This repository has been archived by the owner on Feb 14, 2024. It is now read-only.

feat(module/panorama): Add disk type variable for Panorama (#176)
* Add disk type variable + bump up Checkov version

* Add validation + add disk type on logging disks

* Code reformat

* Fix error message

Co-authored-by: Pawel Imielowski <[email protected]>
pimielowski and Pawel Imielowski authored Aug 23, 2022
1 parent dba30eb commit 083a173
Showing 7 changed files with 24 additions and 4 deletions.
2 changes: 1 addition & 1 deletion .pre-commit-config.yaml
@@ -14,7 +14,7 @@ repos:
--args=--only=terraform_workspace_remote,
]
- repo: https://github.com/bridgecrewio/checkov.git
rev: '2.0.1075'
rev: '2.1.98'
hooks:
- id: checkov
verbose: true
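Review bot: the Checkov bump from 2.0.1075 to 2.1.98 is unrelated to the Panorama disk-type feature this commit adds; keeping a scanner upgrade in its own commit makes it easier to bisect if the newer Checkov version starts flagging existing resources. The `rev` stays pinned to an exact version rather than a branch, which is the right choice for a hook pulled from a third-party repository.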
1 change: 1 addition & 0 deletions examples/panorama/README.md
@@ -58,6 +58,7 @@ $ terraform apply
| <a name="input_firewall_mgmt_prefixes"></a> [firewall\_mgmt\_prefixes](#input\_firewall\_mgmt\_prefixes) | n/a | `list(string)` | <pre>[<br> "10.0.0.0/24"<br>]</pre> | no |
| <a name="input_location"></a> [location](#input\_location) | Region to deploy Panorama into. | `string` | `""` | no |
| <a name="input_network_security_groups"></a> [network\_security\_groups](#input\_network\_security\_groups) | Map of Network Security Groups to create. The key of each entry acts as the Network Security Group name.<br>List of available attributes of each Network Security Group entry:<br>- `location` : (Optional) Specifies the Azure location where to deploy the resource.<br>- `rules`: A list of objects representing a Network Security Rule. The key of each entry acts as the name of the rule and<br> needs to be unique across all rules in the Network Security Group.<br> List of attributes available to define a Network Security Rule:<br> - `priority` : Numeric priority of the rule. The value can be between 100 and 4096 and must be unique for each rule in the collection.<br> The lower the priority number, the higher the priority of the rule.<br> - `direction` : The direction specifies if rule will be evaluated on incoming or outgoing traffic. Possible values are `Inbound` and `Outbound`.<br> - `access` : Specifies whether network traffic is allowed or denied. Possible values are `Allow` and `Deny`.<br> - `protocol` : Network protocol this rule applies to. Possible values include `Tcp`, `Udp`, `Icmp`, or `*` (which matches all).<br> - `source_port_range` : List of source ports or port ranges.<br> - `destination_port_range` : Destination Port or Range. Integer or range between `0` and `65535` or `*` to match any.<br> - `source_address_prefix` : List of source address prefixes. 
Tags may not be used.<br> - `destination_address_prefix` : CIDR or destination IP range or `*` to match any IP.<br><br>Example:<pre>{<br> "network_security_group_1" = {<br> location = "Australia Central"<br> rules = {<br> "AllOutbound" = {<br> priority = 100<br> direction = "Outbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "*"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> },<br> "AllowSSH" = {<br> priority = 200<br> direction = "Inbound"<br> access = "Allow"<br> protocol = "Tcp"<br> source_port_range = "*"<br> destination_port_range = "22"<br> source_address_prefix = "*"<br> destination_address_prefix = "*"<br> }<br> }<br> },<br> "network_security_group_2" = {<br> rules = {}<br> }<br>}</pre> | `any` | n/a | yes |
| <a name="input_panorama_disk_type"></a> [panorama\_disk\_type](#input\_panorama\_disk\_type) | n/a | `string` | `"Standard_LRS"` | no |
| <a name="input_panorama_name"></a> [panorama\_name](#input\_panorama\_name) | n/a | `any` | n/a | yes |
| <a name="input_panorama_private_ip_address"></a> [panorama\_private\_ip\_address](#input\_panorama\_private\_ip\_address) | Optional static private IP address of Panorama, for example 192.168.11.22. If empty, Panorama uses dynamic assignment. | `string` | `null` | no |
| <a name="input_panorama_size"></a> [panorama\_size](#input\_panorama\_size) | n/a | `string` | `"Standard_D5_v2"` | no |
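Review bot: the new `panorama_disk_type` row renders its description as `n/a`, while the module-level variable documents the allowed values; add a `description` to the example's variable so this table tells readers that only Standard_LRS, StandardSSD_LRS, Premium_LRS and UltraSSD_LRS are accepted instead of leaving them to discover it from a validation error.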
1 change: 1 addition & 0 deletions examples/panorama/main.tf
@@ -68,6 +68,7 @@ module "panorama" {
avzones = var.avzones
enable_zones = var.enable_zones
custom_image_id = var.custom_image_id
panorama_disk_type = var.panorama_disk_type
panorama_sku = var.panorama_sku
panorama_size = var.panorama_size
panorama_version = var.panorama_version
5 changes: 5 additions & 0 deletions examples/panorama/variables.tf
@@ -40,6 +40,11 @@ variable "username" {
default = "panadmin"
}

variable "panorama_disk_type" {
type = string
default = "Standard_LRS"
}

variable "panorama_sku" {
type = string
default = "byol"
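Review bot: `variable "panorama_disk_type"` here has no `description`, which is why the example README row shows `n/a`; a one-line description matching the module's would fix that. A `validation` block is not needed at this level, since the value is passed straight through to the module, whose own validation in modules/panorama/variables.tf rejects unsupported types at plan time.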
3 changes: 2 additions & 1 deletion modules/panorama/README.md
@@ -74,8 +74,9 @@ No modules.
| <a name="input_enable_zones"></a> [enable\_zones](#input\_enable\_zones) | If false, the input `avzone` is ignored and all created public IPs default not to use Availability Zones (the `No-Zone` setting). It is intended for the regions that do not yet support Availability Zones. | `bool` | `true` | no |
| <a name="input_interface"></a> [interface](#input\_interface) | A array of map describing the intefaces configuration. Keys of the map are the names and values are { subnet\_id, private\_ip\_address, public\_ip, enable\_ip\_forwarding }. Example:<pre>[<br> {<br> name = "mgmt"<br> subnet_id = ""<br> private_ip_address = ""<br> public_ip = true<br> public_ip_name = ""<br> enable_ip_forwarding = false<br> }<br>]</pre> | `list(any)` | n/a | yes |
| <a name="input_location"></a> [location](#input\_location) | Region to deploy Panorama into. | `string` | n/a | yes |
| <a name="input_logging_disks"></a> [logging\_disks](#input\_logging\_disks) | A map of objects describing the additional disk configuration. The keys of the map are the names and values are { size, zone, lun }. <br> The size value is provided in GB. The recommended size for additional (optional) disks is at least 2TB (2048 GB). Example:<pre>{<br> logs-1 = {<br> size: "2048"<br> zone: "1"<br> lun: "1"<br> }<br> logs-2 = {<br> size: "2048"<br> zone: "2"<br> lun: "2"<br> }<br>}</pre> | `map(any)` | `{}` | no |
| <a name="input_logging_disks"></a> [logging\_disks](#input\_logging\_disks) | A map of objects describing the additional disk configuration. The keys of the map are the names and values are { size, zone, lun }. <br> The size value is provided in GB. The recommended size for additional (optional) disks is at least 2TB (2048 GB). Example:<pre>{<br> logs-1 = {<br> size: "2048"<br> zone: "1"<br> lun: "1"<br> }<br> logs-2 = {<br> size: "2048"<br> zone: "2"<br> lun: "2"<br> disk_type: "StandardSSD_LRS"<br> }<br>}</pre> | `map(any)` | `{}` | no |
| <a name="input_os_disk_name"></a> [os\_disk\_name](#input\_os\_disk\_name) | The name of OS disk. The name is auto-generated when not provided. | `string` | `null` | no |
| <a name="input_panorama_disk_type"></a> [panorama\_disk\_type](#input\_panorama\_disk\_type) | Specifies the type of managed disk to create. Possible values are either Standard\_LRS, StandardSSD\_LRS, Premium\_LRS or UltraSSD\_LRS. | `string` | `"Standard_LRS"` | no |
| <a name="input_panorama_name"></a> [panorama\_name](#input\_panorama\_name) | The Panorama common name. | `string` | n/a | yes |
| <a name="input_panorama_offer"></a> [panorama\_offer](#input\_panorama\_offer) | Panorama offer. | `string` | `"panorama"` | no |
| <a name="input_panorama_publisher"></a> [panorama\_publisher](#input\_panorama\_publisher) | Panorama Publisher. | `string` | `"paloaltonetworks"` | no |
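Review bot: the `logging_disks` example now shows a `disk_type` key on `logs-2`, but the prose in the same cell still says the values are `{ size, zone, lun }`; update that list to `{ size, zone, lun, disk_type }` and state that `disk_type` is optional and falls back to Standard_LRS, so readers do not have to infer the key and its default from the example alone.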
4 changes: 2 additions & 2 deletions modules/panorama/main.tf
@@ -55,7 +55,7 @@ resource "azurerm_virtual_machine" "panorama" {
name = coalesce(var.os_disk_name, "${var.panorama_name}-disk")
caching = "ReadWrite"
create_option = "FromImage"
managed_disk_type = "Standard_LRS"
managed_disk_type = var.panorama_disk_type
}

os_profile {
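Review bot: `managed_disk_type = var.panorama_disk_type` makes the OS disk type follow a variable whose validation (modules/panorama/variables.tf in this commit) accepts `UltraSSD_LRS`; Azure supports Ultra disks only as data disks, not as OS disks, so that value passes `terraform validate` and then fails at apply. Suggest dropping `UltraSSD_LRS` from the allowed list for this variable, or documenting that it is only meaningful for `logging_disks`.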
@@ -93,7 +93,7 @@ resource "azurerm_managed_disk" "this" {
name = "${var.panorama_name}-disk-${each.key}"
location = var.location
resource_group_name = var.resource_group_name
storage_account_type = "Standard_LRS"
storage_account_type = lookup(each.value, "disk_type", "Standard_LRS")
create_option = "Empty"
disk_size_gb = lookup(each.value, "size", "2048")
zone = try(
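Review bot: `lookup(each.value, "disk_type", "Standard_LRS")` takes the data-disk type from a `map(any)` with no validation, so a misspelled value is rejected only by the Azure API at apply time, whereas the OS disk variable gets a `validation` block. Consider a `validation` on `var.logging_disks` (or a `precondition` on this resource) that checks each `disk_type` against the same allowed list, plus a short comment noting that the default preserves the previously hard-coded `Standard_LRS`.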
12 changes: 12 additions & 0 deletions modules/panorama/variables.tf
@@ -64,6 +64,17 @@ variable "enable_plan" {
type = bool
}

variable "panorama_disk_type" {
description = "Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS or UltraSSD_LRS."
default = "Standard_LRS"
type = string

validation {
condition = contains(["Standard_LRS", "StandardSSD_LRS", "Premium_LRS", "UltraSSD_LRS"], var.panorama_disk_type)
error_message = "Panorama disk type need to be one of list Standard_LR, StandardSSD_LRS, Premium_LRS, UltraSSD_LRS."
}
}

variable "panorama_sku" {
description = "Panorama SKU."
default = "byol"
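Review bot: the `error_message` is itself wrong: it lists `Standard_LR` (missing the trailing `S`) even though the `condition` requires `Standard_LRS`, and "need to be one of list" is ungrammatical. Suggest `error_message = "Panorama disk type must be one of: Standard_LRS, StandardSSD_LRS, Premium_LRS, UltraSSD_LRS."`; the commit message mentions "Fix error message", so this looks like the intended fix slipping through.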
@@ -133,6 +144,7 @@ variable "logging_disks" {
size: "2048"
zone: "2"
lun: "2"
disk_type: "StandardSSD_LRS"
}
}
```
