# bootstrap

This Terraform module creates a PAN-OS bootstrap package in an AWS S3 bucket to
be used for bootstrapping Palo Alto Networks VM-Series virtual firewall
instances. A bootstrap package must include an `init-cfg.txt` file that
provides the basic configuration details to configure the VM-Series instance
and register it with its Panorama management console. If this file does not
exist, it will be generated by this module using the variables provided.
The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.
## Directory and file structure

The root directory of the Terraform plan calling this module should include a
`files` directory containing a subdirectory structure similar to the one below.

```
files
├── config
├── content
├── license
├── plugins
└── software
```
## Example

```hcl
#
# main.tf
#
provider "aws" {
  region = var.bootstrap_region
}

module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  # The init-cfg.txt parameters are passed as one object through the
  # bootstrap_options input (see the Inputs reference below); the module has
  # no top-level hostname/panorama-server/... arguments.
  bootstrap_options = {
    hostname           = "my-firewall"
    panorama-server    = "panorama1.example.org"
    panorama-server-2  = "panorama2.example.org"
    tplname            = "My Firewall Template"
    dgname             = "My Firewalls"
    vm-auth-key        = "supersecretauthkey" # placeholder; pass it in via a sensitive variable in real use
    plugin-op-commands = "aws-gwlb-inspect:enable"
  }
}
```
## Instructions

- Define a `main.tf` file that calls the module and provides any required and optional variables.
- Define a `variables.tf` file that declares the variables that will be utilized.
- (OPTIONAL) Define an `output.tf` file to capture and display the module return values.
- Create the directories `files/config`, `files/software`, `files/content`, `files/license`, and `files/plugins`.
- (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
- (OPTIONAL) Define a `terraform.tfvars` file containing the required variables and associated values.
- Initialize the providers and modules with the `terraform init` command.
- Validate the plan using the `terraform plan` command.
- Apply the plan using the `terraform apply` command.
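The steps above, carried through as one complete calling configuration. This is an added example, not code shipped with the module: the files are shown one after another with a comment marking where each begins, and the variable names (`bootstrap_region`, `fw_hostname`, `panorama_primary`, `panorama_secondary`, `panorama_template`, `panorama_dg`, `vm_auth_key`) and the values in `terraform.tfvars` are this example's own choices. It passes the init-cfg parameters through the module's `bootstrap_options` object and keeps the authentication key out of plan output by declaring it `sensitive`.

```hcl
# ---- main.tf ----
# Added example (not the module's own code): a complete caller for the
# bootstrap module; every variable below is declared in variables.tf further down.
provider "aws" {
  region = var.bootstrap_region
}

module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  prefix        = "fw-bootstrap-" # bucket, IAM role and policy names start with this
  force_destroy = false           # refuse to destroy a bucket that still holds objects

  # Supplying bootstrap_options replaces the variable's default object as a whole
  # (Terraform does not merge object defaults), so the dhcp-* keys are repeated
  # here to keep the module's default behaviour.
  bootstrap_options = {
    hostname                    = var.fw_hostname
    panorama-server             = var.panorama_primary
    panorama-server-2           = var.panorama_secondary
    tplname                     = var.panorama_template
    dgname                      = var.panorama_dg
    vm-auth-key                 = var.vm_auth_key
    plugin-op-commands          = "aws-gwlb-inspect:enable"
    dhcp-send-hostname          = "yes"
    dhcp-send-client-id         = "yes"
    dhcp-accept-server-hostname = "yes"
    dhcp-accept-server-domain   = "yes"
  }

  global_tags = {
    Environment = "example"
    ManagedBy   = "terraform"
  }
}

# ---- variables.tf ----
variable "bootstrap_region" {
  type = string
}

variable "fw_hostname" {
  type    = string
  default = "my-firewall"
}

variable "panorama_primary" {
  type = string
}

variable "panorama_secondary" {
  type = string
}

variable "panorama_template" {
  type = string
}

variable "panorama_dg" {
  type = string
}

variable "vm_auth_key" {
  type      = string
  sensitive = true # redacted from plan/apply output; it is still written to state and to init-cfg.txt
}

# ---- output.tf ----
output "bootstrap_bucket_name" {
  value = module.panos-bootstrap.bucket_name
}

output "bootstrap_instance_profile" {
  value = module.panos-bootstrap.instance_profile_name
}

# ---- terraform.tfvars (constructed sample values) ----
bootstrap_region   = "us-east-1"
panorama_primary   = "panorama1.example.org"
panorama_secondary = "panorama2.example.org"
panorama_template  = "My Firewall Template"
panorama_dg        = "My Firewalls"
vm_auth_key        = "<vm-auth-key generated on Panorama>"
```

With these four files in place next to the `files/` tree, `terraform init`, `terraform plan` and `terraform apply` produce the bucket, the generated `init-cfg.txt` and the instance profile, and the two outputs give the values needed when launching the VM-Series instance. Because the key still lands in the state file and in the uploaded `init-cfg.txt`, the state backend and the bucket need the same access controls as the key itself; `terraform.tfvars` holding the real key should stay out of version control.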
## Reference

### Requirements

Name | Version |
---|---|
terraform | >= 1.0.0, < 2.0.0 |
aws | ~> 5.17 |
random | ~> 3.3.2 |
### Providers

Name | Version |
---|---|
aws | ~> 5.17 |
random | ~> 3.3.2 |
### Modules

No modules.
### Resources

Name | Type |
---|---|
aws_iam_instance_profile.this | resource |
aws_iam_role.this | resource |
aws_iam_role_policy.bootstrap | resource |
aws_s3_bucket.this | resource |
aws_s3_bucket_ownership_controls.this | resource |
aws_s3_bucket_public_access_block.this | resource |
aws_s3_bucket_server_side_encryption_configuration.example | resource |
aws_s3_bucket_versioning.this | resource |
aws_s3_object.bootstrap_dirs | resource |
aws_s3_object.bootstrap_files | resource |
aws_s3_object.init_cfg | resource |
random_id.sufix | resource |
aws_iam_role.this | data source |
aws_partition.this | data source |
aws_s3_bucket.this | data source |
### Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
bootstrap_directories | List of subdirectories to be created inside the bucket (whether or not they exist locally inside the `source_root_directory`). A hardcoded PAN-OS requirement. | list(string) | [ "config/", "content/", "software/", "license/", "plugins/" ] | no |
bootstrap_options | Object defining the bootstrap options written to the init-cfg.txt file. Available bootstrap parameters:<br>- hostname - (string, optional) The hostname of the VM-Series instance.<br>- panorama-server - (string, optional) The FQDN or IP address of the primary Panorama server.<br>- panorama-server-2 - (string, optional) The FQDN or IP address of the secondary Panorama server.<br>- tplname - (string, optional) The Panorama template stack name.<br>- dgname - (string, optional) The Panorama device group name.<br>- cgname - (string, optional) The Panorama collector group name.<br>- dns-primary - (string, optional) The IP address of the primary DNS server.<br>- dns-secondary - (string, optional) The IP address of the secondary DNS server.<br>- auth-key - (string, optional) VM-Series authentication key generated via the sw_fw_license plugin.<br>- vm-auth-key - (string, optional) VM-Series authentication key generated on Panorama.<br>- op-command-modes - (string, optional) Set jumbo-frame and/or mgmt-interface-swap.<br>- plugin-op-commands - (string, optional) Set plugin-op-commands.<br>- dhcp-send-hostname - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server.<br>- dhcp-send-client-id - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server.<br>- dhcp-accept-server-hostname - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server.<br>- dhcp-accept-server-domain - (string, optional) The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server. | any | { "dhcp-accept-server-domain": "yes", "dhcp-accept-server-hostname": "yes", "dhcp-send-client-id": "yes", "dhcp-send-hostname": "yes" } | no |
bucket_name | Name of a bucket to reuse or create (depending on the `create_bucket` value). In the latter case, if empty, the name will be auto-generated. | string | "" | no |
create_bucket | If true, a new bucket will be created. When false, the name of the existing bucket to use has to be provided in the `bucket_name` variable. | bool | true | no |
create_iam_role_policy | If true, a new IAM role with policy will be created. When false, the name of the existing IAM role to use has to be provided in the `iam_role_name` variable. | bool | true | no |
force_destroy | Set to false to prevent Terraform from destroying a bucket that still contains objects (including unknown or locked objects). | bool | true | no |
global_tags | Map of arbitrary tags to apply to all resources. | map(any) | {} | no |
iam_instance_profile_name | Name of the instance profile to create. If empty, the name will be auto-generated. | string | "" | no |
iam_role_name | Name of an IAM role to reuse or create (depending on the `create_iam_role_policy` value). | string | null | no |
prefix | The prefix to use for the bucket name, IAM role name, and IAM role policy name. A dash "-" is allowed as the last character. | string | "bootstrap-" | no |
source_root_directory | The source directory to become the bucket's root directory. If empty, the `files` subdirectory of the Terraform configuration root directory is used. | string | "" | no |
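The `create_bucket` / `bucket_name` and `create_iam_role_policy` / `iam_role_name` pairs above select between creating resources and reusing ones that already exist. The following added example (not the module's own code) shows the reuse path together with a custom source directory and an explicit instance profile name. The bucket, role and profile names are constructed placeholders, `var.vm_auth_key` is assumed to be declared elsewhere with `sensitive = true`, and the statement that the module still creates the instance profile when reusing a role is an inference from the resource list (`aws_iam_instance_profile.this` alongside the `aws_iam_role.this` data source), not something the README states outright.

```hcl
# Added example (not the module's own code): reusing an existing bucket and
# IAM role instead of letting the module create them. All names below are
# constructed placeholders.
module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  # Reuse path for the bucket: with create_bucket = false the bucket name is
  # mandatory and the module uploads the package into that bucket.
  create_bucket = false
  bucket_name   = "example-panos-bootstrap"

  # Reuse path for the role: with create_iam_role_policy = false the module
  # creates neither the role nor its bootstrap policy, so the supplied role must
  # already grant read access (object get and bucket list) to the bucket above.
  create_iam_role_policy = false
  iam_role_name          = "example-vmseries-bootstrap-role"

  # The instance profile wrapping that role is still created by the module
  # (assumption based on the resource list); name it explicitly so the
  # VM-Series launch configuration can reference it.
  iam_instance_profile_name = "example-vmseries-bootstrap-profile"

  # Upload from a directory other than ./files. path.root is the calling
  # configuration's root directory.
  source_root_directory = "${path.root}/bootstrap_files"

  # Minimal init-cfg.txt content; note that passing this object drops the
  # module's default dhcp-* entries unless they are repeated here.
  bootstrap_options = {
    hostname        = "my-firewall"
    panorama-server = "panorama1.example.org"
    tplname         = "My Firewall Template"
    dgname          = "My Firewalls"
    vm-auth-key     = var.vm_auth_key # declared elsewhere with sensitive = true
  }
}
```

Reusing a bucket also means the module's ownership-controls, public-access-block, encryption and versioning resources are not applied to it, so those settings have to be verified on the existing bucket separately.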
### Outputs

Name | Description |
---|---|
bucket_domain_name | Global domain name of the bucket. |
bucket_id | AWS identifier of the bucket. |
bucket_name | Name of the bucket. |
bucket_regional_domain_name | Regional domain name of the bucket. |
iam_role_arn | ARN of the created or reused IAM role. |
iam_role_name | Name of the created or reused IAM role. |
instance_profile_name | Name of the created IAM instance profile. |