PaloAltoNetworks · horiagunica · Jan 18, 2023 · Jan 18, 2023 · Jan 18, 2023 · Jan 18, 2023
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -18,4 +18,9 @@ repos:
     hooks:
     - id: checkov
       verbose: true
-      args: [--soft-fail]
+      args: [
+        --compact,
+        --quiet,
+        --skip-check, "CKV_AZURE_118,CKV_AZURE_119,CKV_AZURE_120,CKV2_AZURE_10,CKV2_AZURE_12,CKV2_GHA_1",
+        --soft-fail-on, "CKV_AZURE_93,CKV2_AZURE_1,CKV2_AZURE_18",
+      ]
diff --git a/examples/bootstrap/README.md b/examples/bootstrap/README.md
@@ -66,7 +66,10 @@ terraform destroy
 | <a name="input_obew_files"></a> [obew\_files](#input\_obew\_files) | Map of all files to copy to a File Share. This represents files for OBEW firewall.<br><br>The keys are local paths, values - remote paths. Always use slash `/` as directory separator (unix-like). | `map(string)` | `{}` | no |
 | <a name="input_obew_storage_share_name"></a> [obew\_storage\_share\_name](#input\_obew\_storage\_share\_name) | Name of Storage Share that will host files for bootstrapping a firewall protecting OBEW traffic. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. | `string` | n/a | yes |
+| <a name="input_retention_policy_days"></a> [retention\_policy\_days](#input\_retention\_policy\_days) | Log retention policy in days | `number` | n/a | yes |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Name of the Storage Account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length and may include only numbers and lowercase letters. | `string` | n/a | yes |
+| <a name="input_storage_acl"></a> [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with Deny default statement. | `bool` | n/a | yes |
+| <a name="input_storage_allow_inbound_public_ips"></a> [storage\_allow\_inbound\_public\_ips](#input\_storage\_allow\_inbound\_public\_ips) | List of IP CIDR ranges (like `["23.23.23.23"]`) that are allowed to access the storage.<br>Only public IPs are allowed - RFC1918 address space is not permitted.<br>Remember to include the IP address you are running terraform from. | `list(string)` | `null` | no |
 
 ## Outputs
 

diff --git a/examples/bootstrap/example.tfvars b/examples/bootstrap/example.tfvars
@@ -1,8 +1,11 @@
-resource_group_name        = "example-rg"
-location                   = "West US"
-storage_account_name       = "examplebootstrap"
-inbound_storage_share_name = "inboundbootstrap"
-obew_storage_share_name    = "obewbootstrap"
+resource_group_name              = "example-rg"
+location                         = "West US"
+storage_account_name             = "examplebootstrap"
+inbound_storage_share_name       = "inboundbootstrap"
+obew_storage_share_name          = "obewbootstrap"
+retention_policy_days            = 7
+storage_allow_inbound_public_ips = ["<public IP 1>", "public IP 2"]
+storage_acl                      = true
 
 inbound_files = {
   "inbound_files/authcodes.sample"    = "license/authcodes"

diff --git a/examples/bootstrap/main.tf b/examples/bootstrap/main.tf
@@ -6,21 +6,25 @@ resource "azurerm_resource_group" "this" {
 module "inbound_bootstrap" {
   source = "../../modules/bootstrap"
 
-  storage_account_name = var.storage_account_name
-  storage_share_name   = var.inbound_storage_share_name
-  resource_group_name  = azurerm_resource_group.this.name
-  location             = azurerm_resource_group.this.location
-  files                = var.inbound_files
+  storage_account_name             = var.storage_account_name
+  storage_share_name               = var.inbound_storage_share_name
+  resource_group_name              = azurerm_resource_group.this.name
+  location                         = azurerm_resource_group.this.location
+  retention_policy_days            = var.retention_policy_days
+  files                            = var.inbound_files
+  storage_allow_inbound_public_ips = var.storage_allow_inbound_public_ips
+  storage_acl                      = var.storage_acl
 }
 
 module "obew_bootstrap" {
   source = "../../modules/bootstrap"
 
