PaloAltoNetworks · pavelrn · Aug 2, 2023 · May 26, 2023 · May 26, 2023 · May 26, 2023
diff --git a/examples/autoscale/README.md b/examples/autoscale/README.md
diff --git a/examples/autoscale/example.tfvars b/examples/autoscale/example.tfvars
@@ -15,3 +15,32 @@ panorama_address        = "1.1.1.1"
 panorama_device_group   = "autoscale-device-group"
 panorama_template_stack = "autoscale-template-stack"
 panorama_vm_auth_key    = "01234567890123456789"
+
+#---------------------------------------------------------------------------------
+# (Optional) Panorama Software Firewall License Plugin
+
+# panorama_auth_key = "_XX__0qweryQWERTYqwertyQWERTGrp"
+
+#---------------------------------------------------------------------------------
+# (Optional) Delicensing Cloud Function
+
+# delicensing_cloud_function_config =   {
+#   name_prefix           = "abc-"
+#   function_name         = "delicensing-cfn"
+#   region                = "us-central1"
+#   bucket_location       = "US"
+#   panorama_address      = "1.1.1.1"
+#   vpc_connector_network = "panorama-vpc"
+#   vpc_connector_cidr    = "10.10.190.0/28"
+# }
+
+#---------------------------------------------------------------------------------
+# (Optional) Test VMs
+
+# test_vms = {
+#   "vm1" = {
+#     "zone" : "us-central1-a"
+#     "machine_type": "e2-micro"
+#   }
+# }
+
diff --git a/examples/autoscale/main.tf b/examples/autoscale/main.tf
@@ -94,6 +94,14 @@ module "vpc_trust" {
       ]
     }
   ]
+
+  routes = [
+    {
+      name              = "default-trust"
+      destination_range = "0.0.0.0/0"
+      next_hop_ilb      = module.intlb.forwarding_rule
+    }
+  ]
 }
 
 # IAM service account for running GCP instances of Palo Alto Networks VM-Series and their GCP plugin access.
@@ -120,14 +128,16 @@ module "autoscale" {
   service_account_email = module.iam_service_account.email
   target_pools          = [module.extlb.target_pool]
 
+  delicensing_cloud_function_config = try(var.delicensing_cloud_function_config, {})
+
   network_interfaces = [
     {
       subnetwork       = module.vpc_untrust.subnets_self_links[0]
       create_public_ip = true
     },
     {
       subnetwork       = module.vpc_mgmt.subnets_self_links[0]
-      create_public_ip = false
+      create_public_ip = true
     },
     {
       subnetwork       = module.vpc_trust.subnets_self_links[0]
@@ -138,7 +148,6 @@ module "autoscale" {
   metadata = {
     type                        = "dhcp-client"
     op-command-modes            = "mgmt-interface-swap"
-    vm-auth-key                 = var.panorama_vm_auth_key
     panorama-server             = var.panorama_address
     dgname                      = var.panorama_device_group
     tplname                     = var.panorama_template_stack
@@ -147,7 +156,11 @@ module "autoscale" {
     dhcp-accept-server-hostname = "yes"
     dhcp-accept-server-domain   = "yes"
     dns-primary                 = "169.254.169.254" # Google DNS required to deliver PAN-OS metrics to Cloud Monitoring
-    dns-secondary               = "4.2.2.2"
+    ssh-keys                    = var.ssh_keys
+    vm-auth-key                 = var.panorama_vm_auth_key
+    authcodes                   = var.authcodes
+    auth-key                    = var.panorama_auth_key
+    plugin-op-commands          = var.panorama_auth_key != null ? "panorama-licensing-mode-on" : null
   }
 
   depends_on = [
@@ -194,3 +207,46 @@ module "mgmt_cloud_nat" {
   router        = "${var.name_prefix}mgmt-router"
   network       = module.vpc_mgmt.network_id
 }
+
+
+#---------------------------------------------------------------------------------
+# The following VM(s) emulate clients
+
+data "google_compute_image" "ubuntu" {
+  family  = "ubuntu-pro-2204-lts"
+  project = "ubuntu-os-pro-cloud"
+}
+
+resource "google_service_account" "test_vm" {
+  count        = length(var.test_vms) > 0 ? 1 : 0
+  account_id   = "${var.name_prefix}test-vm-sa"
+  display_name = "Test VM Service Account"
+}
+
+resource "google_compute_instance" "test_vm" {
+  for_each = var.test_vms
+
+  name         = "${var.name_prefix}${each.key}"
+  machine_type = each.value.machine_type
+  zone         = each.value.zone
+
+  boot_disk {
+    initialize_params {
+      image = data.google_compute_image.ubuntu.id
+      size  = "10"
+    }
+  }
+
+  network_interface {
+    subnetwork = module.vpc_trust.subnets_self_links[0]
+  }
+
+  metadata = {
+    enable-oslogin = true
+  }
+
+  service_account {
+    email  = google_service_account.test_vm[0].email
+    scopes = ["cloud-platform"]
+  }
+}
diff --git a/examples/autoscale/variables.tf b/examples/autoscale/variables.tf
@@ -37,8 +37,14 @@ variable "vmseries_instances_max" {
   default     = 5
 }
 
