feat(module/bootstrap)!: Enhanced user experience of the module usage

examples/bootstrap/README.md

@@ -1,12 +1,14 @@
 # Palo Alto Networks Bootstrap Module Example
 
-This Terraform example uses the [Palo Alto Networks Bootstrap module](../../modules/bootstrap) to deploy a Storage Account and the dependencies required
-to [bootstrap a VM-Series firewall in Azure](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-azure.html#idd51f75b8-e579-44d6-a809-2fafcfe4b3b6).
+This Terraform example uses the [Palo Alto Networks Bootstrap module](../../modules/bootstrap/README.md) to deploy a Storage Account and dependencies required
+to [bootstrap a VM-Series firewall in Azure](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-in-azure).
+
+This example covers creation of a single Storage Account with two File Shares: one for Next Generation Firewalls handling inbound traffic and one for firewalls handling outbound and east-west (OBEW) traffic.
 
 The following resources will be deployed when using the provided example:
-* 1 [Resource Group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#what-is-a-resource-group).
-* 1 [Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview).
-* 1 [File Share](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction#:~:text=Azure%20Files%20offers%20fully%20managed,cloud%20or%20on%2Dpremises%20deployments).
+* 1 [Resource Group](https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal#what-is-a-resource-group)
+* 1 [Storage Account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview)
+* 2 [File Shares](https://docs.microsoft.com/en-us/azure/storage/files/storage-files-introduction#:~:text=Azure%20Files%20offers%20fully%20managed,cloud%20or%20on%2Dpremises%20deployments).
 
 ## Usage
 
@@ -15,7 +17,7 @@ Create a `terraform.tfvars` file and copy the content of `example.tfvars` into i
 ```sh
 terraform init
 terraform apply
-terraform output -json
+terraform output   # optional, this command will give you the terraform output only
 ```
 
 ## Cleanup
@@ -30,36 +32,38 @@ terraform destroy
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.29, < 2.0 |
-| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | = 3.7.0 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.1 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | = 3.7.0 |
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | n/a |
 
 ## Modules
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_bootstrap"></a> [bootstrap](#module\_bootstrap) | ../../modules/bootstrap | n/a |
+| <a name="module_inbound_bootstrap"></a> [inbound\_bootstrap](#module\_inbound\_bootstrap) | ../../modules/bootstrap | n/a |
+| <a name="module_obew_bootstrap"></a> [obew\_bootstrap](#module\_obew\_bootstrap) | ../../modules/bootstrap | n/a |
 
 ## Resources
 
 | Name | Type |
 |------|------|
-| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/3.7.0/docs/resources/resource_group) | resource |
+| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_files"></a> [files](#input\_files) | Map of all files to copy to bucket. The keys are local paths, the values are remote paths. Always use slash `/` as directory separator (unix-like), not the backslash `\`. For example `{"dir/my.txt" = "config/init-cfg.txt"}` | `map(string)` | `{}` | no |
+| <a name="input_inbound_files"></a> [inbound\_files](#input\_inbound\_files) | Map of all files to copy to a File Share. This represents files for inbound firewall.<br><br>The keys are local paths, values - remote paths. Always use slash `/` as directory separator (unix-like). | `map(string)` | `{}` | no |
+| <a name="input_inbound_storage_share_name"></a> [inbound\_storage\_share\_name](#input\_inbound\_storage\_share\_name) | Name of Storage Share that will host files for bootstrapping a firewall protecting inbound traffic. | `string` | n/a | yes |
 | <a name="input_location"></a> [location](#input\_location) | Region to deploy the bootstrap resources into. | `string` | n/a | yes |
+| <a name="input_obew_files"></a> [obew\_files](#input\_obew\_files) | Map of all files to copy to a File Share. This represents files for OBEW firewall.<br><br>The keys are local paths, values - remote paths. Always use slash `/` as directory separator (unix-like). | `map(string)` | `{}` | no |
+| <a name="input_obew_storage_share_name"></a> [obew\_storage\_share\_name](#input\_obew\_storage\_share\_name) | Name of Storage Share that will host files for bootstrapping a firewall protecting OBEW traffic. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. | `string` | n/a | yes |
-| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
-| <a name="input_storage_share_name"></a> [storage\_share\_name](#input\_storage\_share\_name) | Name of storage share to be created that holds `files` for bootstrapping. | `string` | `"bootstrapshare"` | no |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Name of the Storage Account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and may include only numbers and lowercase letters. | `string` | n/a | yes |
 
