diff --git a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md b/products/terraform/docs/swfw/azure/vmseries/examples/panorama_standalone.md similarity index 98% rename from products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md rename to products/terraform/docs/swfw/azure/vmseries/examples/panorama_standalone.md index cd1be21b9..cc4d4a5ba 100644 --- a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md +++ b/products/terraform/docs/swfw/azure/vmseries/examples/panorama_standalone.md @@ -1,6 +1,6 @@ --- hide_title: true -id: standalone_panorama +id: panorama_standalone keywords: - pan-os - panos @@ -14,7 +14,7 @@ keywords: - azure pagination_next: null pagination_prev: null -sidebar_label: Standalone Panorama Deployment +sidebar_label: Panorama Standalone title: Standalone Panorama Deployment --- @@ -29,7 +29,7 @@ The Terraform code presented here will deploy Palo Alto Networks Panorama manage (without additional logging disks). For option on how to add additional logging disks - please refer to panorama [module documentation](../../modules/panorama#input_logging_disks). -[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/standalone_panorama) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/standalone_panorama) +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/panorama_standalone) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/panorama_standalone) ## Topology @@ -296,7 +296,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) })) diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md index a9c6a3359..ddcd4ff32 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md @@ -169,6 +169,8 @@ Basic Azure VM image configuration. Following properties are available: +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is + used instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional, defaults to `null`) VM-Series PAN-OS version; list available with `az vm image list -o table --publisher paloaltonetworks --offer vmseries-flex --all`. - `publisher` - (`string`, optional, defaults to `paloaltonetworks`) the Azure Publisher identifier for a image @@ -190,6 +192,7 @@ Type: ```hcl object({ + use_airs = optional(bool, false) version = optional(string) publisher = optional(string, "paloaltonetworks") offer = optional(string, "vmseries-flex") diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md index f4c64ce56..cda1ad588 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md @@ -240,6 +240,8 @@ Basic Azure VM configuration. Following properties are available: +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is + used instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional, defaults to `null`) VM-Series PAN-OS version; list available with `az vm image list -o table --publisher paloaltonetworks --offer vmseries-flex --all`. - `publisher` - (`string`, optional, defaults to `paloaltonetworks`) the Azure Publisher identifier for an image @@ -261,6 +263,7 @@ Type: ```hcl object({ + use_airs = optional(bool, false) version = optional(string) publisher = optional(string, "paloaltonetworks") offer = optional(string, "vmseries-flex") diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md index f0e8ed23a..3a8d5c8f6 100644 --- a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md @@ -209,6 +209,8 @@ Name | Type | Description Name | Description --- | --- `virtual_network_id` | The identifier of the created or sourced Virtual Network. +`virtual_network_name` | The name of the created or sourced Virtual Network. +`virtual_network_resource_group` | The Resource Group name of the created or sourced Virtual Network. `vnet_cidr` | VNET address space. `subnet_ids` | The identifiers of the created or sourced Subnets. `subnet_cidrs` | Subnet CIDRs (sourced or created). @@ -517,9 +519,14 @@ List of available attributes of each subnet entry: `network_security_groups` that should be assigned to this subnet. - `route_table_key` - (`string`, optional, defaults to `null`) a key identifying a Route Table defined in `route_tables` that should be assigned to this subnet. +- `default_outbound_access_enabled` - (`bool`, optional, defaults to `false`) a flag that enables default outbound access to + the Internet from the subnet. Using explicit Internet access methods is recommended. - `enable_storage_service_endpoint` - (`bool`, optional, defaults to `false`) a flag that enables `Microsoft.Storage` service endpoint on a subnet. This is a suggested setting for the management interface when full bootstrapping using an Azure Storage Account is used. +- `enable_appgw_delegation` - (`bool`, optional, defaults to `false`) a flag that enables subnet delegation to + `Microsoft.Network/applicationGateways` service. This is required for Application Gateway + Enhanced Network Isolation. - `enable_cloudngfw_delegation` - (`bool`, optional, defaults to `false`) a flag that enables subnet delegation to `PaloAltoNetworks.Cloudngfw/firewalls` service. This is required for Cloud NGFW to work in a VNET-based deployment. @@ -555,7 +562,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool, false) enable_storage_service_endpoint = optional(bool, false) + enable_appgw_delegation = optional(bool, false) enable_cloudngfw_delegation = optional(bool, false) })) ``` diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vwan.md b/products/terraform/docs/swfw/azure/vmseries/modules/vwan.md new file mode 100644 index 000000000..f709b5e3c --- /dev/null +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vwan.md @@ -0,0 +1,539 @@ +--- +hide_title: true +id: vwan +keywords: +- pan-os +- panos +- firewall +- configuration +- terraform +- vmseries +- vm-series +- swfw +- software-firewalls +- azure +pagination_next: