bootstrap

This Terraform Module creates a PAN-OS bootstrap package in an AWS S3 bucket to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an init-cfg.txt file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. If this file does not exist, it will be generated by this module using the variables provided.

The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.

Directory and file structure

The root directory of the Terraform plan calling this module should include a files directory containing a subdirectory structure similar to the one below.

files
├── config
├── content
├── license
├── plugins
└── software

Example

#
# main.tf
#

provider "aws" {
  region      = var.bootstrap_region
}

module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  hostname           = "my-firewall"
  panorama-server    = "panorama1.example.org"
  panorama-server2   = "panorama2.example.org"
  tplname            = "My Firewall Template"
  dgname             = "My Firewalls"
  vm-auth-key        = "supersecretauthkey"
  plugin-op-commands = "aws-gwlb-inspect:enable"
}

Instructions

Define a main.tf file that calls the module and provides any required and optional variables.
Define a variables.tf file that declares the variables that will be utilized.
(OPTIONAL) Define an output.tf file to capture and display the module return values.
Create the directories files/config, files/software, files/content, files/license, and files/plugins.
(OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
(OPTIONAL) Define a terraform.tfvars file containing the required variables and associated values.
Initialize the providers and modules with the terraform init command.
Validate the plan using the terraform plan command.
Apply the plan using the terraform apply command.

Reference

Requirements

Name	Version
terraform	>= 1.0.0, < 2.0.0
aws	~> 5.17
random	~> 3.3.2

Providers

Name	Version
aws	~> 5.17
random	~> 3.3.2

Modules

No modules.

Resources

Name	Type
aws_iam_instance_profile.this	resource
aws_iam_role.this	resource
aws_iam_role_policy.bootstrap	resource
aws_s3_bucket.this	resource
aws_s3_bucket_ownership_controls.this	resource
aws_s3_bucket_public_access_block.this	resource
aws_s3_bucket_server_side_encryption_configuration.example	resource
aws_s3_bucket_versioning.this	resource
aws_s3_object.bootstrap_dirs	resource
aws_s3_object.bootstrap_files	resource
aws_s3_object.init_cfg	resource
random_id.sufix	resource
aws_iam_role.this	data source
aws_partition.this	data source
aws_s3_bucket.this	data source

Inputs

Name	Description	Type	Default	Required
bootstrap_directories	List of subdirectories to be created inside the bucket (whether or not they exist locally inside the `source_root_directory`). A hardcoded pan-os requirement.	`list(string)`	`[ "config/", "content/", "software/", "license/", "plugins/" ]`	no
bootstrap_options	Object define bootstrap options used in the init-cfg.txt file. There are available bootstrap parameters: - `hostname` - (`string`, optional) The hostname of the VM-series instance. - `panorama-server` - (`string`, optional) The FQDN or IP address of the primary Panorama server. - `panorama-server-2` - (`string`, optional) The FQDN or IP address of the secondary Panorama server. - `tplname` - (`string`, optional) The Panorama template stack name. - `dgname` - (`string`, optional) The Panorama device group name. - `cgname` - (`string`, optional) The Panorama collector group name. - `dns-primary` - (`string`, optional) The IP address of the primary DNS server. - `dns-secondary` - (`string`, optional) The IP address of the secondary DNS server. - `auth-key` - (`string`, optional) VM-Series authentication key generated via plugin sw_fw_license. - `vm-auth-key` - (`string`, optional) VM-Series authentication key generated on Panorama. - `op-command-modes` - (`string`, optional) Set jumbo-frame and/or mgmt-interface-swap. - `plugin-op-commands` - (`string`, optional) Set plugin-op-commands. - `dhcp-send-hostname` - (`string`, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server. - `dhcp-send-client-id` - (`string`, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server. - `dhcp-accept-server-hostname` - (`string`, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server. - `dhcp-accept-server-domain` - (`string`, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.	`any`	`{ "dhcp-accept-server-domain": "yes", "dhcp-accept-server-hostname": "yes", "dhcp-send-client-id": "yes", "dhcp-send-hostname": "yes" }`	no
bucket_name	Name of a bucket to reuse or create (depending on `create_bucket` value). In the latter case - if empty, the name will be auto-generated.	`string`	`""`	no
create_bucket	If true, a new bucket will be created. When false, name of existing bucket to use has to be provided in `bucket_name` variable.	`bool`	`true`	no
create_iam_role_policy	If true, a new IAM role with policy will be created. When false, name of existing IAM role to use has to be provided in `iam_role_name` variable.	`bool`	`true`	no
force_destroy	Set to false to prevent Terraform from destroying a bucket with unknown objects or locked objects.	`bool`	`true`	no
global_tags	Map of arbitrary tags to apply to all resources.	`map(any)`	`{}`	no
iam_instance_profile_name	Name of the instance profile to create. If empty, name will be auto-generated.	`string`	`""`	no
iam_role_name	Name of a IAM role to reuse or create (depending on `create_iam_role_policy` value).	`string`	`null`	no
prefix	The prefix to use for bucket name, IAM role name, and IAM role policy name. It is allowed to use dash "-" as the last character.	`string`	`"bootstrap-"`	no
source_root_directory	The source directory to become the bucket's root directory. If empty uses `files` subdirectory of a Terraform configuration root directory.	`string`	`""`	no

Outputs

Name	Description
bucket_domain_name	Global domain name of the bucket.
bucket_id	AWS identifier of the bucket.
bucket_name	Name of the bucket.
bucket_regional_domain_name	Regional domain name of the bucket.
iam_role_arn	ARN of created or used IAM role
iam_role_name	Name of created or used IAM role
instance_profile_name	Name of created IAM instance profile.

bootstrap

Directory and file structure​

Example​

Instructions​

Reference​

Requirements​

Providers​

Modules​

Resources​

Inputs​

Outputs​

References​