Palo Alto Networks Autoscaling Group Module for AWS
A Terraform module for deploying VM-Series in Autoscaling group in AWS cloud.
Usage
For example usage, please refer to the examples directory:
- Reference Architecture with Terraform: VM-Series in AWS, Centralized Design Model, Common NGFW option with Autoscaling
- Reference Architecture with Terraform: VM-Series in AWS, Combined Design Model, Common NGFW Option with Autoscaling
- Reference Architecture with Terraform: VM-Series in AWS, Isolated Design Model, Common NGFW option with Autoscaling
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.5.0, < 2.0.0 |
| archive | ~> 2.2 |
| aws | ~> 5.17 |
| null | 3.2.1 |
Providers
| Name | Version |
|---|---|
| archive | ~> 2.2 |
| aws | ~> 5.17 |
| null | 3.2.1 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_autoscalingplans_scaling_plan.this | resource |
| aws_cloudwatch_event_rule.instance_launch_event_rule | resource |
| aws_cloudwatch_event_rule.instance_terminate_event_rule | resource |
| aws_cloudwatch_event_target.instance_launch_event | resource |
| aws_cloudwatch_event_target.instance_terminate_event | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.lambda_iam_policy_default | resource |
| aws_iam_role_policy.lambda_iam_policy_delicense | resource |
| aws_lambda_function.this | resource |
| aws_lambda_permission.this | resource |
| aws_launch_template.this | resource |
| null_resource.python_requirements | resource |
| archive_file.this | data source |
| aws_ami.this | data source |
| aws_caller_identity.current | data source |
| aws_kms_alias.ebs_kms | data source |
| aws_partition.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| asg_name | Name of the autoscaling group to create | string | "asg" | no |
| bootstrap_options | Bootstrap options to put into userdata | any | {} | no |
| delete_timeout | Timeout needed to correctly drain autoscaling group while deleting ASG. By default in AWS timeout is set to 10 minutes, which is too low and causes issue: Error: waiting for Auto Scaling Group (example-asg) drain: timeout while waiting for state to become '0' (last state: '1', timeout: 10m0s) | string | "20m" | no |
| delicense_enabled | If true, then Lambda is going to delicense FW before destroying VM-Series | bool | false | no |
| delicense_ssm_param_name | Secure string in Parameter Store with value in below format:{"username":"ACCOUNT","password":"PASSWORD","panorama1":"IP_ADDRESS1","panorama2":"IP_ADDRESS2","license_manager":"LICENSE_MANAGER_NAME"}"the format can either be the plain name in case you store it without hierarchy or with a "/" in case you store in in a hierarchy | any | null | no |
| desired_capacity | Number of Amazon EC2 instances that should be running in the group. | number | 2 | no |
| ebs_kms_id | Alias for AWS KMS used for EBS encryption in VM-Series | string | "alias/aws/ebs" | no |
| enabled_metrics | List of Auto Scaling group metrics to collect. Set to an empty list to disable metrics collection. | list(string) | [ "GroupMinSize", "GroupMaxSize", "GroupDesiredCapacity", "GroupInServiceInstances", "GroupPendingInstances", "GroupStandbyInstances", "GroupTerminatingInstances", "GroupTotalInstances", "WarmPoolDesiredCapacity", "WarmPoolWarmedCapacity", "WarmPoolPendingCapacity", "WarmPoolTerminatingCapacity", "WarmPoolTotalCapacity", "GroupAndWarmPoolDesiredCapacity", "GroupAndWarmPoolTotalCapacity", ] | no |
| fw_license_type | Select License type (byol/payg1/payg2) | string | "byol" | no |
| global_tags | Map of AWS tags to apply to all the created resources. | map(any) | n/a | yes |
| health_check | Controls how health checking is done. | object({ grace_period = number type = string }) | { "grace_period": 300, "type": "EC2" } | no |
| include_deprecated_ami | In certain scenarios, customers may deploy a VM-Series instance through the marketplace, only to later discover that the ami has been deprecated, resulting in pipeline failures. Setting the specified parameter to true will enable the continued use of deprecated AMIs, mitigating this issue. | bool | false | no |
| instance_refresh | If this variable is configured (not null), then start an Instance Refresh when Auto Scaling Group is updated. Instance refresh is defined by attributes: - strategy - Strategy to use for instance refresh. The only allowed value is Rolling- preferences - Override default parameters for Instance Refresh:- checkpoint_delay - Number of seconds to wait after a checkpoint. Defaults to 3600.- checkpoint_percentages - List of percentages for each checkpoint. Values must be unique and in ascending order. To replace all instances, the final number must be 100. - instance_warmup - Number of seconds until a newly launched instance is configured and ready to use. Default behavior is to use the Auto Scaling Group's health check grace period. - min_healthy_percentage - Amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group. Defaults to 90. - skip_matching - Replace instances that already have your desired configuration. Defaults to false.- auto_rollback - Automatically rollback if instance refresh fails. Defaults to false. This option may only be set to true when specifying a launch_template or mixed_instances_policy. - scale_in_protected_instances - Behavior when encountering instances protected from scale in are found. Available behaviors are Refresh, Ignore, and Wait. Default is Ignore. - standby_instances - Behavior when encountering instances in the Standby state in are found. Available behaviors are Terminate, Ignore, and Wait. Default is Ignore. - trigger - Set of additional property names that will trigger an Instance Refresh. A refresh will always be triggered by a change in any of launch_configuration, launch_template, or mixed_instances_policy. | object({ strategy = string preferences = object({ checkpoint_delay = number checkpoint_percentages = list(number) instance_warmup = number min_healthy_percentage = number skip_matching = bool auto_rollback = bool scale_in_protected_instances = string standby_instances = string }) triggers = list(string) }) | null | no |
| instance_type | EC2 instance type. | string | "m5.xlarge" | no |
| interfaces | Map of the network interface specifications. If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface device_index is set to 0 and the firewall management interface device_index is set to 1.Available options: - device_index = (Required|int) Determines order in which interfaces are attached to the instance. Interface with 0 is attached at boot time.- subnet_id = (Required|string) Subnet ID to create the ENI in.- name = (Optional|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.- description = (Optional|string) A descriptive name for the ENI.- create_public_ip = (Optional|bool) Whether to create a public IP for the ENI. Defaults to false.- eip_allocation_id = (Optional|string) Associate an existing EIP to the ENI.- private_ips = (Optional|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.- public_ipv4_pool = (Optional|string) EC2 IPv4 address pool identifier.- source_dest_check = (Optional|bool) Whether to enable source destination checking for the ENI. Defaults to false.- security_group_ids = (Optional|list) A list of Security Group IDs to assign to this interface. Defaults to null.Example:interfaces = { mgmt = { device_index = 0 subnet_id = aws_subnet.mgmt.id name = "mgmt" create_public_ip = true source_dest_check = true security_group_ids = ["sg-123456"] }, public = { device_index = 1 subnet_id = aws_subnet.public.id name = "public" create_public_ip = true }, private = { device_index = 2 subnet_id = aws_subnet.private.id name = "private" }, ] | map(any) | n/a | yes |
| ip_target_groups | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface | list(object({ arn = string port = string })) | [] | no |
| lambda_execute_pip_install_once | Flag used in local-exec command installing Python packages required by Lambda. If set to true, local-exec is executed only once, when all resources are created. If you need to have idempotent behaviour for terraform apply every time and you have downloaded all required Python packages, set it to true. If set to false, every time it's checked if files for package pan_os_python are downloaded. If not, it causes execution of local-exec command in two consecutive calls of terraform apply: - first time value of installed-pan-os-python is changed from true (or empty) to false - second time value of installed-pan-os-python is changed from false to true In summary while executing code from scratch, two consecutive calls of terraform apply are not idempotent. The third execution of terraform apply show no changes. While using modules in CI/CD pipelines, when agents are selected randomly, set this value to false in order to check every time, if pan_os_python package is downloaded. sdfdsf sdfvars | bool | false | no |
| lambda_timeout | Amount of time Lambda Function has to run in seconds. | number | 30 | no |
| launch_template_update_default_version | Whether to update launch template default version each update. If set to true, every time when e.g. bootstrap options are changed, new version is created and default version is updated. If set to false, every time when e.g. bootstrap options are changed, new version is created, but default version is not changed. | bool | true | no |
| launch_template_version | Launch template version to use to launch instances | string | "$Latest" | no |
| lifecycle_hook_timeout | How long should we wait for lambda to finish | number | 300 | no |
| max_size | Maximum size of the Auto Scaling Group. | number | 2 | no |
| min_size | Minimum size of the Auto Scaling Group. | number | 1 | no |
| metrics_granularity | Granularity for Auto Scaling group metrics. | string | "1Minute" | no |
| name_prefix | All resource names will be prepended with this string | string | n/a | yes |
| region | AWS region | string | n/a | yes |
| reserved_concurrent_executions | Amount of reserved concurrent execussions for lambda function. | number | 100 | no |
| scaling_cloudwatch_namespace | Name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS) | string | "VMseries_dimensions" | no |
| scaling_estimated_instance_warmup | Estimated time, in seconds, until a newly launched instance can contribute to the CloudWatch metrics | number | 900 | no |
| scaling_metric_name | Name of the metric used in dynamic scaling policy | string | "" | no |
| scaling_plan_enabled | True, if automatic dynamic scaling policy should be created | bool | false | no |
| scaling_statistic | Statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum | string | "Average" | no |
| scaling_tags | Tags configured for dynamic scaling policy | map(any) | {} | no |
| scaling_target_value | Target value for the metric used in dynamic scaling policy | number | 70 | no |
| security_group_ids | List of security group IDs associated with the Lambda function | list(string) | [] | no |
| ssh_key_name | Name of AWS keypair to associate with instances | string | n/a | yes |
| subnet_ids | List of subnet IDs associated with the Lambda function | list(string) | [] | no |
| suspended_processes | List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh | list(string) | [] | no |
| tag_specifications_targets | List of resources that will be tagged when launched via ASG | list(string) | [ "instance", "volume", "network-interface" ] | no |
| target_group_arn | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | string | null | no |
| vmseries_ami_id | The AMI from which to launch the instance. Takes precedence over fw_version and fw_license_type | string | null | no |
| vmseries_iam_instance_profile | IAM instance profile used in launch template | string | "" | no |
| vmseries_product_code | Product code corresponding to a chosen VM-Series license type model - by default - BYOL. To check the available license type models and their codes, please refer to the VM-Series documentation | string | "6njl1pau431dv1qxipg63mvah" | no |
| vmseries_version | Select which FW version to deploy | string | "10.2.9-h1" | no |
Outputs
| Name | Description |
|---|---|
| asg | n/a |