null +pagination_prev: null +sidebar_label: Vwan +title: Palo Alto Networks vWAN Module for Azure +--- + +# Palo Alto Networks vWAN Module for Azure + +This Terraform module manages core Azure Virtual WAN networking components. It enables the creation and configuration of a Virtual WAN, one or more Virtual Hubs, Hub Route Tables, and Hub Connections (such as VNet or VPN Site connections). The module also supports deploying VPN Gateways within hubs and configuring VPN Sites with advanced IPSec settings. + +It allows both creating new and referencing existing Virtual WANs and Virtual Hubs, offering flexibility for greenfield and brownfield deployments. + +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/modules/vwan) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/submodules/vwan) + +## Usage + +- creates a vWAN, vHub, Connections and Routing Intent resource. + +```hcl +virtual_wans = { + "virtual_wan" = { + name = "virtual_wan" + virtual_hubs = { + "virtual_hub" = { + name = "virtual_hub" + address_prefix = "10.0.0.0/24" + connections = { + "app1-to-hub" = { + name = "app1-to-hub" + connection_type = "Vnet" + remote_virtual_network_key = "app1" + } + "app2-to-hub" = { + name = "app2-to-hub" + connection_type = "Vnet" + remote_virtual_network_key = "app2" + } + } + routing_intent = { + routing_intent_name = "routing_intent" + routing_policy = [ + { + routing_policy_name = "PrivateTraffic" + destinations = ["PrivateTraffic"] + next_hop_key = "cloudngfw" + }, + { + routing_policy_name = "Internet" + destinations = ["Internet"] + next_hop_key = "cloudngfw" + } + ] + } + } + } + } +} +``` + +- creates a vWAN, vHub, Route Table, Routes and Connections. Associates each Connection with the appropriate Route Table based on the provided configuration. + +```hcl +virtual_wans = { + "virtual_wan" = { + name = "virtual_wan" + virtual_hubs = { + "virtual_hub" = { + name = "virtual_hub" + address_prefix = "10.0.0.0/24" + route_tables = { + "route_table" = { + name = "route_table" + labels = ["rt_label01", "rt_label02"] + routes = { + "route01" = { + name = "route01" + destinations_type = "CIDR" + destinations = ["10.100.0.0/24"] + next_hop_key = "ha-ports" + } + "route02" = { + name = "route02" + destinations_type = "CIDR" + destinations = ["10.100.1.0/24"] + next_hop_key = "ha-ports" + } + } + } + } + connections = { + "app1-to-hub" = { + name = "app1-to-hub" + connection_type = "Vnet" + remote_virtual_network_key = "app1" + routing = { + associated_route_table_key = "route_table" + propagated_route_table_keys = ["route_table"] + } + } + "app2-to-hub" = { + name = "app2-to-hub" + connection_type = "Vnet" + remote_virtual_network_key = "app2" + routing = { + associated_route_table_key = "route_table" + propagated_route_table_keys = ["route_table"] + } + } + } + } + } + } +} +``` + +- creates a vWAN, vHub, VPN Gateway in vHub, VPN Sites and Connections. Associates Connection with the appropriate VPN Site based on the provided configuration. + +```hcl +virtual_wans = { + "virtual_wan" = { + name = "virtual_wan" + virtual_hubs = { + "virtual_hub" = { + name = "virtual_hub" + address_prefix = "10.0.0.0/24" + connections = { + "site-to-hub" = { + name = "site-to-hub" + connection_type = "Site-to-Site" + vpn_site_key = "site" + vpn_link = [ + { + vpn_link_name = "link-name" + vpn_site_link_key = "ISPW1" + bandwidth_mbps = 50 + ipsec_policy = { + dh_group = "DHGroup24" + ike_encryption_algorithm = "AES256" + ike_integrity_algorithm = "SHA256" + encryption_algorithm = "GCMAES128" + integrity_algorithm = "GCMAES128" + pfs_group = "PFS14" + sa_data_size_kb = 1025 + sa_lifetime_sec = 301 + } + } + ] + } + } + vpn_gateway = { + name = "vpn_gateway01" + } + vpn_sites = { + "site" = { + name = "site" + address_cidrs = ["10.100.0.0/24"] + link = { + "ISPW1" = { + name = "ISPW1" + ip_address = "203.0.113.1" + provider_name = "Provider01" + speed_in_mbps = 100 + } + "ISPW2" = { + name = "ISPW2" + ip_address = "205.0.113.1" + provider_name = "Provider02" + speed_in_mbps = 100 + } + } + } + } + } + } + } +} +``` + +## Reference + +### Requirements + +- `terraform`, version: >= 1.5, < 2.0 +- `azurerm`, version: ~> 4.0 + +### Providers + +- `azurerm`, version: ~> 4.0 + + + +### Resources + +- `virtual_hub` (managed) +- `virtual_hub_connection` (managed) +- `virtual_hub_route_table` (managed) +- `virtual_wan` (managed) +- `vpn_gateway` (managed) +- `vpn_gateway_connection` (managed) +- `vpn_site` (managed) +- `virtual_hub` (data) +- `virtual_wan` (data) + +### Required Inputs + +Name | Type | Description +--- | --- | --- +[`virtual_wan_name`](#virtual_wan_name) | `string` | The name of the Azure Virtual WAN. +[`resource_group_name`](#resource_group_name) | `string` | The name of the Resource Group where the Virtual WAN should exist. +[`region`](#region) | `string` | The name of the Azure region to deploy the virtual WAN. + +### Optional Inputs + +Name | Type | Description +--- | --- | --- +[`create`](#create) | `bool` | Controls Virtual WAN creation. +[`tags`](#tags) | `map` | The map of tags to assign to all created resources. +[`allow_branch_to_branch_traffic`](#allow_branch_to_branch_traffic) | `bool` | Optional boolean flag to specify whether branch-to-branch traffic is allowed. +[`disable_vpn_encryption`](#disable_vpn_encryption) | `bool` | Optional boolean flag to specify whether VPN encryption is disabled. +[`virtual_hubs`](#virtual_hubs) | `map` | Map of objects defining Virtual Hubs to manage within a Virtual WAN. +[`connections`](#connections) | `map` | Map of objects describing Connections within a Virtual Hub. +[`route_tables`](#route_tables) | `map` | Map of objects describing Route Tables to manage within a Virtual