Palo Alto Networks Bootstrap Module for Azure
A terraform module for deploying a storage account and the dependencies required to bootstrap a VM-Series firewalls in Azure.
The module does not configure the bootstrap images, licenses, or configurations.
Usage
Simple example usage is shown below. For more real life code please check examples folder.
module "bootstrap" {
source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/bootstrap"
storage_account_name = "accountname"
resource_group_name = "rg-name"
location = "West US"
storage_share_name = "vm_bootstrap"
files = {
"files/init-cfg.txt" = "config/init-cfg.txt"
"files/bootstrap.xml" = "config/bootstrap.xml"
}
}
Known Limitations
If a file does not exist because it is supposed to be generated by the same Terraform run, add a hash of its contents to
the input files_md5 as a workaround. For example:
module "bootstrap" {
# ...
files = { (local_file.this.filename) = "config/dynamic-content-test.txt" }
files_md5 = { (local_file.this.filename) = md5(local_file.this.content) }
}
resource "local_file" "this" {
filename = "test.txt"
content = "hello world"
}
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.2, < 2.0 |
| azurerm | ~> 3.25 |
| random | ~> 3.1 |
Providers
| Name | Version |
|---|---|
| azurerm | ~> 3.25 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| azurerm_storage_account.this | resource |
| azurerm_storage_share.this | resource |
| azurerm_storage_share_directory.this | resource |
| azurerm_storage_share_file.this | resource |
| azurerm_storage_account.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| create_storage_account | If true, create a Storage Account. | bool | true | no |
| name | Name of the Storage Account, either a new or an existing one (depending on the value of create_storage_account).The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | string | n/a | yes |
| resource_group_name | Name of the Resource Group to use. | string | n/a | yes |
| location | Region to deploy bootstrap resources. Ignored when create_storage_account is set to false. | string | null | no |
| min_tls_version | The minimum supported TLS version for the storage account. | string | "TLS1_2" | no |
| files | Map of all files to copy to bucket. The keys are local paths, the values are remote paths. Always use slash / as directory separator (unix-like), not the backslash \.Example: | map(string) | {} | no |
| bootstrap_files_dir | Bootstrap file directory. If the variable has a value of null (default) - then it will not upload any other files other than the ones specified in the files variable. More information can be found at https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-package. | string | null | no |
| files_md5 | Optional map of MD5 hashes of file contents. Normally the map could be empty, because all the files that exist before the terraform apply will have their hashes auto-calculated.This input is necessary only for the selected files which are created/modified within the same Terraform run as this module. The keys of the map should be identical with selected keys of the files input, while the values should be MD5 hashes of the contents of that file.Example: | map(string) | {} | no |
| storage_share_name | Name of a storage File Share to be created that will hold files used for bootstrapping.For rules defining a valid name see Microsoft documentation. | string | null | no |
| storage_share_quota | Maximum size of a File Share. | number | 50 | no |
| storage_share_access_tier | Access tier for the File Share. | string | "Cool" | no |
| tags | A map of tags to be associated with the resources created. | map(string) | {} | no |
| retention_policy_days | Log retention policy in days | number | 7 | no |
| blob_delete_retention_policy_days | Specifies the number of days that the blob should be retained | number | 7 | no |
| storage_allow_inbound_public_ips | List of IP CIDR ranges (like ["23.23.23.23"]) that are allowed to access the Storage Account.Only public IPs are allowed - RFC1918 address space is not permitted. | list(string) | [] | no |
| storage_allow_vnet_subnet_ids | List of the allowed VNet subnet ids. Note that this option requires network service endpoint enabled for Microsoft Storage for the specified subnets. If you are using vnet module - set storage_private_access to true for the specific subnet.Example: | list(string) | [] | no |
| storage_acl | If true, storage account network rules will be activated with Deny as the default action. In such case, at least one of storage_allow_inbound_public_ips or storage_allow_vnet_subnet_ids must be a non-empty list. | bool | true | no |
Outputs
| Name | Description |
|---|---|
| storage_account | The Azure Storage Account object used for the Bootstrap. |
| storage_share | The File Share object within Azure Storage used for the Bootstrap. |
| primary_access_key | The primary access key for the Azure Storage Account. |