-  create_storage_account = false
-  storage_account_name   = module.inbound_bootstrap.storage_account.name
-  storage_share_name     = var.obew_storage_share_name
-  resource_group_name    = azurerm_resource_group.this.name
-  files                  = var.obew_files
-
-  depends_on = [module.inbound_bootstrap]
+  create_storage_account           = false
+  storage_account_name             = module.inbound_bootstrap.storage_account.name
+  storage_share_name               = var.obew_storage_share_name
+  resource_group_name              = azurerm_resource_group.this.name
+  files                            = var.obew_files
+  storage_allow_inbound_public_ips = var.storage_allow_inbound_public_ips
+  storage_acl                      = var.storage_acl
+  depends_on                       = [module.inbound_bootstrap]
 }
diff --git a/examples/bootstrap/variables.tf b/examples/bootstrap/variables.tf
@@ -45,3 +45,23 @@ variable "obew_files" {
   default     = {}
   type        = map(string)
 }
+
+variable "retention_policy_days" {
+  description = "Log retention policy in days"
+  type        = number
+}
+
+variable "storage_allow_inbound_public_ips" {
+  description = <<-EOF
+    List of IP CIDR ranges (like `["23.23.23.23"]`) that are allowed to access the storage.
+    Only public IPs are allowed - RFC1918 address space is not permitted.
+    Remember to include the IP address you are running terraform from.
+  EOF
+  type        = list(string)
+  default     = null
+}
+
+variable "storage_acl" {
+  description = "If `true`, storage account network rules will be activated with Deny default statement."
+  type        = bool
+}
diff --git a/examples/transit_vnet_common/README.md b/examples/transit_vnet_common/README.md
@@ -73,6 +73,7 @@ $ terraform apply
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. If not provided, it will be auto-generated. | `string` | `""` | no |
 | <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | Definition of Route Tables to create. Refer to the `vnet` module documentation for more information. | `any` | n/a | yes |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
+| <a name="input_storage_acl"></a> [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with Deny default statement. | `bool` | n/a | yes |
 | <a name="input_storage_share_name"></a> [storage\_share\_name](#input\_storage\_share\_name) | Name of storage share to be created that holds `files` for bootstrapping. | `string` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Definition of Subnets to create. Refer to the `vnet` module documentation for more information. | `any` | n/a | yes |
 | <a name="input_username"></a> [username](#input\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no |

diff --git a/examples/transit_vnet_common/example.tfvars b/examples/transit_vnet_common/example.tfvars
@@ -66,6 +66,7 @@ common_vmseries_version = "9.1.3"
 common_vmseries_sku     = "bundle1"
 storage_account_name    = "pantfstorage"
 storage_share_name      = "bootstrapshare"
+storage_acl             = false
 
 files = {
   "files/authcodes"    = "license/authcodes" # authcode is required only with common_vmseries_sku = "byol"

diff --git a/examples/transit_vnet_common/main.tf b/examples/transit_vnet_common/main.tf
@@ -106,6 +106,7 @@ module "bootstrap" {
   storage_account_name = var.storage_account_name
   storage_share_name   = var.storage_share_name
   files                = var.files
+  storage_acl          = var.storage_acl
 }
 
 # Common VM-Series for handling:
@@ -146,13 +147,13 @@ module "common_vmseries" {
       name                 = "${each.key}-public"
       subnet_id            = lookup(module.vnet.subnet_ids, "subnet-public", null)
       public_ip_address_id = azurerm_public_ip.public[each.key].id
-      lb_backend_pool_id   = module.inbound_lb.backend_pool_id
+      lb_backend_pool_id   = try(module.inbound_lb.backend_pool_id, null)
       enable_backend_pool  = true
     },
     {
       name                = "${each.key}-private"
       subnet_id           = lookup(module.vnet.subnet_ids, "subnet-private", null)
-      lb_backend_pool_id  = module.outbound_lb.backend_pool_id
+      lb_backend_pool_id  = try(module.outbound_lb.backend_pool_id, null)
       enable_backend_pool = true
 