 ## Outputs
 
@@ -68,6 +72,6 @@ terraform destroy
 | <a name="output_primary_access_key"></a> [primary\_access\_key](#output\_primary\_access\_key) | The primary access key for the Azure Storage Account. |
 | <a name="output_storage_account_id"></a> [storage\_account\_id](#output\_storage\_account\_id) | Identifier of the Azure Storage Account object used for the Bootstrap. |
 | <a name="output_storage_account_name"></a> [storage\_account\_name](#output\_storage\_account\_name) | Name of the Azure Storage Account object used for the Bootstrap. |
-| <a name="output_storage_share_id"></a> [storage\_share\_id](#output\_storage\_share\_id) | Identifier of the File Share within Azure Storage. |
-| <a name="output_storage_share_name"></a> [storage\_share\_name](#output\_storage\_share\_name) | Name of the File Share within Azure Storage. |
+| <a name="output_storage_share_ids"></a> [storage\_share\_ids](#output\_storage\_share\_ids) | Identifier of the File Share within Azure Storage. |
+| <a name="output_storage_share_names"></a> [storage\_share\_names](#output\_storage\_share\_names) | Name of the File Share within Azure Storage. |
 <!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

examples/bootstrap/example.tfvars

@@ -1,8 +1,15 @@
-resource_group_name  = "example-rg"
-location             = "East US"
-storage_account_name = "examplebootstrap"
+resource_group_name        = "example-rg"
+location                   = "West US"
+storage_account_name       = "examplebootstrap"
+inbound_storage_share_name = "inboundbootstrap"
+obew_storage_share_name    = "obewbootstrap"
 
-files = {
-  "files/authcodes.sample"    = "license/authcodes"
-  "files/init-cfg.sample.txt" = "config/init-cfg.txt"
+inbound_files = {
+  "inbound_files/authcodes.sample"    = "license/authcodes"
+  "inbound_files/init-cfg.sample.txt" = "config/init-cfg.txt"
+}
+
+obew_files = {
+  "obew_files/authcodes.sample"    = "license/authcodes"
+  "obew_files/init-cfg.sample.txt" = "config/init-cfg.txt"
 }

examples/bootstrap/main.tf

@@ -3,11 +3,24 @@ resource "azurerm_resource_group" "this" {
   location = var.location
 }
 
-module "bootstrap" {
+module "inbound_bootstrap" {
   source = "../../modules/bootstrap"
 
+  storage_account_name = var.storage_account_name
+  storage_share_name   = var.inbound_storage_share_name
   resource_group_name  = azurerm_resource_group.this.name
   location             = azurerm_resource_group.this.location
-  storage_account_name = var.storage_account_name
-  files                = var.files
+  files                = var.inbound_files
+}
+
+module "obew_bootstrap" {
+  source = "../../modules/bootstrap"
+
+  create_storage_account = false
+  storage_account_name   = module.inbound_bootstrap.storage_account.name
+  storage_share_name     = var.obew_storage_share_name
+  resource_group_name    = azurerm_resource_group.this.name
+  files                  = var.obew_files
+
+  depends_on = [module.inbound_bootstrap]
 }

examples/bootstrap/obew_files/authcodes.sample

@@ -0,0 +1 @@
+Ixxxxxxx

examples/bootstrap/obew_files/init-cfg.sample.txt

@@ -0,0 +1,9 @@
+type=dhcp-client
+vm-auth-key=xxxxxyyyyyzzzzz
+panorama-server=aaa.bbb.ccc.ddd
+tplname=some-stack
+dgname=some_dg
+dhcp-send-hostname=yes
+dhcp-send-client-id=yes
+dhcp-accept-server-hostname=yes
+dhcp-accept-server-domain=yes

examples/bootstrap/outputs.tf

@@ -1,29 +1,31 @@
 output "storage_account_name" {
   description = "Name of the Azure Storage Account object used for the Bootstrap."
-  value       = module.bootstrap.storage_account.name
-  sensitive   = true
+  value       = module.inbound_bootstrap.storage_account.name
 }
 
 output "storage_account_id" {
   description = "Identifier of the Azure Storage Account object used for the Bootstrap."
-  value       = module.bootstrap.storage_account.id
-  sensitive   = true
+  value       = module.inbound_bootstrap.storage_account.id
 }
 
