Aviatrix Terraform module for firenet deployment in multiple clouds, to be used in conjunction with mc-transit module.
Module version | Terraform version | Controller version | Terraform provider version | mc-transit module version |
---|---|---|---|---|
v1.1.1 | >=1.1.0 | ~> 6.7.1186 | ~> 2.22.0 | ~> v2.1.0 |
Check release notes for more details. Check Compatibility list for older versions.
```hcl
module "mc_transit" {
  source  = "terraform-aviatrix-modules/mc-transit/aviatrix"
  version = "v2.1.3"

  cloud                  = "AWS"
  cidr                   = "10.1.0.0/23"
  region                 = "eu-central-1"
  account                = "AWS"
  enable_transit_firenet = true
}

module "firenet_1" {
  source  = "terraform-aviatrix-modules/mc-firenet/aviatrix"
  version = "v1.1.1"

  transit_module = module.mc_transit
  firewall_image = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"
}
```
The following variables are required:

key | value |
---|---|
firewall_image | The firewall image used to deploy the NGFWs. Use "aviatrix" to deploy Aviatrix FQDN egress filtering gateways instead (AWS/Azure/GCP). |
transit_module | Reference to the mc-transit module that built the transit. This module plugs directly into its output to build FireNet on top of it. |
The following variables are optional:

Key | Default value | Description |
---|---|---|
associated | true | Associate the firewalls with the transit gateway. |
attached | true | Attach the firewall instances. |
bootstrap_bucket_name_1 | | Name of the bootstrap bucket to pull the firewall config from. If bootstrap_bucket_name_2 is not set, this is used for all NGFW instances. |
bootstrap_bucket_name_2 | | Name of the bootstrap bucket to pull the firewall config from. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true; applies to the "even" FW instances (2, 4, 6, etc.). |
bootstrap_storage_name_1 | null | Storage name to get the bootstrap files from (PANW only). If bootstrap_storage_name_2 is not set, this is used for all NGFW instances. |
bootstrap_storage_name_2 | null | Storage name to get the bootstrap files from (PANW only). Only used when an HA FW instance is deployed. |
custom_fw_names | [] | If set, the NGFW instances are deployed with the names in this list: the first half of the list for the instances in az1, the second half for az2. |
east_west_inspection_excluded_cidrs | | List of networks excluded from east-west inspection. |
egress_cidr | | CIDR for the egress VPC for GCP FireNet. Only required when deploying in GCP and enable_transit_firenet is true. |
egress_enabled | false | Enable/disable internet egress via the NGFW. |
egress_static_cidrs | [] | List of egress static CIDRs. Requires egress_enabled to be true. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
fail_close_enabled | false | Set to true to enable fail close. |
file_share_folder_1 | null | Name of the folder containing the bootstrap files (PANW only). If file_share_folder_2 is not set, this is used for all NGFW instances. |
file_share_folder_2 | null | Name of the folder containing the bootstrap files (PANW only). Only used when an HA FW instance is deployed. |
firewall_image_id | | Firewall image ID. Applicable to AWS and Azure only. For AWS, use the AMI ID. For Azure, the format is "Publisher:Offer:Plan:Version". |
firewall_image_version | | Firewall image version. When not provided, the latest available version is used. |
fw_amount | | Number of NGFW instances to deploy. These are spread across multiple AZs. The amount must be even and only applies when the transit is HA. |
iam_role_1 | | IAM role used to access the bootstrap bucket. If iam_role_2 is not set, this is used for all NGFW instances. |
iam_role_2 | | IAM role used to access the bootstrap bucket. Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true; applies to the "even" FW instances (2, 4, 6, etc.). |
inspection_enabled | true | Enable/disable east/west + north/south inspection via the NGFW. |
instance_size | c5.xlarge (AWS), Standard_D3_v2 (Azure), n1-standard-4 (GCP), VM.Standard2.4 (OCI) | Size of the NGFW instances. |
keep_alive_via_lan_interface_enabled | false | Enable keep-alive via the firewall LAN interface. |
mgmt_cidr | | CIDR for the management VPC for GCP FireNet. Only required when deploying in GCP with enable_transit_firenet set to true and a Palo Alto NGFW. |
password | Aviatrix#1234 | Default initial password for the firewall instances. This default is publicly documented; override it with a secret value. |
storage_access_key_1 | null | Storage access key used to access the bootstrap storage (PANW only). If storage_access_key_2 is not set, this is used for all NGFW instances. Treat it as a secret. |
storage_access_key_2 | null | Storage access key used to access the bootstrap storage (PANW only). Only used when an HA FW instance is deployed. Treat it as a secret. |
tags | | Map of tags to assign to the firewalls or FQDN egress gateways. |
use_gwlb | | Deploy FireNet using the AWS GWLB. |
user_data_1 | | User data to bootstrap a FortiGate or Check Point firewall. |
user_data_2 | | User data to bootstrap a FortiGate or Check Point firewall. If not set, user_data_1 is used. |
username | fwadmin | Applicable to Azure or AzureGov deployments only. "admin" is not accepted as a username. (For Check Point it is always admin.) |
This module returns the following objects:

key | description |
---|---|
aviatrix_firenet | The created Aviatrix FireNet object with all of its attributes. |
aviatrix_firewall_instance | A list of the created firewall instances and their attributes. |
When a firewall_image string that does not exist is used, the data lookup fails with the error below. Make sure you are using a valid firewall_image; the names differ between clouds. Check the Aviatrix controller UI to see the available firewall images.

```text
│ Error: Invalid index
│
│ on variables.tf line 172:
│ (source code not available)
│
│ The given key does not identify an element in this collection value: the collection has no elements.
```