# Palo Alto Networks Cloud NGFW Module for AWS

A Terraform module for deploying a Cloud NGFW firewall in AWS.

## Usage

For example usage, please refer to the examples directory.

## Reference
### Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5.0, < 2.0.0 |
| aws | ~> 5.17 |
| cloudngfwaws | 2.0.6 |
### Providers

| Name | Version |
|------|---------|
| aws | ~> 5.17 |
| cloudngfwaws | 2.0.6 |
### Modules

No modules.
### Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.this | resource |
| aws_cloudwatch_log_stream.this | resource |
| cloudngfwaws_commit_rulestack.this | resource |
| cloudngfwaws_ngfw.this | resource |
| cloudngfwaws_ngfw_log_profile.this | resource |
| cloudngfwaws_rulestack.this | resource |
| cloudngfwaws_security_rule.this | resource |
| aws_caller_identity.current | data source |
### Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| description | Cloud NGFW description. | `string` | `"CloudNGFW"` | no |
| description_rule | The rulestack description. | `string` | `"CloudNGFW rulestack"` | no |
| endpoint_mode | The endpoint mode indicates how the endpoint for the target VPC is created. `CustomerManaged` requires the endpoint to be created manually. | `string` | `"CustomerManaged"` | no |
| log_profiles | The CloudWatch log group name should correspond with the assumed role generated in CFN.<br>- `create_cw` = (Required\|bool) Whether to create the AWS CloudWatch log group.<br>- `name` = (Required\|string) The CloudWatch log group name; it should correspond with the CFN cross-zone role.<br>- `destination_type` = (Required\|string) The only supported type is `"CloudWatchLogs"`.<br>- `log_type` = (Required\|string) The firewall log type.<br><br>Example:<pre>log_profiles = {<br>  dest_1 = {<br>    create_cw        = true<br>    name             = "PaloAltoCloudNGFW"<br>    destination_type = "CloudWatchLogs"<br>    log_type         = "THREAT"<br>  }<br>  dest_2 = {<br>    create_cw        = true<br>    name             = "PaloAltoCloudNGFW"<br>    destination_type = "CloudWatchLogs"<br>    log_type         = "TRAFFIC"<br>  }<br>  dest_3 = {<br>    create_cw        = true<br>    name             = "PaloAltoCloudNGFW"<br>    destination_type = "CloudWatchLogs"<br>    log_type         = "DECRYPTION"<br>  }<br>}</pre> | <pre>map(object({<br>  create_cw        = bool<br>  name             = string<br>  destination_type = string<br>  log_type         = string<br>}))</pre> | `{}` | no |
| name | Name of the Cloud NGFW instance. | `string` | n/a | yes |
| profile_config | The rulestack profile config. | `map(any)` | `{}` | no |
| retention_in_days | Number of days the CloudWatch log groups retain logs. | `number` | `365` | no |
| rulestack_name | The rulestack name. | `string` | n/a | yes |
| rulestack_scope | The rulestack scope. A local rulestack requires that you have retrieved an LRA JWT; a global rulestack requires that you have retrieved a GRA JWT. | `string` | `"Local"` | no |
| security_rules | Example:<pre>security_rules = {<br>  rule_1 = {<br>    rule_list                   = "LocalRule"<br>    priority                    = 3<br>    name                        = "tf-security-rule"<br>    description                 = "Also configured by Terraform"<br>    source_cidrs                = ["any"]<br>    destination_cidrs           = ["0.0.0.0/0"]<br>    negate_destination          = false<br>    protocol                    = "application-default"<br>    applications                = ["any"]<br>    category_feeds              = [""]<br>    category_url_category_names = [""]<br>    action                      = "Allow"<br>    logging                     = true<br>    audit_comment               = "initial config"<br>  }<br>}</pre> | <pre>map(object({<br>  rule_list                   = string<br>  priority                    = number<br>  name                        = string<br>  description                 = string<br>  source_cidrs                = set(string)<br>  destination_cidrs           = set(string)<br>  negate_destination          = bool<br>  protocol                    = string<br>  applications                = set(string)<br>  category_feeds              = set(string)<br>  category_url_category_names = set(string)<br>  action                      = string<br>  logging                     = bool<br>  audit_comment               = string<br>}))</pre> | `{}` | no |
| subnets | Map of Subnets where to create the NAT Gateways. Each map key is the availability zone name and each map object has an attribute `id` identifying the AWS Subnet. Importantly, the traffic returning from the NAT Gateway uses the Subnet's route table.<br>The keys of this input map are used for the output map `endpoints`.<br><br>Example for users of module `subnet_set`:<pre>subnets = module.subnet_set.subnets</pre>Example:<pre>subnets = {<br>  "us-east-1a" = { id = "snet-123007" }<br>  "us-east-1b" = { id = "snet-123008" }<br>}</pre> | <pre>map(object({<br>  id   = string<br>  tags = map(string)<br>}))</pre> | n/a | yes |
| tags | AWS Tags for the VPC Endpoints. | `map(string)` | `{}` | no |
| vpc_id | ID of the security VPC the Load Balancer should be created in. | `string` | n/a | yes |
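A complete module call that wires the inputs above together, added here as an example and not taken from the module's examples directory. It assumes the `aws` and `cloudngfwaws` providers are configured elsewhere, that the CFN-generated cross-zone role for the `PaloAltoCloudNGFW` log group already exists, and that the `source` path, VPC and subnet IDs are placeholders; unlike the README example rule, it restricts the allow rule to one source CIDR and two named App-IDs.

```hcl
module "cloudngfw" {
  source = "./modules/cloudngfw" # placeholder: point at this module's path

  name            = "cloudngfw-prod"
  vpc_id          = "vpc-0123456789abcdef0" # constructed sample id
  rulestack_name  = "cloudngfw-prod-rulestack"
  rulestack_scope = "Local" # requires an LRA JWT
  endpoint_mode   = "CustomerManaged"

  # Key is the availability zone; id is the subnet hosting the firewall endpoint.
  subnets = {
    "us-east-1a" = { id = "subnet-0aa0aa0aa0aa0aa0a", tags = {} } # constructed ids
    "us-east-1b" = { id = "subnet-0bb0bb0bb0bb0bb0b", tags = {} }
  }

  # One destination per log type, as in the input description; the group name
  # must match the cross-zone role created by the CFN template.
  log_profiles = {
    for lt in ["THREAT", "TRAFFIC", "DECRYPTION"] : lower(lt) => {
      create_cw        = true
      name             = "PaloAltoCloudNGFW"
      destination_type = "CloudWatchLogs"
      log_type         = lt
    }
  }
  retention_in_days = 365

  # Narrower than the README example: a single app-tier CIDR, only the listed
  # App-IDs on their default ports, and every match logged.
  security_rules = {
    allow_web_egress = {
      rule_list                   = "LocalRule"
      priority                    = 10
      name                        = "allow-web-egress"
      description                 = "App tier to internet, web apps only"
      source_cidrs                = ["10.0.0.0/16"]
      destination_cidrs           = ["0.0.0.0/0"]
      negate_destination          = false
      protocol                    = "application-default"
      applications                = ["web-browsing", "ssl"]
      category_feeds              = [""]
      category_url_category_names = [""]
      action                      = "Allow"
      logging                     = true
      audit_comment               = "initial egress policy"
    }
  }
  tags = { environment = "prod" }
}
```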
### Outputs

| Name | Description |
|------|-------------|
| cloudngfw_service_name | The service endpoint name exposed to the tenant environment. |