diff --git a/makefile b/makefile
deleted file mode 100755
index 69e166ab..00000000
--- a/makefile
+++ /dev/null
@@ -1,64 +0,0 @@
-#!/bin/bash
-
-TFPLAN=gh_ci.tfplan
-
-case $1 in
- init)
- echo ":: INITIALIZING TERRAFORM ::"
- terraform init | nl -bn
- echo
- ;;
-
- validate)
- echo ":: INITIALIZING TERRAFORM ::"
- terraform init -backend=false | nl -bn
- echo
- echo ":: VALIDATING CODE ::"
- terraform validate | nl -bn
- echo
- ;;
-
- plan)
- echo ":: PLANNING INFRASTRUCTURE ::"
- TF_PARAMS=${@: 2}
- terraform plan ${TF_PARAMS} | nl -bn
- echo
- ;;
-
- plan_file)
- echo ":: CREATING INFRASTRUCTURE PLAN FILE ::"
- TF_PARAMS=${@: 2}
- terraform plan ${TF_PARAMS} -out ${TFPLAN} | nl -bn
- echo
- ;;
-
- apply_file)
- echo ":: APPLYING INFRASTRUCTURE PLAN FILE ::"
- if [ -f "${TFPLAN}" ]; then
- terraform apply ${TFPLAN} | nl -bn
- else
- echo "No TFPLAN file."
- exit 1
- fi
- echo
- ;;
-
- indepotency)
- echo ":: TESTING INDEPOTENCY ::"
- TF_PARAMS=${@: 2}
- terraform plan -detailed-exitcode ${TF_PARAMS} | nl -bn
- echo
- ;;
-
- destroy)
- echo ":: DESTROYING INFRASTRUCTURE ::"
- TF_PARAMS=${@: 2}
- for G in ${TF_PARAMS[@]}; do az group delete -g "$G" -y --no-wait | nl -bn; done
- echo
-
- echo ":: REMOVING INFRASTRUCTURE PLAN FILE ::"
- if [ -f "${TFPLAN}" ]; then rm ${TFPLAN} | nl -bn; fi
- echo
- ;;
-
-esac
diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md
index cf27008a..044b3af8 100644
--- a/modules/vmseries/README.md
+++ b/modules/vmseries/README.md
@@ -96,7 +96,7 @@ No modules. | [img\_publisher](#input\_img\_publisher) | The Azure Publisher identifier for a image which should be deployed. | `string` | `"paloaltonetworks"` | no | | [img\_sku](#input\_img\_sku) | VM-series SKU - list available with `az vm image list -o table --all --publisher paloaltonetworks` | `string` | `"bundle2"` | no | | [img\_version](#input\_img\_version) | VM-series PAN-OS version - list available for a default `img_offer` with `az vm image list -o table --publisher paloaltonetworks --offer vmseries-flex --all` | `string` | `"10.1.0"` | no | -| [interfaces](#input\_interfaces) | List of the network interface specifications.
The first should be the management interface, which does not participate in data filtering.
The remaining ones are the dataplane interfaces.
Options for an interface object:
- `name` - (required\|string) Interface name.
- `subnet_id` - (required\|string) Identifier of an existing subnet to create interface in.
- `private_ip_address` - (optional\|string) Static private IP to asssign to the interface. If null, dynamic one is allocated.
- `public_ip_address_id` - (optional\|string) Identifier of an existing public IP to associate.
- `create_public_ip` - (optional\|bool) If true, create a public IP for the interface and ignore the `public_ip_address_id`. Default is false.
- `availability_zone` - (optional\|string) Availability zone to create public IP in. If not specified, set based on `avzone` and `enable_zones`.
- `enable_ip_forwarding` - (optional\|bool) If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.
- `enable_backend_pool` - (optional\|bool) If true, associate interface with backend pool specified with `lb_backend_pool_id`. Default is false.
- `lb_backend_pool_id` - (optional\|string) Identifier of an existing backend pool to associate interface with. Required if `enable_backend_pool` is true.
- `tags` - (optional\|map) Tags to assign to the interface and public IP (if created). Overrides contents of `tags` variable.

Example:
[
{
name = "fw-mgmt"
subnet_id = azurerm_subnet.my_mgmt_subnet.id
public_ip_address_id = azurerm_public_ip.my_mgmt_ip.id
},
{
name = "fw-public"
subnet_id = azurerm_subnet.my_pub_subnet.id
lb_backend_pool_id = module.inbound_lb.backend_pool_id
enable_backend_pool = true
},
]
| `list(any)` | n/a | yes | +| [interfaces](#input\_interfaces) | List of the network interface specifications.

NOTICE. The ORDER in which you specify the interfaces DOES MATTER.
Interfaces will be attached to VM in the order you define here, therefore:
* The first should be the management interface, which does not participate in data filtering.
* The remaining ones are the dataplane interfaces.

Options for an interface object:
- `name` - (required\|string) Interface name.
- `subnet_id` - (required\|string) Identifier of an existing subnet to create interface in.
- `private_ip_address` - (optional\|string) Static private IP to asssign to the interface. If null, dynamic one is allocated.
- `public_ip_address_id` - (optional\|string) Identifier of an existing public IP to associate.
- `create_public_ip` - (optional\|bool) If true, create a public IP for the interface and ignore the `public_ip_address_id`. Default is false.
- `availability_zone` - (optional\|string) Availability zone to create public IP in. If not specified, set based on `avzone` and `enable_zones`.
- `enable_ip_forwarding` - (optional\|bool) If true, the network interface will not discard packets sent to an IP address other than the one assigned. If false, the network interface only accepts traffic destined to its IP address.
- `enable_backend_pool` - (optional\|bool) If true, associate interface with backend pool specified with `lb_backend_pool_id`. Default is false.
- `lb_backend_pool_id` - (optional\|string) Identifier of an existing backend pool to associate interface with. Required if `enable_backend_pool` is true.
- `tags` - (optional\|map) Tags to assign to the interface and public IP (if created). Overrides contents of `tags` variable.

Example:
[
{
name = "fw-mgmt"
subnet_id = azurerm_subnet.my_mgmt_subnet.id
public_ip_address_id = azurerm_public_ip.my_mgmt_ip.id
},
{
name = "fw-public"
subnet_id = azurerm_subnet.my_pub_subnet.id
lb_backend_pool_id = module.inbound_lb.backend_pool_id
enable_backend_pool = true
},
]
| `list(any)` | n/a | yes |
 | [location](#input\_location) | Region where to deploy VM-Series and dependencies. | `string` | n/a | yes |
 | [managed\_disk\_type](#input\_managed\_disk\_type) | Type of OS Managed Disk to create for the virtual machine. Possible values are `Standard_LRS`, `StandardSSD_LRS` or `Premium_LRS`. The `Premium_LRS` works only for selected `vm_size` values, details in Azure docs. | `string` | `"StandardSSD_LRS"` | no |
 | [name](#input\_name) | VM-Series instance name. | `string` | n/a | yes |
diff --git a/modules/vmseries/main.tf b/modules/vmseries/main.tf
index 5d1f7b58..6f8184bb 100644
--- a/modules/vmseries/main.tf
+++ b/modules/vmseries/main.tf
@@ -1,5 +1,5 @@
 resource "azurerm_public_ip" "this" {
- for_each = { for k, v in var.interfaces : k => v if try(v.create_public_ip, false) }
+ for_each = { for v in var.interfaces : v.name => v if try(v.create_public_ip, false) }
 location = var.location
 resource_group_name = var.resource_group_name
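Review bot: Re-keying `azurerm_public_ip.this` by `v.name` instead of the list index changes the state address of every existing instance (`azurerm_public_ip.this[0]` becomes `azurerm_public_ip.this["<name>"]`), so an in-place upgrade of an already deployed module will plan a destroy and re-create of those public IPs; the `for_each` changes to the NIC and backend-pool resources in the next hunk do the same to the interfaces, which would replace the firewall's addresses. Since the keys are caller-supplied, the module cannot ship static `moved` blocks for them, so the upgrade path (a `terraform state mv` per instance, or an explicit breaking-change note) should be called out in the changelog or README. The new map comprehension also fails at plan time with a duplicate object key error when two interfaces share a `name`, which the variable description does not state; appending `must be unique within the list, as it becomes the resource key` to the `name` option text would make the constraint visible.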
@@ -11,26 +11,26 @@ resource "azurerm_public_ip" "this" {
 }
 resource "azurerm_network_interface" "this" {
- count = length(var.interfaces)
+ for_each = { for k, v in var.interfaces : v.name => merge(v, { index = k }) }
- name = var.interfaces[count.index].name
+ name = each.value.name
 location = var.location
 resource_group_name = var.resource_group_name
- enable_accelerated_networking = count.index == 0 ? false : var.accelerated_networking # for interface 0 it is unsupported by PAN-OS
- enable_ip_forwarding = try(var.interfaces[count.index].enable_ip_forwarding, count.index == 0 ? false : true) # for interface 0 use false per Reference Arch
- tags = try(var.interfaces[count.index].tags, var.tags)
+ enable_accelerated_networking = each.value.index == 0 ? false : var.accelerated_networking # for interface 0 it is unsupported by PAN-OS
+ enable_ip_forwarding = try(each.value.enable_ip_forwarding, each.value.index == 0 ? false : true) # for interface 0 use false per Reference Arch
+ tags = try(each.value.tags, var.tags)
 ip_configuration {
 name = "primary"
- subnet_id = var.interfaces[count.index].subnet_id
- private_ip_address_allocation = try(var.interfaces[count.index].private_ip_address, null) != null ? "Static" : "Dynamic"
- private_ip_address = try(var.interfaces[count.index].private_ip_address, null)
- public_ip_address_id = try(azurerm_public_ip.this[count.index].id, var.interfaces[count.index].public_ip_address_id, null)
+ subnet_id = each.value.subnet_id
+ private_ip_address_allocation = try(each.value.private_ip_address, null) != null ? "Static" : "Dynamic"
+ private_ip_address = try(each.value.private_ip_address, null)
+ public_ip_address_id = try(azurerm_public_ip.this[each.value.name].id, each.value.public_ip_address_id, null)
 }
 }
 resource "azurerm_network_interface_backend_address_pool_association" "this" {
- for_each = { for k, v in var.interfaces : k => v if try(v.enable_backend_pool, false) }
+ for_each = { for v in var.interfaces : v.name => v if try(v.enable_backend_pool, false) }
 backend_address_pool_id = each.value.lb_backend_pool_id
 ip_configuration_name = azurerm_network_interface.this[each.key].ip_configuration[0].name
@@ -45,9 +45,10 @@ resource "azurerm_virtual_machine" "this" {
 vm_size = var.vm_size
 zones = var.enable_zones && var.avzone != null && var.avzone != "" ? [var.avzone] : null
 availability_set_id = var.avset_id
- primary_network_interface_id = azurerm_network_interface.this[0].id
+ primary_network_interface_id = azurerm_network_interface.this[var.interfaces[0].name].id
- network_interface_ids = [for k, v in azurerm_network_interface.this : v.id]
+ # network_interface_ids = [for k, v in azurerm_network_interface.this : v.id]
+ network_interface_ids = [for v in var.interfaces : azurerm_network_interface.this[v.name].id]
 storage_image_reference {
 id = var.custom_image_id
diff --git a/modules/vmseries/outputs.tf b/modules/vmseries/outputs.tf
index 8780bb53..3773454e 100644
--- a/modules/vmseries/outputs.tf
+++ b/modules/vmseries/outputs.tf
@@ -1,6 +1,6 @@
 output "mgmt_ip_address" {
 description = "VM-Series management IP address. If `create_public_ip` was `true`, it is a public IP address, otherwise a private IP address."
- value = try(var.interfaces[0].create_public_ip, false) ? azurerm_public_ip.this[0].ip_address : azurerm_network_interface.this[0].ip_configuration[0].private_ip_address
+ value = try(var.interfaces[0].create_public_ip, false) ? azurerm_public_ip.this[var.interfaces[0].name].ip_address : azurerm_network_interface.this[var.interfaces[0].name].ip_configuration[0].private_ip_address
 }
 output "interfaces" {
diff --git a/modules/vmseries/variables.tf b/modules/vmseries/variables.tf
index 790fd143..2f06cfa1 100644
--- a/modules/vmseries/variables.tf
+++ b/modules/vmseries/variables.tf
@@ -44,8 +44,12 @@ variable "avset_id" {
 variable "interfaces" {
 description = <<-EOF
 List of the network interface specifications.
- The first should be the management interface, which does not participate in data filtering.
- The remaining ones are the dataplane interfaces.
+
+ NOTICE. The ORDER in which you specify the interfaces DOES MATTER.
+ Interfaces will be attached to VM in the order you define here, therefore:
+ * The first should be the management interface, which does not participate in data filtering.
+ * The remaining ones are the dataplane interfaces.
+
 Options for an interface object:
 - `name` - (required|string) Interface name.
 - `subnet_id` - (required|string) Identifier of an existing subnet to create interface in.
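Review bot: The description now promises that list order determines attachment order, but nothing enforces the other property the new `for_each` keys in main.tf depend on: interface names must be unique, otherwise `terraform plan` fails with a duplicate object key error inside the module rather than at the input. A `validation` block on `variable "interfaces"` surfaces this at the variable itself (usable if the module's `required_version` permits Terraform 0.13 or later, which is not visible in this diff). The `variable "interfaces"` block continues past the end of the hunk, so the block below goes after its `description` heredoc and `type` arguments.
```hcl
variable "interfaces" {
  # … unchanged: description heredoc and type …

  validation {
    condition     = length(distinct([for v in var.interfaces : v.name])) == length(var.interfaces)
    error_message = "Each interface in var.interfaces must have a unique name; names are used as resource keys."
  }
```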