Skip to main content

Palo Alto Networks Cloud NGFW Module for AWS

A Terraform module for deploying a CloudNGFW firewall in AWS cloud.

Usage

For example usage, please refer to the examples directory.

Reference

Requirements

Name	Version
terraform	>= 1.5.0, < 2.0.0
aws	~> 5.17
cloudngfwaws	2.0.6

Providers

Name	Version
aws	~> 5.17
cloudngfwaws	2.0.6

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_log_group.this	resource
aws_cloudwatch_log_stream.this	resource
cloudngfwaws_commit_rulestack.this	resource
cloudngfwaws_ngfw.this	resource
cloudngfwaws_ngfw_log_profile.this	resource
cloudngfwaws_rulestack.this	resource
cloudngfwaws_security_rule.this	resource
aws_caller_identity.current	data source

Inputs

Name	Description	Type	Default	Required
description	Cloud NGFW description.	`string`	`"CloudNGFW"`	no
description_rule	The rulestack description.	`string`	`"CloudNGFW rulestack"`	no
endpoint_mode	The endpoint mode indicate the creation method of endpoint for target VPC. Customer Managed required to create endpoint manually.	`string`	`"CustomerManaged"`	no
log_profiles	The CloudWatch logs group name should correspond with the assumed role generated in cfn. - `create_cw` = (Required\|string) Whether to create AWS CloudWatch log group. - `name` = (Required\|string) The CW log group should correspond with cfn cross zone role. - `destination_type` = (Required\|string) Only supported type is "CloudWatchLogs". - `log_type` = (Required\|string) The firewall log type. Example:log_profiles = { dest_1 = { create_cw = true name = "PaloAltoCloudNGFW" destination_type = "CloudWatchLogs" log_type = "THREAT" } dest_2 = { create_cw = true name = "PaloAltoCloudNGFW" destination_type = "CloudWatchLogs" log_type = "TRAFFIC" } dest_3 = { create_cw = true name = "PaloAltoCloudNGFW" destination_type = "CloudWatchLogs" log_type = "DECRYPTION" } }	map(object({ create_cw = bool name = string destination_type = string log_type = string } ))	`{}`	no
name	Name of the Cloud NGFW instance.	`string`	n/a	yes
profile_config	The rulestack profile config.	`map(any)`	`{}`	no
retention_in_days	CloudWatch log groups retains logs.	`number`	`365`	no
rulestack_name	The rulestack name.	`string`	n/a	yes
rulestack_scope	The rulestack scope. A local rulestack will require that you've retrieved a LRA JWT. A global rulestack will require that you've retrieved a GRA JWT	`string`	`"Local"`	no
security_rules	Example:security_rules = { rule_1 = { rule_list = "LocalRule" priority = 3 name = "tf-security-rule" description = "Also configured by Terraform" source_cidrs = ["any"] destination_cidrs = ["0.0.0.0/0"] negate_destination = false protocol = "application-default" applications = ["any"] category_feeds = [""] category_url_category_names = [""] action = "Allow" logging = true audit_comment = "initial config" } }	map(object({ rule_list = string priority = number name = string description = string source_cidrs = set(string) destination_cidrs = set(string) negate_destination = bool protocol = string applications = set(string) category_feeds = set(string) category_url_category_names = set(string) action = string logging = bool audit_comment = string }))	`{}`	no
subnets	Map of Subnets where to create the NAT Gateways. Each map's key is the availability zone name and each map's object has an attribute `id` identifying AWS Subnet. Importantly, the traffic returning from the NAT Gateway uses the Subnet's route table. The keys of this input map are used for the output map `endpoints`. Example for users of module `subnet_set`:subnets = module.subnet_set.subnetsExample:subnets = { "us-east-1a" = { id = "snet-123007" } "us-east-1b" = { id = "snet-123008" } }	map(object({ id = string tags = map(string) }))	n/a	yes
tags	AWS Tags for the VPC Endpoints.	`map(string)`	`{}`	no
vpc_id	ID of the security VPC the Load Balancer should be created in.	`string`	n/a	yes

Outputs

Name	Description
cloudngfw_service_name	The service endpoint name exposed to tenant environment.

Usage
Reference