Setting up
In this tutorial, you will get ready to execute Terraform plans for PAN-OS by preparing your host machine.
Assumptions
This tutorial/guide assumes:
- you have access to a Terraform compatible host machine, with administrative credentials
- the host machine has working connectivity and access to the Internet to download content
- the host machine has working connectivity and access to either a PAN-OS next-generation firewall or Panorama
Important - Work in a Lab Environment First
With all of the tutorials and guides presented on this website, please ensure that you attempt the tasks in a lab or a similar safe and non-production environment first. In public cloud scenarios, this should be a non-production cloud account which contains no production assets or data. Confirm the tasks behave as expected and perform the operations you require, before using them in production or other live environments.
Install Terraform
- Download Terraform. The exact steps will differ based on your operating system and environment. Terraform downloads are listed here, and within the Get Started guides provided by Hashicorp for various cloud and environments, you will find instructions for installing Terraform.
- Test Terraform installed correctly. Execute this command:
terraform -version
- You should see an output like this (exact version numbers will differ, and you may receive a warning if you are not on the latest version):
Terraform v1.1.9
Your version of Terraform is out of date! The latest version
is 1.3.3. You can update by downloading from https://www.terraform.io/downloads.html
Confirm access to PAN-0S
- Ensure the host machine can reach the NGFW or Panorama. Execute the following command, replacing
HOSTNAME
with the IP address or hostname of your NGFW or Panorama:
http-ping https://HOSTNAME -c 1
- You should see an output like this:
HTTP-PING https://HOSTNAME GET
1: 192.168.1.1:443, code=302, size=0 bytes, time=24.7 ms
--- https://HOSTNAME ping statistics ---
1 requests sent, 1 answers received, 0.0% loss
round-trip min/avg/max/stddev = 24.672/24.672/24.672/0.000 ms
- An error like this suggests you may have an incorret hostname:
1: Error: Get "https://HOSTNAME": lookup HOSTNAME 192.168.1.254:53: no such host
- An error like this suggests you may not have working connectivity to the firewall/Panorama on HTTPS (TCP 443):
1: Error: Get "https://192.168.1.1": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
- If
http-ping
is not available on your host machine, you may be able to use other tools like curl to confirm the host machine can reach the NGFW or Panorama using HTTPS. If your machine has a web browser, you can browse tohttps://HOSTNAME
PAN-OS Provider declaration and configuration
Within the Terraform code in your working directory, you should declare:
- the PAN-OS provider, with version constraints
- the hostname/IP address of the PAN-OS device you are going to be using
- the administrative credentials for the PAN-OS device you are going to be using
The tutorials in this section all include code to cover these requirements within their step-by-step instructions, so you can move onto one of the tutorials now.
For informational purposes, example declarations will be shown below. First is the provider declaration, which would typically live in a providers.tf
file:
# Declare PAN-OS Terraform provider, with a version constraint
terraform {
required_providers {
panos = {
source = "paloaltonetworks/panos"
version = "~> 1.11.0"
}
}
}
# Configure the PAN-OS Terraform provider with hostname and administrative credential variables
provider "panos" {
hostname = var.panos_hostname
username = var.panos_username
password = var.panos_password
}
Second is the declaration of the variables used to configure the provider, which would typically live in a variables.tf
file, and would not normally include hard-coded vales:
# Define the values for the variables
variable "panos_hostname" {
type = string
default = "192.168.1.1"
}
variable "panos_username" {
type = string
default = "admin"
}
variable "panos_password" {
type = string
default = "admin"
}