Hub. +[`vpn_sites`](#vpn_sites) | `map` | Map of objects describing VPN Sites to be configured within the Azure environment. + +### Outputs + +Name | Description +--- | --- +`virtual_wan_id` | The identifier of the created or sourced Virtual WAN. +`virtual_hub_ids` | The identifier of the created or sourced Virtual Hub. +`route_table_ids` | A map of identifiers for the created Route Tables. + +### Required Inputs details + +#### virtual_wan_name + +The name of the Azure Virtual WAN. + +Type: string + +[back to list](#modules-required-inputs) + +#### resource_group_name + +The name of the Resource Group where the Virtual WAN should exist. + +Type: string + +[back to list](#modules-required-inputs) + +#### region + +The name of the Azure region to deploy the virtual WAN + +Type: string + +[back to list](#modules-required-inputs) + +### Optional Inputs details + +#### create + +Controls Virtual WAN creation. When set to `true`, creates the Virtual WAN, otherwise just uses a pre-existing Virtual WAN. + + +Type: bool + +Default value: `true` + +[back to list](#modules-optional-inputs) + +#### tags + +The map of tags to assign to all created resources. + +Type: map(string) + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### allow_branch_to_branch_traffic + +Optional boolean flag to specify whether branch-to-branch traffic is allowed. Defaults to `true`. + +Type: bool + +Default value: `true` + +[back to list](#modules-optional-inputs) + +#### disable_vpn_encryption + +Optional boolean flag to specify whether VPN encryption is disabled. Defaults to `false`. + +Type: bool + +Default value: `false` + +[back to list](#modules-optional-inputs) + +#### virtual_hubs + +Map of objects defining Virtual Hubs to manage within a Virtual WAN. + +Each object's key is an arbitrary identifier you choose (used for indexing inside the module) and each object supports the +following attributes: + +- `name` - (string, required) name of the Virtual Hub, must be unique within the Virtual WAN. +- `create` - (bool, optional, defaults to `true`) when set to `true` module will create a new + Virtual Hub, when set to `false` it will reference an existing one by name. +- `resource_group_name` - (string, optional) Resource Group in which to create the hub or source it from, + defaults to the module's `resource_group_name` if omitted. +- `region` - (string, optional) Azure region (e.g. `"West Europe"`) for the hub, defaults to + the module's `region` if omitted. +- `address_prefix` - (string, required) the address prefix (CIDR) for the hub's internal subnet, must + be at least `/24` (Microsoft recommends `/23`). +- `hub_routing_preference` - (string, optional) routing preference for the hub, valid values are: + `ExpressRoute`, `ASPath`, or `VpnGateway`. +- `virtual_router_auto_scale_min_capacity` - (number, optional) minimum capacity for the hub's auto-scale router, Azure default + is `0`. +- `vpn_gateway` - (object, optional, defaults to `null`) configuration for an attached VPN Gateway, + if provided this object supports the following attributes: + - `name` - (string, required) VPN Gateway name. + - `resource_group_name` - (string, optional) overrides hub's Resource Group. + - `region` - (string, optional) overrides hub's Azure region. + - `scale_unit` - (number, optional, defaults to `1`) scale unit for the VPN Gateway. + - `routing_preference` - (string, optional, defaults to `"Microsoft Network"`) VPN Gateway's routing preference. + + +Type: + +```hcl +map(object({ + name = string + create = optional(bool, true) + resource_group_name = optional(string) + region = optional(string) + address_prefix = string + hub_routing_preference = optional(string) + virtual_router_auto_scale_min_capacity = optional(number) + vpn_gateway = optional(object({ + name = string + resource_group_name = optional(string) + region = optional(string) + scale_unit = optional(number, 1) + routing_preference = optional(string, "Microsoft Network") + }), null) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### connections + +Map of objects describing Connections within a Virtual Hub. + +Each object represents one Connection and supports the following properties: + +- `name` - (`string`, required) the name of the Connection, must be unique within the Virtual Hub. +- `connection_type` - (`string`, required) the type of Connection, use `Vnet` for Virtual Network connections. +- `remote_virtual_network_id` - (`string`, optional) the resource ID of a remote Virtual Network. +- `hub_key` - (`string`, required) the key referencing the Virtual Hub. +- `vpn_site_key` - (`string`, optional) the key referencing the VPN Site used in this Connection. +- `vpn_link` - (`list`, optional, defaults to `[]`) list of VPN link configurations, each object supports the + following attributes: + - `vpn_link_name` - (`string`, required) the name of the VPN link. + - `vpn_site_link_key` - (`string`, required) the key referencing the VPN Site link. + - `bandwidth_mbps` - (`number`, optional, defaults to `10`) bandwidth limit in Mbps. + - `bgp_enabled` - (`bool`, optional, defaults to `false`) flag that enables BGP on this link. + - `connection_mode` - (`string`, optional, defaults to `Default`) VPN connection mode, valid values are: + `Default`, `InitiatorOnly`, `ResponderOnly`. + - `protocol` - (`string`, optional, defaults to `IKEv2`) VPN protocol, valid values are: `IKEv2`, + `IKEv1`. + - `ratelimit_enabled` - (`bool`, optional, defaults to `false`) flag that enables rate limiting. + - `route_weight` - (`number`, optional, defaults to `0`) routing weight for this link. + - `shared_key` - (`string`, optional) pre-shared key for the VPN. + - `local_azure_ip_address_enabled` - (`bool`, optional, defaults