-output "storage_share_name" {
-  description = "Name of the File Share within Azure Storage."
-  value       = module.bootstrap.storage_share.name
+output "primary_access_key" {
+  description = "The primary access key for the Azure Storage Account."
+  value       = module.inbound_bootstrap.primary_access_key
   sensitive   = true
 }
 
-output "storage_share_id" {
-  description = "Identifier of the File Share within Azure Storage."
-  value       = module.bootstrap.storage_share.id
-  sensitive   = true
+output "storage_share_names" {
+  description = "Name of the File Share within Azure Storage."
+  value = {
+    inbound = module.inbound_bootstrap.storage_share.name
+    obew    = module.obew_bootstrap.storage_share.name
+  }
 }
 
-output "primary_access_key" {
-  description = "The primary access key for the Azure Storage Account."
-  value       = module.bootstrap.primary_access_key
-  sensitive   = true
+output "storage_share_ids" {
+  description = "Identifier of the File Share within Azure Storage."
+  value = {
+    inbound = module.inbound_bootstrap.storage_share.id
+    obew    = module.obew_bootstrap.storage_share.id
+  }
 }

examples/bootstrap/variables.tf

@@ -10,21 +10,38 @@ variable "location" {
 
 variable "storage_account_name" {
   description = <<-EOF
-  Default name of the storage account to create.
-  The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters.
+  Name of the Storage Account to create.
+  The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and may include only numbers and lowercase letters.
   EOF
-  default     = "pantfstorage"
   type        = string
 }
 
-variable "files" {
-  description = "Map of all files to copy to bucket. The keys are local paths, the values are remote paths. Always use slash `/` as directory separator (unix-like), not the backslash `\\`. For example `{\"dir/my.txt\" = \"config/init-cfg.txt\"}`"
+variable "inbound_storage_share_name" {
+  description = "Name of Storage Share that will host files for bootstrapping a firewall protecting inbound traffic."
+  type        = string
+}
+
+variable "obew_storage_share_name" {
+  description = "Name of Storage Share that will host files for bootstrapping a firewall protecting OBEW traffic."
+  type        = string
+}
+
+variable "inbound_files" {
+  description = <<-EOF
+  Map of all files to copy to a File Share. This represents files for inbound firewall.
+
+  The keys are local paths, values - remote paths. Always use slash `/` as directory separator (unix-like).
+  EOF
   default     = {}
   type        = map(string)
 }
 
-variable "storage_share_name" {
-  description = "Name of storage share to be created that holds `files` for bootstrapping."
-  default     = "bootstrapshare"
-  type        = string
+variable "obew_files" {
+  description = <<-EOF
+  Map of all files to copy to a File Share. This represents files for OBEW firewall.
+
+  The keys are local paths, values - remote paths. Always use slash `/` as directory separator (unix-like).
+  EOF
+  default     = {}
+  type        = map(string)
 }

examples/bootstrap/versions.tf

@@ -2,8 +2,7 @@ terraform {
   required_version = ">= 0.12.29, < 2.0"
   required_providers {
     azurerm = {
-      source  = "hashicorp/azurerm"
-      version = "= 3.7.0"
+      source = "hashicorp/azurerm"
     }
     random = {
       source  = "hashicorp/random"

