AWS Account Onboarding using Prisma Cloud Terraform Provider


By Muhammad Rehan , Customer Success Engineer Team Lead, CSPM West

Introduction 

Many organizations need to create, read, update, and delete their cloud infrastructure. Terraform is an easy way to provision and deploy infrastructure resources such as servers, databases, network components, etc. 

By using Terraform, you no longer have to log in to the Prisma Cloud console and navigate and set up all your settings manually. You can simply create a Terraform configuration and apply it directly from the command line.

In this article, we would like to illustrate how you can onboard your AWS accounts using the Prisma Cloud Terraform provider.


Step 1 : 

  • Install Terraform on your workstation. 

Note: Terraform can be downloaded as a single binary or executable file from the Terraform download section: www.terraform.io

Follow these steps to download and install Terraform on macOS.

% wget https://releases.hashicorp.com/terraform/0.13.0/terraform_0.13.0_linux_amd64.zip
% unzip terraform_0.13.0_linux_amd64.zip
% mv terraform /usr/local/bin
% terraform version
Terraform v1.3.4
On darwin_amd64

The last command verifies that Terraform is installed successfully and prints the version of Terraform that you are running.

Example 1 : Terraform Installation 

For installation on other operating systems, please refer to Install Terraform Guidelines.

 

Step 2 : 

  • Use the following code for AWS Account Onboarding:

terraform {
  required_providers {
    prismacloud = {
      source  = "PaloAltoNetworks/prismacloud"
      version = "1.3.7"
    }
  }
}

provider "prismacloud" {
  url      = var.url
  username = var.username
  password = var.password
}

provider "aws" {
  region     = "us-east-1"
  access_key = "xxxxxxxx"
  secret_key = "xxxxxxxx"
}

# Fetch the features supported for an AWS account
data "prismacloud_account_supported_features" "prismacloud_supported_features" {
  cloud_type   = "aws"
  account_type = "account"
}

# Fetch the AWS CFT S3 presigned URL based on the required features
data "prismacloud_aws_cft_generator" "prismacloud_account_cft" {
  account_type = "account"
  account_id   = "xxxxxxx"
  features     = data.prismacloud_account_supported_features.prismacloud_supported_features.supported_features
}

# Create the IAM role AWS CloudFormation stack from the S3 presigned CFT URL
resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {
  name         = "PrismaCloudApp" # change if needed
  capabilities = ["CAPABILITY_NAMED_IAM"]
  # parameters = {            # optional
  #   PrismaCloudRoleName = ""
  # }
  template_url = data.prismacloud_aws_cft_generator.prismacloud_account_cft.s3_presigned_cft_url
}

# Onboard the cloud account onto the Prisma Cloud platform
resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {
  disable_on_destroy = true
  aws {
    name       = "myAwsAccountName" # should be unique for each account
    account_id = "xxxxxxxxxx"
    group_ids = [
      data.prismacloud_account_group.existing_account_group_id.group_id, # to use an existing account group
      # prismacloud_account_group.new_account_group.group_id,           # to use a newly created account group
    ]
    role_arn = aws_cloudformation_stack.prismacloud_iam_role_stack.outputs.PrismaCloudRoleARN # IAM role ARN from the prismacloud_iam_role_stack resource
    # features {               # feature names from the prismacloud_supported_features data source
    #   name  = "Remediation"  # to enable Remediation, also known as Monitor and Protect
    #   state = "enabled"
    # }
    # features {
    #   name  = "Agentless Scanning" # to enable the Agentless Scanning feature if required
    #   state = "enabled"
    # }
  }
}

# Retrieve the id of an existing account group by name
data "prismacloud_account_group" "existing_account_group_id" {
  name = "Default Account Group" # change this name if you want to map the account to a different existing account group
}

# To create a new account group instead
# resource "prismacloud_account_group" "new_account_group" {
#   name = "MyNewAccountGroup" # account group name to be created
# }

Example 2 : AWS Account Onboarding Terraform code 

  • The parameters for the Prisma Cloud provider are taken from the following locations, in order of preference:
  1. Any parameters specified explicitly in the provider block. A provider block is where we define the credentials used to authenticate with the corresponding Terraform provider.

Example:

provider "prismacloud" {
    url      = var.url
    username = var.username
    password = var.password
}

  2. From the parameter's environment variable, where applicable.
  3. From the JSON config file, if specified.

Note : As a security best practice, it is recommended not to code credentials into the main.tf file. Hence, the values of the variables url, username & password will be defined in a separate file called variables.tf in the same working directory.



variable "url" {
  default = "<stack>"
}

variable "username" {
  default = "<access key>"
}

variable "password" {
  default = "<secret access key>"
}

Example 3 : Variables.tf reference Terraform code 



  • Configuration for the AWS Provider can be derived from several sources, which are applied in the following order:
  1. Parameters in the provider configuration
  2. Environment variables
  3. Shared credentials files
  4. Shared configuration files
  5. Container credentials
  6. Instance profile credentials and region

Note : In this article, we will use the “Parameters in the provider configuration” method for authentication.
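A pre-commit check that a practitioner would want before this configuration goes into version control, added here as an example and not part of the article or the Prisma Cloud provider: it scans Terraform source for literal credential values, covering both the access_key/secret_key literals in the aws provider block above and default values in variable blocks (a default in variables.tf is still a credential stored on disk, which the environment-variable method listed above avoids). The SAMPLE_TF text is constructed for the demonstration.

```python
import re

# Attribute names that must never carry a string literal in checked-in .tf files.
SENSITIVE_KEYS = {"password", "username", "access_key", "secret_key"}
# Block opener, e.g. 'provider "aws" {' or 'data "prismacloud_account_group" "x" {'.
_BLOCK = re.compile(r'^\s*(\w+)\s+"([^"]+)"(?:\s+"[^"]+")?\s*\{')
# Attribute set to a string literal, e.g. '  secret_key = "xxxxxxxx"'.  References
# such as var.password or data.x.y are not quoted strings and never match.
_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')


def find_hardcoded_credentials(tf_source: str) -> list[tuple[int, str, str]]:
    """Return (line_number, attribute, enclosing_block) for every literal credential.
    Covers a sensitive attribute set to a string inside a provider block and a
    'default' string inside variable "<sensitive name>".  Lines beginning with
    '#' or '//' never match the regexes, so commented-out code is ignored."""
    findings = []
    block_kind = block_name = ""
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        if line.rstrip() == "}":  # an unindented brace closes a top-level block
            block_kind = block_name = ""
            continue
        opener = _BLOCK.match(line)
        if opener:
            block_kind, block_name = opener.group(1), opener.group(2)
            continue
        assign = _ASSIGN.match(line)
        if not assign:
            continue
        key, value = assign.group(1), assign.group(2)
        # default = "..." inside variable "password" is the same exposure as password = "...".
        effective = block_name if (block_kind == "variable" and key == "default") else key
        if effective in SENSITIVE_KEYS and value:
            findings.append((lineno, effective, f'{block_kind} "{block_name}"'))
    return findings


# Constructed sample mirroring the article's main.tf and variables.tf patterns.
SAMPLE_TF = """\
provider "prismacloud" {
  password = var.password
}
provider "aws" {
  region     = "us-east-1"
  access_key = "xxxxxxxx"
  secret_key = "xxxxxxxx"
}
variable "password" {
  default = "<secret access key>"
}
"""
```

Run it over every .tf file in the working directory and fail the commit on a non-empty result; the password = var.password line is not reported because the reference is not a string literal.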

 

Step 3 : 

  • Inspect the downloaded Terraform code and enable all the features required for onboarding. In this article, we use the default features, which are pre-enabled during onboarding (Misconfigurations (CSPM) and Threat Detection).

 

 

Step 4 : 

  • Replace the AWS account id in lines 31 & 50 of the above code (the account_id values in the prismacloud_aws_cft_generator data source and in the aws block of the prismacloud_cloud_account_v2 resource).
  • Replace the name to be used for the AWS account in line 49 (the name value in the aws block).
  • If you are using a pre-created account group, as the above code does, make sure to use the correct account group name in line 69 (replace “Default Account Group” in the prismacloud_account_group data source with the name of your pre-created account group).

 

Step 5 : 

  • Execute the Terraform code for onboarding an AWS account. 

  • Terraform init

% terraform init
Initializing the backend...
Initializing provider plugins...
- Installing paloaltonetworks/prismacloud v1.3.7...
- Installed paloaltonetworks/prismacloud v1.3.7 (signed by a HashiCorp partner, key ID D5D93F98EFA33E83)
- Using previously-installed hashicorp/aws v4.65.0

Example 5 : Terraform Init

 

 

 

  • Terraform Plan

% terraform plan
data.prismacloud_account_supported_features.prismacloud_supported_features: Reading...
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # aws_cloudformation_stack.prismacloud_iam_role_stack will be created
  + resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {
      + capabilities  = [
          + "CAPABILITY_NAMED_IAM",
        ]
      + id            = (known after apply)
      + name          = "PrismaCloudApp"
      + outputs       = (known after apply)
      + parameters    = (known after apply)
      + policy_body   = (known after apply)
      + tags_all      = (known after apply)
      + template_body = (known after apply)
      + template_url  = "xxxxxxxx"
    }

  # prismacloud_cloud_account_v2.aws_account_onboarding_example will be created
  + resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {
      + disable_on_destroy = true
      + id                 = (known after apply)

      + aws {
          + account_id                   = "xxxxxxxx"
          + account_type                 = "account"

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + external_id          = "xxxxxxxxxx"
  + iam_role             = (known after apply)
  + s3_presigned_cft_url = "xxxxxxxxx"

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

Example 6 : Terraform Plan (Truncated Output)

 

 

  • Terraform Apply

% terraform apply
data.prismacloud_account_group.existing_account_group_id: Reading...
Terraform will perform the following actions:

  # aws_cloudformation_stack.prismacloud_iam_role_stack will be created
  + resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {
      + capabilities  = [
          + "CAPABILITY_NAMED_IAM",
        ]
    }

  # prismacloud_cloud_account_v2.aws_account_onboarding_example will be created
  + resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {
      + disable_on_destroy = true
      + id                 = (known after apply)

      + aws {
          + account_id                   = "xxxxxxxxxx"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:
  + external_id          = "xxxxxxxxx"
  + iam_role             = (known after apply)
  + s3_presigned_cft_url = "xxxxxxxxx"

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aws_cloudformation_stack.prismacloud_iam_role_stack: Creating...
Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Example 7 : Terraform Apply (Truncated Output)

 

Step 6 : 

After the “terraform apply” run completes, a stack will have been created in AWS CloudFormation. Navigate to AWS — Services — CloudFormation — Stacks to verify the newly created stack.

Figure 7

Example 8 : AWS CloudFormation Stack

 

 

Step 7 : 

Verify the Prisma Cloud IAM role created in AWS IAM. Navigate to AWS — Services — IAM — Roles to verify the IAM role created for Prisma Cloud.

Figure 8

Example 9 : AWS IAM Role for Prisma Cloud
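Beyond seeing the role in the console, the trust policy is what decides who may assume it. The following check, added as an example and not part of the article or the Prisma Cloud provider, verifies that the role's trust policy grants sts:AssumeRole to exactly one principal and only when the caller presents the external id that Terraform reported in the external_id output; the external id, the principal ARN, the role name and the sample policy are constructed placeholders.

```python
# Constructed sample values; replace them with the real ones from your deployment.
EXPECTED_EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"          # the external_id Terraform output
PRISMA_PRINCIPAL = "arn:aws:iam::111111111111:root"   # placeholder for the Prisma Cloud principal


def trust_policy_issues(policy: dict, expected_external_id: str, expected_principal: str) -> list[str]:
    """Return the problems found in an IAM role trust (AssumeRolePolicy) document.
    A correctly scoped cross-account role allows sts:AssumeRole only to the expected
    principal and only when the caller presents the expected external id."""
    issues = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not {"sts:AssumeRole", "sts:*"} & set(actions):
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS", []) if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        if "*" in principals:
            issues.append("sts:AssumeRole is granted to any AWS principal")
        elif set(principals) != {expected_principal}:
            issues.append(f"unexpected principal(s): {principals}")
        external_id = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if external_id is None:
            issues.append("no sts:ExternalId condition: confused-deputy protection is missing")
        elif external_id != expected_external_id:
            issues.append("sts:ExternalId does not match the Terraform external_id output")
    return issues


def check_live_role(role_name: str, expected_external_id: str, expected_principal: str) -> list[str]:
    """Fetch the role's trust policy with boto3 and check it (needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample below runs without boto3
    role = boto3.client("iam").get_role(RoleName=role_name)["Role"]
    return trust_policy_issues(role["AssumeRolePolicyDocument"], expected_external_id, expected_principal)


# Constructed trust policy in the usual cross-account shape (one principal plus an ExternalId condition).
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": PRISMA_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXPECTED_EXTERNAL_ID}},
    }],
}
```

For the live check, take the role name from the last path segment of the PrismaCloudRoleARN stack output and the external id from terraform output external_id.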

 

 

Step 8 : 

Verify that the AWS account is fully onboarded in the Prisma Cloud UI. Log in to the Prisma Cloud console and navigate to Settings — Cloud Accounts to verify the newly onboarded AWS cloud account.

Figure 9

Example 10 : Prisma Cloud Account Onboarding

 

Conclusion 

Terraform is a widely used tool for automating, deploying & managing your cloud infrastructure. It provides flexibility and allows users to deploy resources in a matter of minutes. 

Palo Alto Networks Prisma Cloud provides a Terraform provider for managing resources on the Prisma Cloud platform. Since new features are added with every version, it is always useful to use the latest version of the Prisma Cloud provider available from the Prisma Cloud Terraform Registry.

 

About the Author

Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages his multi-industry knowledge to inspire success.



 