+variable "ssh_keys" {
+  type        = string
+  default     = ""
+  description = "VM-Series SSH keys. Format: 'admin:<ssh-rsa AAAA...>'"
+}
+
 variable "panorama_address" {
-  description = "The Panorama IP/Domain address.  The Panorama address must be reachable from the management VPC. This build assumes Panorama is reachable via the internet. The management VPC network uses a NAT gateway to communicate to Panorama's external IP addresses."
+  description = "The Panorama IP address/FQDN.  The Panorama must be reachable from the management VPC. This build assumes Panorama is reachable via the internet. The management VPC network uses a NAT gateway to communicate to Panorama's external IP addresses."
   type        = string
 }
 
@@ -55,16 +61,27 @@ variable "panorama_template_stack" {
 variable "panorama_vm_auth_key" {
   description = "Panorama VM authorization key.  To generate, follow this guide https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/bootstrap-the-vm-series-firewall/generate-the-vm-auth-key-on-panorama.html"
   type        = string
+  default     = null
 }
 
+variable "authcodes" {
+  description = "VM-Series authcodes."
+  type        = string
+  default     = null
+}
+
+variable "panorama_auth_key" {
+  description = "Panorama authorization key.  To generate, follow this guide https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management"
+  type        = string
+  default     = null
+}
 
 variable "vmseries_machine_type" {
   description = "(Optional) The instance type for the VM-Series firewalls."
   type        = string
   default     = "n2-standard-4"
 }
 
-
 variable "autoscaler_metrics" {
   description = <<-EOF
   The map with the keys being metrics identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization).
@@ -97,4 +114,73 @@ variable "cidr_trust" {
   description = "The CIDR range of the trust subnetwork."
   type        = string
   default     = "10.0.2.0/28"
+}
+
+#---------------------------------------------------------------------------------
+# The following variables are used for delicensing Cloud Function
+
+variable "delicensing_cloud_function_config" {
+  description = <<-EOF
+  Defining `delicensing_cloud_function_config` enables creation of delicesing cloud function and related resources.
+  The variable contains the following configuration parameters that are related to Cloud Function:
+  - `name_prefix`           - Resource name prefix
+  - `function_name`         - Cloud Function base name
+  - `region`                - Cloud Function region
+  - `bucket_location`       - Cloud Function source code bucket location 
+  - `panorama_address`      - Panorama IP address/FQDN
+  - `vpc_connector_network` - Panorama VPC network Name
+  - `vpc_connector_cidr`    - VPC connector /28 CIDR.
+                              VPC connector will be user for delicensing CFN to access Panorama VPC network.
+
+  Example:
+
+  ```
+  {
+    name_prefix           = "abc-"
+    function_name         = "delicensing-cfn"
+    region                = "us-central1"
+    bucket_location       = "US"
+    panorama_address      = "1.1.1.1"
+    panorama2_address      = null
+    vpc_connector_network = "panorama-vpc"
+    vpc_connector_cidr    = "10.10.190.0/28"
+  }
+  ```
+  EOF
+  type = object({
+    name_prefix           = string
+    function_name         = string
+    region                = string
+    bucket_location       = string
+    panorama_address      = string
+    panorama2_address     = string
+    vpc_connector_network = string
+    vpc_connector_cidr    = string
+  })
+  default = null
+}
+
+#---------------------------------------------------------------------------------
+# The following variables are used for test VMs
+
+variable "test_vms" {
+  description = <<-EOF
+  Test VMs
+
+  Example:
+
+  ```
+  {
+    "vm1" = {
+      "zone" : "us-central1-a"
+      "machine_type": "e2-micro"
+    }
+  }
+  ```
+  EOF
+  type = map(object({
+    zone         = string
+    machine_type = string
+  }))
+  default = {}
 }
diff --git a/modules/autoscale/README.md b/modules/autoscale/README.md
@@ -13,7 +13,9 @@
 
 | Name | Version |
 |------|---------|
+| <a name="provider_archive"></a> [archive](#provider\_archive) | n/a |
 | <a name="provider_google"></a> [google](#provider\_google) | ~> 4.54 |
+| <a name="provider_random"></a> [random](#provider\_random) | n/a |
 
 ### Modules
 
@@ -23,16 +25,30 @@ No modules.
 