to `false`) flag that enables use of local Azure IP address. + - `ipsec_policy` - (`object`, optional) IPSec policy configuration, following attributes are supported: + - `dh_group` - (`string`, optional) Diffie-Hellman group, valid values are: `DHGroup14`, `DHGroup24`, + `ECP256`, `ECP384`. + - `ike_encryption_algorithm` - (`string`, optional) IKE encryption algorithm, valid values are: `AES128`, `AES256`, + `GCMAES128`, `GCMAES256`. + - `ike_integrity_algorithm` - (`string`, optional) IKE integrity algorithm, valid values are: `SHA256`, `SHA384`. + - `encryption_algorithm` - (`string`, optional) IPSec encryption algorithm, valid values are: `AES192`, `AES128`, + `AES256`, `DES`, `DES3`, `GCMAES192`, `GCMAES128`, `GCMAES256`, `None`. + - `integrity_algorithm` - (`string`, optional) IPSec integrity algorithm, valid values are: `SHA256`, `GCMAES128`, + `GCMAES256`. + - `pfs_group` - (`string`, optional) Perfect Forward Secrecy algorithm, valid values are: `ECP384`, + `ECP256`, `PFSMM`, `PFS1`, `PFS14`, `PFS2`, `PFS24`, `PFS2048`, `None`. + - `sa_data_size_kb` - (`number`, optional) Security Association size in kilobits, value must be `0` or between + `1024` and `2147483647`. + - `sa_lifetime_sec` - (`number`, optional) Security Association lifetime in seconds, value must be between `300` + and `172799`. +- `routing` - (`object`, optional) routing configuration, the following attributes are supported: + - `associated_route_table_key` - (`string`, optional) key of the associated Route Table. + - `propagated_route_table_keys` - (`list(string)`, optional) list of Route Table keys to propagate routes to. + - `propagated_route_table_labels` - (`set(string)`, optional) set of labels for propagated Route Tables. + - `static_vnet_route_name` - (`string`, optional) name of the static route. + - `static_vnet_route_address_prefixes` - (`set(string)`, optional) set of CIDR address prefixes for static route. + - `static_vnet_route_next_hop_ip_address` - (`string`, optional) IP address of the next hop. + - `static_vnet_local_route_override_criteria` - (`string`, optional, defaults to `Contains`) override criteria for the local + route, valid values are: `Contains`, `Equal`. + + +Type: + +```hcl +map(object({ + name = string + connection_type = string + hub_key = string + remote_virtual_network_id = optional(string) + vpn_site_key = optional(string) + vpn_link = optional(list(object({ + vpn_link_name = string + vpn_site_link_key = string + bandwidth_mbps = optional(number, 10) + bgp_enabled = optional(bool, false) + connection_mode = optional(string, "Default") + protocol = optional(string, "IKEv2") + ratelimit_enabled = optional(bool, false) + route_weight = optional(number, 0) + shared_key = optional(string) + local_azure_ip_address_enabled = optional(bool, false) + ipsec_policy = optional(object({ + dh_group = optional(string) + ike_encryption_algorithm = optional(string) + ike_integrity_algorithm = optional(string) + encryption_algorithm = optional(string) + integrity_algorithm = optional(string) + pfs_group = optional(string) + sa_data_size_kb = optional(number) + sa_lifetime_sec = optional(number) + })) + })), []) + routing = optional(object({ + associated_route_table_key = optional(string, "default") + propagated_route_table_keys = optional(list(string), ["default"]) + propagated_route_table_labels = optional(list(string), ["default"]) + static_vnet_route_name = optional(string) + static_vnet_route_address_prefixes = optional(set(string)) + static_vnet_route_next_hop_ip_address = optional(string) + static_vnet_local_route_override_criteria = optional(string) + })) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### route_tables + +Map of objects describing Route Tables to manage within a Virtual Hub. + +Each object defines a Virtual Hub Route Table configuration with attributes to control its association. + +List of available attributes for each Route Table object: + +- `name` - (`string`, required) name of the Virtual Hub Route Table. +- `labels` - (`set`, optional) set of labels associated with the Route Table. +- `hub_key` - (`string`, required) the key referencing the Virtual Hub. + + +Type: + +```hcl +map(object({ + name = string + labels = optional(set(string)) + hub_key = string + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### vpn_sites + +Map of objects describing VPN Sites to be configured within the Azure environment. + +Each object defines a single VPN Site and supports the following properties: + +- `name` - (`string`, required) the unique name of the VPN Site. +- `resource_group_name` - (`string`, optional) the name of the Resource Group for the VPN Site. +- `region` - (`string`, optional) the Azure region where the VPN Site is located. +- `address_cidrs` - (`set(string)`, required) set of IPv4 CIDR blocks associated with the VPN Site. +- `link` - (`list(object)`, optional, defaults to `[]`) list of individual link configurations, each object + supports the following properties: + - `name` - (`string`, required) the name of the link. + - `ip_address` - (`string`, optional) the public IP address of the link. + - `fqdn` - (`string`, optional) the fully qualified domain name for the link. + - `provider_name` - (`string`, optional) the name of the service provider. + - `speed_in_mbps` - (`number`, optional, defaults to `0`) the link speed in Mbps. + + +Type: + +```hcl +map(object({ + name = string + resource_group_name = optional(string) + region = optional(string) + address_cidrs = optional(set(string)) + link = optional(map(object({ + name = string + ip_address = optional(string) + fqdn = optional(string) + provider_name = optional(string) + speed_in_mbps = optional(number, 0) + })), {}) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) \ No newline at end of file diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vwan_routes.md b/products/terraform/docs/swfw/azure/vmseries/modules/vwan_routes.md new file mode 100644 index 000000000..e2e98cce6 --- /dev/null +++ b/products/terraform/docs/swfw/azure/vmseries/modules/vwan_routes.md @@ -0,0 +1,264 @@ +--- +hide_title: true +id: vwan_routes +keywords: +- pan-os +- panos +- firewall +- configuration +- terraform +- vmseries +- vm-series +- swfw +- software-firewalls +- azure +pagination_next: null +pagination_prev: null +sidebar_label: Vwan Routes +title: Palo Alto Networks Virtual WAN Routing Module for Azure +--- + +# Palo Alto Networks Virtual WAN Routing Module for Azure + +A Terraform module for managing routing in an Azure Virtual WAN. + +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/modules/vwan_routes) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/submodules/vwan_routes) + +## Usage + +In order to use the `vwan_routes` module, you need to deploy the `vwan` module as a prerequisite. +Then you can use the example below to call the module and configure routing in the Virtual Hub: + +```hcl +locals { + routing_intent = { + for vwan_key, vwan in var.virtual_wans : vwan_key => { + for hub_key, hub in try(vwan.virtual_hubs, {}) : hub_key => { + virtual_hub_id = try( + module.virtual_wan[vwan_key].virtual_hub_ids[hub_key], + null + ) + routing_intent = { + routing_intent_name = hub.routing_intent.routing_intent_name + routing_policy = [ + for policy in hub.routing_intent.routing_policy : merge( + policy, + { + next_hop_id = try( + module.cloudngfw[policy.next_hop_key] + .palo_alto_virtual_network_appliance_id, + null + ) + } + ) + ] + } + } + if hub.routing_intent != null + } + } + + routes = { + for vwan_key, vwan in var.virtual_wans : vwan_key => { + for route_item in flatten([ + for hub_key, hub in try(vwan.virtual_hubs, {}) : [ + for rt_key, rt in try(hub.route_tables, {}) : [ + for route_key, route in try(rt.routes, {}) : { + route_key = route_key + name = route.name + destinations_type = route.destinations_type + destinations = route.destinations + next_hop_type = route.next_hop_type + next_hop_key = try(route.next_hop_key, null) + route_table_key = rt_key + hub_key = hub_key + } + ] + ] + ]) : route_item.route_key => { + name = route_item.name + destinations_type = route_item.destinations_type + destinations = route_item.destinations + next_hop_type = route_item.next_hop_type + next_hop_id = try( + module.cloudngfw[route_item.next_hop_key].palo_alto_virtual_network_appliance_id, + null + ) + route_table_id = try( + module.virtual_wan[vwan_key].route_table_ids[route_item.route_table_key], + null + ) + } + } + } +} + +module "vwan_routes" { + source = "../../modules/vwan_routes" + for_each = var.virtual_wans + + routes = lookup(local.routes, each.key, {}) + routing_intent = lookup(local.routing_intent, each.key, {}) +} +``` + +Below there are provided sample values: + +```hcl +"virtual_hub_routes" = { + name = "virtual_hub_routes" + address_prefix = "11.0.0.0/24" + route_tables = { + "route_table" = { + name = "route_table" + labels = ["rt_label01", "rt_label02"] + routes = { + "route01" = { + name = "route01" + destinations_type = "CIDR" + destinations = ["10.0.0.0/16"] + next_hop_key = "ha-ports" + } + "route02" = { + name = "route02" + destinations_type = "CIDR" + destinations = ["11.0.0.0/16"] + next_hop_key = "ha-ports" + } + } + } + } +} +"virtual_hub_routing_intent" = { + name = "virtual_hub_routing_intent" + address_prefix = "12.0.0.0/24" + routing_intent = { + routing_intent_name = "routing_intent" + routing_policy = [ + { + routing_policy_name = "PrivateTraffic" + destinations = ["PrivateTraffic"] + next_hop_key = "cloudngfw" + }, + { + routing_policy_name = "Internet" + destinations = ["Internet"] + next_hop_key = "cloudngfw" + } + ] + } +} +``` + +## Reference + +### Requirements + +- `terraform`, version: >= 1.5, < 2.0 +- `azurerm`, version: ~> 4.0 + +### Providers + +- `azurerm`, version: ~> 4.0 + + + +### Resources + +- `virtual_hub_route_table_route` (managed) +- `virtual_hub_routing_intent` (managed) + +### Required Inputs + +Name | Type | Description +--- | --- | --- + +### Optional Inputs + +Name | Type | Description +--- | --- | --- +[`routing_intent`](#routing_intent) | `map` | Map of objects defining Routing Intent configuration for Virtual Hubs. +[`routes`](#routes) | `map` | A map of routing configurations, where each entry defines a route with the following attributes: + +- `name` - (`string`, required) the name of the route. + +### Outputs + +Name | Description +--- | --- +`routing_intent_ids` | The identifiers of the created Virtual Hub Routing Intents. +`route_ids` | The identifiers of the created Routes within Virtual Hub Route Table. + +### Required Inputs details + +### Optional Inputs details + +#### routing_intent + +Map of objects defining Routing Intent configuration for Virtual Hubs. + +Each object key represents a unique identifier, and the value supports the following attributes: + +- `virtual_hub_id` - (`string`, required) the resource ID of the Virtual Hub where the Routing Intent should be applied. +- `routing_intent` - (`object`, required) configuration of the Routing Intent, following properties are available: + - `routing_intent_name` - (`string`, required) the name of the Routing Intent, must be unique across all defined intents. + - `routing_policy` - (`list`, required) a list of Routing Policies to apply, following properties are available: + - `routing_policy_name` - (`string`, required) the name of the Routing Policy, must be unique within the