Aviatrix Terraform module for firenet deployment in multiple clouds, to be used in conjunction with mc-transit module.
| Module version | Terraform version | Controller version | Terraform provider version | mc-transit module version |
|---|---|---|---|---|
| v1.1.1 | >=1.1.0 | ~> 6.7.1186 | ~> 2.22.0 | ~> v2.1.0 |
Check release notes for more details. Check Compatibility list for older versions.
module "mc_transit" {
source = "terraform-aviatrix-modules/mc-transit/aviatrix"
version = "v2.1.3"
cloud = "AWS"
cidr = "10.1.0.0/23"
region = "eu-central-1"
account = "AWS"
enable_transit_firenet = true
}
module "firenet_1" {
source = "terraform-aviatrix-modules/mc-firenet/aviatrix"
version = "v1.1.1"
transit_module = module.mc_transit
firewall_image = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"
}
The following variables are required:
| key | value |
|---|---|
| firewall_image | The firewall image to be used to deploy the NGFW's. Use "aviatrix" to deploy Aviatrix FQDN egress filtering GW's (AWS/Azure/GCP). |
| transit_module | Refer to the mc-transit module that built the transit. This module plugs directly into it's output to build firenet on top of it. |
The following variables are optional:
= AWS, 
= Azure, 
= GCP, 
= OCI, 
= Alibaba
| Key | Supported_CSP's | Default value | Description |
|---|---|---|---|
| associated |     |
true | Associate firewalls with transit gateway. |
| attached | |
true | Attach firewall instances. |
| bootstrap_bucket_name_1 | |
Name of bootstrap bucket to pull firewall config from. (If bootstrap_bucket_name_2 is not set, this will used for all NGFW instances) | |
| bootstrap_bucket_name_2 | |
Name of bootstrap bucket to pull firewall config from. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| bootstrap_storage_name_1 | |
null | Storagename to get bootstrap files from (PANW only). (If bootstrap_storage_name_2 is not set, this will used for all NGFW instances) |
| bootstrap_storage_name_2 | |
null | Storagename to get bootstrap files from (PANW only) (Only used when HA FW instance is deployed) |
| custom_fw_names | |
[] | If set, the NGFW instances will be deployed with the names provided in this list. First half of the list for instances in az1, second half for az2. |
| east_west_inspection_excluded_cidrs | |
Network List Excluded From East-West Inspection. | |
| egress_cidr | |
CIDR For Egress VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. | |
| egress_enabled | |
false | Enable/disable internet egress via NGFW. |
| egress_static_cidrs | |
[] | List of egress static CIDRs. Egress is required to be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
| fail_close_enabled | |
false | Set to true to enable fail close |
| file_share_folder_1 | |
null | Name of the folder containing the bootstrap files (PANW only) (If file_share_folder_2 is not set, this will used for all NGFW instances) |
| file_share_folder_2 | |
null | Name of the folder containing the bootstrap files (PANW only) (Only used when HA FW instance is deployed) |
| firewall_image_id | |
Firewall image ID. Applicable to AWS and Azure only. For AWS, please use AMI ID. For Azure, the format is “Publisher:Offer:Plan:Version”. | |
| firewall_image_version | |
When not provided, latest available will be used. | |
| fw_amount | |
The amount of NGFW instances to deploy. These will be deployed accross multiple AZ's. Amount must be even and only applies when transit is HA. | |
| iam_role_1 | |
IAM Role used to access bootstrap bucket. (If iam_role_2 is not set, this will used for all NGFW instances) | |
| iam_role_2 | |
IAM Role used to access bootstrap bucket. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| inspection_enabled | |
true | Enable/disable east/west + north/south inspection via NGFW. |
| instance_size | |
c5.xlarge Standard_D3_v2 n1-standard-4 VM.Standard2.4 |
Size of the NGFW instances |
| keep_alive_via_lan_interface_enabled | |
False | Enable Keep Alive via Firewall LAN Interface. |
| mgmt_cidr | |
CIDR For Management VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true and deploying Palo Alto NGFW. | |
| password | |
Aviatrix#1234 | Default initial password for firewall instances |
| storage_access_key_1 | |
null | Storage_access_key to access bootstrap storage (PANW only) (If storage_access_key_2 is not set, this will used for all NGFW instances) |
| storage_access_key_2 | |
null | Storage_access_key to access bootstrap storage (PANW only) (Only used when HA FW instance is deployed) |
| tags | |
Map of tags to assign to the firewall or FQDN egress gw's. | |
| use_gwlb | |
Deploy firenet using the AWS GWLB. | |
| user_data_1 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. | |
| user_data_2 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. If not set, user_data_1 will be used. | |
| username | |
fwadmin | Applicable to Azure or AzureGov deployment only. "admin" as a username is not accepted. (For Checkpoint it is always admin) |
This module will return the following objects:
| key | description |
|---|---|
| aviatrix_firenet | The created Aviatrix firenet object with all of it's attributes. |
| aviatrix_firewall_instance | A list of the created firewall instances and their attributes. |
When using a firewall_image string that does not exist, a data lookup will fail and throw the error below. Make sure you are using a valid firewall_image. These can differ between clouds. Check the Aviatrix controller UI to see available firewall images.
│ Error: Invalid index
│
│ on variables.tf line 172:
│ (source code not available)
│
│ The given key does not identify an element in this collection value: the collection has no elements.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent