Commit Cloud NGFW Rulestack

info

This is a multi-section tutorial, with dependencies between each section. Please perform each section in order, per the links on the left-hand sidebar.

Objective

In this next part of the tutorial, the objective is to use Terraform to commit the Cloud NGFW rulestack. Changes made to rulestacks are not made live immediately, they stay in a pending state until they are committed. This section will make live the rulestack configuration from the previous section.

Assumptions and Lab Guidance

Please ensure you have read and understood the assumptions and lab guideance at the start of this multi-section tutorial.

Select and configure Terraform Providers

First, create a providers.tf file, in a directory called 10_cloudngfw_commit. This file defines any Terraform providers you will use, and configures them appropriately. Here we define just the Cloud NGFW provider.

10_cloudngfw_commit/providers.tf
terraform {
  required_providers {
    cloudngfwaws = {
      source  = "paloaltonetworks/cloudngfwaws"
      version = "1.0.8"
    }
  }
}

provider "cloudngfwaws" {
  host    = "api.${local.aws_region}.aws.cloudngfw.paloaltonetworks.com"
  region  = local.aws_region
  lfa_arn = local.cloudngfw_role_arn
  lra_arn = local.cloudngfw_role_arn
}

Define input variables

Create a variables.tf file in the 10_cloudngfw_commit directory, where all the variables for Cloud NGFW are defined. The values are retrieved from the outputs of the first section of this tutorial, where you created your AWS infrastructure.

10_cloudngfw_commit/variables.tf
# Build path to AWS Infrastructure's Terraform state
data "terraform_remote_state" "aws_infra" {
  backend = "local"
  config = {
    path = "../00_aws_infra/terraform.tfstate"
  }
}

# Build path to Cloud NGFW Rulestack's Terraform state
data "terraform_remote_state" "cloudngfw_rulestack" {
  backend = "local"
  config = {
    path = "../01_cloudngfw_rulestacks_rules/terraform.tfstate"
  }
}

# Variables - values retrieved from previous Terraform deployments, using the deployment states as declared above
locals {
  aws_region         = data.terraform_remote_state.aws_infra.outputs.aws_region
  cloudngfw_role_arn = data.terraform_remote_state.aws_infra.outputs.cloudngfw_role_arn
  rulestack_name     = data.terraform_remote_state.cloudngfw_rulestack.outputs.rulestack_name
}

Define AWS infrastructure

The next file, main.tf, defines a commit operation for Cloud NGFW.

10_cloudngfw_commit/main.tf
# Commit the rulestack
resource "cloudngfwaws_commit_rulestack" "example" {
  rulestack = local.rulestack_name
}

Define required outputs

The final file for this section, outputs.tf, defines which values Terraform should present and make available at the end of the apply phase. With this output you will be able to see the status of the commit operation once it is complete.

10_cloudngfw_commit/outputs.tf
output "commit_status" {
  value = cloudngfwaws_commit_rulestack.the_commit.commit_status
}

Terraform init

With all the files above in place, ensure you are in the 10_cloudngfw_commit directory, then execute terraform init to initialize the Terraform working directory and download the required providers. Your output should look similar to this:

Initializing the backend...

Initializing provider plugins...
- terraform.io/builtin/terraform is built in to Terraform
- Finding paloaltonetworks/cloudngfwaws versions matching "1.0.8"...
- Installing paloaltonetworks/cloudngfwaws v1.0.8...
- Installed paloaltonetworks/cloudngfwaws v1.0.8 (signed by a HashiCorp partner, key ID D1B17746D294B5C8)

Terraform plan

Next, run terraform plan to view the upcoming changes Terraform would make next in order to perform the commit operation. The output should look similar to this, truncated for brevity:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cloudngfwaws_commit_rulestack.example will be created
  + resource "cloudngfwaws_commit_rulestack" "example" {
      + commit_errors     = (known after apply)
      + commit_status     = (known after apply)
      + id                = (known after apply)
      + rulestack         = "Lab-rulestack"
      + scope             = "Local"
      + state             = "Running"
      + validation_errors = (known after apply)
      + validation_status = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Terraform apply

If you are happy with the plan, as described in the output from the previous step, instruct Terraform to create the AWS infrastructure with terraform apply --auto-approve. The output will look like this, again truncated for brevity:

cloudngfwaws_commit_rulestack.example: Creating...
cloudngfwaws_commit_rulestack.example: Still creating... [10s elapsed]
cloudngfwaws_commit_rulestack.example: Creation complete after 12s [id=Local:Lab-rulestack]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

Outputs:

commit_status = "Success"

Commit Cloud NGFW Rulestack

Objective​

Assumptions and Lab Guidance​

Select and configure Terraform Providers​

Define input variables​

Define AWS infrastructure​

Define required outputs​

Terraform init​

Terraform plan​

Terraform apply​