Routing Intent. + - `destinations` - (`list(string)`, required) list of traffic types the policy applies to, valid values are: + `Internet`, `PrivateTraffic`. + - `next_hop_id` - (`string`, required) the resource ID of the next hop used by this routing policy. + + + +Type: + +```hcl +map(object({ + virtual_hub_id = string + routing_intent = object({ + routing_intent_name = string + routing_policy = list(object({ + routing_policy_name = string + destinations = list(string) + next_hop_id = string + })) + }) + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) + +#### routes + +A map of routing configurations, where each entry defines a route with the following attributes: + +- `name` - (`string`, required) the name of the route. Must be unique within the routing configurations. +- `destinations_type` - (`string`, required) specifies the type of destinations, valid values are: `CIDR`, `ResourceId`, + or `Service`. +- `destinations` - (`list`, required) a list of destinations for the route. +- `next_hop_type` - (`string`, required, defaults to "ResourceId") specifies the type of next hop. +- `next_hop_id` - (`string`, required) the id for the next hop resource to which the route points. +- `route_table_id` - (`string`, required) the id of the route table to which this route belongs. + + + +Type: + +```hcl +map(object({ + name = string + destinations_type = string + destinations = list(string) + next_hop_type = optional(string, "ResourceId") + next_hop_id = string + route_table_id = string + })) +``` + + +Default value: `map[]` + +[back to list](#modules-optional-inputs) \ No newline at end of file diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common.md similarity index 98% rename from products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md rename to products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common.md index bfdd6de05..9b9312978 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common.md @@ -1,6 +1,6 @@ --- hide_title: true -id: common_vmseries +id: vmseries_transit_vnet_common keywords: - pan-os - panos @@ -14,7 +14,7 @@ keywords: - azure pagination_next: null pagination_prev: null -sidebar_label: Common Firewall Option +sidebar_label: VM-Series Transit VNet Common title: 'Reference Architecture with Terraform: VM-Series in Azure, Centralized Architecture. Common NGFW Option' --- @@ -30,7 +30,7 @@ The Terraform code presented here will deploy Palo Alto Networks VM-Series firew common VM-Series for all traffic; for a discussion of other options, please see the design guide from [the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures). -[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/common_vmseries) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/common_vmseries) +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/vmseries_transit_vnet_common) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/vmseries_transit_vnet_common) ## Reference Architecture Design @@ -377,7 +377,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) })) @@ -697,8 +699,8 @@ Below you can find a brief list of most important properties: described by `subnet_key`. - `subnet_key` - (`string`, required) a key pointing to a Subnet definition in the `var.vnets` map, this has to be an Application Gateway V2 dedicated subnet. -- `zones` - (`list`, optional, defaults to module default) parameter controlling if this is a zonal, or a non-zonal - deployment. +- `zones` - (`list`, optional, defaults to `["1", "2", "3"]`) parameter controlling if this is a zonal, or a + non-zonal deployment. - `public_ip` - (`map`, required) defines a Public IP resource used by the Application Gateway instance, a newly created Public IP will have it's name prefixes with `var.name_prefix`. - `listeners` - (`map`, required) defines Application Gateway's Listeners, see @@ -727,7 +729,7 @@ map(object({ name = string vnet_key = string subnet_key = string - zones = optional(list(string)) + zones = optional(list(string), ["1", "2", "3"]) public_ip = object({ create = optional(bool, true) name = optional(string) @@ -787,7 +789,7 @@ map(object({ timeout = optional(number) use_cookie_based_affinity = optional(bool) affinity_cookie_name = optional(string) - probe = optional(string) + probe_key = optional(string) root_certs = optional(map(object({ name = string path = string @@ -1030,7 +1032,9 @@ However, if values are set in those maps, they still take precedence over the on universal properties can be overriden on a per-VM basis. Following properties are supported: - + +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is used + instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. @@ -1044,8 +1048,9 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) + use_airs = optional(bool) + version = optional(string) + size = optional(string) bootstrap_options = optional(object({ type = optional(string) ip-address = optional(string) @@ -1219,6 +1224,7 @@ map(object({ ssh_keys = optional(list(string), []) }), {}) image = optional(object({ + use_airs = optional(bool) version = optional(string) publisher = optional(string) offer = optional(string) @@ -1447,7 +1453,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common_autoscale.md similarity index 98% rename from products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md rename to products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common_autoscale.md index eabe558d4..a8a4837ae 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_common_autoscale.md @@ -1,6 +1,6 @@ --- hide_title: true -id: common_vmseries_and_autoscale +id: vmseries_transit_vnet_common_autoscale keywords: - pan-os - panos @@ -14,7 +14,7 @@ keywords: - azure pagination_next: null