
Palo Alto Networks Cloud NGFW Module for AWS

A Terraform module for deploying a CloudNGFW firewall in AWS cloud.


Usage

For example usage, please refer to the examples directory.
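As an added illustration (not taken from the module's examples directory), the call below wires the inputs documented in the Reference section together: two CloudWatch log profiles and a rulestack with a narrow allow rule followed by a logged catch-all deny. It assumes the module lives at `../../`, that the `aws` and `cloudngfwaws` providers are already configured (with the LRA JWT a `Local` rulestack needs), that every ID is a placeholder, and that the `DenySilent` action and the `web-browsing`/`ssl` application names are valid for the `cloudngfwaws` provider.

```hcl
# Added example of calling this module; not from the module's examples
# directory. Assumptions: module path ../../, providers already configured,
# all IDs are placeholders, "DenySilent" is a valid provider action.
module "cloudngfw" {
  source = "../../" # assumed module path

  name            = "example-cloudngfw"
  vpc_id          = "vpc-PLACEHOLDER"
  rulestack_name  = "example-rulestack"
  rulestack_scope = "Local"
  endpoint_mode   = "CustomerManaged"

  # Keys are availability zones; values carry the subnet IDs (placeholders).
  subnets = {
    "us-east-1a" = { id = "subnet-PLACEHOLDER-A", tags = {} }
    "us-east-1b" = { id = "subnet-PLACEHOLDER-B", tags = {} }
  }

  # Send THREAT and TRAFFIC logs to a CloudWatch log group the module creates.
  log_profiles = {
    threat  = { create_cw = true, name = "PaloAltoCloudNGFW", destination_type = "CloudWatchLogs", log_type = "THREAT" }
    traffic = { create_cw = true, name = "PaloAltoCloudNGFW", destination_type = "CloudWatchLogs", log_type = "TRAFFIC" }
  }
  retention_in_days = 365

  # Lowest priority number is evaluated first: a narrow allow rule, then a
  # logged catch-all deny so unexpected flows show up in the TRAFFIC log.
  security_rules = {
    allow_web = {
      rule_list = "LocalRule", priority = 1, name = "allow-web-to-app"
      description = "Web traffic from the client subnet to the app subnet"
      source_cidrs = ["10.0.0.0/16"], destination_cidrs = ["10.1.0.0/24"]
      negate_destination = false, protocol = "application-default"
      applications = ["web-browsing", "ssl"]
      category_feeds = [""], category_url_category_names = [""]
      action = "Allow", logging = true, audit_comment = "initial config"
    }
    deny_all = {
      rule_list = "LocalRule", priority = 100, name = "deny-all"
      description = "Catch-all deny for anything not explicitly allowed"
      source_cidrs = ["any"], destination_cidrs = ["0.0.0.0/0"]
      negate_destination = false, protocol = "application-default"
      applications = ["any"]
      category_feeds = [""], category_url_category_names = [""]
      action = "DenySilent", logging = true, audit_comment = "initial config"
    }
  }
}
```

Run `terraform fmt` to expand the comma-separated object attributes onto one line each if that matches your repository style.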

Reference

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0, < 2.0.0 |
| aws | ~> 5.17 |
| cloudngfwaws | 2.0.6 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.17 |
| cloudngfwaws | 2.0.6 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_cloudwatch_log_stream.this | resource |
| cloudngfwaws_commit_rulestack.this | resource |
| cloudngfwaws_ngfw.this | resource |
| cloudngfwaws_ngfw_log_profile.this | resource |
| cloudngfwaws_rulestack.this | resource |
| cloudngfwaws_security_rule.this | resource |
| aws_caller_identity.current | data source |

Inputs

Each input is listed with its description, type, default and whether it is required.

- `description`: Cloud NGFW description. Type: `string`. Default: `"CloudNGFW"`. Required: no.

- `description_rule`: The rulestack description. Type: `string`. Default: `"CloudNGFW rulestack"`. Required: no.

- `endpoint_mode`: The endpoint mode determines how the endpoint for the target VPC is created. `CustomerManaged` requires you to create the endpoint manually. Type: `string`. Default: `"CustomerManaged"`. Required: no.

- `log_profiles`: The CloudWatch log group name should correspond with the assumed role generated in cfn. Default: `{}`. Required: no.
  - `create_cw` = (Required|bool) Whether to create the AWS CloudWatch log group.
  - `name` = (Required|string) The CloudWatch log group name; it should correspond with the cfn cross-zone role.
  - `destination_type` = (Required|string) The only supported type is `"CloudWatchLogs"`.
  - `log_type` = (Required|string) The firewall log type.

  Example:

  ```hcl
  log_profiles = {
    dest_1 = {
      create_cw        = true
      name             = "PaloAltoCloudNGFW"
      destination_type = "CloudWatchLogs"
      log_type         = "THREAT"
    }
    dest_2 = {
      create_cw        = true
      name             = "PaloAltoCloudNGFW"
      destination_type = "CloudWatchLogs"
      log_type         = "TRAFFIC"
    }
    dest_3 = {
      create_cw        = true
      name             = "PaloAltoCloudNGFW"
      destination_type = "CloudWatchLogs"
      log_type         = "DECRYPTION"
    }
  }
  ```

  Type:

  ```hcl
  map(object({
    create_cw        = bool
    name             = string
    destination_type = string
    log_type         = string
  }))
  ```

- `name`: Name of the Cloud NGFW instance. Type: `string`. Default: n/a. Required: yes.

- `profile_config`: The rulestack profile config. Type: `map(any)`. Default: `{}`. Required: no.

- `retention_in_days`: Number of days the CloudWatch log groups retain logs. Type: `number`. Default: `365`. Required: no.

- `rulestack_name`: The rulestack name. Type: `string`. Default: n/a. Required: yes.

- `rulestack_scope`: The rulestack scope. A local rulestack requires that you have retrieved an LRA JWT; a global rulestack requires that you have retrieved a GRA JWT. Type: `string`. Default: `"Local"`. Required: no.

- `security_rules`: The security rules to create in the rulestack. Default: `{}`. Required: no.

  Example:

  ```hcl
  security_rules = {
    rule_1 = {
      rule_list                   = "LocalRule"
      priority                    = 3
      name                        = "tf-security-rule"
      description                 = "Also configured by Terraform"
      source_cidrs                = ["any"]
      destination_cidrs           = ["0.0.0.0/0"]
      negate_destination          = false
      protocol                    = "application-default"
      applications                = ["any"]
      category_feeds              = [""]
      category_url_category_names = [""]
      action                      = "Allow"
      logging                     = true
      audit_comment               = "initial config"
    }
  }
  ```

  Type:

  ```hcl
  map(object({
    rule_list                   = string
    priority                    = number
    name                        = string
    description                 = string
    source_cidrs                = set(string)
    destination_cidrs           = set(string)
    negate_destination          = bool
    protocol                    = string
    applications                = set(string)
    category_feeds              = set(string)
    category_url_category_names = set(string)
    action                      = string
    logging                     = bool
    audit_comment               = string
  }))
  ```

- `subnets`: Map of subnets in which to create the NAT Gateways. Each map key is the availability zone name and each map value has an attribute `id` identifying the AWS subnet. Importantly, the traffic returning from the NAT Gateway uses the subnet's route table. The keys of this input map are used for the output map `endpoints`. Default: n/a. Required: yes.

  Example for users of module `subnet_set`:

  ```hcl
  subnets = module.subnet_set.subnets
  ```

  Example:

  ```hcl
  subnets = {
    "us-east-1a" = { id = "snet-123007" }
    "us-east-1b" = { id = "snet-123008" }
  }
  ```

  Type:

  ```hcl
  map(object({
    id   = string
    tags = map(string)
  }))
  ```

- `tags`: AWS tags for the VPC Endpoints. Type: `map(string)`. Default: `{}`. Required: no.

- `vpc_id`: ID of the security VPC the Load Balancer should be created in. Type: `string`. Default: n/a. Required: yes.

Outputs

| Name | Description |
|------|-------------|
| cloudngfw_service_name | The service endpoint name exposed to the tenant environment. |