
fix(example/transit_vnet_common): add code flexibility (#229)
Co-authored-by: Migara Ekanayake <[email protected]>
FoSix and migara authored Mar 15, 2023
1 parent 30958ae commit 377fced
Showing 11 changed files with 510 additions and 386 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -45,5 +45,6 @@ terraform.tfvars
terraform.tfvars.json
*.auto.tfvars
*.auto.tfvars.json
*.tfplan
**/files

8 changes: 4 additions & 4 deletions examples/transit_vnet_common/Makefile
@@ -1,9 +1,9 @@
ifndef UUID
UUID := $(shell uuidgen | tr '[:upper:]' '[:lower:]')
endif
RG := GHCI-$(shell echo ${UUID} | cut -d '-' -f 1,5)
STORAGE := ghci$(shell echo ${UUID} | cut -d '-' -f 5)
TF_PARAMS := -var-file=example.tfvars -var resource_group_name=${RG} -var files={"files/authcodes.sample"="license/authcodes","files/init-cfg.sample.txt"="config/init-cfg.txt"} -var storage_account_name=${STORAGE}
RG := $(shell echo ${UUID} | cut -d '-' -f 1,5)
PREFIX := ghci$(shell echo ${UUID} | cut -d '-' -f 2)-
TF_PARAMS := -var-file=example.tfvars -var resource_group_name=${RG} -var name_prefix=${PREFIX}

init:
@../../makefile.sh init
Expand All @@ -26,4 +26,4 @@ indepotency:
@../../makefile.sh indepotency '${TF_PARAMS}'

destroy:
@../../makefile.sh destroy '${RG}'
@../../makefile.sh destroy '${PREFIX}${RG}'
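Review bot: `RG` and `PREFIX` in the first hunk (`RG := $(shell echo ${UUID} | cut -d '-' -f 1,5)` and `PREFIX := ghci$(shell echo ${UUID} | cut -d '-' -f 2)-`) are derived from `UUID` with no check that the pipeline produced anything; if `uuidgen` is missing or `UUID` is passed in empty, `RG` expands to nothing and the `destroy` recipe in the second hunk runs `../../makefile.sh destroy` with just `ghci-` as the name. A guard placed after the `endif`, `$(if $(strip $(UUID)),,$(error UUID is empty))`, fails the run instead of handing a near-empty name to a destructive step. The `destroy` recipe also hard-codes the assumption that the deployed resource group is named `<name_prefix><resource_group_name>`, while `TF_PARAMS` passes `name_prefix` and `resource_group_name` separately; a comment such as `# module names the RG as name_prefix + resource_group_name, keep in sync with TF_PARAMS` would make that coupling visible. Whether `makefile.sh destroy` rejects an empty or partial name cannot be seen from this hunk.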
80 changes: 39 additions & 41 deletions examples/transit_vnet_common/README.md

Large diffs are not rendered by default.

249 changes: 192 additions & 57 deletions examples/transit_vnet_common/example.tfvars
@@ -1,75 +1,210 @@
location = "East US 2"
resource_group_name = "example-rg"
virtual_network_name = "vnet-vmseries"
address_space = ["10.110.0.0/16"]
enable_zones = true

network_security_groups = {
"sg-mgmt" = {}
"sg-private" = {}
"sg-public" = {}
# --- GENERAL --- #
# location = "North Europe" # TODO adjust deployment region to your needs
location = "Australia East" # TODO adjust deployment region to your needs
resource_group_name = "common-refarch"
name_prefix = "example-"
create_resource_group = true
tags = {
"CreatedBy" = "Palo Alto Networks"
"CreatedWith" = "Terraform"
}
enable_zones = false

allow_inbound_mgmt_ips = [
"191.191.191.191", # Put your own public IP address here
"10.255.0.0/24", # Example Panorama access
]

olb_private_ip = "10.110.0.21"

route_tables = {
private_route_table = {
routes = {
default = {
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.110.0.21"
# --- VNET CONFIGURATION --- #
vnets = {
"transit-vnet" = {
create_virtual_network = true
address_space = ["10.0.0.0/25"] # TODO adjust the VNET and subnet address spaces if you plan to peer this vnet
network_security_groups = {
"management" = {
rules = {
vmseries_mgmt_allow_inbound = {
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["1.1.1.1"] # TODO adjust to allow public IPs to connect to the firewalls' management interfaces from the internet
source_port_range = "*"
destination_address_prefix = "10.0.0.0/27"
destination_port_ranges = ["22", "443"]
}
}
}
"private" = {}
"public" = {}
}
route_tables = { # TODO these route tables provide basic black-holing, adjust for further security
"management" = {
routes = {
"private_blackhole" = {
address_prefix = "10.0.0.32/27"
next_hop_type = "None"
}
"public_blackhole" = {
address_prefix = "10.0.0.64/27"
next_hop_type = "None"
}
}
}
"private" = {
routes = {
"default" = {
address_prefix = "0.0.0.0/0"
next_hop_type = "VirtualAppliance"
next_hop_in_ip_address = "10.0.0.50"
}
"mgmt_blackhole" = {
address_prefix = "10.0.0.0/27"
next_hop_type = "None"
}
"public_blackhole" = {
address_prefix = "10.0.0.64/27"
next_hop_type = "None"
}
}
}
"public" = {
routes = {
"mgmt_blackhole" = {
address_prefix = "10.0.0.0/27"
next_hop_type = "None"
}
"private_blackhole" = {
address_prefix = "10.0.0.32/27"
next_hop_type = "None"
}
}
}
}
create_subnets = true
subnets = {
"management" = {
address_prefixes = ["10.0.0.0/27"]
network_security_group = "management"
route_table = "management"
}
"private" = {
address_prefixes = ["10.0.0.32/27"]
route_table = "private"
}
"public" = {
address_prefixes = ["10.0.0.64/27"]
network_security_group = "public"
route_table = "public"
}
}
}
}

subnets = {
"subnet-mgmt" = {
address_prefixes = ["10.110.255.0/24"]
network_security_group = "sg-mgmt"
}
"subnet-private" = {
address_prefixes = ["10.110.0.0/24"]
network_security_group = "sg-private"
route_table = "private_route_table"
}
"subnet-public" = {
address_prefixes = ["10.110.129.0/24"]
network_security_group = "sg-public"
}
}

frontend_ips = {
"frontend01" = {
create_public_ip = true
rules = {
"balancessh" = {
protocol = "Tcp"
port = 22

# --- LOAD BALANCING CONFIGURATION --- #
load_balancers = {
"lb-public" = {
vnet_name = "transit-vnet"
network_security_group_name = "public"
network_security_allow_source_ips = ["1.1.1.1"] # TODO adjust to the public IPs that will connect to the public Load Balancer

frontend_ips = {
"palo-lb-app1-pip" = { # TODO this is just a basic load balancing rule that will balance HTTP(s) traffic, add more rules to balance different types of traffic
create_public_ip = true
rules = {
"balanceHttp" = {
protocol = "Tcp"
port = 80
}
"balanceHttps" = {
protocol = "Tcp"
port = 443
}
}
}
}
}
"lb-private" = {
frontend_ips = {
"ha-ports" = {
vnet_name = "transit-vnet"
subnet_name = "private"
private_ip_address = "10.0.0.50"
rules = {
HA_PORTS = {
port = 0
protocol = "All"
}
}
}
}
}
}

vmseries = {
"fw00" = { avzone = 1 }
"fw01" = { avzone = 2 }
}

common_vmseries_version = "9.1.3"
common_vmseries_sku = "bundle1"
storage_account_name = "pantfstorage"
storage_share_name = "bootstrapshare"

files = {
"files/authcodes" = "license/authcodes" # authcode is required only with common_vmseries_sku = "byol"
"files/init-cfg.txt" = "config/init-cfg.txt"
# --- VMSERIES CONFIGURATION --- #
availability_set = {
"vmseries" = {
fault_domain_count = 2
}
}

avzones = ["1", "2", "3"]
vmseries_version = "10.2.2"
vmseries_vm_size = "Standard_DS3_v2"
vmseries_sku = "byol"
# vmseries_password = "" # TODO by default the VM-Series admin password is autogenerated, uncomment and provide you own
vmseries = {
"vmseries-1" = {
availability_set_name = "vmseries"
app_insights_settings = {}
bootstrap_options = "type=dhcp-client" # TODO add licensing, panorama configuration if needed
vnet_name = "transit-vnet"
interfaces = [
{
name = "mgmt"
subnet_name = "management"
private_ip_address = "10.0.0.10"
create_pip = true
},
{
name = "private"
subnet_name = "private"
load_balancer_name = "lb-private"
private_ip_address = "10.0.0.40"
},
{
name = "public"
subnet_name = "public"
load_balancer_name = "lb-public"
private_ip_address = "10.0.0.70"
create_pip = true
}
]
}
"vmseries-2" = {
availability_set_name = "vmseries"
app_insights_settings = {}
bootstrap_options = "type=dhcp-client" # TODO add licensing, panorama configuration if needed
vnet_name = "transit-vnet"
interfaces = [
{
name = "mgmt"
subnet_name = "management"
private_ip_address = "10.0.0.11"
create_pip = true
},
{
name = "private"
subnet_name = "private"
load_balancer_name = "lb-private"
private_ip_address = "10.0.0.41"
},
{
name = "public"
subnet_name = "public"
load_balancer_name = "lb-public"
private_ip_address = "10.0.0.71"
create_pip = true
}
]
}
}
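Review bot: The `"private" = {}` network security group declared under `network_security_groups` in the new `vnets` block is never attached — the `"private"` entry under `subnets` sets only `address_prefixes` and `route_table`, whereas `management` and `public` also set `network_security_group`, so the private data-plane subnet ends up without an NSG while an empty one sits unused; either add `network_security_group = "private"` to that subnet or drop the unused NSG so the intent is explicit. The placeholders `source_address_prefixes = ["1.1.1.1"]` and `network_security_allow_source_ips = ["1.1.1.1"]` are a live public address, so an operator who skips the TODO ships an allow rule on 22/443 and on the public load balancer for a third party's IP; a value from the RFC 5737 documentation range (e.g. `"192.0.2.1/32"`), which is not routed on the public internet, is a safer default. Lastly, `vmseries_sku = "byol"` combined with `bootstrap_options = "type=dhcp-client"` and the "add licensing" TODO means the firewalls come up unlicensed by default, while what appears to be the old side of this hunk supplied an authcodes file for exactly that case; the README or an inline comment should state how a BYOL deployment is expected to be licensed.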
1 change: 0 additions & 1 deletion examples/transit_vnet_common/files/authcodes.sample

This file was deleted.

10 changes: 0 additions & 10 deletions examples/transit_vnet_common/files/init-cfg.sample.txt

This file was deleted.

