url" - url_path_map = "path_based_redirect_url" + listener_key = "path_based_redirect_url" + url_path_map_key = "path_based_redirect_url" } } redirects = { redirect_listener = { name = "listener-redirect" type = "Permanent" - target_listener = "http" + target_listener_key = "http" include_path = true include_query_string = true } 
@@ -794,35 +795,35 @@ appgws = { url_path_maps = { path_based_backend = { name = "backend-map" - backend = "http" + backend_key = "http" path_rules = { http = { paths = ["/plaintext"] - backend = "http" + backend_key = "http" } https = { paths = ["/secure"] - backend = "https1" + backend_key = "https1" } } } path_based_redirect_listener = { name = "redirect-listener-map" - backend = "http" + backend_key = "http" path_rules = { http = { paths = ["/redirect"] - redirect = "redirect_listener" + redirect_key = "redirect_listener" } } } path_based_redirect_url = { name = "redirect-url-map" - backend = "http" + backend_key = "http" path_rules = { http = { paths = ["/redirect"] - redirect = "redirect_url" + redirect_key = "redirect_url" } } } @@ -836,11 +837,11 @@ appgws = { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -930,19 +931,23 @@ Type: string A map defining listener's public IP configuration. Following properties are available: -- `name` - (`string`, required) name of the Public IP resource. - `create` - (`bool`, optional, defaults to `true`) controls if the Public IP resource is created or sourced. +- `name` - (`string`, optional) name of the Public IP resource, required unless `public_ip` module and `id` + property are used. - `resource_group_name` - (`string`, optional, defaults to `null`) name of the Resource Group hosting the Public IP resource, used only for sourced resources. +- `id` - (`string`, optional, defaults to `null`) ID of the Public IP to associate with the Listener. + Property is used when Public IP is not created or sourced within this module. Type: ```hcl object({ - name = string create = optional(bool, true) + name = optional(string) resource_group_name = optional(string) + id = optional(string) }) ``` 
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md index b440fd917..2924e0222 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md @@ -154,11 +154,11 @@ details refer to the [var.file_shares](#file_shares) variable documentation. ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md b/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md index bec4c5fd8..4b0f0a7d3 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md @@ -37,11 +37,12 @@ In order to use GWLB, below minimal definition of Gateway Load Balancer can be u ```hcl gwlb = { - name = "vmseries-gwlb" - - frontend_ip = { - vnet_key = "security" - subnet_key = "data" + vmseries_gwlb = { + name = "vmseries-gwlb" + frontend_ip = { + vnet_key = "security" + subnet_key = "data" + } } } ``` @@ -55,7 +56,8 @@ For more customized requirements, below extended definition of GWLB can be appli - 2 backends are defined (external and internal) ```hcl - gwlb2 = { + gwlb = { + vmseries_gwlb = { name = "vmseries-gwlb2" zones = [] @@ -73,6 +75,7 @@ For more customized requirements, below extended definition of GWLB can be appli health_probe = { name = "custom-name-health-probe" port = 80 + protocol = "Tcp" } backends = { @@ -100,6 +103,7 @@ For more customized requirements, below extended definition of GWLB can be appli } } } +} ``` ## Reference 
@@ -107,11 +111,11 @@ For more customized requirements, below extended definition of GWLB can be appli ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md b/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md index 6f4662424..a7a723d0a 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md @@ -54,6 +54,7 @@ module "lbi" { name = "private-lb" region = "West Europe" resource_group_name = "existing-rg" + backend_name = "vmseries_backend" frontend_ips = { ha = { @@ -86,6 +87,7 @@ module "lbe" { name = "public-lb" region = "West Europe" resource_group_name = "existing-rg" + backend_name = "vmseries_backend" frontend_ips = { web = { @@ -96,7 +98,7 @@ module "lbe" { http = { name = "http" port = 80 - protocol = "TCP" + protocol = "Tcp" } } } @@ -109,11 +111,11 @@ module "lbe" { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -153,8 +155,8 @@ Name | Description --- | --- `id` | The identifier of the Load Balancer resource. `backend_pool_id` | The identifier of the backend pool. -`frontend_ip_configs` | Map of IP addresses, one per each entry of `frontend_ips` input. Contains public IP address for the frontends that have it, -private IP address otherwise. +`frontend_ip_configs` | Map of IP prefixes/addresses, one per each entry of `frontend_ips` input. Contains public IP prefix/address for the frontends +that have it, private IP address otherwise. `health_probe` | The health probe object. 
@@ -204,35 +206,44 @@ To ease configuration they were grouped per Load Balancer type. Private Load Balancer: -- `name` - (`string`, required) name of a frontend IP configuration -- `subnet_id` - (`string`, required) an ID of an existing subnet that will host the private Load Balancer -- `private_ip_address` - (`string`, required) the IP address of the Load Balancer -- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below -- `gwlb_fip_id` - (`string`, optional, defaults to `null`) an ID of a frontend IP configuration - of a Gateway Load Balancer +- `name` - (`string`, required) name of a frontend IP configuration. +- `subnet_id` - (`string`, required) an ID of an existing subnet that will host the private Load Balancer. +- `private_ip_address` - (`string`, required) the IP address of the Load Balancer. +- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below. +- `gwlb_fip_id` - (`string`, optional, defaults to `null`) an ID of a frontend IP configuration of a + Gateway Load Balancer. Public Load Balancer: -- `name` - (`string`, required) name of a frontend IP configuration -- `public_ip_name` - (`string`, required) name of a public IP resource -- `create_public_ip` - (`bool`, optional, defaults to `false`) when set to `true` a new public IP will be +- `name` - (`string`, required) name of a frontend IP configuration. +- `create_public_ip` - (`bool`, optional, defaults to `false`) when set to `true` a new Public IP will be created, otherwise an existing resource will be used; - in both cases the name of the resource is controlled by `public_ip_name` property + in both cases the name of the resource is controlled by `public_ip_name` property. +- `public_ip_name` - (`string`, optional) name of a Public IP resource, required unless `public_ip` module and + `public_ip_id` property are used. 
- `public_ip_resource_group_name` - (`string`, optional, defaults to the Load Balancer's RG) name of a Resource Group - hosting an existing public IP resource -- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below -- `out_rules` - (`map`, optional, defaults to `{}`) a map defining outbound rules, see details below + hosting an existing Public IP resource. +- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the Public IP Address to associate with the + Frontend. Property is used when Public IP is not created or sourced within this module. +- `public_ip_address` - (`string`, optional, defaults to `null`) IP address of the Public IP to associate with the + Frontend. Property is used when Public IP is not created or sourced within this module. +- `public_ip_prefix_id` - (`string`, optional, defaults to `null`) ID of the Public IP Prefix to associate with the + Frontend. Property is used when you need to source Public IP Prefix. +- `public_ip_prefix_address` - (`string`, optional, defaults to `null`) IP address of the Public IP Prefix to associate + with the Frontend. Property is used when you need to source Public IP Prefix. +- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below. +- `out_rules` - (`map`, optional, defaults to `{}`) a map defining outbound rules, see details below. Below are the properties for the `in_rules` map: -- `name` - (`string`, required) a name of an inbound rule +- `name` - (`string`, required) a name of an inbound rule. - `protocol` - (`string`, required) communication protocol, either 'Tcp', 'Udp' or 'All'. - `port` - (`number`, required) communication port, this is both the front- and the backend port - if `backend_port` is not set; value of `0` means all ports + if `backend_port` is not set; value of `0` means all ports. 
- `backend_port` - (`number`, optional, defaults to `null`) this is the backend port to forward traffic - to in the backend pool + to in the backend pool. - `health_probe_key` - (`string`, optional, defaults to `default`) a key from the `var.health_probes` map defining - a health probe to use with this rule + a health probe to use with this rule. - `floating_ip` - (`bool`, optional, defaults to `true`) enables floating IP for this rule. - `session_persistence` - (`string`, optional, defaults to `Default`) controls session persistance/load distribution, three values are possible: 
@@ -250,21 +261,20 @@ Setting at least one `out_rule` switches the outgoing traffic from SNAT to outbo single backend, and you cannot mix SNAT and outbound rules traffic in rules using the same backend, setting one `out_rule` switches the outgoing traffic route for **ALL** `in_rules`. -- `name` - (`string`, required) a name of an outbound rule -- `protocol` - (`string`, required) protocol used by the rule. One of `All`, `Tcp` or `Udp` is accepted +- `name` - (`string`, required) a name of an outbound rule. +- `protocol` - (`string`, required) protocol used by the rule. One of `All`, `Tcp` or `Udp` is accepted. - `allocated_outbound_ports` - (`number`, optional, defaults to `null`) number of ports allocated per instance, when skipped provider defaults will be used (`1024`), when set to `0` port allocation will be set to default number (Azure defaults); - maximum value is `64000` -- `enable_tcp_reset` - (`bool`, optional, defaults to Azure defaults) ignored when `protocol` is set to `Udp` -- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure defaults) TCP connection timeout in minutes - (between 4 and 120) - in case the connection is idle, ignored when `protocol` is set to `Udp` + maximum value is `64000`. +- `enable_tcp_reset` - (`bool`, optional, defaults to Azure defaults) ignored when `protocol` is set to `Udp`. +- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure defaults) TCP connection timeout in minutes (between 4 + and 120) in case the connection is idle, ignored when `protocol` is set to `Udp`. Examples ```hcl -# rules for a public Load Balancer, reusing an existing public IP and doing port translation +# rules for a public Load Balancer, reusing an existing Public IP and doing port translation frontend_ips = { pip_existing = { create_public_ip = false 
@@ -323,9 +333,13 @@ Type: ```hcl map(object({ name = string - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_id = optional(string) + public_ip_address = optional(string) + public_ip_prefix_id = optional(string) + public_ip_prefix_address = optional(string) subnet_id = optional(string) private_ip_address = optional(string) gwlb_fip_id = optional(string) @@ -370,14 +384,14 @@ Controls zones for Load Balancer's fronted IP configurations. For: -- public IPs - these are zones in which the public IP resource is available. +- public IPs - these are zones in which the Public IP resource is available. - private IPs - these are zones to which Azure will deploy paths leading to Load Balancer frontend IPs (all frontends are affected). Setting this variable to explicit `null` disables a zonal deployment. This can be helpful in regions where Availability Zones are not available. -For public Load Balancers, since this setting controls also Availability Zones for public IPs, you need to specify all zones +For public Load Balancers, since this setting controls also Availability Zones for Public IPs, you need to specify all zones available in a region (typically 3): `["1","2","3"]`. diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md index 6a2ac2eba..0aaecd442 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md @@ -52,8 +52,8 @@ module "natgw" { name = "NATGW_name" resource_group_name = "resource_group_name" location = "region_name" - subnet_ids = { "a_subnet_name" = -module.vnet.subnet_ids["a_subnet_name"] } + subnet_ids = { "subnet_name" = "/subscription/xxxx/......." } + idle_timeout = 120 } ``` 
@@ -65,11 +65,11 @@ by Azure. ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -211,9 +211,12 @@ A map defining a Public IP resource. List of available properties: - `create` - (`bool`, required) controls whether a Public IP is created, sourced, or not used at all. -- `name` - (`string`, required) name of a created or sourced Public IP. +- `name` - (`string`, optional) name of a created or sourced Public IP, required unless `public_ip` module and + `id` property are used. - `resource_group_name` - (`string`, optional) name of a resource group hosting the sourced Public IP resource, ignored when `create = true`. +- `id` - (`string`, optional, defaults to `null`) ID of the Public IP to associate with the NAT Gateway. + Property is used when Public IP Address is not created or sourced within this module. The module operates in 3 modes, depending on combination of `create` and `name` properties: @@ -247,8 +250,9 @@ Type: ```hcl object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) + id = optional(string) }) ``` 
@@ -264,11 +268,14 @@ A map defining a Public IP Prefix resource. List of available properties: - `create` - (`bool`, required) controls whether a Public IP Prefix is created, sourced, or not used at all. -- `name` - (`string`, required) name of a created or sourced Public IP Prefix. +- `name` - (`string`, optional) name of a created or sourced Public IP Prefix, required unless `public_ip` + module and `id` property are used. - `resource_group_name` - (`string`, optional) name of a resource group hosting the sourced Public IP Prefix resource, ignored when `create = true`. - `length` - (`number`, optional, defaults to `28`) number of bits of the Public IP Prefix, this value can be between `0` and `31` but can be limited on subscription level (Azure default is `/28`). +- `id` - (`string`, optional, defaults to `null`) ID of the Public IP Prefix to associate with the NAT Gateway. + Property is used when Public IP Prefix is not created or sourced within this module. The module operates in 3 modes, depending on combination of `create` and `name` properties: @@ -302,9 +309,10 @@ Type: ```hcl object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) length = optional(number, 28) + id = optional(string) }) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md b/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md index d53a1aefb..549c2a772 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md @@ -81,11 +81,11 @@ module "ngfw_metrics" { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md index e5a5f6640..4d7cf33cd 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md @@ -44,11 +44,11 @@ The acceptance applies to the entirety of your Azure Subscription. ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -270,10 +270,12 @@ Following configuration options are available: - `public_ip_name` - (`string`, optional, defaults to `null`) name of the public IP to associate with the interface. When `create_public_ip` is set to `true` this will become a name of a newly created Public IP interface. Otherwise this is a name of an existing interfaces that will - be sourced and attached to the interface. + be sourced and attached to the interface. Not used when using `public_ip` module. - `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that contains public IP that that will be associated with the interface. Used only when `create_public_ip` is `false`. +- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the + interface. Property is used when public IP is not created or sourced within this module. Example: @@ -307,6 +309,7 @@ list(object({ create_public_ip = optional(bool, false) public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_id = optional(string) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md b/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md new file mode 100644 index 000000000..a2288c4ff --- /dev/null +++ b/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md 
@@ -0,0 +1,346 @@ +--- +hide_title: true +id: public_ip +keywords: +- pan-os +- panos +- firewall +- configuration +- terraform +- vmseries +- vm-series +- swfw +- software-firewalls +- azure +pagination_next: null +pagination_prev: null +sidebar_label: Public Ip +title: Palo Alto Networks Public IP Module for Azure +--- + +# Palo Alto Networks Public IP Module for Azure + +A Terraform module for deploying Public IP Addresses and Prefixes required for the VM-Series firewalls and other infrastructure +components in Azure. + +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/modules/public_ip) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/submodules/public_ip) + +## Purpose + +All other modules that may require a Public IP Address resource support simple creation of it. This module allows more advanced +creation of Public IP Addresses and Prefixes, including: +- Specifying Availability Zones for Public IPs separately from the main resource +- Specifying Domain Name Label and Idle Timeout for Public IPs +- Allocating Public IP Addresses from an existing Public IP Prefix (e.g. Custom non-Microsoft IP Prefix) + +## Usage + +In order to use module `public_ip`, you need to deploy `azurerm_resource_group` as a prerequisite. 
Then you can use below code as +an example of calling module to create Public IP Addresses and Prefixes: + +```hcl +module "public_ip" { + source = ""PaloAltoNetworks/swfw-modules/azurerm//modules/public_ip" + + region = var.region + public_ip_addresses = { + for k, v in var.public_ips.public_ip_addresses : k => merge(v, { + name = "${var.name_prefix}${v.name}" + resource_group_name = coalesce(v.resource_group_name, local.resource_group.name) + }) + } + public_ip_prefixes = { + for k, v in var.public_ips.public_ip_prefixes : k => merge(v, { + name = "${var.name_prefix}${v.name}" + resource_group_name = coalesce(v.resource_group_name, local.resource_group.name) + }) + } + + tags = var.tags +} +``` + +Below there are provided sample values for `public_ips` map: + +```hcl +public_ips = { + public_ip_addresses = { + # create a new public ip address in zone 1, with domain name label "domainname" and idle timeout of 10 minutes + pip1 = { + create = true + name = "new-public-ip-name1" + resource_group_name = "pip-rg-name" + zones = ["1"] + domain_name_label = "domainname" + idle_timeout_in_minutes = 10 + } + # create a new public ip address in all zones (default) and allocate it from an existing ip prefix + pip2 = { + create = true + name = "new-public-ip-name2" + resource_group_name = "pip-rg-name" + prefix_name = "public-ip-prefix-name" + prefix_resource_group_name = "ippre-rg-name" + } + # source an existing public ip address + pip3 = { + create = false + name = "existing-public-ip-name" + resource_group_name = "pip-rg-name" + } + } + public_ip_prefixes = { + # create a new public ip prefix in zone 1 with a prefix length of /28 (default) + ippre1 = { + create = true + name = "new-public-ip-prefix-name1" + resource_group_name = "ippre-rg-name" + zones = ["1"] + } + # create a new public ip prefix in all zones (default) with a prefix length of /30 + ippre2 = { + create = true + name = "new-public-ip-prefix-name2" + resource_group_name = "ippre-rg-name" + length = 30 + } 
+ # source and existing public ip prefix + ippre3 = { + create = false + name = "existing-public-ip-prefix-name" + resource_group_name = "ippre-rg-name" + } + } +} +``` + +To make defining the Public IPs easy, you can use the following variable in the _glue_ code: + +```hcl +variable "public_ips" { + description = "A map defining Public IP Addresses and Prefixes." + default = {} + type = object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +} +``` + +## Reference + +### Requirements + +- `terraform`, version: >= 1.5, < 2.0 +- `azurerm`, version: ~> 4.0 + +### Providers + +- `azurerm`, version: ~> 4.0 + + + +### Resources + +- `public_ip` (managed) +- `public_ip_prefix` (managed) +- `public_ip` (data) +- `public_ip_prefix` (data) +- `public_ip_prefix` (data) + +### Required Inputs + +Name | Type | Description +--- | --- | --- +[`region`](#region) | `string` | The name of the Azure region to deploy the resources in. + +### Optional Inputs + +Name | Type | Description +--- | --- | --- +[`tags`](#tags) | `map` | The map of tags to assign to all created resources. +[`public_ip_addresses`](#public_ip_addresses) | `map` | Map of objects describing Public IP Addresses. +[`public_ip_prefixes`](#public_ip_prefixes) | `map` | Map of objects describing Public IP Prefixes. + +### Outputs + +Name | Description +--- | --- +`pip_ids` | The identifiers of the created or sourced Public IP Addresses. +`pip_ip_addresses` | The IP values of the created or sourced Public IP Addresses. 
+`ippre_ids` | The identifiers of the created or sourced Public IP Prefixes. +`ippre_ip_prefixes` | The IP values of the created or sourced Public IP Prefixes. + +### Required Inputs details + +#### region + +The name of the Azure region to deploy the resources in. + +Type: string + +[back to list](#modules-required-inputs) + +### Optional Inputs details + +#### tags + +The map of tags to assign to all created resources. + +Type: map(string) + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ip_addresses + +Map of objects describing Public IP Addresses. + +List of available properties: + +- `create` - (`bool`, required) controls whether a Public IP Address is created or sourced. +- `name` - (`string`, required) name of a created or sourced Public IP Address. +- `resource_group_name` - (`string`, required) name of a Resource Group for created Public IP Address or hosting an + existing Public IP Address. +- `zones` - (`list`, optional, defaults to ["1", "2", "3"]) list of Availability Zones in which the Public + IP Address is available, setting this variable to explicit `null` disables a zonal deployment. +- `domain_name_label` - (`string`, optional, defaults to `null`) a label for the Domain Name, will be used to make up + the FQDN. If a domain name label is specified, an A DNS record is created for the Public IP in + the Microsoft Azure DNS system. +- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the Public IP + Address, possible values are in the range from 4 to 32. +- `prefix_name` - (`string`, optional) the name of an existing Public IP Prefix from where Public IP Addresses + should be allocated. +- `prefix_resource_group_name` - (`string`, optional, defaults to the PIP's RG) name of a Resource Group hosting an existing + Public IP Prefix resource. 
+ +Example: + +```hcl +# create two new Public IP Addresses, where the first IP is only in Availability Zone 1 +# and the second IP is in all 3 Availability Zones (default) and is allocated from a specific Public IP Prefix +public_ip_addresses = { + pip1 = { + create = true + name = "new-public-ip-name1" + resource_group_name = "pip-rg-name" + zones = ["1"] + } + pip2 = { + create = true + name = "new-public-ip-name2" + resource_group_name = "pip-rg-name" + prefix_name = "public-ip-prefix-name" + prefix_resource_group_name = "ippre-rg-name" + } +} + +# source an existing Public IP +public_ip_addresses = { + pip1 = { + create = false + name = "existing-public-ip-name" + resource_group_name = "pip-rg-name" + } +} +``` + + +Type: + +```hcl +map(object({ + create = bool + name = string + resource_group_name = string + zones = optional(list(string), ["1", "2", "3"]) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })) +``` + + +Default value: `&{}` + +[back to list](#modules-optional-inputs) + +#### public_ip_prefixes + +Map of objects describing Public IP Prefixes. + +List of available properties: + +- `create` - (`bool`, required) controls whether a Public IP Prefix is created or sourced. +- `name` - (`string`, required) name of a created or sourced Public IP Prefix. +- `resource_group_name` - (`string`, required) name of a Resource Group for created Public IP Prefix or hosting an existing + Public IP Prefix. +- `zones` - (`list`, optional, defaults to ["1", "2", "3"]) list of Availability Zones in which the Public IP + Address is available, setting this variable to explicit `null` disables a zonal deployment. +- `length` - (`number`, optional, defaults to `28`) number of bits of the Public IP Prefix, this value can be + between `0` and `31` but can be limited on subscription level (Azure default is `/28`). 
+ +Example: + +```hcl +# create two new Public IP Prefixes, where the first one is only in Availability Zone 1 and with default prefix length of `/28` +# and the second one is in all 3 Availability Zones (default) and with prefix length of `/30` +public_ip_prefixes = { + ippre1 = { + create = true + name = "new-public-ip-prefix-name1" + resource_group_name = "ippre-rg-name" + zones = ["1"] + } + ippre2 = { + create = true + name = "new-public-ip-prefix-name2" + resource_group_name = "ippre-rg-name" + length = 30 + } +} + +# source an existing Public IP Prefix +public_ip_prefixes = { + ippre1 = { + create = false + name = "existing-public-ip-prefix-name" + resource_group_name = "ippre-rg-name" + } +} +``` + + +Type: + +```hcl +map(object({ + create = bool + name = string + resource_group_name = string + zones = optional(list(string), ["1", "2", "3"]) + length = optional(number, 28) + })) +``` + + +Default value: `&{}` + +[back to list](#modules-optional-inputs) \ No newline at end of file diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md b/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md index 51558ae32..5c738d1c0 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md 
@@ -37,13 +37,13 @@ module "vng" { for_each = var.virtual_network_gateways name = "${var.name_prefix}${each.value.name}" - location = var.region + region = var.region resource_group_name = local.resource_group.name - network = each.value.network - subnet_id = module.vnet[each.value.vnet_key].subnet_ids[each.value.subnet_key] + ip_configurations = each.value.ip_configurations + instance_settings = each.value.instance_settings + subnet_id = "/subscription/xxxx/......." - virtual_network_gateway = each.value.virtual_network_gateway azure_bgp_peer_addresses = each.value.azure_bgp_peer_addresses bgp = each.value.bgp local_network_gateways = each.value.local_network_gateways @@ -59,7 +59,7 @@ Below there are provided sample values for `virtual_network_gateways` map: virtual_network_gateways = { expressroute = { name = "expressroute" - virtual_network_gateway = { + instance_settings = { type = "ExpressRoute" # vpn_type = "PolicyBased" sku = "Standard" @@ -67,20 +67,18 @@ virtual_network_gateways = { } vnet_key = "transit" subnet_key = "vpn" - network = { - public_ip_zones = ["1"] - ip_configurations = { - primary = { - create_public_ip = true - name = "primary" - public_ip_name = "expressroute_pip" - } + ip_configurations = { + primary = { + create_public_ip = true + name = "primary" + public_ip_name = "expressroute_pip" } } + } expressroute_policy_based = { name = "er_policy" - virtual_network_gateway = { + instance_settings = { type = "ExpressRoute" vpn_type = "PolicyBased" sku = "Standard" 
@@ -88,20 +86,18 @@ virtual_network_gateways = { } vnet_key = "er" subnet_key = "vpn" - network = { - public_ip_zones = ["1"] - ip_configurations = { - primary = { - create_public_ip = true - name = "primary" - public_ip_name = "er_policy_pip" - } + ip_configurations = { + primary = { + create_public_ip = true + name = "primary" + public_ip_name = "er_policy_pip" } } + } vpn_simple = { name = "simple-vpn" - virtual_network_gateway = { + instance_settings = { type = "Vpn" # vpn_type = "PolicyBased" sku = "VpnGw1" @@ -109,20 +105,18 @@ virtual_network_gateways = { } vnet_key = "er" subnet_key = "vpn" - network = { - public_ip_zones = [] - ip_configurations = { - primary = { - create_public_ip = true - name = "primary" - public_ip_name = "simple_vpn_pip" - } + ip_configurations = { + primary = { + create_public_ip = true + name = "primary" + public_ip_name = "simple_vpn_pip" } } + } "vng" = { name = "vng" - virtual_network_gateway = { + instance_settings = { type = "Vpn" sku = "VpnGw2AZ" generation = "Generation2" @@ -130,21 +124,19 @@ virtual_network_gateways = { } vnet_key = "transit" subnet_key = "vpn" - network = { - public_ip_zones = ["1", "2", "3"] - ip_configurations = { - primary = { - name = "primary" - create_public_ip = true - public_ip_name = "vng-primary-pip" - } - secondary = { - name = "secondary" - create_public_ip = true - public_ip_name = "vng-secondary-pip" - } + ip_configurations = { + primary = { + name = "primary" + create_public_ip = true + public_ip_name = "vng-primary-pip" + } + secondary = { + name = "secondary" + create_public_ip = true + public_ip_name = "vng-secondary-pip" } } + azure_bgp_peer_addresses = { one_primary = "169.254.21.2" one_secondary = "169.254.22.2" 
@@ -240,36 +232,31 @@ variable "virtual_network_gateways" { nullable = false type = map(object({ name = string - virtual_network_gateway = object({ + instance_settings = object({ type = optional(string) vpn_type = optional(string) sku = optional(string) active_active = optional(bool) generation = optional(string) - custom_routes = optional(map(list(string))) }) vnet_key = string subnet_key = string - network = object({ - public_ip_zones = optional(list(string)) - ip_configurations = object({ - primary = object({ - name = string - create_public_ip = optional(bool) - public_ip_name = string - private_ip_address_allocation = optional(string) - }) - secondary = optional(object({ - name = string - create_public_ip = optional(bool) - public_ip_name = string - private_ip_address_allocation = optional(string) - })) + + ip_configurations = object({ + primary = object({ + name = string + create_public_ip = optional(bool) + public_ip_name = string + private_ip_address_allocation = optional(string) }) - private_ip_address_enabled = optional(bool) - default_local_network_gateway_id = optional(string) - edge_zone = optional(string) + secondary = optional(object({ + name = string + create_public_ip = optional(bool) + public_ip_name = string + private_ip_address_allocation = optional(string) + })) }) + azure_bgp_peer_addresses = optional(map(string)) bgp = optional(object({ enable = optional(bool, false) @@ -339,11 +326,11 @@ variable "virtual_network_gateways" { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 
@@ -503,13 +490,18 @@ A map defining the Public IPs used by the Virtual Network Gateway. Following properties are available: - `primary` - (`map`, required) a map defining the primary Public IP address, following properties are available: - - `name` - (`string`, required) name of the IP config. - - `create_public_ip` - (`bool`, optional, defaults to `true`) controls if a Public IP is created or sourced. - - `public_ip_name` - (`string`, required) name of a Public IP resource, depending on the value of - `create_public_ip` property this will be a name of a newly create or existing resource - (for values of `true` and `false` accordingly). - - `dynamic_private_ip_allocation` - (`bool`, optional, defaults to `true`) controls if the private IP address is assigned - dynamically or statically. + - `name` - (`string`, required) name of the IP config. + - `create_public_ip` - (`bool`, optional, defaults to `true`) controls if a Public IP is created or sourced. + - `public_ip_name` - (`string`, optional) name of a Public IP resource, required unless `public_ip` module + and `public_ip_id` property are used. Depending on the value of `create_public_ip` + property, this will be a name of a newly created or existing resource (for values of + `true` and `false` accordingly). + - `public_ip_resource_group_name` - (`string`, optional, defaults to the Load Balancer's RG) name of a Resource Group + hosting an existing Public IP resource. + - `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the + interface. Property is used when public IP is not created or sourced within this module. + - `dynamic_private_ip_allocation` - (`bool`, optional, defaults to `true`) controls if the private IP address is assigned + dynamically or statically. - `secondary` - (`map`, optional, defaults to `null`) a map defining the secondary Public IP address resource. Required only for `type` set to `Vpn` and `active-active` set to `true`. 
Same properties available as for `primary` property. @@ -522,13 +514,16 @@ object({ primary = object({ name = string create_public_ip = optional(bool, true) - public_ip_name = string + public_ip_name = optional(string) + public_ip_resource_group_name = optional(string) + public_ip_id = optional(string) private_ip_address_allocation = optional(string, "Dynamic") }) secondary = optional(object({ name = string create_public_ip = optional(bool, true) - public_ip_name = string + public_ip_name = optional(string) + public_ip_id = optional(string) private_ip_address_allocation = optional(string, "Dynamic") })) }) diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md index fe895a96b..ba2283a85 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md @@ -58,11 +58,11 @@ If your Region doesn't, use an alternative mechanism of Availability Set, which ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -70,6 +70,7 @@ If your Region doesn't, use an alternative mechanism of Availability Set, which - `linux_virtual_machine` (managed) - `network_interface` (managed) +- `network_interface_application_gateway_backend_address_pool_association` (managed) - `network_interface_backend_address_pool_association` (managed) - `public_ip` (managed) - `public_ip` (data) 
@@ -299,14 +300,20 @@ Following configuration options are available: - `public_ip_name` - (`string`, optional, defaults to `null`) name of the public IP to associate with the interface. When `create_public_ip` is set to `true` this will become a name of a newly created Public IP interface. Otherwise this is a name of an existing interfaces that will - be sourced and attached to the interface. + be sourced and attached to the interface. Not used when using `public_ip` module. - `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that contains public IP that that will be associated with the interface. Used only when `create_public_ip` is `false`. +- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the + interface. Property is used when public IP is not created or sourced within this module. - `attach_to_lb_backend_pool` - (`bool`, optional, defaults to `false`) set to `true` if you would like to associate this interface with a Load Balancer backend pool. - `lb_backend_pool_id` - (`string`, optional, defaults to `null`) ID of an existing backend pool to associate the interface with. +- `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of an existing Application Gateway backend pool + to associate the interface with. +- `attach_to_appgw_backend_pool` - (`bool`, optional, defaults to `false`) set to `true` if you would like to associate this + interface with an Application Gateway backend pool. Example: @@ -341,9 +348,12 @@ list(object({ create_public_ip = optional(bool, false) public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_id = optional(string) private_ip_address = optional(string) lb_backend_pool_id = optional(string) attach_to_lb_backend_pool = optional(bool, false) + appgw_backend_pool_id = optional(string) + attach_to_appgw_backend_pool = optional(bool, false) })) ``` 
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md index 7943a4218..f4c64ce56 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md @@ -88,15 +88,19 @@ module "vmss" { resource_group_name = "hub-rg" region = "West Europe" + image = { + version = "10.2.901" + publisher = "paloaltonetworks" + offer = "vmseries-flex" + sku = "byol" + } + authentication = { username = "panadmin" password = "c0mpl1c@t3d" - disable_password_authentication = true + disable_password_authentication = false } - vm_image_configuration = { - img_version = "10.2.4" - } - scale_set_configuration = {} + interfaces = [ { name = "managmeent" @@ -125,11 +129,11 @@ module "vmss" { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Modules Name | Version | Source | Description @@ -140,6 +144,7 @@ Name | Version | Source | Description - `linux_virtual_machine_scale_set` (managed) - `monitor_autoscale_setting` (managed) +- `public_ip_prefix` (data) ### Required Inputs 
@@ -282,15 +287,21 @@ Interfaces will be attached to VM in the order you define here, therefore: Following configuration options are available: -- `name` - (`string`, required) the interface name. -- `subnet_id` - (`string`, required) ID of an existing subnet to create the interface in. -- `create_public_ip` - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface. -- `lb_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifiers of existing Load Balancer backend pools - to associate the interface with. -- `appgw_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifier of Application Gateway's backend pools - to associate the interface with. -- `pip_domain_name_label` - (`string`, optional, defaults to `null`) the IP Prefix which should be used for the Domain Name - Label for each Virtual Machine Instance. +- `name` - (`string`, required) the interface name. +- `subnet_id` - (`string`, required) ID of an existing subnet to create the interface in. +- `create_public_ip` - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface. +- `pip_domain_name_label` - (`string`, optional, defaults to `null`) the Prefix which should be used for the Domain + Name Label for each Virtual Machine Instance. +- `pip_idle_timeout_in_minutes` - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the Public + IP Address, possible values are in the range from 4 to 32. +- `pip_prefix_name` - (`string`, optional) the name of an existing Public IP Address Prefix from where Public IP + Addresses should be allocated. +- `pip_prefix_resource_group_name` - (`string`, optional, defaults to the VMSS's RG) name of a Resource Group hosting an + existing Public IP Prefix resource. +- `lb_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifiers of existing Load Balancer + backend pools to associate the interface with. 
+- `appgw_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifier of Application Gateway's backend + pools to associate the interface with. Example: @@ -318,12 +329,15 @@ Type: ```hcl list(object({ - name = string - subnet_id = string - create_public_ip = optional(bool, false) - lb_backend_pool_ids = optional(list(string), []) - appgw_backend_pool_ids = optional(list(string), []) - pip_domain_name_label = optional(string) + name = string + subnet_id = string + create_public_ip = optional(bool, false) + pip_domain_name_label = optional(string) + pip_idle_timeout_in_minutes = optional(number) + pip_prefix_name = optional(string) + pip_prefix_resource_group_name = optional(string) + lb_backend_pool_ids = optional(list(string), []) + appgw_backend_pool_ids = optional(list(string), []) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md index fb0a3d645..15158f641 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md @@ -33,6 +33,7 @@ This module is designed to work in several *modes* depending on which variables name = "transit" resource_group_name = "existing-rg" address_space = ["10.0.0.0/25"] + region = "North Europe" network_security_groups = { inbound = { name = "inbound-nsg" 
@@ -56,42 +57,53 @@ This module is designed to work in several *modes* depending on which variables name = "default-rt" routes = { "default" = { - name = "default-udr" - address_prefix = "0.0.0.0/0" - next_hop_type = "VirtualAppliance" - next_hop_in_ip_address = "5.6.7.8" + name = "default-udr" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_ip_address = "5.6.7.8" } } } } subnets = { "subnet" = { - name = "snet" - address_prefixes = ["10.0.0.0/28"] - network_security_group = "inbound" - route_table = "default" + name = "snet" + address_prefixes = ["10.0.0.0/28"] + network_security_group_key = "inbound" + route_table_key = "default" } } ``` -- source a VNET but create Subnets, NSGs and Route Tables. This is a similar example to the above one, NSG and Route Table are empty this time: +- source a VNET but create Subnets, NSGs and Route Tables. This is a similar example to the above one, NSG is empty this time: ```hcl create_virtual_network = false name = "existing-vnet" resource_group_name = "existing-rg" + region = "North Europe" network_security_groups = { inbound = { name = "inbound-nsg" } } route_tables = { - default = { name = "default-rt" } + default = { + name = "default-rt" + routes = { + "default" = { + name = "default-udr" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_ip_address = "5.6.7.8" + } + } + } } subnets = { "subnet" = { - name = "snet" - address_prefixes = ["10.0.0.0/28"] - network_security_group = "inbound" - route_table = "default" + name = "snet" + address_prefixes = ["10.0.0.0/28"] + network_security_group_key = "inbound" + route_table_key = "default" } } ``` @@ -102,6 +114,7 @@ This module is designed to work in several *modes* depending on which variables create_virtual_network = false name = "existing-vnet" resource_group_name = "existing-rg" + region = "North Europe" network_security_groups = { inbound = { name = "inbound-nsg" 
@@ -125,10 +138,10 @@ This module is designed to work in several *modes* depending on which variables name = "default-rt" routes = { "default" = { - name = "default-udr" - address_prefix = "0.0.0.0/0" - next_hop_type = "VirtualAppliance" - next_hop_in_ip_address = "5.6.7.8" + name = "default-udr" + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_ip_address = "5.6.7.8" } } } @@ -136,9 +149,9 @@ This module is designed to work in several *modes* depending on which variables create_subnets = false subnets = { "subnet" = { - name = "snet" - network_security_group = "inbound" - route_table = "default" + name = "snet" + network_security_group_key = "inbound" + route_table_key = "default" } } ``` @@ -148,11 +161,11 @@ This module is designed to work in several *modes* depending on which variables ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 @@ -184,10 +197,10 @@ Name | Type | Description [`tags`](#tags) | `map` | The map of tags to assign to all created resources. [`create_virtual_network`](#create_virtual_network) | `bool` | Controls Virtual Network creation. [`address_space`](#address_space) | `list` | The address space used by the virtual network. +[`dns_servers`](#dns_servers) | `list` | List of IP addresses of custom DNS servers (by default Azure DNS is used). [`vnet_encryption`](#vnet_encryption) | `string` | Enables Azure Virtual Network encryption feature (in `AllowUnencrypted` mode by default). [`network_security_groups`](#network_security_groups) | `map` | Map of objects describing Network Security Groups. [`route_tables`](#route_tables) | `map` | Map of objects describing a Route Tables. -[`create_subnets`](#create_subnets) | `bool` | Controls subnet creation. [`subnets`](#subnets) | `map` | Map of objects describing subnets to manage. ### Outputs 
@@ -259,6 +272,16 @@ The address space used by the virtual network. You can supply more than one address space. Required only when you create a VNET. +Type: list(string) + +Default value: `&{}` + +[back to list](#modules-optional-inputs) + +#### dns_servers + +List of IP addresses of custom DNS servers (by default Azure DNS is used). + Type: list(string) Default value: `&{}` @@ -406,7 +429,7 @@ Map of objects describing a Route Tables. List of available properties: - `name` - (`string`, required) name of a Route Table. -- `disable_bgp_route_propagation` - (`bool`, optional, defaults to `false`) controls propagation of routes learned by BGP. +- `bgp_route_propagation_enabled` - (`bool`, optional, defaults to `true`) controls propagation of routes learned by BGP. - `routes` - (`map`, required) a map of Route Table entries (UDRs): - `name` - (`string`, required) a name of a UDR. - `address_prefix` - (`string`, required) the destination CIDR to which the route applies, such as `10.1.0.0/16`. @@ -453,7 +476,7 @@ Type: ```hcl map(object({ name = string - disable_bgp_route_propagation = optional(bool, false) + bgp_route_propagation_enabled = optional(bool, true) routes = map(object({ name = string address_prefix = string 
@@ -468,37 +491,17 @@ Default value: `map[]` [back to list](#modules-optional-inputs) -#### create_subnets - -Controls subnet creation. - -Possible variants: - -- `true` - create subnets described in `var.subnets`. -- `false` - source subnets described in `var.subnets`. - -**Note!** \ -When this variable is `false` and `var.subnets` variable is empty, subnets management is skipped. - - -Type: bool - -Default value: `true` - -[back to list](#modules-optional-inputs) - #### subnets Map of objects describing subnets to manage. -By the default the described subnets will be created. If however `create_subnets` is set to `false` this is just a mapping -between the existing subnets and UDRs and NSGs that should be assigned to them. - List of available attributes of each subnet entry: +- `create` - (`bool`, optional, defaults to `true`) controls subnet creation, subnets are created when + set to `true` or sourced when set to `false`. - `name` - (`string`, required) name of a subnet. -- `address_prefixes` - (`list(string)`, required when `create_subnets = true`) a list of address prefixes within - VNET's address space to assign to a created subnet. +- `address_prefixes` - (`list(string)`, required when `create` = true`) a list of address prefixes within VNET's + address space to assign to a created subnet. - `network_security_group_key` - (`string`, optional, defaults to `null`) a key identifying an NSG defined in `network_security_groups` that should be assigned to this subnet. - `route_table_key` - (`string`, optional, defaults to `null`) a key identifying a Route Table defined in 
@@ -506,6 +509,9 @@ List of available attributes of each subnet entry: - `enable_storage_service_endpoint` - (`bool`, optional, defaults to `false`) a flag that enables `Microsoft.Storage` service endpoint on a subnet. This is a suggested setting for the management interface when full bootstrapping using an Azure Storage Account is used. +- `enable_cloudngfw_delegation` - (`bool`, optional, defaults to `false`) a flag that enables subnet delegation to + `PaloAltoNetworks.Cloudngfw/firewalls` service. This is required for Cloud NGFW to work + in a VNET-based deployment. Example: ```hcl @@ -533,11 +539,13 @@ Type: ```hcl map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) enable_storage_service_endpoint = optional(bool, false) + enable_cloudngfw_delegation = optional(bool, false) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md b/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md index 162661161..e390d7118 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md @@ -47,11 +47,11 @@ remote_peer_config = { ### Requirements - `terraform`, version: >= 1.5, < 2.0 -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 ### Providers -- `azurerm`, version: ~> 3.98 +- `azurerm`, version: ~> 4.0 diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md index 5f6c1bfe8..f7209cbc6 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md 
@@ -108,7 +108,10 @@ A list of requirements might vary depending on the platform used to deploy the i - checkout the code locally (if you haven't done so yet) - copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs (take a closer look at the `TODO` markers) -- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary +- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice +- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value + in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged + option, we don't recommend putting the Subscription ID in clear text inside the code). - initialize the Terraform module: ```bash @@ -209,6 +212,7 @@ Name | Version | Source | Description --- | --- | --- | --- `vnet` | - | ../../modules/vnet | `vnet_peering` | - | ../../modules/vnet_peering | +`public_ip` | - | ../../modules/public_ip | `natgw` | - | ../../modules/natgw | `load_balancer` | - | ../../modules/loadbalancer | `appgw` | - | ../../modules/appgw | @@ -229,6 +233,7 @@ Name | Version | Source | Description Name | Type | Description --- | --- | --- +[`subscription_id`](#subscription_id) | `string` | Azure Subscription ID is a required argument since AzureRM provider v4. [`resource_group_name`](#resource_group_name) | `string` | Name of the Resource Group. [`region`](#region) | `string` | The Azure region to use. [`vnets`](#vnets) | `map` | A map defining VNETs. 
@@ -241,6 +246,7 @@ Name | Type | Description [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation. [`tags`](#tags) | `map` | Map of tags to assign to the created resources. [`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings. +[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes. [`natgws`](#natgws) | `map` | A map defining NAT Gateways. [`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers. [`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment. @@ -265,10 +271,23 @@ Name | Description `test_vms_usernames` | Initial administrative username to use for test VMs. `test_vms_passwords` | Initial administrative password to use for test VMs. `test_vms_ips` | IP Addresses of the test VMs. -`app_lb_frontend_ips` | IP Addresses of the load balancers. +`test_lb_frontend_ips` | IP Addresses of the test load balancers. ### Required Inputs details +#### subscription_id + +Azure Subscription ID is a required argument since AzureRM provider v4. + +**Note!** \ +Instead of putting the Subscription ID directly in the code, it's recommended to use an environment variable. Create an +environment variable named `ARM_SUBSCRIPTION_ID` with your Subscription ID as value and leave this variable set to `null`. + + +Type: string + +[back to list](#modules-required-inputs) + #### resource_group_name Name of the Resource Group. 
@@ -295,30 +314,31 @@ For detailed documentation on each property refer to [module documentation](../. an existing VNET. - `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a full resource name, including prefixes. +- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the + VNET will reside or is sourced from. - `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET. +- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by + default Azure DNS is used). - `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is disabled. -- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the - VNET will reside or is sourced from. -- `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. -- `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). +- `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). 
Type: ```hcl map(object({ + create_virtual_network = optional(bool, true) name = string resource_group_name = optional(string) - create_virtual_network = optional(bool, true) address_space = optional(list(string)) + dns_servers = optional(list(string)) vnet_encryption = optional(string) network_security_groups = optional(map(object({ name = string @@ -340,7 +360,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -348,13 +368,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) })) ``` 
@@ -433,6 +454,49 @@ map(object({ ``` +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ips + +A map defining Public IP Addresses and Prefixes. + +Following properties are available: + +- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to + [module documentation](../../modules/public_ip#public_ip_addresses) + for available properties. +- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to + [module documentation](../../modules/public_ip#public_ip_prefixes) + for available properties. + + +Type: + +```hcl +object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +``` + + Default value: `map[]` [back to list](#modules-optional-inputs) @@ -491,14 +555,16 @@ map(object({ idle_timeout = optional(number, 4) public_ip = optional(object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) + key = optional(string) })) public_ip_prefix = optional(object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) length = optional(number) + key = optional(string) })) })) ``` 
@@ -577,9 +643,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ @@ -658,9 +726,10 @@ map(object({ subnet_key = string zones = optional(list(string)) public_ip = object({ - name = string create = optional(bool, true) + name = optional(string) resource_group_name = optional(string) + key = optional(string) }) domain_name_label = optional(string) capacity = optional(object({ @@ -962,7 +1031,7 @@ Following properties are supported: - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. -- `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS +- `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap package. For details and available properties refer to `vmseries` variable. 
@@ -972,9 +1041,36 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) - bootstrap_options = optional(string) + version = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) bootstrap_package = optional(object({ bootstrap_storage_key = string static_files = optional(map(string), {}) 
@@ -1035,7 +1131,7 @@ The most basic properties are as follows: - `disk_type` - (`string`, optional, defaults to module default) type of a Managed Disk which should be created, possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS` (works only for selected `size` values). - - `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS + - `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap package. @@ -1086,7 +1182,7 @@ The most basic properties are as follows: private networks. When set it will override the private Subnet CIDR for inbound traffic static routes. - For details on all properties refer to [module's documentation](../../modules/panorama#virtual_machine). + For details on all properties refer to [module's documentation](../../modules/vmseries#virtual_machine). - `interfaces` - (`list`, required) configuration of all network interfaces. Order of the interfaces does matter - the 1st interface is the management one. Most common properties are: 
@@ -1100,7 +1196,9 @@ The most basic properties are as follows: backend pool. - `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in `var.appgws` variable, network interface that has this property defined will be added to the Application - Gateway's backend pool. + Gateway's backend pool. Mutually exclusive with `appgw_backend_pool_id`. + - `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of the Application Gateway backend pool to which + the network interface will be added. Mutually exclusive with `application_gateway_key`. For details on all properties refer to [module's documentation](../../modules/panorama#interfaces). 
@@ -1126,8 +1224,35 @@ map(object({ custom_id = optional(string) })) virtual_machine = object({ - size = optional(string) - bootstrap_options = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) bootstrap_package = optional(object({ bootstrap_storage_key = string static_files = optional(map(string), {}) @@ -1158,9 +1283,11 @@ map(object({ create_public_ip = optional(bool, false) public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) private_ip_address = optional(string) load_balancer_key = optional(string) application_gateway_key = optional(string) + appgw_backend_pool_id = optional(string) })) })) ``` 
@@ -1191,14 +1318,12 @@ Following properties are supported: a full resource name, including prefixes. - `address_space` - (`list(string)`, required when `create_virtual_network = `false`) a list of CIDRs for a newly created VNET. - - `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. - - `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). + - `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). - `local_peer_config` - (`map`, optional) a map that contains local peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and `use_remote_gateways` parameters on the local VNet peering. @@ -1276,9 +1401,10 @@ map(object({ create_resource_group = optional(bool, true) resource_group_name = optional(string) vnets = map(object({ - name = string create_virtual_network = optional(bool, true) + name = string address_space = optional(list(string)) + dns_servers = optional(list(string)) hub_resource_group_name = optional(string) hub_vnet_name = string network_security_groups = optional(map(object({ @@ -1301,7 +1427,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string 
@@ -1309,13 +1435,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ allow_virtual_network_access = optional(bool, true) @@ -1354,9 +1481,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ @@ -1401,10 +1530,13 @@ map(object({ custom_data = optional(string) })) bastions = map(object({ - name = string - public_ip_name = optional(string) - vnet_key = string - subnet_key = string + name = string + create_public_ip = optional(bool, true) + public_ip_name = optional(string) + public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + vnet_key = string + subnet_key = string })) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md index 4b1868470..118158fd7 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md 
@@ -146,7 +146,10 @@ A non-platform requirement would be a running Panorama instance. For full automa - copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs (take a closer look at the `TODO` markers). If you already have a configured Panorama (with at least minimum configuration described above) you might want to also adjust the `bootstrap_options` for the scale set [`common`](./example.tfvars#L224). -- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary +- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice +- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value + in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged + option, we don't recommend putting the Subscription ID in clear text inside the code). - initialize the Terraform module: ```bash @@ -233,22 +236,26 @@ terraform destroy - `random` - `azurerm` +- `local` ### Modules Name | Version | Source | Description --- | --- | --- | --- `vnet` | - | ../../modules/vnet | `vnet_peering` | - | ../../modules/vnet_peering | +`public_ip` | - | ../../modules/public_ip | `natgw` | - | ../../modules/natgw | `load_balancer` | - | ../../modules/loadbalancer | `appgw` | - | ../../modules/appgw | `ngfw_metrics` | - | ../../modules/ngfw_metrics | +`bootstrap` | - | ../../modules/bootstrap | `vmss` | - | ../../modules/vmss | `test_infrastructure` | - | ../../modules/test_infrastructure | ### Resources - `resource_group` (managed) +- `file` (managed) - `password` (managed) - `resource_group` (data) 
@@ -256,6 +263,7 @@ Name | Version | Source | Description Name | Type | Description --- | --- | --- +[`subscription_id`](#subscription_id) | `string` | Azure Subscription ID is a required argument since AzureRM provider v4. [`resource_group_name`](#resource_group_name) | `string` | Name of the Resource Group. [`region`](#region) | `string` | The Azure region to use. [`vnets`](#vnets) | `map` | A map defining VNETs. @@ -268,10 +276,12 @@ Name | Type | Description [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation. [`tags`](#tags) | `map` | Map of tags to assign to the created resources. [`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings. +[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes. [`natgws`](#natgws) | `map` | A map defining NAT Gateways. [`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers. [`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment. [`ngfw_metrics`](#ngfw_metrics) | `object` | A map controlling metrics-relates resources. +[`bootstrap_storages`](#bootstrap_storages) | `map` | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. [`scale_sets_universal`](#scale_sets_universal) | `object` | A map defining common settings for all created VM-Series Scale Sets. [`scale_sets`](#scale_sets) | `map` | A map defining Azure Virtual Machine Scale Sets based on Palo Alto Networks Next Generation Firewall image. [`test_infrastructure`](#test_infrastructure) | `map` | A map defining test infrastructure including test VMs and Azure Bastion hosts. 
@@ -282,15 +292,29 @@ Name | Description --- | --- `usernames` | Initial firewall administrative usernames for all deployed Scale Sets. `passwords` | Initial firewall administrative passwords for all deployed Scale Sets. +`natgw_public_ips` | Nat Gateways Public IP resources. `metrics_instrumentation_keys` | The Instrumentation Key of the created instance(s) of Azure Application Insights. `lb_frontend_ips` | IP Addresses of the load balancers. `test_vms_usernames` | Initial administrative username to use for test VMs. `test_vms_passwords` | Initial administrative password to use for test VMs. `test_vms_ips` | IP Addresses of the test VMs. -`app_lb_frontend_ips` | IP Addresses of the load balancers. +`test_lb_frontend_ips` | IP Addresses of the test load balancers. ### Required Inputs details +#### subscription_id + +Azure Subscription ID is a required argument since AzureRM provider v4. + +**Note!** \ +Instead of putting the Subscription ID directly in the code, it's recommended to use an environment variable. Create an +environment variable named `ARM_SUBSCRIPTION_ID` with your Subscription ID as value and leave this variable set to `null`. + + +Type: string + +[back to list](#modules-required-inputs) + #### resource_group_name Name of the Resource Group. 
@@ -310,37 +334,38 @@ Type: string #### vnets A map defining VNETs. - + For detailed documentation on each property refer to [module documentation](../../modules/vnet) - `create_virtual_network` - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, `false` will source an existing VNET. - `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a full resource name, including prefixes. +- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the + VNET will reside or is sourced from. - `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET. +- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by + default Azure DNS is used). - `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is disabled. -- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the - VNET will reside or is sourced from. -- `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. -- `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). 
+- `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). Type: ```hcl map(object({ + create_virtual_network = optional(bool, true) name = string resource_group_name = optional(string) - create_virtual_network = optional(bool, true) address_space = optional(list(string)) + dns_servers = optional(list(string)) vnet_encryption = optional(string) network_security_groups = optional(map(object({ name = string @@ -362,7 +387,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -370,13 +395,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) })) ``` 
@@ -455,6 +481,49 @@ map(object({ ``` +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ips + +A map defining Public IP Addresses and Prefixes. + +Following properties are available: + +- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to + [module documentation](../../modules/public_ip#public_ip_addresses) + for available properties. +- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to + [module documentation](../../modules/public_ip#public_ip_prefixes) + for available properties. + + +Type: + +```hcl +object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +``` + + Default value: `map[]` [back to list](#modules-optional-inputs) @@ -515,12 +584,14 @@ map(object({ create = bool name = string resource_group_name = optional(string) + key = optional(string) })) public_ip_prefix = optional(object({ create = bool name = string resource_group_name = optional(string) length = optional(number) + key = optional(string) })) })) ``` 
@@ -599,9 +670,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ @@ -680,9 +753,10 @@ map(object({ subnet_key = string zones = optional(list(string)) public_ip = object({ - name = string create = optional(bool, true) + name = optional(string) resource_group_name = optional(string) + key = optional(string) }) domain_name_label = optional(string) capacity = optional(object({ 
@@ -845,6 +919,102 @@ Default value: `&{}` [back to list](#modules-optional-inputs) +#### bootstrap_storages + +A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. + +You can create or re-use an existing Storage Account and/or File Share. For details on all available properties please refer to +[module's documentation](../../modules/bootstrap). Following is just an extract of the most important ones: + +- `name` - (`string`, required) name of the Storage Account that will be created or sourced. + + **Note** \ + For new Storage Accounts this name will not be prefixed with `var.name_prefix`. \ + Please note the limitations on naming. This has to be a globally unique name, between 3 and 63 chars, only lower-case letters + and numbers. + +- `resource_group_name` - (`string`, optional, defaults to `null`) name of the Resource Group that hosts (sourced) or + will host (created) a Storage Account. When skipped the code will fall back to + `var.resource_group_name`. +- `storage_account` - (`map`, optional, defaults to `{}`) a map controlling basic Storage Account configuration. + + The property you should pay attention to is: + + - `create` - (`bool`, optional, defaults to module default) controls if the Storage Account specified in the `name` property + will be created or sourced. + + For detailed documentation see [module's documentation](../../modules/bootstrap#storage_account). + +- `storage_network_security` - (`map`, optional, defaults to `{}`) a map defining network security settings for a **new** + storage account. + + The properties you should pay attention to are: + + - `allowed_subnet_keys` - (`list`, optional, defaults to `[]`) a list of keys pointing to Subnet definitions in the + `var.vnets` map. These Subnets will have dedicated access to the Storage Account. For this to work + they also need to have the Storage Account Service Endpoint enabled. 
+ - `vnet_key` - (`string`, optional) a key pointing to a VNET definition in the `var.vnets` map that stores the + Subnets described in `allowed_subnet_keys`. + + For detailed documentation see [module's documentation](../../modules/bootstrap#storage_network_security). + +- `file_shares_configuration` - (`map`, optional, defaults to `{}`) a map defining common File Share setting. + + The properties you should pay attention to are: + + - `create_file_shares` - (`bool`, optional, defaults to module default) controls if the File Shares defined in the + `file_shares` property will be created or sourced. + - `disable_package_dirs_creation` - (`bool`, optional, defaults to module default) for sourced File Shares, controls if the + bootstrap package folder structure will be created. + + For detailed documentation see [module's documentation](../../modules/bootstrap#file_shares_configuration). + +- `file_shares` - (`map`, optional, defaults to `{}`) a map that holds File Shares and bootstrap package + configuration. For detailed description see + [module's documentation](../../modules/bootstrap#file_shares). 
+ + +Type: + +```hcl +map(object({ + name = string + resource_group_name = optional(string) + storage_account = optional(object({ + create = optional(bool) + replication_type = optional(string) + kind = optional(string) + tier = optional(string) + blob_retention = optional(number) + }), {}) + storage_network_security = optional(object({ + min_tls_version = optional(string) + allowed_public_ips = optional(list(string)) + vnet_key = optional(string) + allowed_subnet_keys = optional(list(string), []) + }), {}) + file_shares_configuration = optional(object({ + create_file_shares = optional(bool) + disable_package_dirs_creation = optional(bool) + quota = optional(number) + access_tier = optional(string) + }), {}) + file_shares = optional(map(object({ + name = string + bootstrap_package_path = optional(string) + bootstrap_files = optional(map(string)) + bootstrap_files_md5 = optional(map(string)) + quota = optional(number) + access_tier = optional(string) + })), {}) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + #### scale_sets_universal A map defining common settings for all created VM-Series Scale Sets. 
@@ -858,17 +1028,56 @@ Following properties are supported: - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. -- `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS +- `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. +- `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap + package. For details and available properties refer to `scale_sets` variable. Type: ```hcl object({ - version = optional(string) - size = optional(string) - bootstrap_options = optional(string) + version = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + 
authcodes = optional(string) + })) + bootstrap_package = optional(object({ + bootstrap_storage_key = string + static_files = optional(map(string), {}) + bootstrap_package_path = optional(string) + bootstrap_xml_template = optional(string) + private_snet_key = optional(string) + public_snet_key = optional(string) + ai_update_interval = optional(number, 5) + intranet_cidr = optional(string) + })) }) ``` 
@@ -922,7 +1131,57 @@ The basic Scale Set configuration properties are as follows: - `disk_type` - (`string`, optional, defaults to module default) type of Managed Disk which should be created, possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS` (works only for selected `vm_size` values). - - `bootstrap_options` - (`string`, optional, defaults to module default) bootstrap options to pass to VM-Series instance. + - `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS + when launched for the 1st time, for details see module documentation. + - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the + bootstrap package. + + **Note!** \ + At least one of `static_files`, `bootstrap_xml_template` or `bootstrap_package_path` is required. You can use a + combination of all 3. The `bootstrap_package_path` is the less important. For details on this mechanism and for details + on the other properties see the [`bootstrap` module documentation](../../modules/bootstrap). + + Following properties are available: + + - `bootstrap_storage_key` - (`string`, required) a key of a bootstrap storage defined in `var.bootstrap_storages` that + will host bootstrap packages. Each package will be hosted on a separate File Share. The File + Shares will be created automatically, one for each firewall. + - `static_files` - (`map`, optional, defaults to `{}`) a map containing files that will be copied to a File + Share, see [`file_shares.bootstrap_files`](../../modules/bootstrap#file_shares) + property documentation for details. + - `bootstrap_package_path` - (`string`, optional, defaults to `null`) a path to a folder containing a full bootstrap + package. + - `bootstrap_xml_template` - (`string`, optional, defaults to `null`) a path to a `bootstrap.xml` template. 
If this + example is using full bootstrap method, the sample templates are in + [`templates`](./templates) folder. + + The templates are used to provide `day0` like configuration which consists of: + + - network interfaces configuration. + - one or more (depending on the architecture) Virtual Routers configurations. This config contains static routes + required for the Load Balancer (and Application Gateway, if defined) health checks to work and routes that allow + Inbound and OBEW traffic. + - *any-any* security rule. + - an outbound NAT rule that will allow the Outbound traffic to flow to the Internet. + + **Note!** \ + Day0 configuration is **not meant** to be **secure**. It's here merely to help with the basic firewall setup. When + `bootstrap_xml_template` is set, one of the following properties might be required. + + - `private_snet_key` - (`string`, required only when `bootstrap_xml_template` is set, defaults to `null`) a key + pointing to a private Subnet definition in `var.vnets` (the `vnet_key` property is used to + identify a VNET). The Subnet definition is used to calculate static routes for a private + Load Balancer health checks and for Inbound traffic. + - `public_snet_key` - (`string`, required only when `bootstrap_xml_template` is set, defaults to `null`) a key + pointing to a public Subnet definition in `var.vnets` (the `vnet_key` property is used to + identify a VNET). The Subnet definition is used to calculate static routes for a public + Load Balancer health checks and for Outbound traffic. + - `ai_update_interval` - (`number`, optional, defaults to `5`) Application Insights update interval, used only when + `ngfw_metrics` module is defined and used in this example. The Application Insights + Instrumentation Key will be populated automatically. + - `intranet_cidr` - (`string`, optional, defaults to `null`) a CIDR of the Intranet - combined CIDR of all + private networks. 
When set it will override the private Subnet CIDR for inbound traffic + static routes. For details on all properties refer to [module's documentation](../../modules/vmss#virtual_machine_scale_set). @@ -948,8 +1207,8 @@ The basic Scale Set configuration properties are as follows: - `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in the `var.appgws`, network interface that has this property defined will be added to the Application Gateways's backend pool. - - `pip_domain_name_label` - (`string`, optional, defaults to `null`) prefix which should be used for the Domain Name Label - for each VM instance. + + For details on all properties refer to [module's documentation](../../modules/vmss#interfaces). - `autoscaling_profiles` - (`list`, optional, defaults to `[]`) a list of autoscaling profiles, for details on available properties please refer to 
@@ -977,10 +1236,47 @@ map(object({ custom_id = optional(string) })) virtual_machine_scale_set = optional(object({ - size = optional(string) - bootstrap_options = optional(string) - zones = optional(list(string)) - disk_type = optional(string) + size = optional(string) + zones = optional(list(string)) + disk_type = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) + bootstrap_package = optional(object({ + bootstrap_storage_key = string + static_files = optional(map(string), {}) + bootstrap_package_path = optional(string) + bootstrap_xml_template = optional(string) + private_snet_key = optional(string) + public_snet_key = optional(string) + ai_update_interval = optional(number, 5) + intranet_cidr = optional(string) + })) accelerated_networking = optional(bool) allow_extension_operations = optional(bool) encryption_at_host_enabled = optional(bool) 
@@ -1002,12 +1298,15 @@ map(object({ webhooks_uris = optional(map(string), {}) }), {}) interfaces = list(object({ - name = string - subnet_key = string - create_public_ip = optional(bool) - load_balancer_key = optional(string) - application_gateway_key = optional(string) - pip_domain_name_label = optional(string) + name = string + subnet_key = string + create_public_ip = optional(bool) + pip_domain_name_label = optional(string) + pip_idle_timeout_in_minutes = optional(number) + pip_prefix_name = optional(string) + pip_prefix_resource_group_name = optional(string) + load_balancer_key = optional(string) + application_gateway_key = optional(string) })) autoscaling_profiles = optional(list(object({ name = string 
@@ -1073,20 +1372,18 @@ Following properties are supported: a full resource name, including prefixes. - `address_space` - (`list(string)`, required when `create_virtual_network = `false`) a list of CIDRs for a newly created VNET. - - `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. - - `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). + - `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). - `local_peer_config` - (`map`, optional) a map that contains local peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and `use_remote_gateways` parameters on the local VNet peering. - `remote_peer_config` - (`map`, optional) a map that contains remote peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and - `use_remote_gateways` parameters on the remote VNet peering. + `use_remote_gateways` parameters on the remote VNet peering. For all properties and their default values see [module's documentation](../../modules/test_infrastructure#vnets). 
@@ -1158,9 +1455,10 @@ map(object({ create_resource_group = optional(bool, true) resource_group_name = optional(string) vnets = map(object({ - name = string create_virtual_network = optional(bool, true) + name = string address_space = optional(list(string)) + dns_servers = optional(list(string)) hub_resource_group_name = optional(string) hub_vnet_name = string network_security_groups = optional(map(object({ @@ -1183,7 +1481,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -1191,13 +1489,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ allow_virtual_network_access = optional(bool, true) @@ -1236,9 +1535,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ 
@@ -1283,10 +1584,13 @@ map(object({ custom_data = optional(string) })) bastions = map(object({ - name = string - public_ip_name = optional(string) - vnet_key = string - subnet_key = string + name = string + create_public_ip = optional(bool, true) + public_ip_name = optional(string) + public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + vnet_key = string + subnet_key = string })) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md index 935cb51ec..fff64c1e1 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md @@ -110,7 +110,10 @@ A list of requirements might vary depending on the platform used to deploy the i look at the `TODO` markers) - copy the [`init-cfg.sample.txt`](./files/init-cfg.sample.txt) to `init-cfg.txt` and fill it out with required bootstrap parameters (see this [documentation](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/create-the-init-cfgtxt-file/init-cfgtxt-file-components#id07933d91-15be-414d-bc8d-f2a5f3d8df6b) for details) -- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary +- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice +- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value + in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged + option, we don't recommend putting the Subscription ID in clear text inside the code). - initialize the Terraform module: ```bash 
@@ -213,6 +216,7 @@ Name | Version | Source | Description --- | --- | --- | --- `vnet` | - | ../../modules/vnet | `vnet_peering` | - | ../../modules/vnet_peering | +`public_ip` | - | ../../modules/public_ip | `natgw` | - | ../../modules/natgw | `load_balancer` | - | ../../modules/loadbalancer | `appgw` | - | ../../modules/appgw | @@ -233,6 +237,7 @@ Name | Version | Source | Description Name | Type | Description --- | --- | --- +[`subscription_id`](#subscription_id) | `string` | Azure Subscription ID is a required argument since AzureRM provider v4. [`resource_group_name`](#resource_group_name) | `string` | Name of the Resource Group. [`region`](#region) | `string` | The Azure region to use. [`vnets`](#vnets) | `map` | A map defining VNETs. @@ -245,6 +250,7 @@ Name | Type | Description [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation. [`tags`](#tags) | `map` | Map of tags to assign to the created resources. [`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings. +[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes. [`natgws`](#natgws) | `map` | A map defining NAT Gateways. [`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers. [`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment. 
@@ -269,10 +275,23 @@ Name | Description `test_vms_usernames` | Initial administrative username to use for test VMs. `test_vms_passwords` | Initial administrative password to use for test VMs. `test_vms_ips` | IP Addresses of the test VMs. -`app_lb_frontend_ips` | IP Addresses of the load balancers. +`test_lb_frontend_ips` | IP Addresses of the test load balancers. ### Required Inputs details +#### subscription_id + +Azure Subscription ID is a required argument since AzureRM provider v4. + +**Note!** \ +Instead of putting the Subscription ID directly in the code, it's recommended to use an environment variable. Create an +environment variable named `ARM_SUBSCRIPTION_ID` with your Subscription ID as value and leave this variable set to `null`. + + +Type: string + +[back to list](#modules-required-inputs) + #### resource_group_name Name of the Resource Group. 
@@ -292,37 +311,38 @@ Type: string #### vnets A map defining VNETs. - + For detailed documentation on each property refer to [module documentation](../../modules/vnet) - `create_virtual_network` - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, `false` will source an existing VNET. - `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a full resource name, including prefixes. +- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the + VNET will reside or is sourced from. - `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET. +- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by + default Azure DNS is used). - `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is disabled. -- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the - VNET will reside or is sourced from. -- `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. -- `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). 
+- `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). Type: ```hcl map(object({ + create_virtual_network = optional(bool, true) name = string resource_group_name = optional(string) - create_virtual_network = optional(bool, true) address_space = optional(list(string)) + dns_servers = optional(list(string)) vnet_encryption = optional(string) network_security_groups = optional(map(object({ name = string @@ -344,7 +364,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -352,13 +372,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) })) ``` @@ -378,7 +399,7 @@ Example: ``` name_prefix = "test-" ``` - + **Note!** \ This prefix is not applied to existing resources. If you plan to reuse i.e. a VNET please specify it's full name, even if it is also prefixed with the same value as the one in this property. @@ -394,7 +415,7 @@ Default value: `` When set to `true` it will cause a Resource Group creation. Name of the newly specified RG is controlled by `resource_group_name`. - + When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group. 
@@ -437,18 +458,61 @@ map(object({ ``` +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ips + +A map defining Public IP Addresses and Prefixes. + +Following properties are available: + +- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to + [module documentation](../../modules/public_ip#public_ip_addresses) + for available properties. +- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to + [module documentation](../../modules/public_ip#public_ip_prefixes) + for available properties. + + +Type: + +```hcl +object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +``` + + Default value: `map[]` [back to list](#modules-optional-inputs) #### natgws -A map defining NAT Gateways. +A map defining NAT Gateways. Please note that a NAT Gateway is a zonal resource, this means it's always placed in a zone (even when you do not specify one explicitly). Please refer to Microsoft documentation for notes on NAT Gateway's zonal resiliency. For detailed documentation on each property refer to [module documentation](../../modules/natgw). - + Following properties are supported: - `name` - (`string`, required) a name of a NAT Gateway. In case `create_natgw = false` this should be a full resource name, including prefixes. 
@@ -495,14 +559,16 @@ map(object({ idle_timeout = optional(number, 4) public_ip = optional(object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) + key = optional(string) })) public_ip_prefix = optional(object({ create = bool - name = string + name = optional(string) resource_group_name = optional(string) length = optional(number) + key = optional(string) })) })) ``` @@ -534,8 +600,8 @@ Following properties are available: - `nsg_auto_rules_settings` - (`map`, optional, defaults to `null`) a map defining a location of an existing NSG rule that will be populated with `Allow` rules for each load balancing rule (`in_rules`), please refer to [module documentation](../../modules/loadbalancer#nsg_auto_rules_settings) for - available properties. - + available properties. + Please note that in this example two additional properties are available: - `nsg_vnet_key` - (`string`, optional, mutually exclusive with `nsg_name`) a key pointing to a VNET definition in the @@ -581,9 +647,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ 
@@ -620,7 +688,7 @@ For detailed documentation on how to configure this resource, for available prop refer to [module documentation](../../modules/appgw). **Note!** \ -The `rules` property is meant to bind together `backend_setting`, `redirect` or `url_path_map` (all 3 are mutually exclusive). +The `rules` property is meant to bind together `backend_setting`, `redirect` or `url_path_map` (all 3 are mutually exclusive). It represents the Rules section of an Application Gateway in Azure Portal. Below you can find a brief list of most important properties: @@ -642,11 +710,11 @@ Below you can find a brief list of most important properties: settings, see [module's documentation](../../modules/appgw#backend_settings) for details. - `probes` - (`map`, optional, defaults to module default) defines backend probes used check health of backends, see [module's documentation](../../modules/appgw#probes) for details. -- `rewrites` - (`map`, optional, defaults to module default) defines rewrite rules, see +- `rewrites` - (`map`, optional, defaults to module default) defines rewrite rules, see [module's documentation](../../modules/appgw#rewrites) for details. -- `redirects` - (`map`, optional, mutually exclusive with `backend_settings` and `url_path_maps`) static redirects +- `redirects` - (`map`, optional, mutually exclusive with `backend_settings` and `url_path_maps`) static redirects definition, see [module's documentation](../../modules/appgw#redirects) for details. -- `url_path_maps` - (`map`, optional, mutually exclusive with `backend_settings` and `redirects`) URL path maps definition, +- `url_path_maps` - (`map`, optional, mutually exclusive with `backend_settings` and `redirects`) URL path maps definition, see [module's documentation](../../modules/appgw#url_path_maps) for details. - `rules` - (`map`, required) Application Gateway Rules definition, bind together a `listener` with either `backend_setting`, `redirect` or `url_path_map`, see 
@@ -662,9 +730,10 @@ map(object({ subnet_key = string zones = optional(list(string)) public_ip = object({ - name = string create = optional(bool, true) + name = optional(string) resource_group_name = optional(string) + key = optional(string) }) domain_name_label = optional(string) capacity = optional(object({ @@ -794,7 +863,7 @@ Following properties are supported: - `name` - (`string`, required) name of the Application Insights. - `update_domain_count` - (`number`, optional, defaults to Azure default) specifies the number of update domains that are used. - `fault_domain_count` - (`number`, optional, defaults to Azure default) specifies the number of fault domains that are used. - + **Note!** \ Please keep in mind that Azure defaults are not working for every region (especially the small ones, without any Availability Zones). Please verify how many update and fault domain are supported in a region before deploying this resource. @@ -875,7 +944,7 @@ You can create or re-use an existing Storage Account and/or File Share. For deta will host (created) a Storage Account. When skipped the code will fall back to `var.resource_group_name`. - `storage_account` - (`map`, optional, defaults to `{}`) a map controlling basic Storage Account configuration. - + The property you should pay attention to is: - `create` - (`bool`, optional, defaults to module default) controls if the Storage Account specified in the `name` property @@ -884,8 +953,8 @@ You can create or re-use an existing Storage Account and/or File Share. For deta For detailed documentation see [module's documentation](../../modules/bootstrap#storage_account). - `storage_network_security` - (`map`, optional, defaults to `{}`) a map defining network security settings for a **new** - storage account. - + storage account. + The properties you should pay attention to are: - `allowed_subnet_keys` - (`list`, optional, defaults to `[]`) a list of keys pointing to Subnet definitions in the 
@@ -895,9 +964,9 @@ You can create or re-use an existing Storage Account and/or File Share. For deta Subnets described in `allowed_subnet_keys`. For detailed documentation see [module's documentation](../../modules/bootstrap#storage_network_security). - + - `file_shares_configuration` - (`map`, optional, defaults to `{}`) a map defining common File Share setting. - + The properties you should pay attention to are: - `create_file_shares` - (`bool`, optional, defaults to module default) controls if the File Shares defined in the @@ -966,7 +1035,7 @@ Following properties are supported: - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. -- `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS +- `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap package. For details and available properties refer to `vmseries` variable. 
@@ -976,9 +1045,36 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) - bootstrap_options = optional(string) + version = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) bootstrap_package = optional(object({ bootstrap_storage_key = string static_files = optional(map(string), {}) 
@@ -1039,7 +1135,7 @@ The most basic properties are as follows: - `disk_type` - (`string`, optional, defaults to module default) type of a Managed Disk which should be created, possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS` (works only for selected `size` values). - - `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS + - `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap package. @@ -1090,7 +1186,7 @@ The most basic properties are as follows: private networks. When set it will override the private Subnet CIDR for inbound traffic static routes. - For details on all properties refer to [module's documentation](../../modules/panorama#virtual_machine). + For details on all properties refer to [module's documentation](../../modules/vmseries#virtual_machine). - `interfaces` - (`list`, required) configuration of all network interfaces. Order of the interfaces does matter - the 1st interface is the management one. Most common properties are: 
@@ -1104,7 +1200,9 @@ The most basic properties are as follows: backend pool. - `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in `var.appgws` variable, network interface that has this property defined will be added to the Application - Gateway's backend pool. + Gateway's backend pool. Mutually exclusive with `appgw_backend_pool_id`. + - `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of the Application Gateway backend pool to which + the network interface will be added. Mutually exclusive with `application_gateway_key`. For details on all properties refer to [module's documentation](../../modules/panorama#interfaces). 
@@ -1130,8 +1228,35 @@ map(object({ custom_id = optional(string) })) virtual_machine = object({ - size = optional(string) - bootstrap_options = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) bootstrap_package = optional(object({ bootstrap_storage_key = string static_files = optional(map(string), {}) @@ -1162,9 +1287,11 @@ map(object({ create_public_ip = optional(bool, false) public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) private_ip_address = optional(string) load_balancer_key = optional(string) application_gateway_key = optional(string) + appgw_backend_pool_id = optional(string) })) })) ``` 
@@ -1195,14 +1322,12 @@ Following properties are supported: a full resource name, including prefixes. - `address_space` - (`list(string)`, required when `create_virtual_network = `false`) a list of CIDRs for a newly created VNET. - - `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. - - `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). + - `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). - `local_peer_config` - (`map`, optional) a map that contains local peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and `use_remote_gateways` parameters on the local VNet peering. @@ -1280,9 +1405,10 @@ map(object({ create_resource_group = optional(bool, true) resource_group_name = optional(string) vnets = map(object({ - name = string create_virtual_network = optional(bool, true) + name = string address_space = optional(list(string)) + dns_servers = optional(list(string)) hub_resource_group_name = optional(string) hub_vnet_name = string network_security_groups = optional(map(object({ @@ -1305,7 +1431,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string 
@@ -1313,13 +1439,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ allow_virtual_network_access = optional(bool, true) @@ -1358,9 +1485,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ @@ -1405,10 +1534,13 @@ map(object({ custom_data = optional(string) })) bastions = map(object({ - name = string - public_ip_name = optional(string) - vnet_key = string - subnet_key = string + name = string + create_public_ip = optional(bool, true) + public_ip_name = optional(string) + public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + vnet_key = string + subnet_key = string })) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md index 89d2ebe97..5eb0b38f2 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md 
@@ -140,7 +140,10 @@ requirements: look at the `TODO` markers). If you already have a configured Panorama (with at least minimum configuration described above) you might want to also adjust the `bootstrap_options` for each scale set ([inbound](./example.tfvars#L205) and [obew](./example.tfvars#L249) separately). -- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice if necessary +- _(optional)_ authenticate to AzureRM, switch to the Subscription of your choice +- provide `subscription_id` either by creating an environment variable named `ARM_SUBSCRIPTION_ID` with Subscription ID as value + in your shell (recommended option) or by setting the value of `subscription_id` variable within your `tfvars` file (discouraged + option, we don't recommend putting the Subscription ID in clear text inside the code). - initialize the Terraform module: ```bash @@ -227,22 +230,26 @@ terraform destroy - `random` - `azurerm` +- `local` ### Modules Name | Version | Source | Description --- | --- | --- | --- `vnet` | - | ../../modules/vnet | `vnet_peering` | - | ../../modules/vnet_peering | +`public_ip` | - | ../../modules/public_ip | `natgw` | - | ../../modules/natgw | `load_balancer` | - | ../../modules/loadbalancer | `appgw` | - | ../../modules/appgw | `ngfw_metrics` | - | ../../modules/ngfw_metrics | +`bootstrap` | - | ../../modules/bootstrap | `vmss` | - | ../../modules/vmss | `test_infrastructure` | - | ../../modules/test_infrastructure | ### Resources - `resource_group` (managed) +- `file` (managed) - `password` (managed) - `resource_group` (data) 
@@ -250,6 +257,7 @@ Name | Version | Source | Description Name | Type | Description --- | --- | --- +[`subscription_id`](#subscription_id) | `string` | Azure Subscription ID is a required argument since AzureRM provider v4. [`resource_group_name`](#resource_group_name) | `string` | Name of the Resource Group. [`region`](#region) | `string` | The Azure region to use. [`vnets`](#vnets) | `map` | A map defining VNETs. @@ -262,10 +270,12 @@ Name | Type | Description [`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation. [`tags`](#tags) | `map` | Map of tags to assign to the created resources. [`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings. +[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes. [`natgws`](#natgws) | `map` | A map defining NAT Gateways. [`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers. [`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment. [`ngfw_metrics`](#ngfw_metrics) | `object` | A map controlling metrics-relates resources. +[`bootstrap_storages`](#bootstrap_storages) | `map` | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. [`scale_sets_universal`](#scale_sets_universal) | `object` | A map defining common settings for all created VM-Series Scale Sets. [`scale_sets`](#scale_sets) | `map` | A map defining Azure Virtual Machine Scale Sets based on Palo Alto Networks Next Generation Firewall image. [`test_infrastructure`](#test_infrastructure) | `map` | A map defining test infrastructure including test VMs and Azure Bastion hosts. 
@@ -276,15 +286,29 @@ Name | Description --- | --- `usernames` | Initial firewall administrative usernames for all deployed Scale Sets. `passwords` | Initial firewall administrative passwords for all deployed Scale Sets. +`natgw_public_ips` | Nat Gateways Public IP resources. `metrics_instrumentation_keys` | The Instrumentation Key of the created instance(s) of Azure Application Insights. `lb_frontend_ips` | IP Addresses of the load balancers. `test_vms_usernames` | Initial administrative username to use for test VMs. `test_vms_passwords` | Initial administrative password to use for test VMs. `test_vms_ips` | IP Addresses of the test VMs. -`app_lb_frontend_ips` | IP Addresses of the load balancers. +`test_lb_frontend_ips` | IP Addresses of the test load balancers. ### Required Inputs details +#### subscription_id + +Azure Subscription ID is a required argument since AzureRM provider v4. + +**Note!** \ +Instead of putting the Subscription ID directly in the code, it's recommended to use an environment variable. Create an +environment variable named `ARM_SUBSCRIPTION_ID` with your Subscription ID as value and leave this variable set to `null`. + + +Type: string + +[back to list](#modules-required-inputs) + #### resource_group_name Name of the Resource Group. 
@@ -304,37 +328,38 @@ Type: string #### vnets A map defining VNETs. - + For detailed documentation on each property refer to [module documentation](../../modules/vnet) - `create_virtual_network` - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, `false` will source an existing VNET. - `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a full resource name, including prefixes. +- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the + VNET will reside or is sourced from. - `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET. +- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by + default Azure DNS is used). - `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is disabled. -- `resource_group_name` - (`string`, optional, defaults to current RG) a name of an existing Resource Group in which the - VNET will reside or is sourced from. -- `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. -- `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). 
+- `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). Type: ```hcl map(object({ + create_virtual_network = optional(bool, true) name = string resource_group_name = optional(string) - create_virtual_network = optional(bool, true) address_space = optional(list(string)) + dns_servers = optional(list(string)) vnet_encryption = optional(string) network_security_groups = optional(map(object({ name = string @@ -356,7 +381,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -364,13 +389,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) })) ``` 
@@ -449,6 +475,49 @@ map(object({ ``` +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### public_ips + +A map defining Public IP Addresses and Prefixes. + +Following properties are available: + +- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to + [module documentation](../../modules/public_ip#public_ip_addresses) + for available properties. +- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to + [module documentation](../../modules/public_ip#public_ip_prefixes) + for available properties. + + +Type: + +```hcl +object({ + public_ip_addresses = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + domain_name_label = optional(string) + idle_timeout_in_minutes = optional(number) + prefix_name = optional(string) + prefix_resource_group_name = optional(string) + })), {}) + public_ip_prefixes = optional(map(object({ + create = bool + name = string + resource_group_name = optional(string) + zones = optional(list(string)) + length = optional(number) + })), {}) + }) +``` + + Default value: `map[]` [back to list](#modules-optional-inputs) @@ -509,12 +578,14 @@ map(object({ create = bool name = string resource_group_name = optional(string) + key = optional(string) })) public_ip_prefix = optional(object({ create = bool name = string resource_group_name = optional(string) length = optional(number) + key = optional(string) })) })) ``` 
@@ -593,9 +664,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ @@ -674,9 +747,10 @@ map(object({ subnet_key = string zones = optional(list(string)) public_ip = object({ - name = string create = optional(bool, true) + name = optional(string) resource_group_name = optional(string) + key = optional(string) }) domain_name_label = optional(string) capacity = optional(object({ 
@@ -839,6 +913,102 @@ Default value: `&{}` [back to list](#modules-optional-inputs) +#### bootstrap_storages + +A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. + +You can create or re-use an existing Storage Account and/or File Share. For details on all available properties please refer to +[module's documentation](../../modules/bootstrap). Following is just an extract of the most important ones: + +- `name` - (`string`, required) name of the Storage Account that will be created or sourced. + + **Note** \ + For new Storage Accounts this name will not be prefixed with `var.name_prefix`. \ + Please note the limitations on naming. This has to be a globally unique name, between 3 and 63 chars, only lower-case letters + and numbers. + +- `resource_group_name` - (`string`, optional, defaults to `null`) name of the Resource Group that hosts (sourced) or + will host (created) a Storage Account. When skipped the code will fall back to + `var.resource_group_name`. +- `storage_account` - (`map`, optional, defaults to `{}`) a map controlling basic Storage Account configuration. + + The property you should pay attention to is: + + - `create` - (`bool`, optional, defaults to module default) controls if the Storage Account specified in the `name` property + will be created or sourced. + + For detailed documentation see [module's documentation](../../modules/bootstrap#storage_account). + +- `storage_network_security` - (`map`, optional, defaults to `{}`) a map defining network security settings for a **new** + storage account. + + The properties you should pay attention to are: + + - `allowed_subnet_keys` - (`list`, optional, defaults to `[]`) a list of keys pointing to Subnet definitions in the + `var.vnets` map. These Subnets will have dedicated access to the Storage Account. For this to work + they also need to have the Storage Account Service Endpoint enabled. 
+ - `vnet_key` - (`string`, optional) a key pointing to a VNET definition in the `var.vnets` map that stores the + Subnets described in `allowed_subnet_keys`. + + For detailed documentation see [module's documentation](../../modules/bootstrap#storage_network_security). + +- `file_shares_configuration` - (`map`, optional, defaults to `{}`) a map defining common File Share setting. + + The properties you should pay attention to are: + + - `create_file_shares` - (`bool`, optional, defaults to module default) controls if the File Shares defined in the + `file_shares` property will be created or sourced. + - `disable_package_dirs_creation` - (`bool`, optional, defaults to module default) for sourced File Shares, controls if the + bootstrap package folder structure will be created. + + For detailed documentation see [module's documentation](../../modules/bootstrap#file_shares_configuration). + +- `file_shares` - (`map`, optional, defaults to `{}`) a map that holds File Shares and bootstrap package + configuration. For detailed description see + [module's documentation](../../modules/bootstrap#file_shares). 
+ + +Type: + +```hcl +map(object({ + name = string + resource_group_name = optional(string) + storage_account = optional(object({ + create = optional(bool) + replication_type = optional(string) + kind = optional(string) + tier = optional(string) + blob_retention = optional(number) + }), {}) + storage_network_security = optional(object({ + min_tls_version = optional(string) + allowed_public_ips = optional(list(string)) + vnet_key = optional(string) + allowed_subnet_keys = optional(list(string), []) + }), {}) + file_shares_configuration = optional(object({ + create_file_shares = optional(bool) + disable_package_dirs_creation = optional(bool) + quota = optional(number) + access_tier = optional(string) + }), {}) + file_shares = optional(map(object({ + name = string + bootstrap_package_path = optional(string) + bootstrap_files = optional(map(string)) + bootstrap_files_md5 = optional(map(string)) + quota = optional(number) + access_tier = optional(string) + })), {}) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + #### scale_sets_universal A map defining common settings for all created VM-Series Scale Sets. 
@@ -852,17 +1022,56 @@ Following properties are supported: - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. -- `bootstrap_options` - (`string`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS +- `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS when launched for the 1st time, for details see module documentation. +- `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the bootstrap + package. For details and available properties refer to `scale_sets` variable. Type: ```hcl object({ - version = optional(string) - size = optional(string) - bootstrap_options = optional(string) + version = optional(string) + size = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + 
authcodes = optional(string) + })) + bootstrap_package = optional(object({ + bootstrap_storage_key = string + static_files = optional(map(string), {}) + bootstrap_package_path = optional(string) + bootstrap_xml_template = optional(string) + private_snet_key = optional(string) + public_snet_key = optional(string) + ai_update_interval = optional(number, 5) + intranet_cidr = optional(string) + })) }) ``` 
@@ -916,7 +1125,57 @@ The basic Scale Set configuration properties are as follows: - `disk_type` - (`string`, optional, defaults to module default) type of Managed Disk which should be created, possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS` (works only for selected `vm_size` values). - - `bootstrap_options` - (`string`, optional, defaults to module default) bootstrap options to pass to VM-Series instance. + - `bootstrap_options` - (`map`, optional, mutually exclusive with `bootstrap_package`) bootstrap options passed to PAN-OS + when launched for the 1st time, for details see module documentation. + - `bootstrap_package` - (`map`, optional, mutually exclusive with `bootstrap_options`) a map defining content of the + bootstrap package. + + **Note!** \ + At least one of `static_files`, `bootstrap_xml_template` or `bootstrap_package_path` is required. You can use a + combination of all 3. The `bootstrap_package_path` is the less important. For details on this mechanism and for details + on the other properties see the [`bootstrap` module documentation](../../modules/bootstrap). + + Following properties are available: + + - `bootstrap_storage_key` - (`string`, required) a key of a bootstrap storage defined in `var.bootstrap_storages` that + will host bootstrap packages. Each package will be hosted on a separate File Share. The File + Shares will be created automatically, one for each firewall. + - `static_files` - (`map`, optional, defaults to `{}`) a map containing files that will be copied to a File + Share, see [`file_shares.bootstrap_files`](../../modules/bootstrap#file_shares) + property documentation for details. + - `bootstrap_package_path` - (`string`, optional, defaults to `null`) a path to a folder containing a full bootstrap + package. + - `bootstrap_xml_template` - (`string`, optional, defaults to `null`) a path to a `bootstrap.xml` template. 
If this + example is using full bootstrap method, the sample templates are in + [`templates`](./templates) folder. + + The templates are used to provide `day0` like configuration which consists of: + + - network interfaces configuration. + - one or more (depending on the architecture) Virtual Routers configurations. This config contains static routes + required for the Load Balancer (and Application Gateway, if defined) health checks to work and routes that allow + Inbound and OBEW traffic. + - *any-any* security rule. + - an outbound NAT rule that will allow the Outbound traffic to flow to the Internet. + + **Note!** \ + Day0 configuration is **not meant** to be **secure**. It's here merely to help with the basic firewall setup. When + `bootstrap_xml_template` is set, one of the following properties might be required. + + - `private_snet_key` - (`string`, required only when `bootstrap_xml_template` is set, defaults to `null`) a key + pointing to a private Subnet definition in `var.vnets` (the `vnet_key` property is used to + identify a VNET). The Subnet definition is used to calculate static routes for a private + Load Balancer health checks and for Inbound traffic. + - `public_snet_key` - (`string`, required only when `bootstrap_xml_template` is set, defaults to `null`) a key + pointing to a public Subnet definition in `var.vnets` (the `vnet_key` property is used to + identify a VNET). The Subnet definition is used to calculate static routes for a public + Load Balancer health checks and for Outbound traffic. + - `ai_update_interval` - (`number`, optional, defaults to `5`) Application Insights update interval, used only when + `ngfw_metrics` module is defined and used in this example. The Application Insights + Instrumentation Key will be populated automatically. + - `intranet_cidr` - (`string`, optional, defaults to `null`) a CIDR of the Intranet - combined CIDR of all + private networks. 
When set it will override the private Subnet CIDR for inbound traffic + static routes. For details on all properties refer to [module's documentation](../../modules/vmss#virtual_machine_scale_set). @@ -942,8 +1201,8 @@ The basic Scale Set configuration properties are as follows: - `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in the `var.appgws`, network interface that has this property defined will be added to the Application Gateways's backend pool. - - `pip_domain_name_label` - (`string`, optional, defaults to `null`) prefix which should be used for the Domain Name Label - for each VM instance. + + For details on all properties refer to [module's documentation](../../modules/vmss#interfaces). - `autoscaling_profiles` - (`list`, optional, defaults to `[]`) a list of autoscaling profiles, for details on available properties please refer to 
@@ -971,10 +1230,47 @@ map(object({ custom_id = optional(string) })) virtual_machine_scale_set = optional(object({ - size = optional(string) - bootstrap_options = optional(string) - zones = optional(list(string)) - disk_type = optional(string) + size = optional(string) + zones = optional(list(string)) + disk_type = optional(string) + bootstrap_options = optional(object({ + type = optional(string) + ip-address = optional(string) + default-gateway = optional(string) + netmask = optional(string) + ipv6-address = optional(string) + ipv6-default-gateway = optional(string) + hostname = optional(string) + panorama-server = optional(string) + panorama-server-2 = optional(string) + tplname = optional(string) + dgname = optional(string) + cgname = optional(string) + dns-primary = optional(string) + dns-secondary = optional(string) + vm-auth-key = optional(string) + op-command-modes = optional(string) + op-cmd-dpdk-pkt-io = optional(string) + plugin-op-commands = optional(string) + dhcp-send-hostname = optional(string) + dhcp-send-client-id = optional(string) + dhcp-accept-server-hostname = optional(string) + dhcp-accept-server-domain = optional(string) + vm-series-auto-registration-pin-id = optional(string) + vm-series-auto-registration-pin-value = optional(string) + auth-key = optional(string) + authcodes = optional(string) + })) + bootstrap_package = optional(object({ + bootstrap_storage_key = string + static_files = optional(map(string), {}) + bootstrap_package_path = optional(string) + bootstrap_xml_template = optional(string) + private_snet_key = optional(string) + public_snet_key = optional(string) + ai_update_interval = optional(number, 5) + intranet_cidr = optional(string) + })) accelerated_networking = optional(bool) allow_extension_operations = optional(bool) encryption_at_host_enabled = optional(bool) 
@@ -996,12 +1292,15 @@ map(object({ webhooks_uris = optional(map(string), {}) }), {}) interfaces = list(object({ - name = string - subnet_key = string - create_public_ip = optional(bool) - load_balancer_key = optional(string) - application_gateway_key = optional(string) - pip_domain_name_label = optional(string) + name = string + subnet_key = string + create_public_ip = optional(bool) + pip_domain_name_label = optional(string) + pip_idle_timeout_in_minutes = optional(number) + pip_prefix_name = optional(string) + pip_prefix_resource_group_name = optional(string) + load_balancer_key = optional(string) + application_gateway_key = optional(string) })) autoscaling_profiles = optional(list(object({ name = string 
@@ -1067,20 +1366,18 @@ Following properties are supported: a full resource name, including prefixes. - `address_space` - (`list(string)`, required when `create_virtual_network = `false`) a list of CIDRs for a newly created VNET. - - `create_subnets` - (`bool`, optional, defaults to `true`) if `true`, create Subnets inside the Virtual Network, - otherwise use source existing subnets. - - `subnets` - (`map`, optional) map of Subnets to create or source, for details see - [VNET module documentation](../../modules/vnet#subnets). - `network_security_groups` - (`map`, optional) map of Network Security Groups to create, for details see [VNET module documentation](../../modules/vnet#network_security_groups). - `route_tables` - (`map`, optional) map of Route Tables to create, for details see [VNET module documentation](../../modules/vnet#route_tables). + - `subnets` - (`map`, optional) map of Subnets to create or source, for details see + [VNET module documentation](../../modules/vnet#subnets). - `local_peer_config` - (`map`, optional) a map that contains local peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and `use_remote_gateways` parameters on the local VNet peering. - `remote_peer_config` - (`map`, optional) a map that contains remote peer configuration parameters. This value allows to set `allow_virtual_network_access`, `allow_forwarded_traffic`, `allow_gateway_transit` and - `use_remote_gateways` parameters on the remote VNet peering. + `use_remote_gateways` parameters on the remote VNet peering. For all properties and their default values see [module's documentation](../../modules/test_infrastructure#vnets). 
@@ -1152,9 +1449,10 @@ map(object({ create_resource_group = optional(bool, true) resource_group_name = optional(string) vnets = map(object({ - name = string create_virtual_network = optional(bool, true) + name = string address_space = optional(list(string)) + dns_servers = optional(list(string)) hub_resource_group_name = optional(string) hub_vnet_name = string network_security_groups = optional(map(object({ @@ -1177,7 +1475,7 @@ map(object({ })), {}) route_tables = optional(map(object({ name = string - disable_bgp_route_propagation = optional(bool) + bgp_route_propagation_enabled = optional(bool) routes = map(object({ name = string address_prefix = string @@ -1185,13 +1483,14 @@ map(object({ next_hop_ip_address = optional(string) })) })), {}) - create_subnets = optional(bool, true) subnets = optional(map(object({ + create = optional(bool, true) name = string address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) - enable_storage_service_endpoint = optional(bool, false) + enable_storage_service_endpoint = optional(bool) + enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ allow_virtual_network_access = optional(bool, true) @@ -1230,9 +1529,11 @@ map(object({ frontend_ips = optional(map(object({ name = string subnet_key = optional(string) - public_ip_name = optional(string) create_public_ip = optional(bool, false) + public_ip_name = optional(string) public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + public_ip_prefix_key = optional(string) private_ip_address = optional(string) gwlb_key = optional(string) in_rules = optional(map(object({ 
@@ -1277,10 +1578,13 @@ map(object({ custom_data = optional(string) })) bastions = map(object({ - name = string - public_ip_name = optional(string) - vnet_key = string - subnet_key = string + name = string + create_public_ip = optional(bool, true) + public_ip_name = optional(string) + public_ip_resource_group_name = optional(string) + public_ip_key = optional(string) + vnet_key = string + subnet_key = string })) })) ```
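Review bot: the `interfaces` type in hunk @@ -996,12 +1292,15 @@ gains `pip_idle_timeout_in_minutes`, `pip_prefix_name` and `pip_prefix_resource_group_name`, while the matching description in hunk @@ -942,8 +1201,8 @@ drops the `pip_domain_name_label` bullet and keeps only a link to the module documentation, so none of the four `pip_*` properties is described in this example any more. Keep one short bullet per `pip_*` property, or at least state in the description that they apply only when `create_public_ip = true` and that `pip_prefix_name` requires `pip_prefix_resource_group_name` when the prefix lives in another Resource Group.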
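Review bot: `bootstrap_options` changes from `optional(string)` to `optional(object({ ... }))` in hunk @@ -971,10 +1230,47 @@, which breaks every existing `tfvars` that passes the bootstrap options as a single string; the example documentation should carry a migration note showing the old string form beside the new object form. The new object also carries `vm-auth-key`, `auth-key`, `authcodes` and `vm-series-auto-registration-pin-value`, and nothing in the hunk marks them as sensitive; the text should point out that these are credentials and should be supplied from a secret store or environment rather than committed to a `tfvars` file in clear text.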
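Review bot: the `create_subnets` bullet disappears in hunk @@ -1067,20 +1366,18 @@ with no replacement text, although the type hunk @@ -1185,13 +1483,14 @@ moves that control to a per-subnet `create` flag; the `subnets` bullet should say so, for example "each Subnet carries its own `create` flag (defaults to `true`), which replaces the former `create_subnets` switch". The unchanged context line for `address_space` also reads "required when `create_virtual_network = `false`)" with a stray backtick and a condition that appears to contradict "a list of CIDRs for a newly created VNET"; since this hunk already reorders these bullets, it is a good place to fix that line.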
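Review bot: renaming `disable_bgp_route_propagation` to `bgp_route_propagation_enabled` in hunk @@ -1177,7 +1475,7 @@ inverts the meaning of the flag, not only its name. The documentation should state explicitly that a previous `disable_bgp_route_propagation = true` becomes `bgp_route_propagation_enabled = false`; a mechanical rename in an existing `tfvars` would otherwise silently re-enable BGP route propagation on route tables that were meant to block it.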
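Review bot: `enable_storage_service_endpoint` loses its explicit default in hunk @@ -1185,13 +1483,14 @@ (`optional(bool, false)` becomes `optional(bool)`) and the new `enable_cloudngfw_delegation` has no default either; the page should state what the module does when these are `null`, so a reader can tell whether the effective default is still no service endpoint and no delegation, or whether leaving them unset now changes behaviour.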
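Review bot: both the `frontend_ips` hunk (@@ -1230,9 +1529,11 @@) and the `bastions` hunk (@@ -1277,10 +1578,13 @@) now accept several ways to obtain a Public IP (`create_public_ip`, `public_ip_name` with `public_ip_resource_group_name`, `public_ip_key`, and for frontend IPs also `public_ip_prefix_key`) without stating precedence or mutual exclusivity. Note also that `create_public_ip` defaults to `true` for bastions but `false` for frontend IPs, so a bastion that sets only `public_ip_key` should be documented (and ideally validated) as not creating a second, unintended Public IP.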