
Commit 028e112

feat: add vm-auth-key optional bootstrap parameter (#87)
1 parent 3c1e010 commit 028e112


14 files changed

+15
-7
lines changed


examples/centralized_design/README.md

+1-1

examples/centralized_design/variables.tf

+1
Original file line numberDiff line numberDiff line change
@@ -391,6 +391,7 @@ variable "vmseries" {
391391
plugin-op-commands = string
392392
panorama-server = string
393393
auth-key = optional(string)
394+
vm-auth-key = optional(string)
394395
dgname = string
395396
tplname = optional(string)
396397
dhcp-send-hostname = string
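Review bot: with this line both `auth-key` and `vm-auth-key` are `optional(string)` inside `bootstrap_options`, so the type accepts a configuration that sets neither and one that sets both. If the bootstrap expects exactly one of them, a `validation` block on `var.vmseries` would reject the bad combination at plan time instead of at first boot, e.g. `condition = alltrue([for k, v in var.vmseries : !(v.bootstrap_options["auth-key"] != null && v.bootstrap_options["vm-auth-key"] != null)])` with an `error_message` that names the two keys.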

examples/centralized_design_autoscale/README.md

+1-1

examples/centralized_design_autoscale/variables.tf

+1
Original file line numberDiff line numberDiff line change
@@ -421,6 +421,7 @@ variable "vmseries_asgs" {
421421
plugin-op-commands = string
422422
panorama-server = string
423423
auth-key = optional(string)
424+
vm-auth-key = optional(string)
424425
dgname = string
425426
tplname = optional(string)
426427
dhcp-send-hostname = string
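Review bot: `vm-auth-key` is a credential (it lets the firewall register with Panorama) but it is typed here as a plain `string` attribute of `vmseries_asgs`, so it is written to the Terraform state in clear text and echoed in `terraform plan` diffs like any other value. Consider `sensitive = true` on the variable, or moving the two auth keys into a separate sensitive variable, and say in the description that the value should come from a secret store rather than a committed `.tfvars`. If these options are rendered into the launch template's user data for the autoscaling group, the description should also say so, since user data is readable by anyone allowed to describe the launch template.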

examples/combined_design/README.md

+1-1

examples/combined_design/variables.tf

+1
Original file line numberDiff line numberDiff line change
@@ -423,6 +423,7 @@ variable "vmseries" {
423423
plugin-op-commands = string
424424
panorama-server = string
425425
auth-key = optional(string)
426+
vm-auth-key = optional(string)
426427
dgname = string
427428
tplname = optional(string)
428429
dhcp-send-hostname = string
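Review bot: the attribute is added to the type but nothing in the hunk documents it, and the `vmseries` description above this context (and the README table generated from it) still lists only `auth-key` as the value to take from the `sw_fw_license` plugin. Add one line to the property list saying what `vm-auth-key` is and when it is used instead of `auth-key`, so users do not guess or set both.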

examples/combined_design_autoscale/README.md

+1-1

examples/combined_design_autoscale/variables.tf

+1
Original file line numberDiff line numberDiff line change
@@ -436,6 +436,7 @@ variable "vmseries_asgs" {
436436
plugin-op-commands = string
437437
panorama-server = string
438438
auth-key = optional(string)
439+
vm-auth-key = optional(string)
439440
dgname = string
440441
tplname = optional(string)
441442
dhcp-send-hostname = string
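Review bot: this is the same one-line type extension repeated for the fourth `variables.tf`, because the `bootstrap_options` object type is duplicated verbatim across the examples; worth a follow-up to reduce that duplication so the next bootstrap key cannot land in some examples and not others. Also confirm that whatever consumes `bootstrap_options` (not visible in this rendering: 14 files changed, 10 shown here) actually forwards `vm-auth-key` into the generated init-cfg, otherwise the attribute is accepted and silently dropped.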

examples/isolated_design/README.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -120,7 +120,7 @@ To enable access from the session manager, the Internet connection for a public
120120
| <a name="input_spoke_nlbs"></a> [spoke\_nlbs](#input\_spoke\_nlbs) | A map defining Network Load Balancers deployed in spoke VPCs.<br><br>Following properties are available:<br>- `vpc`: key of the VPC<br>- `subnet_group`: key of the subnet\_group<br>- `vms`: keys of spoke VMs<br><br>Example:<pre>spoke_lbs = {<br> "app1-nlb" = {<br> vpc = "app1_vpc"<br> subnet_group = "app1_lb"<br> vms = ["app1_vm01", "app1_vm02"]<br> }<br>}</pre> | <pre>map(object({<br> vpc = string<br> subnet_group = string<br> vms = list(string)<br> }))</pre> | `{}` | no |
121121
| <a name="input_spoke_vms"></a> [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.<br><br>Following properties are available:<br>- `az`: name of the Availability Zone<br>- `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br>- `subnet_group`: key of the subnet\_group<br>- `security_group`: security group assigned to ENI used by VM<br>- `type`: EC2 type VM<br><br>Example:<pre>spoke_vms = {<br> "app1_vm01" = {<br> az = "eu-central-1a"<br> vpc = "app1_vpc"<br> subnet_group = "app1_vm"<br> security_group = "app1_vm"<br> type = "t2.micro"<br> }<br>}</pre> | <pre>map(object({<br> az = string<br> vpc = string<br> subnet_group = string<br> security_group = string<br> type = string<br> }))</pre> | `{}` | no |
122122
| <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
123-
| <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map defining VM-Series instances<br>Following properties are available:<br>- `instances`: map of VM-Series instances<br>- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br>- `panos_version`: PAN-OS version used for VM-Series<br>- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br>- `vpc`: key of VPC<br>- `gwlb`: key of GWLB<br>- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br>- `system_services`: map of system services<br>- `application_lb`: ALB placed in front of the Firewalls' public interfaces<br>- `network_lb`: NLB placed in front of the Firewalls' public interfaces<br>Example:<pre>vmseries = {<br> vmseries = {<br> instances = {<br> "01" = { az = "eu-central-1a" }<br> "02" = { az = "eu-central-1b" }<br> }<br> # Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw_fw_license`<br> bootstrap_options = {<br> mgmt-interface-swap = "enable"<br> plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable"<br> dhcp-send-hostname = "yes"<br> dhcp-send-client-id = "yes"<br> dhcp-accept-server-hostname = "yes"<br> dhcp-accept-server-domain = "yes"<br> }<br> panos_version = "10.2.3" # TODO: update here<br> ebs_kms_id = "alias/aws/ebs" # TODO: update here<br> # Value of `vpc` must match key of objects stored in `vpcs`<br> vpc = "security_vpc"<br> # Value of `gwlb` must match key of objects stored in `gwlbs`<br> gwlb = "security_gwlb"<br> interfaces = {<br> private = {<br> device_index = 0<br> security_group = "vmseries_private"<br> vpc = "security_vpc"<br> subnet_group = "private"<br> create_public_ip = false<br> source_dest_check = false<br> }<br> mgmt = {<br> device_index = 1<br> security_group = "vmseries_mgmt"<br> vpc = "security_vpc"<br> subnet_group = "mgmt"<br> create_public_ip = true<br> source_dest_check = true<br> }<br> public 
= {<br> device_index = 2<br> security_group = "vmseries_public"<br> vpc = "security_vpc"<br> subnet_group = "public"<br> create_public_ip = true<br> source_dest_check = false<br> }<br> }<br> # Value of `gwlb_endpoint` must match key of objects stored in `gwlb_endpoints`<br> subinterfaces = {<br> inbound = {<br> app1 = {<br> gwlb_endpoint = "app1_inbound"<br> subinterface = "ethernet1/1.11"<br> }<br> app2 = {<br> gwlb_endpoint = "app2_inbound"<br> subinterface = "ethernet1/1.12"<br> }<br> }<br> outbound = {<br> only_1_outbound = {<br> gwlb_endpoint = "security_gwlb_outbound"<br> subinterface = "ethernet1/1.20"<br> }<br> }<br> eastwest = {<br> only_1_eastwest = {<br> gwlb_endpoint = "security_gwlb_eastwest"<br> subinterface = "ethernet1/1.30"<br> }<br> }<br> }<br> system_services = {<br> dns_primary = "4.2.2.2" # TODO: update here<br> dns_secondy = null # TODO: update here<br> ntp_primary = "pool.ntp.org" # TODO: update here<br> ntp_secondy = null # TODO: update here<br> }<br> application_lb = null<br> network_lb = null<br> }<br>}</pre> | <pre>map(object({<br> instances = map(object({<br> az = string<br> }))<br><br> bootstrap_options = object({<br> mgmt-interface-swap = string<br> plugin-op-commands = string<br> panorama-server = string<br> auth-key = optional(string)<br> dgname = string<br> tplname = optional(string)<br> dhcp-send-hostname = string<br> dhcp-send-client-id = string<br> dhcp-accept-server-hostname = string<br> dhcp-accept-server-domain = string<br> authcodes = optional(string)<br> vm-series-auto-registration-pin-id = optional(string)<br> vm-series-auto-registration-pin-value = optional(string)<br> })<br><br> panos_version = string<br> ebs_kms_id = string<br><br> vpc = string<br> gwlb = string<br><br> interfaces = map(object({<br> device_index = number<br> security_group = string<br> vpc = string<br> subnet_group = string<br> create_public_ip = bool<br> source_dest_check = bool<br> }))<br><br> subinterfaces = map(map(object({<br> gwlb_endpoint = 
string<br> subinterface = string<br> })))<br><br> system_services = object({<br> dns_primary = string<br> dns_secondy = string<br> ntp_primary = string<br> ntp_secondy = string<br> })<br><br> application_lb = object({<br> name = string<br> rules = any<br> })<br><br> network_lb = object({<br> name = string<br> rules = any<br> })<br> }))</pre> | `{}` | no |
123+
| <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map defining VM-Series instances<br>Following properties are available:<br>- `instances`: map of VM-Series instances<br>- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br>- `panos_version`: PAN-OS version used for VM-Series<br>- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br>- `vpc`: key of VPC<br>- `gwlb`: key of GWLB<br>- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br>- `system_services`: map of system services<br>- `application_lb`: ALB placed in front of the Firewalls' public interfaces<br>- `network_lb`: NLB placed in front of the Firewalls' public interfaces<br>Example:<pre>vmseries = {<br> vmseries = {<br> instances = {<br> "01" = { az = "eu-central-1a" }<br> "02" = { az = "eu-central-1b" }<br> }<br> # Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw_fw_license`<br> bootstrap_options = {<br> mgmt-interface-swap = "enable"<br> plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable"<br> dhcp-send-hostname = "yes"<br> dhcp-send-client-id = "yes"<br> dhcp-accept-server-hostname = "yes"<br> dhcp-accept-server-domain = "yes"<br> }<br> panos_version = "10.2.3" # TODO: update here<br> ebs_kms_id = "alias/aws/ebs" # TODO: update here<br> # Value of `vpc` must match key of objects stored in `vpcs`<br> vpc = "security_vpc"<br> # Value of `gwlb` must match key of objects stored in `gwlbs`<br> gwlb = "security_gwlb"<br> interfaces = {<br> private = {<br> device_index = 0<br> security_group = "vmseries_private"<br> vpc = "security_vpc"<br> subnet_group = "private"<br> create_public_ip = false<br> source_dest_check = false<br> }<br> mgmt = {<br> device_index = 1<br> security_group = "vmseries_mgmt"<br> vpc = "security_vpc"<br> subnet_group = "mgmt"<br> create_public_ip = true<br> source_dest_check = true<br> }<br> public 
= {<br> device_index = 2<br> security_group = "vmseries_public"<br> vpc = "security_vpc"<br> subnet_group = "public"<br> create_public_ip = true<br> source_dest_check = false<br> }<br> }<br> # Value of `gwlb_endpoint` must match key of objects stored in `gwlb_endpoints`<br> subinterfaces = {<br> inbound = {<br> app1 = {<br> gwlb_endpoint = "app1_inbound"<br> subinterface = "ethernet1/1.11"<br> }<br> app2 = {<br> gwlb_endpoint = "app2_inbound"<br> subinterface = "ethernet1/1.12"<br> }<br> }<br> outbound = {<br> only_1_outbound = {<br> gwlb_endpoint = "security_gwlb_outbound"<br> subinterface = "ethernet1/1.20"<br> }<br> }<br> eastwest = {<br> only_1_eastwest = {<br> gwlb_endpoint = "security_gwlb_eastwest"<br> subinterface = "ethernet1/1.30"<br> }<br> }<br> }<br> system_services = {<br> dns_primary = "4.2.2.2" # TODO: update here<br> dns_secondy = null # TODO: update here<br> ntp_primary = "pool.ntp.org" # TODO: update here<br> ntp_secondy = null # TODO: update here<br> }<br> application_lb = null<br> network_lb = null<br> }<br>}</pre> | <pre>map(object({<br> instances = map(object({<br> az = string<br> }))<br><br> bootstrap_options = object({<br> mgmt-interface-swap = string<br> plugin-op-commands = string<br> panorama-server = string<br> auth-key = optional(string)<br> vm-auth-key = optional(string)<br> dgname = string<br> tplname = optional(string)<br> dhcp-send-hostname = string<br> dhcp-send-client-id = string<br> dhcp-accept-server-hostname = string<br> dhcp-accept-server-domain = string<br> authcodes = optional(string)<br> vm-series-auto-registration-pin-id = optional(string)<br> vm-series-auto-registration-pin-value = optional(string)<br> })<br><br> panos_version = string<br> ebs_kms_id = string<br><br> vpc = string<br> gwlb = string<br><br> interfaces = map(object({<br> device_index = number<br> security_group = string<br> vpc = string<br> subnet_group = string<br> create_public_ip = bool<br> source_dest_check = bool<br> }))<br><br> subinterfaces = 
map(map(object({<br> gwlb_endpoint = string<br> subinterface = string<br> })))<br><br> system_services = object({<br> dns_primary = string<br> dns_secondy = string<br> ntp_primary = string<br> ntp_secondy = string<br> })<br><br> application_lb = object({<br> name = string<br> rules = any<br> })<br><br> network_lb = object({<br> name = string<br> rules = any<br> })<br> }))</pre> | `{}` | no |
124124
| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br><br>Following properties are available:<br>- `name`: VPC name<br>- `cidr`: CIDR for VPC<br>- `nacls`: map of network ACLs<br>- `security_groups`: map of security groups<br>- `subnets`: map of subnets with properties:<br> - `az`: availability zone<br> - `subnet_group`: identity of the same purpose subnets group such as management<br> - `nacl`: key of NACL (can be null)<br>- `routes`: map of routes with properties:<br> - `vpc` - key of VPC<br> - `subnet_group` - key of subnet\_group<br> - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br> - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br><br>Example:<pre>vpcs = {<br> example_vpc = {<br> name = "example-spoke-vpc"<br> cidr = "10.104.0.0/16"<br> nacls = {<br> trusted_path_monitoring = {<br> name = "trusted-path-monitoring"<br> rules = {<br> allow_inbound = {<br> rule_number = 300<br> egress = false<br> protocol = "-1"<br> rule_action = "allow"<br> cidr_block = "0.0.0.0/0"<br> from_port = null<br> to_port = null<br> }<br> }<br> }<br> }<br> security_groups = {<br> example_vm = {<br> name = "example_vm"<br> rules = {<br> all_outbound = {<br> description = "Permit All traffic outbound"<br> type = "egress", from_port = "0", to_port = "0", protocol = "-1"<br> cidr_blocks = ["0.0.0.0/0"]<br> }<br> }<br> }<br> }<br> subnets = {<br> "10.104.0.0/24" = { az = "eu-central-1a", subnet_group = "vm", nacl = null }<br> "10.104.128.0/24" = { az = "eu-central-1b", subnet_group = "vm", nacl = null }<br> }<br> routes = {<br> vm_default = {<br> vpc = "app1_vpc"<br> subnet_group = "app1_vm"<br> to_cidr = "0.0.0.0/0"<br> next_hop_key = "app1"<br> next_hop_type = "transit_gateway_attachment"<br> }<br> }<br> }<br>}</pre> | <pre>map(object({<br> name = string<br> cidr = string<br> nacls = map(object({<br> name = string<br> rules = 
map(object({<br> rule_number = number<br> egress = bool<br> protocol = string<br> rule_action = string<br> cidr_block = string<br> from_port = string<br> to_port = string<br> }))<br> }))<br> security_groups = any<br> subnets = map(object({<br> az = string<br> subnet_group = string<br> nacl = string<br> }))<br> routes = map(object({<br> vpc = string<br> subnet_group = string<br> to_cidr = string<br> next_hop_key = string<br> next_hop_type = string<br> }))<br> }))</pre> | `{}` | no |
125125

126126
### Outputs
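Review bot: the regenerated row adds `vm-auth-key = optional(string)` to the type column but leaves the description column unchanged, so the example comment still reads "Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw_fw_license`" and the property list never mentions `vm-auth-key`. Since the table is generated from the variable description in `variables.tf`, update the description there and regenerate; the pre-existing `VM-Seriess` typo in the same row could be fixed in the same pass (the `dns_secondy`/`ntp_secondy` names are attribute names and should only be renamed together with the module input).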

examples/isolated_design/variables.tf

+1
Original file line numberDiff line numberDiff line change
@@ -324,6 +324,7 @@ variable "vmseries" {
324324
plugin-op-commands = string
325325
panorama-server = string
326326
auth-key = optional(string)
327+
vm-auth-key = optional(string)
327328
dgname = string
328329
tplname = optional(string)
329330
dhcp-send-hostname = string
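Review bot: `optional(string)` with no default yields `null` when the key is not set, so the template that writes `init-cfg.txt` must omit the key entirely when it is null rather than emit `vm-auth-key=` with an empty value, which is harder to diagnose on the firewall side than a missing key. If the consumer does not already guard on null, add the conditional there; the type change alone does not handle it.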
