Palo Alto Networks Terraform Provider for PAN-OS

Introduction

The Terraform provider for PAN-OS enables you to automate the configuration of a Palo Alto Networks next-generation firewall that has been deployed in either a virtualized environment or on a physical network. In the public cloud, users can automate the creation of a VPC or Resource Group that contains a VM-Series firewall using an AWS, Google Cloud or Azure provider. Using the PAN-OS provider, they can then apply the VM-Series configuration, effectively performing end-to-end deployment automation. Let’s walk through an example of how you might use the Terraform provider for PAN-OS.


Setup

Whether another provider has been used to deploy the VM-Series or the firewall is physical, let's assume that the firewall is accessible. We now want to configure two ethernet interfaces on the firewall: ethernet1/1 in a L3-trust zone that allows pings, and ethernet1/2 in a L3-untrust zone. Both interfaces will use DHCP to get their IP addresses. We'll do all of this in vsys1.


Provider Configuration

First we'll need to configure the provider connection to the VM-Series. The full documentation for the provider can be found here.


There are only three parameters that are required to configure the provider: the hostname, username, and password. So, let's start out our Terraform plan file with just our provider config like so:


provider "panos" {
    hostname = "127.0.0.1"
    username = "terraform"
    password = "secret"
}


In this example I'm following the best practice of creating a separate user account named "terraform". Functionally, nothing stops you from using the "admin" account for this, but do so only for proofs of concept. With a dedicated account, whenever Terraform is running it shows up under its own name in the Active Sessions dashboard in the GUI, making it clear that Terraform is the one making changes.
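
The provider block above carries the password in clear text in the plan file. As an added example (not code from the original article or from the provider project), here is the same provider configuration with the credentials pulled from Terraform input variables marked sensitive, so the secret is supplied at run time instead of being committed alongside the plan. It assumes Terraform 0.14 or later (for `sensitive = true` and the unquoted `var.` expression syntax); the variable names are my own.

```hcl
# Added example: keep firewall credentials out of the plan file.
# Assumes Terraform 0.14+; variable names below are illustrative.

variable "panos_hostname" {
  description = "Management address of the VM-Series firewall"
  type        = string
}

variable "panos_username" {
  description = "Dedicated automation account on the firewall (not 'admin')"
  type        = string
  default     = "terraform"
}

variable "panos_password" {
  description = "Password for the automation account; deliberately has no default"
  type        = string
  sensitive   = true   # redacted from plan/apply output
}

provider "panos" {
  hostname = var.panos_hostname
  username = var.panos_username
  password = var.panos_password
}
```

Supply the values at run time, for example with `export TF_VAR_panos_password=...` before `terraform plan`, rather than from a `.tfvars` file checked into version control.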


Interface Management Profile Configuration

Now that we've specified our authentication info, let's go ahead and configure the interface management profile that we want our internal interface to use. The full documentation for interface management profiles can be found here.


Based on the documentation for interface management profiles, we can now configure it like so:


resource "panos_management_profile" "mp1" {
    name = "Allow ping"
    ping = true
}


Ethernet Interface Configuration

Next up are our two interfaces. The full documentation for ethernet interfaces can be found here.


Using the interface documentation, we can now configure our two ethernet interfaces. For our example, let's say that we want to configure ethernet1/1 as the internal interface and ethernet1/2 as the external interface. We need to apply our interface management profile to the internal interface to enable the services we want, which means that the interface management profile needs to be created first. To make this happen, we'll refer to our management profile via its Terraform variable name instead of using the string "Allow ping". So the configuration will look like this:


resource "panos_ethernet_interface" "eth1" {
    name = "ethernet1/1"
    comment = "Internal interface"
    management_profile = "${panos_management_profile.mp1.name}"
    vsys = "vsys1"
    mode = "layer3"
    enable_dhcp = true
    create_dhcp_default_route = true
}

resource "panos_ethernet_interface" "eth2" {
    name = "ethernet1/2"
    comment = "External interface"
    vsys = "vsys1"
    mode = "layer3"
    enable_dhcp = true
}


Zone Configuration

Now we need to create our two security zones. The full documentation for security zones can be found here.


Just like with the data interfaces, we will want to refer to the interfaces via their Terraform variable names to signal to Terraform that we want the interfaces to be created before the security zones are created. Since "vsys1" is assumed if it isn't present, we don't need to specify it. Thus, the security zone configuration will look like this:


resource "panos_zone" "intZone" {
    name = "L3-trust"
    mode = "layer3"
    interfaces = ["${panos_ethernet_interface.eth1.name}"]
}

resource "panos_zone" "extZone" {
    name = "L3-untrust"
    mode = "layer3"
    interfaces = ["${panos_ethernet_interface.eth2.name}"]
}


Conclusion

The Terraform provider for PAN-OS allows users to embed next-generation security into their multi-cloud application deployment lifecycle, eliminating potential security roadblocks that may occur as developers add or remove workloads.


Here's the full configuration including provider, interface management profile, ethernet interface, and zone configurations:


provider "panos" {
    hostname = "127.0.0.1"
    username = "terraform"
    password = "secret"
}

resource "panos_management_profile" "mp1" {
    name = "Allow ping"
    ping = true
}

resource "panos_ethernet_interface" "eth1" {
    name = "ethernet1/1"
    comment = "Internal interface"
    management_profile = "${panos_management_profile.mp1.name}"
    vsys = "vsys1"
    mode = "layer3"
    enable_dhcp = true
    create_dhcp_default_route = true
}

resource "panos_ethernet_interface" "eth2" {
    name = "ethernet1/2"
    comment = "External interface"
    vsys = "vsys1"
    mode = "layer3"
    enable_dhcp = true
}

resource "panos_zone" "intZone" {
    name = "L3-trust"
    mode = "layer3"
    interfaces = ["${panos_ethernet_interface.eth1.name}"]
}

resource "panos_zone" "extZone" {
    name = "L3-untrust"
    mode = "layer3"
    interfaces = ["${panos_ethernet_interface.eth2.name}"]
}

Check out the Terraform provider for PAN-OS here.

