Skip to main content

Palo Alto Networks Autoscaling Group Module for AWS

A Terraform module for deploying VM-Series in Autoscaling group in AWS cloud.

GitHub Logo Terraform Logo

Usage

For example usage, please refer to the examples directory:

Reference

Requirements

NameVersion
terraform>= 1.0.0, < 2.0.0
archive~> 2.2
aws~> 5.17
null3.2.1

Providers

NameVersion
archive~> 2.2
aws~> 5.17
null3.2.1

Modules

No modules.

Resources

NameType
aws_autoscaling_group.thisresource
aws_autoscalingplans_scaling_plan.thisresource
aws_cloudwatch_event_rule.instance_launch_event_ruleresource
aws_cloudwatch_event_rule.instance_terminate_event_ruleresource
aws_cloudwatch_event_target.instance_launch_eventresource
aws_cloudwatch_event_target.instance_terminate_eventresource
aws_iam_role.thisresource
aws_iam_role_policy.lambda_iam_policy_defaultresource
aws_iam_role_policy.lambda_iam_policy_delicenseresource
aws_lambda_function.thisresource
aws_lambda_permission.thisresource
aws_launch_template.thisresource
null_resource.python_requirementsresource
archive_file.thisdata source
aws_ami.thisdata source
aws_caller_identity.currentdata source
aws_kms_alias.ebs_kmsdata source
aws_partition.thisdata source

Inputs

NameDescriptionTypeDefaultRequired
asg_nameName of the autoscaling group to createstring"asg"no
bootstrap_optionsBootstrap options to put into userdataany{}no
delete_timeoutTimeout needed to correctly drain autoscaling group while deleting ASG.

By default in AWS timeout is set to 10 minutes, which is too low and causes issue:
Error: waiting for Auto Scaling Group (example-asg) drain: timeout while waiting for state to become '0' (last state: '1', timeout: 10m0s)		string"20m"no
delicense_enabledIf true, then Lambda is going to delicense FW before destroying VM-Seriesboolfalseno
delicense_ssm_param_nameSecure string in Parameter Store with value in below format:
{"username":"ACCOUNT","password":"PASSWORD","panorama1":"IP_ADDRESS1","panorama2":"IP_ADDRESS2","license_manager":"LICENSE_MANAGER_NAME"}"
anynullno
desired_capacityNumber of Amazon EC2 instances that should be running in the group.number2no
ebs_kms_idAlias for AWS KMS used for EBS encryption in VM-Seriesstring"alias/aws/ebs"no
fw_license_typeSelect License type (byol/payg1/payg2)string"byol"no
global_tagsMap of AWS tags to apply to all the created resources.map(any)n/ayes
instance_typeEC2 instance type.string"m5.xlarge"no
interfacesMap of the network interface specifications.
If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface device_index is set to 0 and the firewall management interface device_index is set to 1.
Available options:
- device_index = (Required|int) Determines order in which interfaces are attached to the instance. Interface with 0 is attached at boot time.
- subnet_id = (Required|string) Subnet ID to create the ENI in.
- name = (Optional|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.
- description = (Optional|string) A descriptive name for the ENI.
- create_public_ip = (Optional|bool) Whether to create a public IP for the ENI. Defaults to false.
- eip_allocation_id = (Optional|string) Associate an existing EIP to the ENI.
- private_ips = (Optional|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.
- public_ipv4_pool = (Optional|string) EC2 IPv4 address pool identifier.
- source_dest_check = (Optional|bool) Whether to enable source destination checking for the ENI. Defaults to false.
- security_group_ids = (Optional|list) A list of Security Group IDs to assign to this interface. Defaults to null.

Example:
interfaces = {
  mgmt = {
    device_index       = 0
    subnet_id          = aws_subnet.mgmt.id
    name               = "mgmt"
    create_public_ip   = true
    source_dest_check  = true
    security_group_ids = ["sg-123456"]
  },
  public = {
    device_index     = 1
    subnet_id        = aws_subnet.public.id
    name             = "public"
    create_public_ip = true
  },
  private = {
    device_index = 2
    subnet_id    = aws_subnet.private.id
    name         = "private"
  },
]
map(any)n/ayes
ip_target_groupsTarget groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface
list(object({
    arn  = string
    port = string
  }))
[]no
lambda_execute_pip_install_onceFlag used in local-exec command installing Python packages required by Lambda.

If set to true, local-exec is executed only once, when all resources are created.
If you need to have idempotent behaviour for terraform apply every time and you have downloaded
all required Python packages, set it to true.

If set to false, every time it's checked if files for package pan_os_python are downloaded.
If not, it causes execution of local-exec command in two consecutive calls of terraform apply:
- first time value of installed-pan-os-python is changed from true (or empty) to false
- second time value of installed-pan-os-python is changed from false to true
In summary while executing code from scratch, two consecutive calls of terraform apply are not idempotent.
The third execution of terraform apply show no changes.
While using modules in CI/CD pipelines, when agents are selected randomly, set this value to false
in order to check every time, if pan_os_python package is downloaded. sdfdsf sdfvars		boolfalseno
lambda_timeoutAmount of time Lambda Function has to run in seconds.number30no
launch_template_update_default_versionWhether to update launch template default version each update.

If set to true, every time when e.g. bootstrap options are changed, new version is created and default version is updated.
If set to false, every time when e.g. bootstrap options are changed, new version is created, but default version is not changed.		booltrueno
lifecycle_hook_timeoutHow long should we wait for lambda to finishnumber300no
max_sizeMaximum size of the Auto Scaling Group.number2no
min_sizeMinimum size of the Auto Scaling Group.number1no
name_prefixAll resource names will be prepended with this stringstringn/ayes
regionAWS regionstringn/ayes
reserved_concurrent_executionsAmount of reserved concurrent execussions for lambda function.number100no
scaling_cloudwatch_namespaceName of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS)string"VMseries_dimensions"no
scaling_metric_nameName of the metric used in dynamic scaling policystring""no
scaling_plan_enabledTrue, if automatic dynamic scaling policy should be createdboolfalseno
scaling_statisticStatistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sumstring"Average"no
scaling_tagsTags configured for dynamic scaling policymap(any){}no
scaling_target_valueTarget value for the metric used in dynamic scaling policynumber70no
security_group_idsList of security group IDs associated with the Lambda functionlist(string)[]no
ssh_key_nameName of AWS keypair to associate with instancesstringn/ayes
subnet_idsList of subnet IDs associated with the Lambda functionlist(string)[]no
suspended_processesList of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefreshlist(string)[]no
target_group_arnARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instancestringnullno
vmseries_ami_idThe AMI from which to launch the instance. Takes precedence over fw_version and fw_license_typestringnullno
vmseries_iam_instance_profileIAM instance profile used in launch templatestring""no
vmseries_product_codeProduct code corresponding to a chosen VM-Series license type model - by default - BYOL.
To check the available license type models and their codes, please refer to the
VM-Series documentation		string"6njl1pau431dv1qxipg63mvah"no
vmseries_versionSelect which FW version to deploystring"10.2.2"no

Outputs

NameDescription
asgn/a