Palo Alto Networks VM-series firewall deployment
To manage via ssh/https please connect to the second interface (the `nic1`) of a VM-series firewall. The primary interface is by default not used for management.
When troubleshooting you can use this module also with a good ol' Linux image. Instead of booting PAN-OS, you can just re-create the same instance with Linux. It boots faster, it's probably more familiar, but there is a caveat when connecting from outside the GCP VPC Network:
- One cannot connect to `nic1` of Linux, because GCP DHCP doesn't ever furnish it with a default route. Connect to the primary interface (the `nic0`) for both data traffic and management traffic.
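A complete module call, added here as an example (it is not part of the module's README): index 0 of `network_interfaces` becomes `nic0` and carries data traffic, index 1 becomes `nic1` and is the SSH/HTTPS management interface, as described above. The module `source`, subnetwork self-links, Panorama address, SSH key and service account e-mail are placeholders.

```hcl
# Added example, not the module's own code. Placeholders are marked with <...>.
module "vmseries" {
  source = "<path-or-registry-address-of-this-module>"

  name         = "fw-vmseries-01"
  zone         = "us-central1-a"
  machine_type = "n2-standard-4"

  # Interface order matters: list index 0 is nic0, index 1 is nic1.
  network_interfaces = [
    {
      # nic0: data-plane (untrust) traffic only; not used for management.
      subnetwork       = "<self-link-of-untrust-subnetwork>"
      create_public_ip = true
      public_ip_name   = "fw-vmseries-01-untrust-pip"
    },
    {
      # nic1: management. Reserve a stable private address so Panorama and
      # firewall rules can reference it; public IP only if managed from
      # outside the VPC, as the note above assumes.
      subnetwork       = "<self-link-of-mgmt-subnetwork>"
      private_ip_name  = "fw-vmseries-01-mgmt-ip"
      create_public_ip = true
      public_ip_name   = "fw-vmseries-01-mgmt-pip"
    },
  ]

  # Bootstrap parameters travel as a map(string) in instance metadata.
  bootstrap_options = {
    "type"            = "dhcp-client"
    "panorama-server" = "<panorama-ip-placeholder>"
    "dns-primary"     = "169.254.169.254" # GCP metadata-server DNS resolver
  }

  # GCE ssh-keys metadata format: "<username>:<key-type> <base64-key>".
  ssh_keys        = "admin:ssh-rsa <public-key-placeholder>"
  service_account = "<service-account-email-placeholder>"

  # Only needed when the firewall sits behind a load balancer.
  create_instance_group = true
  named_ports = [
    { name = "http", port = "80" },
  ]

  tags   = ["fw-mgmt", "fw-untrust"]
  labels = { role = "firewall" }
}
```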
Reference
Requirements
Name | Version |
---|---|
terraform | >= 1.3, < 2.0 |
google | ~> 4.54 |
null | ~> 3.1 |
Providers
Name | Version |
---|---|
google | ~> 4.54 |
null | ~> 3.1 |
Modules
No modules.
Resources
Name | Type |
---|---|
google_compute_address.private | resource |
google_compute_address.public | resource |
google_compute_instance.this | resource |
google_compute_instance_group.this | resource |
null_resource.dependency_getter | resource |
google_compute_image.vmseries | data source |
google_compute_subnetwork.this | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
bootstrap_options | VM-Series bootstrap options to pass using instance metadata. Proper syntax is a map, where keys are the bootstrap parameters. Example: bootstrap_options = { type = dhcp-client panorama-server = 1.2.3.4 } A list of available parameters: type, ip-address, default-gateway, netmask, ipv6-address, ipv6-default-gateway, hostname, panorama-server, panorama-server-2, tplname, dgname, dns-primary, dns-secondary, vm-auth-key, op-command-modes, op-cmd-dpdk-pkt-io, plugin-op-commands, dhcp-send-hostname, dhcp-send-client-id, dhcp-accept-server-hostname, dhcp-accept-server-domain, vm-series-auto-registration-pin-id, vm-series-auto-registration-pin-value, auth-key, authcodes, vmseries-bootstrap-gce-storagebucket, mgmt-interface-swap. For more details on the options please refer to VM-Series documentation. | map(string) | {} | no |
create_instance_group | Create an instance group, that can be used in a load balancer setup. | bool | false | no |
custom_image | The full URI to GCE image resource, the output of gcloud compute images list --uri . Overrides official image specified using vmseries_image . | string | null | no |
deletion_protection | Enable deletion protection on the instance. | bool | false | no |
dependencies | n/a | list(string) | [] | no |
disk_type | Boot disk type. See provider documentation for available values. | string | "pd-standard" | no |
labels | GCP instance labels. | map(any) | {} | no |
machine_type | Firewall instance machine type, which depends on the license used. See the Terraform manual | string | "n2-standard-4" | no |
metadata | Other, not VM-Series specific, metadata to set for an instance. | map(string) | {} | no |
metadata_startup_script | See the Terraform manual | string | null | no |
min_cpu_platform | Minimum CPU platform for the compute instance. Up to date version can be found here. | string | "Intel Cascade Lake" | no |
name | Name of the VM-Series instance. | string | n/a | yes |
named_ports | The list of named ports to create in the instance group: `named_ports = [ { name = "http" port = "80" }, { name = "app42" port = "4242" }, ]` The name identifies the backend port that receives traffic from the global load balancers. In practice, TCP port 80 named "http" works even when not defined here, but that is not documented provider behavior. | list | [] | no |
network_interfaces | List of the network interface specifications. Available options: - subnetwork - (Required|string) Self-link of a subnetwork to create the interface in. - private_ip_name - (Optional|string) Name for a private address to reserve. - private_ip - (Optional|string) Private address to reserve. - create_public_ip - (Optional|boolean) Whether to reserve a public IP for the interface. Ignored if public_ip is provided. Defaults to 'false'. - public_ip_name - (Optional|string) Name for a public address to reserve. - public_ip - (Optional|string) Existing public IP to use. - public_ptr_domain_name - (Optional|string) Existing public PTR name to use. - alias_ip_ranges - (Optional|list) List of objects that define additional IP ranges for an interface, as specified here | list(any) | n/a | yes |
project | n/a | string | null | no |
resource_policies | n/a | list(string) | [] | no |
scopes | n/a | list(string) | [ "https://www.googleapis.com/auth/compute.readonly", "https://www.googleapis.com/auth/cloud.useraccounts.readonly", "https://www.googleapis.com/auth/devstorage.read_only", "https://www.googleapis.com/auth/logging.write", "https://www.googleapis.com/auth/monitoring.write" ] | no |
service_account | IAM Service Account for running the firewall instance (the e-mail address only). | string | null | no |
ssh_keys | Public keys to allow SSH access for, separated by newlines. | string | null | no |
tags | GCP instance tags. | list(string) | [] | no |
vmseries_image | The image name from which to boot an instance, including the license type and the version. To get a list of available official images, please run the following command: gcloud compute images list --filter="name ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images | string | "vmseries-flex-bundle1-1008h8" | no |
zone | Zone to deploy instance in. | string | n/a | yes |
Outputs
Name | Description |
---|---|
instance | n/a |
instance_group | n/a |
instance_group_self_link | n/a |
private_ips | n/a |
public_ips | n/a |
self_link | n/a |