       # Optional static private IP

diff --git a/examples/transit_vnet_common/variables.tf b/examples/transit_vnet_common/variables.tf
@@ -195,4 +195,9 @@ variable "avzones" {
   EOF
   default     = []
   type        = list(string)
+}
+
+variable "storage_acl" {
+  description = "If `true`, storage account network rules will be activated with Deny default statement."
+  type        = bool
 }
diff --git a/examples/transit_vnet_dedicated/README.md b/examples/transit_vnet_dedicated/README.md
@@ -84,6 +84,7 @@ terraform ouput -json password
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. If not provided, it will be auto-generated. | `string` | `""` | no |
 | <a name="input_route_tables"></a> [route\_tables](#input\_route\_tables) | Map of Route Tables to create. Refer to the `vnet` module documentation for more information. | `any` | n/a | yes |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
+| <a name="input_storage_acl"></a> [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with Deny default statement. | `bool` | n/a | yes |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of Subnets to create. Refer to the `vnet` module documentation for more information. | `any` | n/a | yes |
 | <a name="input_username"></a> [username](#input\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no |
 | <a name="input_virtual_network_name"></a> [virtual\_network\_name](#input\_virtual\_network\_name) | Name of the Virtual Network to create. | `string` | n/a | yes |

diff --git a/examples/transit_vnet_dedicated/example.tfvars b/examples/transit_vnet_dedicated/example.tfvars
@@ -77,6 +77,7 @@ common_vmseries_sku         = "bundle1"
 storage_account_name        = "pantfstorage"
 inbound_storage_share_name  = "ibbootstrapshare"
 outbound_storage_share_name = "obbootstrapshare"
+storage_acl                 = false
 
 inbound_files = {
   "inbound_files/authcodes"    = "license/authcodes" # this line is only needed for common_vmseries_sku  = "byol"

diff --git a/examples/transit_vnet_dedicated/main.tf b/examples/transit_vnet_dedicated/main.tf
@@ -106,6 +106,7 @@ module "bootstrap" {
   storage_account_name = var.storage_account_name
   storage_share_name   = var.inbound_storage_share_name
   files                = var.inbound_files
+  storage_acl          = var.storage_acl
 }
 
 # The file share for Outbound VM-Series.
@@ -117,6 +118,7 @@ module "outbound_bootstrap" {
   storage_account_name   = module.bootstrap.storage_account.name
   storage_share_name     = var.outbound_storage_share_name
   files                  = var.outbound_files
+  storage_acl            = var.storage_acl
 
   depends_on = [module.bootstrap]
 }
@@ -155,7 +157,7 @@ module "inbound_vmseries" {
     {
       name                = "${each.key}-public"
       subnet_id           = lookup(module.vnet.subnet_ids, "subnet-public", null)
-      lb_backend_pool_id  = module.inbound_lb.backend_pool_id
+      lb_backend_pool_id  = try(module.inbound_lb.backend_pool_id, null)
       enable_backend_pool = true
     },
     {
@@ -215,7 +217,7 @@ module "outbound_vmseries" {
     {
       name                = "${each.key}-private"
       subnet_id           = lookup(module.vnet.subnet_ids, "subnet-private", null)
-      lb_backend_pool_id  = module.outbound_lb.backend_pool_id
+      lb_backend_pool_id  = try(module.outbound_lb.backend_pool_id, null)
       enable_backend_pool = true
 
