Palo Alto Networks Bootstrap Module for Azure

A Terraform module for deploying a storage account and the dependencies required to bootstrap VM-Series firewalls in Azure.

The module does not configure the bootstrap images, licenses, or configurations.

Usage

A simple usage example is shown below. For more realistic code, see the examples folder.

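module "bootstrap" {
  source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/bootstrap"

  # Storage Account name is passed through the "name" input (see Inputs).
  name                = "accountname"
  resource_group_name = "rg-name"
  location            = "West US"

  # File Share names allow only lowercase letters, numbers and hyphens.
  storage_share_name = "vm-bootstrap"

  # Keys are local paths, values are remote paths inside the share.
  files = {
    "files/init-cfg.txt"  = "config/init-cfg.txt"
    "files/bootstrap.xml" = "config/bootstrap.xml"
  }
}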

Known Limitations

If a file does not exist because it is supposed to be generated by the same Terraform run, add a hash of its contents to the input files_md5 as a workaround. For example:

module "bootstrap" {
  # ...
  files     = { (local_file.this.filename) = "config/dynamic-content-test.txt" }
  files_md5 = { (local_file.this.filename) = md5(local_file.this.content) }
}

resource "local_file" "this" {
  filename = "test.txt"
  content  = "hello world"
}

Reference

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.2, < 2.0 |
| azurerm | ~> 3.25 |
| random | ~> 3.1 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 3.25 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azurerm_storage_account.this | resource |
| azurerm_storage_share.this | resource |
| azurerm_storage_share_directory.this | resource |
| azurerm_storage_share_file.this | resource |
| azurerm_storage_account.this | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| create_storage_account | If true, create a Storage Account. | bool | true | no |
| name | Name of the Storage Account, either a new or an existing one (depending on the value of create_storage_account). The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | string | n/a | yes |
| resource_group_name | Name of the Resource Group to use. | string | n/a | yes |
| location | Region to deploy bootstrap resources. Ignored when create_storage_account is set to false. | string | null | no |
| min_tls_version | The minimum supported TLS version for the storage account. | string | "TLS1_2" | no |
| files | Map of all files to copy to bucket. The keys are local paths, the values are remote paths. Always use slash / as directory separator (unix-like), not the backslash \. Example: files = { "dir/my.txt" = "config/init-cfg.txt" } | map(string) | {} | no |
| bootstrap_files_dir | Bootstrap file directory. If the variable has a value of null (default) - then it will not upload any other files other than the ones specified in the files variable. More information can be found at https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-package. | string | null | no |
| files_md5 | Optional map of MD5 hashes of file contents. Normally the map could be empty, because all the files that exist before the terraform apply will have their hashes auto-calculated. This input is necessary only for the selected files which are created/modified within the same Terraform run as this module. The keys of the map should be identical with selected keys of the files input, while the values should be MD5 hashes of the contents of that file. Example: files_md5 = { "dir/my.txt" = "6f7ce3191b50a58cc13e751a8f7ae3fd" } | map(string) | {} | no |
| storage_share_name | Name of a storage File Share to be created that will hold files used for bootstrapping. For rules defining a valid name see Microsoft documentation. | string | null | no |
| storage_share_quota | Maximum size of a File Share. | number | 50 | no |
| storage_share_access_tier | Access tier for the File Share. | string | "Cool" | no |
| tags | A map of tags to be associated with the resources created. | map(string) | {} | no |
| retention_policy_days | Log retention policy in days | number | 7 | no |
| blob_delete_retention_policy_days | Specifies the number of days that the blob should be retained | number | 7 | no |
| storage_allow_inbound_public_ips | List of IP CIDR ranges (like ["23.23.23.23"]) that are allowed to access the Storage Account. Only public IPs are allowed - RFC1918 address space is not permitted. | list(string) | [] | no |
| storage_allow_vnet_subnet_ids | List of the allowed VNet subnet ids. Note that this option requires network service endpoint enabled for Microsoft Storage for the specified subnets. If you are using vnet module - set storage_private_access to true for the specific subnet. Example: [ module.vnet.subnet_ids["subnet-mgmt"], module.vnet.subnet_ids["subnet-pub"], module.vnet.subnet_ids["subnet-priv"] ] | list(string) | [] | no |
| storage_acl | If true, storage account network rules will be activated with Deny as the default action. In such case, at least one of storage_allow_inbound_public_ips or storage_allow_vnet_subnet_ids must be a non-empty list. | bool | true | no |
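
The network-related inputs above, combined in one caller configuration. This is an added example, not code from the module or its documentation; the variables mgmt_public_cidrs and mgmt_subnet_id, the output name and all sample values are hypothetical.

```hcl
# Added example: caller-side hardening around the bootstrap module.
# var.mgmt_public_cidrs, var.mgmt_subnet_id and all values are hypothetical.

variable "mgmt_public_cidrs" {
  type    = list(string)
  default = ["203.0.113.10"] # constructed sample (documentation range)

  validation {
    # Reject RFC1918 space, which the module does not permit here, and a
    # catch-all range that would defeat the Deny default action.
    condition = alltrue([
      for c in var.mgmt_public_cidrs :
      !can(regex("^(10\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.|0\\.0\\.0\\.0)", c))
    ])
    error_message = "Use public ranges only: no RFC1918 addresses and no 0.0.0.0/0."
  }
}

variable "mgmt_subnet_id" {
  type        = string
  description = "Subnet with the Microsoft Storage service endpoint enabled."
}

module "bootstrap" {
  source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/bootstrap"

  name                = "accountname"
  resource_group_name = "rg-name"
  location            = "West US"
  storage_share_name  = "vm-bootstrap"

  min_tls_version = "TLS1_2" # module default, pinned explicitly
  storage_acl     = true     # network rules on, default action Deny

  # With storage_acl = true at least one of these must be non-empty.
  storage_allow_inbound_public_ips = var.mgmt_public_cidrs
  storage_allow_vnet_subnet_ids    = [var.mgmt_subnet_id]

  files = {
    "files/init-cfg.txt"  = "config/init-cfg.txt"
    "files/bootstrap.xml" = "config/bootstrap.xml"
  }
}

# Marked sensitive so plan/apply output redacts it; it is still in state.
output "bootstrap_storage_key" {
  value     = module.bootstrap.primary_access_key
  sensitive = true
}
```

The host that runs terraform apply uploads the files to the share, so its address has to be covered by one of the two allow lists.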

Outputs

| Name | Description |
|------|-------------|
| storage_account | The Azure Storage Account object used for the Bootstrap. |
| storage_share | The File Share object within Azure Storage used for the Bootstrap. |
| primary_access_key | The primary access key for the Azure Storage Account. |