Terraform NGFW provider failing to get token for CloudFirewallAdmin

SZanpure · ‎04-28-2022

Hi,

I am trialling out the TF provider in this repo and I have successfully built the provider locally. I am able to configure it as per the settings mentioned in the doc. To give a brief overview, I have

Subscribed to Palo NGFW in AWS Marketplace
Added our sandbox AWS Account to Palo NGFW and run the Cloudformation template which creates cross-account IAM roles.
Enabled Programmatic access and created the IAM role mentioned in the docs to grant access to API Gateway. I have also tagged the IAM role with
Key=NGFWaasRole, Value=CloudFirewallAdmin

Key=NGFWaasRole, Value=CloudRulestackAdmin
tags as mentioned in the other ticket
I have granted sts:AssumeRole permission so that any authenticated user in my sandbox account can assume the above role.
After setting up all of this, I supply the following config values to the provider

host: "api.us-east-1.aws.cloudngfw.paloaltonetworks.com"

region: "us-east-1"

arn: "<The arn of the API Gateway IAM Role I setup in step 3>"

The provider initialises successfully when I run terraform init, however when I run terraform plan, it errors as per the screenshot below

I can only speculate (since I am not familiar with golang, but the code for ngfw client is here ) that the client is failing to execute steps 8 and 9 mentioned here

Another thing to note is that the tags mentioned in step 5 of the above article are different from the ones you have mentioned in the linked ticket above. Is there any reason for this difference? Also, the Github repo linked in step 6 has a broken link, so I cannot view the CFT examples.

Any help would be appreciated since I am now effectively blocked in automating the NGFW firewall creation.

Regards,

Shreyas

gfreeman · ‎04-28-2022

Run terraform apply with logging enabled, it might have more information:

TF_LOG=debug terraform apply

gfreeman · ‎04-28-2022

I have been told that the docs are wrong with regards to the tags needed for the role created in AWS. Change the tags as follows:

CloudFirewallAdmin > CloudNGFWFirewallAdmin
CloudRulestackAdmin > CloudNGFWRulestackAdmin

SZanpure · ‎04-28-2022

Thanks @gfreeman

I made changes to the tags, and it made no difference. After switching on TF_LOG, I got an error message which might be of interest to you.

-----------------------------------------------------: timestamp=2022-04-28T21:05:56.317+0100
2022-04-28T21:05:56.381+0100 [INFO]  provider.terraform-provider-cloudngfwaws_v1.0.0: 2022/04/28 21:05:56 [DEBUG] CloudNgfwAws API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/1.1 403 Forbidden
Connection: close
Content-Length: 251
Access-Control-Allow-Headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,X-Amz-User-Agent
Access-Control-Allow-Methods: *
Access-Control-Allow-Origin: *
Content-Type: application/json
Date: Thu, 28 Apr 2022 20:05:56 GMT
X-Amz-Apigw-Id: <Redacted>
X-Amzn-Errortype: AccessDeniedException
X-Amzn-Requestid: <Redacted>
X-Amzn-Trace-Id: <Redacted>

{
 "message": "User: arn:aws:sts::<Redacted>:assumed-role/palo-ngfw-admin-role/sdk_session is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:us-east-1:********1261:63kpcf9k68/prod/GET/v1/mgmt/tokens/cloudrulestackadmin"
}

The palo-ngfw-admin-role is setup as such

{
    "Version": "2012-10-17",
    "Statement": [ 
       {
          "Effect": "Allow",
          "Action": [
            "execute-api:Invoke"
          ],
          "Resource": [
            "arn:aws:execute-api:*:*:*"
          ]
      }
    ]
  }

The assume role policy for assuming the role above is set up as such

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "AssumeTaggedRole",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Principal": {
            "AWS": "arn:aws:iam::${account-id}:root"
        },
        "Condition": {
            "StringEquals": {"iam:ResourceTag/CloudFirewallAdmin": "CloudNGFWFirewallAdmin"}
        }
      }
    ]
  }

The IAM role is set up as

resource "aws_iam_role" "palo-ngfw-admin-role" {
  name               = "palo-ngfw-admin-role"
  assume_role_policy = data.template_file.assume-role-policy.rendered
  tags = {
    "CloudFirewallAdmin"  = "CloudNGFWFirewallAdmin",
    "CloudRulestackAdmin" = "CloudNGFWRulestackAdmin"
  }
}

resource "aws_iam_policy" "palo-nfgw-admin-policy" {
  name   = "palo-nfgw-admin-policy"
  policy = data.template_file.palo-ngfw-admin-policy.rendered
  tags = {
    "Name" = "palo-nfgw-admin-policy"
  }
}

resource "aws_iam_role_policy_attachment" "palo-nfgw-admin-policy-to-palo-ngfw-admin-role" {
  role       = aws_iam_role.palo-ngfw-admin-role.name
  policy_arn = aws_iam_policy.palo-nfgw-admin-policy.arn
}

The provider config is setup as follows

provider "cloudngfwaws" {
  json_config_file = "./cloudngfwaws_config.json"
}

{
    "host": "api.us-east-1.aws.cloudngfw.paloaltonetworks.com",
    "region": "us-east-1",
    "arn": "arn:aws:iam::<redacted>:role/palo-ngfw-admin-role"
  }

After all this set up, the IAM user that I use to login to our sandbox account assumes the palo-ngfw-admin-role and tries to execute the api gateway which subsequently fails. Any ideas please?

Regards,

Shreyas

gfreeman · ‎04-28-2022

Looking at that response, it seems like something is misconfigured with your AWS setup.

Found some other documentation and this does actually have the updated role tags that I mentioned above, so maybe there's something in here that's the answer..?

https://pan.dev/cloudngfw/aws/api

Terraform NGFW provider failing to get token for CloudFirewallAdmin

Terraform NGFW provider failing to get token for CloudFirewallAdmin

Show your appreciation!