       # Optional static private IP

diff --git a/examples/transit_vnet_dedicated/variables.tf b/examples/transit_vnet_dedicated/variables.tf
@@ -230,4 +230,9 @@ variable "avzones" {
   EOF
   default     = []
   type        = list(string)
+}
+
+variable "storage_acl" {
+  description = "If `true`, storage account network rules will be activated with Deny default statement."
+  type        = bool
 }
diff --git a/examples/vmseries/README.md b/examples/vmseries/README.md
@@ -76,6 +76,7 @@ terraform destroy
 | <a name="input_location"></a> [location](#input\_location) | The Azure region to use. | `string` | n/a | yes |
 | <a name="input_resource_group_name"></a> [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group to create. | `string` | n/a | yes |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
+| <a name="input_storage_acl"></a> [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with Deny defaul statement. | `bool` | n/a | yes |
 | <a name="input_storage_share_name"></a> [storage\_share\_name](#input\_storage\_share\_name) | Name of storage share to be created that holds `files` for bootstrapping. | `string` | n/a | yes |
 | <a name="input_username"></a> [username](#input\_username) | Initial administrative username. Mind the [Azure-imposed restrictions](https://docs.microsoft.com/en-us/azure/virtual-machines/linux/faq#what-are-the-username-requirements-when-creating-a-vm). | `string` | n/a | yes |
 | <a name="input_vm_series_version"></a> [vm\_series\_version](#input\_vm\_series\_version) | VMSeries PanOS Version | `string` | `"10.1.0"` | no |

diff --git a/examples/vmseries/example.tfvars b/examples/vmseries/example.tfvars
@@ -11,6 +11,7 @@ vm_series_version = "10.1.5"
 
 storage_account_name = "pantfstoragep"
 storage_share_name   = "ibootstrapshare"
+storage_acl          = false
 
 files = {
   "files/authcodes"    = "license/authcodes" # authcode is required only with common_vmseries_sku = "byol"