examples/panorama/README.md

@@ -65,7 +65,8 @@ $ terraform apply
 | <a name="input_panorama_version"></a> [panorama\_version](#input\_panorama\_version) | n/a | `string` | `"10.0.3"` | no |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. | `string` | n/a | yes |
 | <a name="input_security_group_name"></a> [security\_group\_name](#input\_security\_group\_name) | n/a | `string` | `"nsg-panorama"` | no |
-| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
+| <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | n/a | yes |
+| <a name="input_storage_share_name"></a> [storage\_share\_name](#input\_storage\_share\_name) | Name of storage File Share to be created that holds `files` for bootstrapping. | `string` | n/a | yes |
 | <a name="input_subnet_names"></a> [subnet\_names](#input\_subnet\_names) | n/a | `list(string)` | <pre>[<br>  "subnet1"<br>]</pre> | no |
 | <a name="input_subnet_prefixes"></a> [subnet\_prefixes](#input\_subnet\_prefixes) | n/a | `list(string)` | <pre>[<br>  "10.0.0.0/24"<br>]</pre> | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnet objects to create within a virtual network. The key of each entry acts as the subnet name.<br>List of available attributes of each subnet entry:<br>- `address_prefixes` : The address prefix to use for the subnet.<br>- `network_security_group_id` : The Network Security Group identifier to associate with the subnet.<br>- `route_table_id` : The Route Table identifier to associate with the subnet.<br>- `tags` : (Optional) Map of tags to assign to the resource.<br><br>Example:<pre>{<br>  "management" = {<br>    address_prefixes       = ["10.100.0.0/24"]<br>    network_security_group = "network_security_group_1"<br>    route_table            = "route_table_1"<br>  },<br>  "private" = {<br>    address_prefixes       = ["10.100.1.0/24"]<br>    network_security_group = "network_security_group_2"<br>    route_table            = "route_table_2"<br>  },<br>  "public" = {<br>    address_prefixes       = ["10.100.2.0/24"]<br>    network_security_group = "network_security_group_3"<br>    route_table            = "route_table_3"<br>  },<br>}</pre> | `any` | n/a | yes |

examples/panorama/example.tfvars

@@ -1,9 +1,9 @@
 location             = "East US"
 tags                 = { environment = "dev" }
-panorama_name        = "example-panorama"
 resource_group_name  = "example-rg"
-storage_account_name = "examplestorage"
 vnet_name            = "example-vnet"
+storage_account_name = "examplestorage"
+storage_share_name   = "bootdiagshare"
 enable_zones         = true
 address_space        = ["10.112.0.0/16"]
 panorama_version     = "10.1.5"

examples/panorama/main.tf

@@ -55,6 +55,7 @@ module "bootstrap" {
   resource_group_name  = azurerm_resource_group.this.name
   location             = var.location
   storage_account_name = var.storage_account_name
+  storage_share_name   = var.storage_share_name
 }
 
 module "panorama" {

examples/panorama/variables.tf

@@ -14,7 +14,11 @@ variable "storage_account_name" {
   Default name of the storage account to create.
   The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters.
   EOF
-  default     = "pantfstorage"
+  type        = string
+}
+
+variable "storage_share_name" {
+  description = "Name of storage File Share to be created that will hold Panorama's boot diagnostics."
   type        = string
 }
 

examples/transit_vnet_dedicated/main.tf

@@ -112,12 +112,13 @@ module "bootstrap" {
 module "outbound_bootstrap" {
   source = "../../modules/bootstrap"
 
-  # location               = var.location
-  resource_group_name      = azurerm_resource_group.this.name
-  create_storage_account   = false
-  existing_storage_account = module.bootstrap.storage_account.name
-  storage_share_name       = var.outbound_storage_share_name
-  files                    = var.outbound_files
+  resource_group_name    = azurerm_resource_group.this.name
+  create_storage_account = false
+  storage_account_name   = module.bootstrap.storage_account.name
+  storage_share_name     = var.outbound_storage_share_name
+  files                  = var.outbound_files
+
+  depends_on = [module.bootstrap]
 }
 
 # Inbound VM-Series for handling inbound traffic from the Internet.

examples/vmseries_scaleset/main.tf

@@ -203,11 +203,13 @@ module "inbound_bootstrap" {
 module "outbound_bootstrap" {
   source = "../../modules/bootstrap"
 
-  resource_group_name      = local.inbound_resource_group.name
-  create_storage_account   = false
-  existing_storage_account = module.inbound_bootstrap.storage_account.name
-  storage_share_name       = var.outbound_storage_share_name
-  files                    = var.outbound_files
+  resource_group_name    = local.inbound_resource_group.name
+  create_storage_account = false
+  storage_account_name   = module.inbound_bootstrap.storage_account.name
+  storage_share_name     = var.outbound_storage_share_name
+  files                  = var.outbound_files
+
+  depends_on = [module.inbound_bootstrap]
 }
 
 ### SCALE SETS ###