 | Name | Type |
 |------|------|
+| [google_cloudfunctions2_function.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloudfunctions2_function) | resource |
 | [google_compute_autoscaler.zonal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler) | resource |
 | [google_compute_instance_group_manager.zonal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group_manager) | resource |
 | [google_compute_instance_template.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template) | resource |
 | [google_compute_region_autoscaler.regional](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_autoscaler) | resource |
 | [google_compute_region_instance_group_manager.regional](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_instance_group_manager) | resource |
+| [google_logging_project_sink.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource |
+| [google_project_iam_member.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
+| [google_project_iam_member.delicensing_cfn_invoker](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource |
 | [google_pubsub_subscription.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
 | [google_pubsub_subscription_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource |
+| [google_pubsub_topic.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
 | [google_pubsub_topic.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
+| [google_pubsub_topic_iam_member.pubsub_sink_member](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic_iam_member) | resource |
+| [google_secret_manager_secret.delicensing_cfn_pano_creds](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/secret_manager_secret) | resource |
+| [google_service_account.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/service_account) | resource |
+| [google_storage_bucket.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket) | resource |
+| [google_storage_bucket_object.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/storage_bucket_object) | resource |
+| [google_vpc_access_connector.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/vpc_access_connector) | resource |
+| [random_id.postfix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
+| [archive_file.delicensing_cfn](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source |
 | [google_compute_default_service_account.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_default_service_account) | data source |
 | [google_compute_zones.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
+| [google_project.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/project) | data source |
 
 ### Inputs
 
@@ -41,6 +57,7 @@ No modules.
 | <a name="input_autoscaler_metrics"></a> [autoscaler\_metrics](#input\_autoscaler\_metrics) | A map with the keys being metrics identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization). Each of the contained objects has attribute `target` which is a numerical threshold for a scale-out or a scale-in. Each zonal group grows until it satisfies all the targets. Additional optional attribute `type` defines the metric as either `GAUGE`, `DELTA_PER_SECOND`, or `DELTA_PER_MINUTE`. For full specification, see the `metric` inside the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `map` | <pre>{<br>  "custom.googleapis.com/VMSeries/panSessionThroughputKbps": {<br>    "target": 700000<br>  },<br>  "custom.googleapis.com/VMSeries/panSessionUtilization": {<br>    "target": 70<br>  }<br>}</pre> | no |
 | <a name="input_cooldown_period"></a> [cooldown\_period](#input\_cooldown\_period) | The number of seconds that the autoscaler should wait before it starts collecting information from a new VM-Series. This prevents the autoscaler from collecting information when the VM-Series is initializing, during which the collected usage would not be reliable. Virtual machine initialization times might vary because of numerous factors. | `number` | `480` | no |
 | <a name="input_create_pubsub_topic"></a> [create\_pubsub\_topic](#input\_create\_pubsub\_topic) | Set to `true` to create a Pub/Sub topic and subscription. The Panorama Google Cloud Plugin can use this Pub/Sub to trigger actions when the VM-Series Instance Group descales. Actions include, removal of VM-Series from Panorama and automatic delicensing (if VM-Series BYOL licensing is used). For more information, please see [Autoscaling the VM-Series on GCP](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/autoscaling-on-google-cloud-platform). | `bool` | `true` | no |
+| <a name="input_delicensing_cloud_function_config"></a> [delicensing\_cloud\_function\_config](#input\_delicensing\_cloud\_function\_config) | Defining `delicensing_cloud_function_config` enables creation of delicesing cloud function and related resources.<br>The variable contains the following configuration parameters that are related to Cloud Function:<br>- `name_prefix`           - Resource name prefix<br>- `function_name`         - Cloud Function base name<br>- `region`                - Cloud Function region<br>- `bucket_location`       - Cloud Function source code bucket location <br>- `panorama_address`      - Panorama IP address/FQDN<br>- `panorama2_address`     - Panorama 2 IP address/FQDN. Set if Panorama is in HA mode<br>- `vpc_connector_network` - Panorama VPC network Name<br>- `vpc_connector_cidr`    - VPC connector /28 CIDR.<br>                            VPC connector will be user for delicensing CFN to access Panorama VPC network.<br> <br><br>Example:<pre>{<br>  name_prefix           = "abc-"<br>  function_name         = "delicensing-cfn"<br>  region                = "europe-central1"<br>  bucket_location       = "EU"<br>  panorama_address      = "1.1.1.1"<br>  panorama2_address     = ""<br>  vpc_connector_network = "panorama-vpc"<br>  vpc_connector_cidr    = "10.10.190.0/28"<br>}</pre> | <pre>object({<br>    name_prefix           = string<br>    function_name         = string<br>    region                = string<br>    bucket_location       = string<br>    panorama_address      = string<br>    panorama2_address     = string<br>    vpc_connector_network = string<br>    vpc_connector_cidr    = string<br>  })</pre> | `null` | no |
 | <a name="input_disk_type"></a> [disk\_type](#input\_disk\_type) | The disk type that is attached to the instances of the VM-Series firewalls. | `string` | `"pd-ssd"` | no |
 | <a name="input_image"></a> [image](#input\_image) | Link to VM-Series PAN-OS image. Can be either a full self\_link, or one of the shortened forms per the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#image). | `string` | `"https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-1014"` | no |
 | <a name="input_machine_type"></a> [machine\_type](#input\_machine\_type) | The instance type for the VM-Series firewalls. | `string` | `"n2-standard-4"` | no |