The terraform-azurerm-panos-bootstrap module creates an Azure file share to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an init-cfg.txt file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. This module generates that file from the variables provided.
The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.
The root directory of the Terraform plan calling this module should include a `files` directory containing a subdirectory structure similar to the one below.

```
files
├── config
├── content
├── license
├── plugins
└── software
```
```hcl
#
# main.tf
#
provider "azurerm" {
  subscription_id = var.azure_subscription_id
  tenant_id       = var.azure_tenant_id
  client_id       = var.azure_client_id
  client_secret   = var.azure_client_secret
}

module "panos-bootstrap" {
  source  = "PaloAltoNetworks/panos-bootstrap/azurerm"
  version = "1.0.4"

  azure_resource_group = var.azure_resource_group
  azure_location       = var.azure_location

  hostname         = "my-firewall"
  panorama-server  = "panorama1.example.org"
  panorama-server2 = "panorama2.example.org"
  tplname          = "My Firewall Template"
  dgname           = "My Firewalls"
  vm-auth-key      = "supersecretauthkey"
}
```

The Azure CLI must be installed on the host executing the Terraform plan.

- Define a `main.tf` file that calls the module and provides any required and optional variables.
- Define a `variables.tf` file that declares the variables that will be utilized.
- (OPTIONAL) Define an `output.tf` file to capture and display the module return values.
- Create the directories `files/config`, `files/software`, `files/content`, `files/license`, and `files/plugins`.
- (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
- (OPTIONAL) Define a `terraform.tfvars` file containing the required variables and associated values.
- Initialize the providers and modules with the `terraform init` command.
- Validate the plan using the `terraform plan` command.
- Apply the plan using the `terraform apply` command.
The module output provides values for `storage_account`, `access_key`, and `share_name`. These values can then be used in an `azurerm_virtual_machine` resource to instantiate a VM-Series instance; they are passed in the `custom_data` argument of the `os_profile` block.
```hcl
resource "azurerm_virtual_machine" "vmseries" {
  count                        = var.vm_count
  name                         = "${var.name}${count.index + 1}"
  location                     = var.location
  resource_group_name          = var.resource_group_name
  vm_size                      = var.size
  primary_network_interface_id = element(azurerm_network_interface.nic0.*.id, count.index)
  network_interface_ids = [
    element(azurerm_network_interface.nic0.*.id, count.index),
    element(azurerm_network_interface.nic1.*.id, count.index),
    element(azurerm_network_interface.nic2.*.id, count.index),
  ]
  availability_set_id = azurerm_availability_set.default.id

  os_profile_linux_config {
    disable_password_authentication = false
  }

  plan {
    name      = var.license
    publisher = "paloaltonetworks"
    product   = "vmseries1"
  }

  storage_image_reference {
    publisher = "paloaltonetworks"
    offer     = "vmseries1"
    sku       = var.license
    version   = var.panos
  }

  storage_os_disk {
    name              = "${var.name}${count.index + 1}-osdisk"
    caching           = "ReadWrite"
    create_option     = "FromImage"
    managed_disk_type = "Standard_LRS"
  }

  os_profile {
    computer_name  = "${var.name}${count.index + 1}"
    admin_username = var.username
    admin_password = var.password
    custom_data = base64encode(
      join(
        ",",
        [
          "storage-account=${var.storage_account}",
          "access-key=${var.access_key}",
          "file-share=${var.share_name}",
          "share-directory=${var.share_directory}"
        ],
      )
    )
  }
}
```
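As an added example (not part of the module or this README), the following Python reproduces the `custom_data` encoding used in the resource above and decodes it back for verification, checks that the `files/` tree from the top of the page has all five subdirectories, and renders an `init-cfg.txt` from the module's example variables. The mapping of those variables to init-cfg.txt keys (for instance `panorama-server2` to `panorama-server-2`) and the `type=dhcp-client` line are assumptions about the documented bootstrap file format, not the module's own template.

```python
import base64
from pathlib import Path

# Subdirectories the README's files/ tree shows (constant constructed for this example).
BOOTSTRAP_DIRS = ("config", "content", "license", "plugins", "software")
# Keys in the Azure custom data, in the same order as the HCL join() above.
CUSTOM_DATA_KEYS = ("storage-account", "access-key", "file-share", "share-directory")
# Assumed mapping from the module's variable names to documented init-cfg.txt keys.
INIT_CFG_KEYS = {"hostname": "hostname", "panorama-server": "panorama-server",
                 "panorama-server2": "panorama-server-2", "tplname": "tplname",
                 "dgname": "dgname", "vm-auth-key": "vm-auth-key"}


def render_init_cfg(settings):
    """Render init-cfg.txt text: type=dhcp-client plus whichever module variables are set."""
    lines = ["type=dhcp-client"]
    for var, key in INIT_CFG_KEYS.items():
        if settings.get(var):
            lines.append(f"{key}={settings[var]}")
    return "\n".join(lines) + "\n"


def render_custom_data(storage_account, access_key, file_share, share_directory=""):
    """Produce the same value as base64encode(join(",", [...])) in the HCL resource."""
    values = (storage_account, access_key, file_share, share_directory)
    for key, value in zip(CUSTOM_DATA_KEYS, values):
        if "," in value or "=" in value:  # would corrupt the key=value,... encoding
            raise ValueError(f"{key} must not contain ',' or '='")
    plain = ",".join(f"{k}={v}" for k, v in zip(CUSTOM_DATA_KEYS, values))
    return base64.b64encode(plain.encode()).decode()


def parse_custom_data(encoded):
    """Decode custom data to a dict and require all four bootstrap keys to be present."""
    pairs = dict(item.split("=", 1) for item in base64.b64decode(encoded).decode().split(","))
    missing = [k for k in CUSTOM_DATA_KEYS if k not in pairs]
    if missing:
        raise ValueError(f"custom data lacks keys: {missing}")
    return pairs


def check_bootstrap_layout(root):
    """Return the expected subdirectories missing under root (an empty list means OK)."""
    return [d for d in BOOTSTRAP_DIRS if not (Path(root) / d).is_dir()]
```

Run `check_bootstrap_layout("files")` from the plan's root directory before `terraform apply` to catch a missing subdirectory early.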