From c9111f9e5b2ab628f155a1f8112ebf893b99fa2f Mon Sep 17 00:00:00 2001 From: michalbil Date: Wed, 2 Oct 2024 03:39:26 +0200 Subject: [PATCH] feat(examples): Add sample configuration for SCM --- examples/multi_nic_common/README.md | 12 ++++++-- examples/multi_nic_common/example.tfvars | 28 +++++++++++++++---- .../README.md | 8 +++++- .../example.tfvars | 26 +++++++++++++++-- examples/vmseries_ha/README.md | 12 ++++++-- examples/vmseries_ha/example.tfvars | 28 +++++++++++++++---- examples/vpc_peering_common/README.md | 12 ++++++-- examples/vpc_peering_common/example.tfvars | 28 +++++++++++++++---- .../vpc_peering_common_dual_stack/README.md | 8 ++++++ .../example.tfvars | 28 +++++++++++++++---- .../README.md | 8 ++++++ .../example.tfvars | 17 ++++++++++- .../README.md | 12 ++++++-- .../example.tfvars | 28 +++++++++++++++---- examples/vpc_peering_dedicated/README.md | 12 ++++++-- examples/vpc_peering_dedicated/example.tfvars | 28 +++++++++++++++---- .../README.md | 8 ++++++ .../example.tfvars | 17 ++++++++++- 18 files changed, 268 insertions(+), 52 deletions(-) diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md index 2164287..fd1ba36 100644 --- a/examples/multi_nic_common/README.md +++ b/examples/multi_nic_common/README.md 
@@ -29,6 +29,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -59,10 +67,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 77 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 77 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/multi_nic_common/example.tfvars b/examples/multi_nic_common/example.tfvars index d551ddc..cdbf5c8 100644 --- a/examples/multi_nic_common/example.tfvars +++ b/examples/multi_nic_common/example.tfvars 
@@ -176,8 +176,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -195,9 +211,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 spoke1_gcp_router_ip = "10.10.12.1"
@@ -256,9 +272,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 spoke1_gcp_router_ip = "10.10.12.1"
diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/README.md b/examples/standalone_vmseries_with_metadata_bootstrap/README.md
index 0aa3452..d6b1060 100644
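Review bot: `dgname` and `panorama-server` are present in both the commented-out Panorama section and the commented-out SCM section added to `vmseries_common.bootstrap_options`, and nothing in the file stops a reader from uncommenting both, which yields the same key twice in one object and, as far as I recall, a duplicate-key error from HCL rather than a merge. A guard comment above the first section would prevent that: `## Enable exactly ONE of the two sections below - they share the dgname and panorama-server keys.`. The `vm-auth-key`, `authcode` and `vm-series-auto-registration-pin-value` entries are credentials once filled in, so the TODO line should also say they belong in a separate, uncommitted tfvars file rather than being edited in place in this example. The same layout is repeated in the vmseries_ha, vpc_peering_common, vpc_peering_common_dual_stack, vpc_peering_common_with_network_tags, vpc_peering_dedicated and standalone_vmseries_with_metadata_bootstrap example.tfvars hunks. The enclosing `vmseries_common` block starts before the hunk.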
--- a/examples/standalone_vmseries_with_metadata_bootstrap/README.md +++ b/examples/standalone_vmseries_with_metadata_bootstrap/README.md @@ -5,7 +5,13 @@ show_in_hub: false A Terraform module example for deploying a VM-Series NGFW in GCP using the [metadata](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/choose-a-bootstrap-method#idf6412176-e973-488e-9d7a-c568fe1e33a9) bootstrap method. -This example can be used to familarize oneself with both the VM-Series NGFW and Terraform - it creates a single instance of virtualized firewall in a Security VPC with a management-only interface and lacks any traffic inspection. +This example can be used to familarize oneself with both the VM-Series NGFW and Terraform - by default the deployment creates a single instance of virtualized firewall in a Security VPC with a management-only interface and lacks any traffic inspection. + +## Bootstrap + +By default, only basic bootstrap parameters are enabled. The example also provides sample settings that can be used to register the firewall to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections in `bootstrap_options` parameter. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. ## Reference diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars index e0b93e6..d7d64ee 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars +++ b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars 
@@ -45,9 +45,29 @@ vmseries = {
 "https://www.googleapis.com/auth/monitoring.write",
 ]
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ type = "dhcp-client"
+ dhcp-accept-server-hostname = "yes"
+ dhcp-accept-server-domain = "yes"
+ dhcp-send-hostname = "yes"
+ dhcp-send-client-id = "yes"
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 named_ports = [
 {
diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md
index 9971342..61a26c2 100644
--- a/examples/vmseries_ha/README.md
+++ b/examples/vmseries_ha/README.md
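Review bot: This example delivers `bootstrap_options` through instance metadata (per the example's name and its README), so once either the Panorama or the SCM section is uncommented, `vm-auth-key`, `authcode` and `vm-series-auto-registration-pin-value` end up in metadata that is readable by every principal allowed to view the instance, not only by the firewall itself. The TODO comment at the top of the block should state this explicitly, for example `# NOTE: values in this map are written to instance metadata; treat vm-auth-key, authcode and the SCM PIN value as secrets and supply them from an uncommitted tfvars file.`. The `vmseries` block starts before the hunk and continues after it.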
@@ -55,6 +55,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -85,10 +93,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 96 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 96 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vmseries_ha/example.tfvars b/examples/vmseries_ha/example.tfvars index a083328..7ce510b 100644 --- a/examples/vmseries_ha/example.tfvars +++ b/examples/vmseries_ha/example.tfvars 
@@ -239,8 +239,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -258,9 +274,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
@@ -321,9 +337,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md
index ac20070..7c81ab0 100644
--- a/examples/vpc_peering_common/README.md
+++ b/examples/vpc_peering_common/README.md @@ -53,6 +53,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -83,10 +91,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 96 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 96 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_common/example.tfvars b/examples/vpc_peering_common/example.tfvars index 49d9257..8c79d9a 100644 --- a/examples/vpc_peering_common/example.tfvars +++ b/examples/vpc_peering_common/example.tfvars 
@@ -215,8 +215,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -234,9 +250,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
@@ -288,9 +304,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
diff --git a/examples/vpc_peering_common_dual_stack/README.md b/examples/vpc_peering_common_dual_stack/README.md
index 59d86fa..a5d73e2 100644
--- a/examples/vpc_peering_common_dual_stack/README.md +++ b/examples/vpc_peering_common_dual_stack/README.md @@ -77,6 +77,14 @@ The following steps should be followed before deploying the Terraform code prese 2. Configure the Terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) 3. Install `gcloud` beta components: `gcloud components install beta` +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project diff --git a/examples/vpc_peering_common_dual_stack/example.tfvars b/examples/vpc_peering_common_dual_stack/example.tfvars index 6825e4a..3d7d219 100644 --- a/examples/vpc_peering_common_dual_stack/example.tfvars +++ b/examples/vpc_peering_common_dual_stack/example.tfvars 
@@ -276,8 +276,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -295,9 +311,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
@@ -354,9 +370,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
diff --git a/examples/vpc_peering_common_with_autoscale/README.md b/examples/vpc_peering_common_with_autoscale/README.md
index 9885f98..45a1a49 100644
--- a/examples/vpc_peering_common_with_autoscale/README.md +++ b/examples/vpc_peering_common_with_autoscale/README.md @@ -42,6 +42,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project diff --git a/examples/vpc_peering_common_with_autoscale/example.tfvars b/examples/vpc_peering_common_with_autoscale/example.tfvars index 2573804..8bad7d1 100644 --- a/examples/vpc_peering_common_with_autoscale/example.tfvars +++ b/examples/vpc_peering_common_with_autoscale/example.tfvars 
@@ -248,14 +248,29 @@ autoscale = {
 }
 }
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 dhcp-send-hostname = "yes"
 dhcp-send-client-id = "yes"
 dhcp-accept-server-hostname = "yes"
 dhcp-accept-server-domain = "yes"
 mgmt-interface-swap = "enable"
- panorama-server = "1.1.1.1"
 ssh-keys = "admin:" # Replace this value with client data
+
+ # Panorama based bootstrap.
+ panorama-server = "1.1.1.1"
+ panorama-server-2 = "2.2.2.2"
+ tplname = "example-template"
+ dgname = "example-device-group"
+ vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 network_interfaces = [
 {
diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md
index e4f81f1..9a27248 100644
--- a/examples/vpc_peering_common_with_network_tags/README.md
+++ b/examples/vpc_peering_common_with_network_tags/README.md
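Review bot: Unlike every other example in this commit, the Panorama section added under `autoscale.bootstrap_options` is active rather than commented out, so `panorama-server-2 = "2.2.2.2"`, `tplname`, `dgname` and `vm-auth-key = "example-123456789"` are live placeholder values that an unmodified `terraform apply` pushes to every scaled-out firewall, and the new README text for this example ("commented out sample settings", `vmseries_common.bootstrap_options`) does not describe this file. The active `dgname` and `panorama-server` also collide with the same keys in the SCM section the moment a reader uncomments it, giving a duplicate key in one object. Either comment the block out to match the others (`## Panorama based bootstrap.` / `# panorama-server = "1.1.1.1"` …) or, if it must stay active, use RFC 5737 documentation addresses such as `192.0.2.1` and `192.0.2.2` so a firewall booted from the example does not attempt Panorama registration against unrelated public hosts. The vpc_peering_dedicated_with_autoscale hunk has the same layout. The `autoscale` block starts before the hunk and continues after it.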
@@ -36,6 +36,14 @@ With default variable values the topology consists of : 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Build 1. Access Google Cloud Shell or any other environment which has access to your GCP project @@ -65,10 +73,10 @@ terraform apply -var-file=example.tfvars 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 115 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 115 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_common_with_network_tags/example.tfvars b/examples/vpc_peering_common_with_network_tags/example.tfvars index 4b95726..ac75763 100644 --- a/examples/vpc_peering_common_with_network_tags/example.tfvars +++ b/examples/vpc_peering_common_with_network_tags/example.tfvars 
@@ -210,8 +210,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -230,9 +246,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
@@ -285,9 +301,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md
index 0e1ebfb..891c21c 100644
--- a/examples/vpc_peering_dedicated/README.md
+++ b/examples/vpc_peering_dedicated/README.md @@ -49,6 +49,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Build 1. Access Google Cloud Shell or any other environment which has access to your GCP project @@ -79,10 +87,10 @@ terraform apply -var-file=example.tfvars 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 104 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 104 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_dedicated/example.tfvars b/examples/vpc_peering_dedicated/example.tfvars index 00e4d89..6b1d6d4 100644 --- a/examples/vpc_peering_dedicated/example.tfvars +++ b/examples/vpc_peering_dedicated/example.tfvars 
@@ -215,8 +215,24 @@ vmseries_common = {
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 mgmt-interface-swap = "enable"
+
+ ## Panorama based bootstrap.
+ # panorama-server = "1.1.1.1"
+ # panorama-server-2 = "2.2.2.2"
+ # tplname = "example-template"
+ # dgname = "example-device-group"
+ # vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 }
 
@@ -234,9 +250,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
@@ -286,9 +302,9 @@ vmseries = {
 ]
 bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
 bootstrap_options = {
- panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
- dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
- dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
+ # TODO: Modify the values below as per deployment requirements
+ dns-primary = "8.8.8.8"
+ dns-secondary = "8.8.4.4"
 }
 bootstrap_template_map = {
 trust_gcp_router_ip = "10.10.12.1"
diff --git a/examples/vpc_peering_dedicated_with_autoscale/README.md b/examples/vpc_peering_dedicated_with_autoscale/README.md
index fa8ca03..3cc4e17 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/README.md +++ b/examples/vpc_peering_dedicated_with_autoscale/README.md @@ -43,6 +43,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project diff --git a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars index 17708c0..630415b 100644 --- a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars +++ b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars 
@@ -248,14 +248,29 @@ autoscale = {
 }
 }
 bootstrap_options = {
+ # TODO: Modify the values below as per deployment requirements
 type = "dhcp-client"
 dhcp-send-hostname = "yes"
 dhcp-send-client-id = "yes"
 dhcp-accept-server-hostname = "yes"
 dhcp-accept-server-domain = "yes"
 mgmt-interface-swap = "enable"
- panorama-server = "1.1.1.1"
 ssh-keys = "admin:" # Replace this value with client data
+
+ # Panorama based bootstrap.
+ panorama-server = "1.1.1.1"
+ panorama-server-2 = "2.2.2.2"
+ tplname = "example-template"
+ dgname = "example-device-group"
+ vm-auth-key = "example-123456789"
+
+ ## SCM based bootstrap.
+ # panorama-server = "cloud"
+ # dgname = "example-scm-folder"
+ # vm-series-auto-registration-pin-id = "example-pin-id"
+ # vm-series-auto-registration-pin-value = "example-pin-value"
+ # authcode = "D123456"
+ # plugin-op-commands = "advance-routing:enable"
 }
 network_interfaces = [
 {