Palo Alto Networks Autoscaling Group Module for AWS
A Terraform module for deploying VM-Series in Autoscaling group in AWS cloud.
Usage
For example usage, please refer to the Examples directory.
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.0.0, < 2.0.0 |
| archive | ~> 2.2 |
| aws | ~> 5.17 |
| null | 3.2.1 |
Providers
| Name | Version |
|---|---|
| archive | ~> 2.2 |
| aws | ~> 5.17 |
| null | 3.2.1 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_autoscalingplans_scaling_plan.this | resource |
| aws_cloudwatch_event_rule.instance_launch_event_rule | resource |
| aws_cloudwatch_event_rule.instance_terminate_event_rule | resource |
| aws_cloudwatch_event_target.instance_launch_event | resource |
| aws_cloudwatch_event_target.instance_terminate_event | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.lambda_iam_policy_default | resource |
| aws_iam_role_policy.lambda_iam_policy_delicense | resource |
| aws_lambda_function.this | resource |
| aws_lambda_permission.this | resource |
| aws_launch_template.this | resource |
| null_resource.python_requirements | resource |
| archive_file.this | data source |
| aws_ami.this | data source |
| aws_caller_identity.current | data source |
| aws_kms_alias.ebs_kms | data source |
| aws_partition.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| asg_name | Name of the autoscaling group to create | string | "asg" | no |
| bootstrap_options | Bootstrap options to put into userdata | any | {} | no |
| delicense_enabled | If true, then Lambda is going to delicense FW before destroying VM-Series | bool | false | no |
| delicense_ssm_param_name | Secure string in Parameter Store with value in below format: | any | null | no |
| desired_capacity | Number of Amazon EC2 instances that should be running in the group. | number | 2 | no |
| ebs_kms_id | Alias for AWS KMS used for EBS encryption in VM-Series | string | "alias/aws/ebs" | no |
| fw_license_type | Select License type (byol/payg1/payg2) | string | "byol" | no |
| global_tags | Map of AWS tags to apply to all the created resources. | map(any) | n/a | yes |
| instance_type | EC2 instance type. | string | "m5.xlarge" | no |
| interfaces | Map of the network interface specifications. If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface device_index is set to 0 and the firewall management interface device_index is set to 1.Available options: - device_index = (Required|int) Determines order in which interfaces are attached to the instance. Interface with 0 is attached at boot time.- subnet_id = (Required|string) Subnet ID to create the ENI in.- name = (Optional|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.- description = (Optional|string) A descriptive name for the ENI.- create_public_ip = (Optional|bool) Whether to create a public IP for the ENI. Defaults to false.- eip_allocation_id = (Optional|string) Associate an existing EIP to the ENI.- private_ips = (Optional|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.- public_ipv4_pool = (Optional|string) EC2 IPv4 address pool identifier.- source_dest_check = (Optional|bool) Whether to enable source destination checking for the ENI. Defaults to false.- security_group_ids = (Optional|list) A list of Security Group IDs to assign to this interface. Defaults to null.Example: | map(any) | n/a | yes |
| ip_target_groups | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface | | [] | no |
| lambda_timeout | Amount of time Lambda Function has to run in seconds. | number | 30 | no |
| lifecycle_hook_timeout | How long should we wait for lambda to finish | number | 300 | no |
| max_size | Maximum size of the Auto Scaling Group. | number | 2 | no |
| min_size | Minimum size of the Auto Scaling Group. | number | 1 | no |
| name_prefix | All resource names will be prepended with this string | string | n/a | yes |
| region | AWS region | string | n/a | yes |
| reserved_concurrent_executions | Amount of reserved concurrent execussions for lambda function. | number | 100 | no |
| scaling_cloudwatch_namespace | Name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS) | string | "VMseries_dimensions" | no |
| scaling_metric_name | Name of the metric used in dynamic scaling policy | string | "" | no |
| scaling_plan_enabled | True, if automatic dynamic scaling policy should be created | bool | false | no |
| scaling_statistic | Statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum | string | "Average" | no |
| scaling_tags | Tags configured for dynamic scaling policy | map(any) | {} | no |
| scaling_target_value | Target value for the metric used in dynamic scaling policy | number | 70 | no |
| security_group_ids | List of security group IDs associated with the Lambda function | list(string) | [] | no |
| ssh_key_name | Name of AWS keypair to associate with instances | string | n/a | yes |
| subnet_ids | List of subnet IDs associated with the Lambda function | list(string) | [] | no |
| suspended_processes | List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh | list(string) | [] | no |
| target_group_arn | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | string | null | no |
| vmseries_ami_id | The AMI from which to launch the instance. Takes precedence over fw_version and fw_license_type | string | null | no |
| vmseries_iam_instance_profile | IAM instance profile used in launch template | string | "" | no |
| vmseries_product_code | Product code corresponding to a chosen VM-Series license type model - by default - BYOL. To check the available license type models and their codes, please refer to the VM-Series documentation | string | "6njl1pau431dv1qxipg63mvah" | no |
| vmseries_version | Select which FW version to deploy | string | "10.2.2" | no |
Outputs
| Name | Description |
|---|---|
| asg | n/a |