AWS Account Onboarding using Prisma Cloud Terraform Provider

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
L2 Linker
No ratings

By Muhammad Rehan , Customer Success Engineer Team Lead, CSPM West

 

Introduction 

 

Many organizations have to create, read, update, and delete their cloud infrastructure. Terraform is an easy way to provision and deploy Infrastructure resources such as servers, databases, network components, etc. 

 

By using Terraform, you no longer have to log in nor navigate and set up all your settings manually in the Prisma Cloud console. You can now just simply create a Terraform configuration and efficiently apply it directly in a command line.

 

In this article, we would like to illustrate how you can onboard your AWS accounts using Prisma Cloud Terraform provider.


Step 1 : 

  • Install Terraform on your workstation. 

Note: Terraform can be downloaded as a single binary or an executable file from the Terraform download section:  www.terraform.io

 

Follow these steps to download and install Terraform on MAC.

 

% wget https://releases.hashicorp.com/terraform/0.13.0/terraform_0.13.0_linux_amd64.zip

% unzip terraform_0.13.0_linux_amd64.zip

% mv terraform /usr/local/bin

% terraform version

Terraform v1.3.4

On darwin_amd64

 

This last command verifies that you have successfully installed Terraform, and provides the version of Terraform that you are running.

Example 1 : Terraform Installation 

 

For installation on other operating systems, please refer to Install Terraform Guidelines

 

Step 2 : 

  • Use the following code for AWS Account Onboarding:

 

terraform {

  required_providers {

    prismacloud = {

      source = "PaloAltoNetworks/prismacloud"

      version = "1.3.7"

    }

  }

}

 

provider "prismacloud" {

    url = var.url

    username = var.username

    password = var.password

}

 

provider "aws" {

  region = "us-east-1"

  access_key = "xxxxxxxx"

  secret_key = "xxxxxxxx"

}

 

# Fetch Supported Features

data "prismacloud_account_supported_features" "prismacloud_supported_features" {

    cloud_type = "aws"

    account_type = "account"

}

 

# Fetch AWS CFT s3 presigned url based on required features

data "prismacloud_aws_cft_generator" "prismacloud_account_cft" {

    account_type = "account"

    account_id = "xxxxxxx"

    features = data.prismacloud_account_supported_features.prismacloud_supported_features.supported_features

}

 

# Create the IAM Role AWS CloudFormation Stack using S3 presigned cft url 

  resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {

  name = "PrismaCloudApp" // change if needed

  capabilities = ["CAPABILITY_NAMED_IAM"]

#   parameters { // optional

#     PrismaCloudRoleName="" 

#   }

  template_url = data.prismacloud_aws_cft_generator.prismacloud_account_cft.s3_presigned_cft_url

}

 

# Onboard the cloud account onto Prisma Cloud platform

resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {

    disable_on_destroy = true

    aws {

        name = "myAwsAccountName" // should be unique for each account

        account_id = "xxxxxxxxxx"

        group_ids = [

            data.prismacloud_account_group.existing_account_group_id.group_id,// To use existing Account Group

            // prismacloud_account_group.new_account_group.group_id, // To create new Account group

        ]

        role_arn = "${aws_cloudformation_stack.prismacloud_iam_role_stack.outputs.PrismaCloudRoleARN}" // IAM role arn from prismacloud_iam_role_stack resource

        // features {              // feature names from prismacloud_supported_features data source

        //     name = "Remediation" // To enable Remediation also known as Monitor and Protect

        //     state = "enabled"

        // }

        // features {

        //     name = "Agentless Scanning" // To enable 'Agentless Scanning' feature if required.

        //     state = "enabled"

        // }

    }

}

 

// Retrieve existing account group name id

data "prismacloud_account_group" "existing_account_group_id" {

    name = "Default Account Group" // If you already have an account group that you wish to map the account then change the account group name, 

}

 

// To create a new account group

# resource "prismacloud_account_group" "new_account_group" {

#     name = "MyNewAccountGroup" // Account group name to be created

# }

 

Example 2 : AWS Account Onboarding Terraform code 

  • The parameters for Prisma Cloud providers are taken from the following locations, in order of preference:
  1. Any parameters specified explicitly in the provider block . A provider block is where we define credentials to authenticate with the corresponding Terraform provider.

Example:

provider "prismacloud" {

    url = var.url

    username = var.username

    password = var.password

}

2. From the parameter's environment variable, where applicable.

 

3. From the JSON config file, if specified.

 

Note : As a best security practice, it is recommended not to code credentials in the main.tf file. Hence, the values of all the variables url, username & password will be defined in a separate file called variables.tf in the same working directory.



variable "url" {

  default = "<stack>"

}

 

variable "username" {

  default = "<access key>"

}

 

variable "password" {

  default = "<secret access key>"

}

Example 3 : Variables.tf reference Terraform code 



  • Configuration for the AWS Provider can be derived from several sources, which are applied in the following order:
  1. Parameters in the provider configuration
  2. Environment variables
  3. Shared credentials files
  4. Shared configuration files
  5. Container credentials
  6. Instance profile credentials and region

Note : In this article, we will use “Parameters in the provider configuration” method for authentication.