pagination_prev: null -sidebar_label: Common Firewall Option with Autoscaling +sidebar_label: VM-Series Transit VNet Common with Autoscaling title: 'Reference Architecture with Terraform: VM-Series in Azure, Centralized Architecture, Common NGFW Option with Autoscaling' --- @@ -36,7 +36,7 @@ utilization). Since firewalls are added or removed automatically, they cannot be management and updates a Panorama appliance is suggested. Deployment of a Panorama instance is not covered in this example, but a [dedicated one exists](../standalone\_panorama). -[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/common_vmseries_and_autoscale) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/common_vmseries_and_autoscale) +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/vmseries_transit_vnet_common_autoscale) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/vmseries_transit_vnet_common_autoscale) ## Reference Architecture Design @@ -404,7 +404,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) })) @@ -724,8 +726,8 @@ Below you can find a brief list of most important properties: described by `subnet_key`. - `subnet_key` - (`string`, required) a key pointing to a Subnet definition in the `var.vnets` map, this has to be an Application Gateway V2 dedicated subnet. -- `zones` - (`list`, optional, defaults to module default) parameter controlling if this is a zonal, or a non-zonal - deployment. +- `zones` - (`list`, optional, defaults to `["1", "2", "3"]`) parameter controlling if this is a zonal, or a + non-zonal deployment. - `public_ip` - (`map`, required) defines a Public IP resource used by the Application Gateway instance, a newly created Public IP will have it's name prefixes with `var.name_prefix`. - `listeners` - (`map`, required) defines Application Gateway's Listeners, see @@ -754,7 +756,7 @@ map(object({ name = string vnet_key = string subnet_key = string - zones = optional(list(string)) + zones = optional(list(string), ["1", "2", "3"]) public_ip = object({ create = optional(bool, true) name = optional(string) @@ -814,7 +816,7 @@ map(object({ timeout = optional(number) use_cookie_based_affinity = optional(bool) affinity_cookie_name = optional(string) - probe = optional(string) + probe_key = optional(string) root_certs = optional(map(object({ name = string path = string @@ -1027,7 +1029,9 @@ It duplicates popular properties from `scale_sets` variable, specifically `scale set within this variable. As a result, all universal properties can be overriden on a per-VMSS basis. Following properties are supported: - + +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is used + instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. @@ -1041,8 +1045,9 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) + use_airs = optional(bool) + version = optional(string) + size = optional(string) bootstrap_options = optional(object({ type = optional(string) ip-address = optional(string) @@ -1231,6 +1236,7 @@ map(object({ ssh_keys = optional(list(string), []) }) image = optional(object({ + use_airs = optional(bool) version = optional(string) publisher = optional(string) offer = optional(string) @@ -1500,7 +1506,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated.md similarity index 98% rename from products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md rename to products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated.md index cb87ba623..f9ca5a726 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated.md @@ -1,6 +1,6 @@ --- hide_title: true -id: dedicated_vmseries +id: vmseries_transit_vnet_dedicated keywords: - pan-os - panos @@ -14,7 +14,7 @@ keywords: - azure pagination_next: null pagination_prev: null -sidebar_label: Dedicated Firewall Option +sidebar_label: VM-Series Transit VNet Dedicated title: 'Reference Architecture with Terraform: VM-Series in Azure, Centralized Architecture, Dedicated Inbound NGFW Option' --- @@ -30,7 +30,7 @@ The Terraform code presented here will deploy Palo Alto Networks VM-Series firew dedicated-inbound VM-Series; for a discussion of other options, please see the design guide from [the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures). -[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/dedicated_vmseries) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/dedicated_vmseries) +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/vmseries_transit_vnet_dedicated) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/vmseries_transit_vnet_dedicated) ## Reference Architecture Design @@ -381,7 +381,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) })) @@ -701,8 +703,8 @@ Below you can find a brief list of most important properties: described by `subnet_key`. - `subnet_key` - (`string`, required) a key pointing to a Subnet definition in the `var.vnets` map, this has to be an Application Gateway V2 dedicated subnet. -- `zones` - (`list`, optional, defaults to module default) parameter controlling if this is a zonal, or a non-zonal - deployment. +- `zones` - (`list`, optional, defaults to `["1", "2", "3"]`) parameter controlling if this is a zonal, or a + non-zonal deployment. - `public_ip` - (`map`, required) defines a Public IP resource used by the Application Gateway instance, a newly created Public IP will have it's name prefixes with `var.name_prefix`. - `listeners` - (`map`, required) defines Application Gateway's Listeners, see @@ -731,7 +733,7 @@ map(object({ name = string vnet_key = string subnet_key = string - zones = optional(list(string)) + zones = optional(list(string), ["1", "2", "3"]) public_ip = object({ create = optional(bool, true) name = optional(string) @@ -791,7 +793,7 @@ map(object({ timeout = optional(number) use_cookie_based_affinity = optional(bool) affinity_cookie_name = optional(string) - probe = optional(string) + probe_key = optional(string) root_certs = optional(map(object({ name = string path = string @@ -1034,7 +1036,9 @@ However, if values are set in those maps, they still take precedence over the on universal properties can be overriden on a per-VM basis. Following properties are supported: - + +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is used + instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. @@ -1048,8 +1052,9 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) + use_airs = optional(bool) + version = optional(string) + size = optional(string) bootstrap_options = optional(object({ type = optional(string) ip-address = optional(string) @@ -1223,6 +1228,7 @@ map(object({ ssh_keys = optional(list(string), []) }), {}) image = optional(object({ + use_airs = optional(bool) version = optional(string) publisher = optional(string) offer = optional(string) @@ -1451,7 +1457,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({ diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated_autoscale.md similarity index 98% rename from products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md rename to products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated_autoscale.md index e5d7bb1a6..48c57906a 100644 --- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md +++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/vmseries_transit_vnet_dedicated_autoscale.md @@ -1,6 +1,6 @@ --- hide_title: true -id: dedicated_vmseries_and_autoscale +id: vmseries_transit_vnet_dedicated_autoscale keywords: - pan-os - panos @@ -14,7 +14,7 @@ keywords: - azure pagination_next: null pagination_prev: null -sidebar_label: Dedicated Firewall Option with Autoscaling +sidebar_label: VM-Series Transit VNet Dedicated with Autoscaling title: 'Reference Architecture with Terraform: VM-Series in Azure, Centralized Architecture, Dedicated Inbound NGFW Option with Autoscaling' --- @@ -36,7 +36,7 @@ utilization). Since firewalls are added or removed automatically, they cannot be assigned with public IP addresses. To ease licensing, management and updates a Panorama appliance is suggested. Deployment of a Panorama instance is not covered in this example, but a [dedicated one exists](../standalone_panorama). -[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/dedicated_vmseries_and_autoscale) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/dedicated_vmseries_and_autoscale) +[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/examples/vmseries_transit_vnet_dedicated_autoscale) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/examples/vmseries_transit_vnet_dedicated_autoscale) ## Reference Architecture Design @@ -398,7 +398,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) })) @@ -718,8 +720,8 @@ Below you can find a brief list of most important properties: described by `subnet_key`. - `subnet_key` - (`string`, required) a key pointing to a Subnet definition in the `var.vnets` map, this has to be an Application Gateway V2 dedicated subnet. -- `zones` - (`list`, optional, defaults to module default) parameter controlling if this is a zonal, or a non-zonal - deployment. +- `zones` - (`list`, optional, defaults to `["1", "2", "3"]`) parameter controlling if this is a zonal, or a + non-zonal deployment. - `public_ip` - (`map`, required) defines a Public IP resource used by the Application Gateway instance, a newly created Public IP will have it's name prefixes with `var.name_prefix`. - `listeners` - (`map`, required) defines Application Gateway's Listeners, see @@ -748,7 +750,7 @@ map(object({ name = string vnet_key = string subnet_key = string - zones = optional(list(string)) + zones = optional(list(string), ["1", "2", "3"]) public_ip = object({ create = optional(bool, true) name = optional(string) @@ -808,7 +810,7 @@ map(object({ timeout = optional(number) use_cookie_based_affinity = optional(bool) affinity_cookie_name = optional(string) - probe = optional(string) + probe_key = optional(string) root_certs = optional(map(object({ name = string path = string @@ -1021,7 +1023,9 @@ It duplicates popular properties from `scale_sets` variable, specifically `scale set within this variable. As a result, all universal properties can be overriden on a per-VMSS basis. Following properties are supported: - + +- `use_airs` - (`bool`, optional, defaults to `false`) when set to `true`, the AI Runtime Security VM image is used + instead of the one passed to the module and version for `airs-flex` offer must be provided. - `version` - (`string`, optional) describes the PAN-OS image version from Azure Marketplace. - `size` - (`string`, optional, defaults to module default) Azure VM size (type). Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. @@ -1035,8 +1039,9 @@ Type: ```hcl object({ - version = optional(string) - size = optional(string) + use_airs = optional(bool) + version = optional(string) + size = optional(string) bootstrap_options = optional(object({ type = optional(string) ip-address = optional(string) @@ -1225,6 +1230,7 @@ map(object({ ssh_keys = optional(list(string), []) }) image = optional(object({ + use_airs = optional(bool) version = optional(string) publisher = optional(string) offer = optional(string) @@ -1494,7 +1500,9 @@ map(object({ address_prefixes = optional(list(string), []) network_security_group_key = optional(string) route_table_key = optional(string) + default_outbound_access_enabled = optional(bool) enable_storage_service_endpoint = optional(bool) + enable_appgw_delegation = optional(bool) enable_cloudngfw_delegation = optional(bool) })), {}) local_peer_config = optional(object({