Skip to main content

bootstrap

This Terraform Module creates a PAN-OS bootstrap package in an AWS S3 bucket to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an init-cfg.txt file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. If this file does not exist, it will be generated by this module using the variables provided.

The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.

GitHub Logo Terraform Logo

Directory and file structure

The root directory of the Terraform plan calling this module should include a files directory containing a subdirectory structure similar to the one below.

files
├── config
├── content
├── license
├── plugins
└── software

Example

#
# main.tf
#

provider "aws" {
region = var.bootstrap_region
}

module "panos-bootstrap" {
source = "../../modules/bootstrap"

hostname = "my-firewall"
panorama-server = "panorama1.example.org"
panorama-server2 = "panorama2.example.org"
tplname = "My Firewall Template"
dgname = "My Firewalls"
vm-auth-key = "supersecretauthkey"
plugin-op-commands = "aws-gwlb-inspect:enable"
}

Instructions

  1. Define a main.tf file that calls the module and provides any required and optional variables.
  2. Define a variables.tf file that declares the variables that will be utilized.
  3. (OPTIONAL) Define an output.tf file to capture and display the module return values.
  4. Create the directories files/config, files/software, files/content, files/license, and files/plugins.
  5. (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
  6. (OPTIONAL) Define a terraform.tfvars file containing the required variables and associated values.
  7. Initialize the providers and modules with the terraform init command.
  8. Validate the plan using the terraform plan command.
  9. Apply the plan using the terraform apply command.

Reference

Requirements

NameVersion
terraform>= 1.0.0, < 2.0.0
aws~> 5.17
random~> 3.3.2

Providers

NameVersion
aws~> 5.17
random~> 3.3.2

Modules

No modules.

Resources

NameType
aws_iam_instance_profile.thisresource
aws_iam_role.thisresource
aws_iam_role_policy.bootstrapresource
aws_s3_bucket.thisresource
aws_s3_bucket_ownership_controls.thisresource
aws_s3_bucket_public_access_block.thisresource
aws_s3_bucket_server_side_encryption_configuration.exampleresource
aws_s3_bucket_versioning.thisresource
aws_s3_object.bootstrap_dirsresource
aws_s3_object.bootstrap_filesresource
aws_s3_object.init_cfgresource
random_id.sufixresource
aws_iam_role.thisdata source
aws_partition.thisdata source
aws_s3_bucket.thisdata source

Inputs

NameDescriptionTypeDefaultRequired
bootstrap_directoriesList of subdirectories to be created inside the bucket (whether or not they exist locally inside the source_root_directory). A hardcoded pan-os requirement.list(string)[
"config/",
"content/",
"software/",
"license/",
"plugins/"
]
no
bootstrap_optionsObject define bootstrap options used in the init-cfg.txt file.

There are available bootstrap parameters:
- hostname - (string, optional) The hostname of the VM-series instance.
- panorama-server - (string, optional) The FQDN or IP address of the primary Panorama server.
- panorama-server-2 - (string, optional) The FQDN or IP address of the secondary Panorama server.
- tplname - (string, optional) The Panorama template stack name.
- dgname - (string, optional) The Panorama device group name.
- cgname - (string, optional) The Panorama collector group name.
- dns-primary - (string, optional) The IP address of the primary DNS server.
- dns-secondary - (string, optional) The IP address of the secondary DNS server.
- auth-key - (string, optional) VM-Series authentication key generated via plugin sw_fw_license.
- vm-auth-key - (string, optional) VM-Series authentication key generated on Panorama.
- op-command-modes - (string, optional) Set jumbo-frame and/or mgmt-interface-swap.
- plugin-op-commands - (string, optional) Set plugin-op-commands.
- dhcp-send-hostname - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.
- dhcp-send-client-id - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.
- dhcp-accept-server-hostname - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.
- dhcp-accept-server-domain - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server.
any{
"dhcp-accept-server-domain": "yes",
"dhcp-accept-server-hostname": "yes",
"dhcp-send-client-id": "yes",
"dhcp-send-hostname": "yes"
}
no
bucket_nameName of a bucket to reuse or create (depending on create_bucket value). In the latter case - if empty, the name will be auto-generated.string""no
create_bucketIf true, a new bucket will be created. When false, name of existing bucket to use has to be provided in bucket_name variable.booltrueno
create_iam_role_policyIf true, a new IAM role with policy will be created. When false, name of existing IAM role to use has to be provided in iam_role_name variable.booltrueno
force_destroySet to false to prevent Terraform from destroying a bucket with unknown objects or locked objects.booltrueno
global_tagsMap of arbitrary tags to apply to all resources.map(any){}no
iam_instance_profile_nameName of the instance profile to create. If empty, name will be auto-generated.string""no
iam_role_nameName of a IAM role to reuse or create (depending on create_iam_role_policy value).stringnullno
prefixThe prefix to use for bucket name, IAM role name, and IAM role policy name. It is allowed to use dash "-" as the last character.string"bootstrap-"no
source_root_directoryThe source directory to become the bucket's root directory. If empty uses files subdirectory of a Terraform configuration root directory.string""no

Outputs

NameDescription
bucket_domain_nameGlobal domain name of the bucket.
bucket_idAWS identifier of the bucket.
bucket_nameName of the bucket.
bucket_regional_domain_nameRegional domain name of the bucket.
iam_role_arnARN of created or used IAM role
iam_role_nameName of created or used IAM role
instance_profile_nameName of created IAM instance profile.

References