Aviatrix Terraform module for firenet deployment in multiple clouds, to be used in conjunction with mc-transit module.
Module version | Terraform version | Controller version | Terraform provider version | mc-transit module version |
---|---|---|---|---|
v1.5.4 | >=1.3.0 | >= 7.1 | ~> 3.1.0 | ~> v2.5.2 |
Check release notes for more details. Check Compatibility list for older versions.
```hcl
# Transit gateway built with the mc-transit module; enable_transit_firenet
# prepares it for FireNet.
module "mc_transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.6.0"

  cloud                  = "AWS"
  cidr                   = "10.1.0.0/23"
  region                 = "eu-central-1"
  account                = "AWS"
  enable_transit_firenet = true
}

# FireNet deployed on top of that transit; the whole mc-transit module object
# is passed in so this module can read its outputs.
module "firenet_1" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.6.0"

  transit_module = module.mc_transit
  firewall_image = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"
}
```
The following variables are required:
key | value |
---|---|
firewall_image | The firewall image used to deploy the NGFWs. Use "aviatrix" to deploy Aviatrix FQDN egress filtering gateways (AWS/Azure/GCP). |
transit_module | Reference to the mc-transit module that built the transit. This module plugs directly into its output to build FireNet on top of it. |
The following variables are optional:
Key | Default value | Description |
---|---|---|
associated | true | Associate firewalls with the transit gateway. |
attached | true | Attach firewall instances. |
bootstrap_bucket_name_1 | | Name of the bootstrap bucket to pull the firewall config from. If bootstrap_bucket_name_2 is not set, this is used for all NGFW instances. |
bootstrap_bucket_name_2 | | Name of the bootstrap bucket to pull the firewall config from. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to the "even" FW instances (2, 4, 6, etc.). |
bootstrap_storage_name_1 | | Storage name to get bootstrap files from (PANW only). If bootstrap_storage_name_2 is not set, this is used for all NGFW instances. |
bootstrap_storage_name_2 | | Storage name to get bootstrap files from (PANW only). Only used when an HA FW instance is deployed. |
custom_fw_names | [] | If set, the NGFW instances are deployed with the names provided in this list. The first half of the list is used for instances in az1, the second half for az2. |
east_west_inspection_excluded_cidrs | | Network list excluded from east-west inspection. |
egress_cidr | | CIDR for the egress VPC for GCP FireNet. Only required when deploying in GCP and enable_transit_firenet is true. |
egress_enabled | false | Enable/disable internet egress via the NGFW. |
egress_static_cidrs | [] | List of egress static CIDRs. Egress must be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
egress_subnet_1 | | Subnet for the FireNet egress interface (odd instances). Only used when mc-transit was built with an existing VNET. |
egress_subnet_2 | | Subnet for the FireNet egress interface (even instances). Only used when mc-transit was built with an existing VNET. |
file_share_folder_1 | | Name of the folder containing the bootstrap files (PANW only). If file_share_folder_2 is not set, this is used for all NGFW instances. |
file_share_folder_2 | | Name of the folder containing the bootstrap files (PANW only). Only used when an HA FW instance is deployed. |
firewall_image_id | | Firewall image ID. Use the AMI ID. |
firewall_image_version | | When not provided, the latest available version is used. |
fw_amount | | The number of NGFW instances to deploy. These are spread across multiple AZs. The amount must be even and only applies when the transit is HA. |
hashing_algorithim | 5-Tuple | Hashing algorithm used to load balance traffic across the firewalls. Valid values: 2-Tuple, 5-Tuple. |
iam_role_1 | | IAM role used to access the bootstrap bucket. If iam_role_2 is not set, this is used for all NGFW instances. |
iam_role_2 | | IAM role used to access the bootstrap bucket. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to the "even" FW instances (2, 4, 6, etc.). |
inspection_enabled | true | Enable/disable east/west and north/south inspection via the NGFW. |
instance_size | c5.xlarge (AWS), Standard_D3_v2 (Azure), n1-standard-4 (GCP), VM.Standard2.4 (OCI) | Size of the NGFW instances. |
key_name | | Applicable to AWS deployments only. AWS key pair name. If not provided, a key pair is generated. |
mgmt_cidr | | CIDR for the management VPC for GCP FireNet. Only required when deploying in GCP with enable_transit_firenet set to true and a Palo Alto NGFW. |
mgmt_subnet_1 | | Subnet for the FireNet management interface (odd instances). Only used when mc-transit was built with an existing VNET. |
mgmt_subnet_2 | | Subnet for the FireNet management interface (even instances). Only used when mc-transit was built with an existing VNET. |
password | Aviatrix#1234 | Default initial password for firewall instances. |
ssh_public_key | | Initial SSH public key for firewall instances. You can either set a password or an SSH key, but not both. |
storage_access_key_1 | | Storage access key to access the bootstrap storage (PANW only). If storage_access_key_2 is not set, this is used for all NGFW instances. |
storage_access_key_2 | | Storage access key to access the bootstrap storage (PANW only). Only used when an HA FW instance is deployed. |
tags | | Map of tags to assign to the firewalls or FQDN egress gateways. |
sic_key | | SIC key. Applicable to Check Point deployments only. |
user_data_1 | | User data to bootstrap a FortiGate or Check Point firewall. |
user_data_2 | | User data to bootstrap a FortiGate or Check Point firewall. If not set, user_data_1 is used. |
username | fwadmin | Applicable to Azure or AzureGov deployments only. "admin" is not accepted as a username. (For Check Point it is always admin.) |
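The table above describes each optional variable in isolation; the following configuration, added here as an example and not taken from the module's own README, shows how the HA-related ones fit together for an AWS deployment: an HA transit (the mc-transit `ha_gw` variable referenced in the table), an even `fw_amount`, per-AZ firewall names, and the `_1`/`_2` bootstrap bucket and IAM role pairs that apply to odd and even instances respectively. All bucket names, role names, CIDRs, key pair name and tags are constructed placeholders.

```hcl
# Added example (not the module's own code). Every name, CIDR and role below is
# a constructed placeholder; replace them with values from your environment.

module "mc_transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.6.0"

  cloud                  = "AWS"
  cidr                   = "10.1.0.0/23"
  region                 = "eu-central-1"
  account                = "AWS"
  enable_transit_firenet = true
  ha_gw                  = true # an even fw_amount > 2 only applies to an HA transit
}

module "firenet_1" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.6.0"

  transit_module = module.mc_transit
  firewall_image = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"

  # Four NGFWs spread across two AZs: first half of the list lands in az1,
  # second half in az2 (fw_amount must be even and match the list length).
  fw_amount       = 4
  custom_fw_names = ["ngfw-az1-a", "ngfw-az1-b", "ngfw-az2-a", "ngfw-az2-b"]

  # Odd instances (1, 3) bootstrap from the *_1 bucket/role, even instances
  # (2, 4) from the *_2 bucket/role. Bucket and role names are placeholders.
  bootstrap_bucket_name_1 = "example-panos-bootstrap-az1"
  bootstrap_bucket_name_2 = "example-panos-bootstrap-az2"
  iam_role_1              = "example-panos-bootstrap-role"
  iam_role_2              = "example-panos-bootstrap-role"

  # Inspection and egress policy. egress_static_cidrs requires egress_enabled.
  inspection_enabled                  = true
  east_west_inspection_excluded_cidrs = ["10.200.0.0/16"] # placeholder: trusted management range
  egress_enabled                      = true
  egress_static_cidrs                 = ["198.51.100.10/32"] # placeholder: documentation range

  # AWS-only: use an existing key pair instead of letting the module generate one.
  key_name = "example-panos-keypair"

  tags = {
    environment = "prod"
    owner       = "netsec"
  }
}

# Expose the created FireNet object (one of the module outputs listed below).
output "firenet" {
  value = module.firenet_1.aviatrix_firenet
}
```

Because the `_2` settings only take effect for even-numbered instances, pointing both `iam_role_1` and `iam_role_2` at the same role (as above) is a deliberate choice; the buckets are split per AZ so each half of the fleet can carry its own bootstrap configuration.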
This module will return the following objects:
key | description |
---|---|
aviatrix_firenet | The created Aviatrix FireNet object with all of its attributes. |
aviatrix_firewall_instance | A list of the created firewall instances and their attributes. |
egress_vpc | The aviatrix_vpc object that created the egress VPC, with all of its attributes. Only in GCP. |
management_vpc | The aviatrix_vpc object that created the management VPC, with all of its attributes. Only for Palo Alto deployments in GCP. |
module_metadata | Information about the module, like module version. |
When a firewall_image string is used that does not exist, the module's data lookup fails and throws the error below. Make sure you are using a valid firewall_image; valid names can differ between clouds. Check the Aviatrix controller UI to see the available firewall images.
```text
│ Error: Invalid index
│
│   on variables.tf line 172:
│   (source code not available)
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```
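The "Invalid index" error above gives no hint about which value was wrong. One way to surface a mistyped image name earlier and more clearly is to wrap the value in a root-module variable with a validation block, as in this added example (not part of the module). The allowed list is a constructed placeholder containing only the two image names that appear on this page; populate it from the image names shown in the controller UI for the cloud you deploy to. It assumes the `module.mc_transit` block from the usage example above is present.

```hcl
# Added example, not the module's own code: validate the image name at plan
# time so a typo fails with a readable message instead of "Invalid index".
variable "firewall_image" {
  description = "NGFW image name passed to the mc-firenet module."
  type        = string

  validation {
    # Placeholder allow-list: copy the exact strings from the Aviatrix
    # controller UI for your cloud; names differ between clouds.
    condition = contains([
      "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1",
      "aviatrix",
    ], var.firewall_image)
    error_message = "The firewall_image value must be one of the approved image names for this cloud; copy the exact string from the controller UI."
  }
}

module "firenet_1" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.6.0"

  transit_module = module.mc_transit # assumes the transit module from the usage example
  firewall_image = var.firewall_image
}
```

With this in place, `terraform plan` rejects an unknown image name before the module's data lookup runs, and the error names the variable that needs fixing.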