diff --git a/examples/vmseries/main.tf b/examples/vmseries/main.tf
@@ -78,4 +78,5 @@ module "bootstrap" {
   storage_account_name = var.storage_account_name
   storage_share_name   = var.storage_share_name
   files                = var.files
+  storage_acl          = var.storage_acl
 }
diff --git a/examples/vmseries/variables.tf b/examples/vmseries/variables.tf
@@ -62,4 +62,9 @@ variable "avzones" {
   EOF
   default     = []
   type        = list(string)
+}
+
+variable "storage_acl" {
+  description = "If `true`, storage account network rules will be activated with Deny defaul statement."
+  type        = bool
 }
diff --git a/examples/vmseries_scaleset/README.md b/examples/vmseries_scaleset/README.md
@@ -129,6 +129,7 @@ terraform destroy
 | <a name="input_create_inbound_resource_group"></a> [create\_inbound\_resource\_group](#input\_create\_inbound\_resource\_group) | If true, create a new Resource Group for inbound VM-Series. Otherwise use a pre-existing group. | `bool` | `true` | no |
 | <a name="input_create_outbound_resource_group"></a> [create\_outbound\_resource\_group](#input\_create\_outbound\_resource\_group) | If true, create a new Resource Group for outbound VM-Series. Otherwise use a pre-existing group. | `bool` | `true` | no |
 | <a name="input_create_virtual_network"></a> [create\_virtual\_network](#input\_create\_virtual\_network) | If true, create the Virtual Network, otherwise just use a pre-existing network. | `bool` | `true` | no |
+| <a name="input_disable_password_authentication"></a> [disable\_password\_authentication](#input\_disable\_password\_authentication) | If true, disables password-based authentication on VM-Series instances. | `bool` | `true` | no |
 | <a name="input_enable_zones"></a> [enable\_zones](#input\_enable\_zones) | If true, Public IP addresses will have `Zone-Redundant` setting, otherwise `No-Zone`. The latter is intended for the regions that do not yet support Availability Zones. | `bool` | `true` | no |
 | <a name="input_inbound_count_maximum"></a> [inbound\_count\_maximum](#input\_inbound\_count\_maximum) | Maximal number of inbound VM-Series to scale out to. | `number` | `2` | no |
 | <a name="input_inbound_count_minimum"></a> [inbound\_count\_minimum](#input\_inbound\_count\_minimum) | Minimal number of inbound VM-Series to deploy. | `number` | `1` | no |
@@ -167,7 +168,10 @@ terraform destroy
 | <a name="input_scaleout_statistic"></a> [scaleout\_statistic](#input\_scaleout\_statistic) | Aggregation to use within each minute (the time grain) for metrics coming from different virtual machines. Possible values are Average, Min and Max. | `string` | `"Max"` | no |
 | <a name="input_scaleout_time_aggregation"></a> [scaleout\_time\_aggregation](#input\_scaleout\_time\_aggregation) | Specifies how the metric should be combined over the time `scaleout_window_minutes`. Possible values are Average, Count, Maximum, Minimum, Last and Total. | `string` | `"Maximum"` | no |
 | <a name="input_scaleout_window_minutes"></a> [scaleout\_window\_minutes](#input\_scaleout\_window\_minutes) | This is amount of time in minutes that autoscale engine will look back for metrics. For example, 10 minutes means that every time autoscale runs,<br>it will query metrics for the past 10 minutes. This allows metrics to stabilize and avoids reacting to transient spikes.<br>Must be between 5 and 720 minutes. | `number` | `10` | no |
+| <a name="input_ssh_key"></a> [ssh\_key](#input\_ssh\_key) | Administrator user SSH key | `string` | `null` | no |
 | <a name="input_storage_account_name"></a> [storage\_account\_name](#input\_storage\_account\_name) | Default name of the storage account to create.<br>The name you choose must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters. | `string` | `"pantfstorage"` | no |
+| <a name="input_storage_acl"></a> [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with Deny defaul statement. | `bool` | n/a | yes |
+| <a name="input_storage_allow_inbound_public_ips"></a> [storage\_allow\_inbound\_public\_ips](#input\_storage\_allow\_inbound\_public\_ips) | List of IP CIDR ranges (like `["23.23.23.23"]`) that are allowed to access the storage.<br>Only public IPs are allowed - RFC1918 address space is not permitted. | `list(string)` | `null` | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of Subnets to create. Refer to the `vnet` module documentation for more information. | `any` | n/a | yes |
 | <a name="input_tags"></a> [tags](#input\_tags) | Azure tags to apply to the created cloud resources. A map, for example `{ team = "NetAdmin", costcenter = "CIO42" }` | `map(string)` | `{}` | no |
 | <a name="input_username"></a> [username](#input\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no |

diff --git a/examples/vmseries_scaleset/example.tfvars b/examples/vmseries_scaleset/example.tfvars
@@ -8,6 +8,8 @@ outbound_name_prefix         = "outbound-"
 outbound_lb_name             = "outbound-private-ilb"
 inbound_lb_name              = "inbound-public-elb"
 name_scale_set               = "VMSS" # the suffix
+ssh_key                      = "<admin_ssh_public_key>"
+
 
 tags = {}
 
@@ -43,6 +45,7 @@ subnets = {
   "management" = {
     address_prefixes       = ["10.110.255.0/24"]
     network_security_group = "sg_mgmt"
+    storage_private_access = true
   },
   "outbound_private" = {
     address_prefixes       = ["10.110.0.0/24"]
@@ -125,9 +128,11 @@ scalein_time_aggregation = "Average"
 scalein_window_minutes   = 60
 scalein_cooldown_minutes = 10080
 
-storage_account_name        = "vmssexample"
-inbound_storage_share_name  = "ibbootstrapshare"
-outbound_storage_share_name = "obbootstrapshare"
+storage_account_name             = "vmssexample"
+inbound_storage_share_name       = "ibbootstrapshare"
+outbound_storage_share_name      = "obbootstrapshare"
+storage_allow_inbound_public_ips = ["<public IP 1>", "public IP 2"]
+storage_acl                      = true
 
 inbound_files = {
   # "inbound_files/authcodes"    = "license/authcodes" # this line is only needed for common_vmseries_sku  = "byol"