 

Step 3 : 

  • Inspect the downloaded Terraform code and enable all the required features for onboarding. In this article, we use default features which are pre-enabled while onboarding (Misconfigurations (CSPM), Threat Detection)

 

 

Step 4 : 

  • Replace the AWS account id in line 31 & 50 in above code.
  • Replace the name to be used for AWS account in line 49.
  • If you are using pre-created account groups like the above code, make sure to use correct account group name in line 69 (Replace “Default Account Group” with the account name of your pre-created account group)

 

Step 5 : 

 

  • Execute the Terraform code for onboarding an AWS account. 

 

 

  • Terraform init

% terraform init

Initializing the backend...

Initializing provider plugins...

- Installing paloaltonetworks/prismacloud v1.3.7...

- Installed paloaltonetworks/prismacloud v1.3.7 (signed by a HashiCorp partner, key ID D5D93F98EFA33E83)

- Using previously-installed hashicorp/aws v4.65.0

Example 5 : Terraform Init

 

 

 

  • Terraform Plan

% terraform plan

data.prismacloud_account_supported_features.prismacloud_supported_features: Reading...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

  + create

 

Terraform will perform the following actions:

 

  # aws_cloudformation_stack.prismacloud_iam_role_stack will be created

  + resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {

      + capabilities  = [

          + "CAPABILITY_NAMED_IAM",

        ]

      + id            = (known after apply)

      + name          = "PrismaCloudApp"

      + outputs       = (known after apply)

      + parameters    = (known after apply)

      + policy_body   = (known after apply)

      + tags_all      = (known after apply)

      + template_body = (known after apply)

      + template_url  = "xxxxxxxx"

    }

 

  # prismacloud_cloud_account_v2.aws_account_onboarding_example will be created

  + resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {

      + disable_on_destroy = true

      + id                 = (known after apply)

 

      + aws {

          + account_id                   = "xxxxxxxx"

          + account_type                 = "account"

 

Plan: 2 to add, 0 to change, 0 to destroy.

Changes to Outputs:

  + external_id          = "xxxxxxxxxx"

  + iam_role             = (known after apply)

  + s3_presigned_cft_url = "xxxxxxxxx"

 

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.

Example 6 : Terraform Plan (Truncated Output)

 

 

  • Terraform Apply

 

% terraform apply

data.prismacloud_account_group.existing_account_group_id: Reading...

Terraform will perform the following actions:

 

  # aws_cloudformation_stack.prismacloud_iam_role_stack will be created

  + resource "aws_cloudformation_stack" "prismacloud_iam_role_stack" {

      + capabilities  = [

          + "CAPABILITY_NAMED_IAM",

        ]

    }

 

  # prismacloud_cloud_account_v2.aws_account_onboarding_example will be created

  + resource "prismacloud_cloud_account_v2" "aws_account_onboarding_example" {

      + disable_on_destroy = true

      + id                 = (known after apply)

 

      + aws {

          + account_id                   = "xxxxxxxxxx"

    }

 

Plan: 2 to add, 0 to change, 0 to destroy.

 

Changes to Outputs:

  + external_id          = "xxxxxxxxx"

  + iam_role             = (known after apply)

  + s3_presigned_cft_url = "xxxxxxxxx"

 

Do you want to perform these actions?

  Terraform will perform the actions described above.

  Only 'yes' will be accepted to approve.

 

  Enter a value: yes

 

aws_cloudformation_stack.prismacloud_iam_role_stack: Creating...

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

Example 7 : Terraform Apply 

 

Step 6 : 

After “Terraform apply” execution is complete, there will be a stack created on AWS cloud formation. Navigate to AWS — Services — Cloud Formation — Stacks to verify the newly created stack.

 

 

 

figure 7.jpg

Example 8 : AWS Cloud Formation Stack_palo-alto-networks

 

 

Step 7 : 

Verify the Prisma Cloud IAM role created on AWS IAM. Navigate to AWS — Services — IAM — Roles to verify the IAM role created for Prisma Cloud.

 

 

 

Figure 8.jpg

Example 9 : AWS IAM Role for Prisma Cloud_palo-alto-networks

 

 

Step 8 : 

Verify the AWS Account is fully onboarded on Prisma Cloud UI. Login to Prisma Cloud console & navigate to Settings — Cloud Accounts to verify the newly onboarded AWS cloud account

 

 

 

 

Figure 9.jpg

Example 10 : Prisma Cloud Account Onboarding_palo-alto-networks

 

Conclusion 

Terraform is a widely used tool for automating, deploying & managing your cloud infrastructure. It provides flexibility and allows users to deploy the resources in a matter of minutes. 

 

Palo Alto Networks Prisma Cloud is a provider which supports Terraform for managing resources on the Prisma Cloud Platform. Since new features are added as part of every version, it is  always useful to use the latest version available for the Prisma Cloud provider via Prisma Cloud Terraform Registry

 

About the Author

Muhammad Rehan is a Customer Success consultant specializing in Cloud Security Posture Management, Next-Generation Firewall, AWS, Azure, GCP, containers and Kubernetes. Rehan uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverage his multi industry knowledge to inspire success.



 

Rate this article:
(1)
  • 4008 Views
  • 0 comments
  • 2 Likes
Register or Sign-in
Contributors
Labels
Article Dashboard
Version history
Last Updated:
‎09-19-2023 11:02 AM
Updated by: