feat: Remove mode_map var in favor of static internal local value

PaloAltoNetworks · Dec 21, 2023 · 25b4e2d · 25b4e2d
1 parent 5e6a833
commit 25b4e2d
Show file tree

Hide file tree

Showing 51 changed files with 207 additions and 318 deletions.
diff --git a/modules/addresses/README.md b/modules/addresses/README.md
@@ -95,7 +95,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_mode"></a> [mode](#input\_mode) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | `string` | n/a | yes |
-| <a name="input_mode_map"></a> [mode\_map](#input\_mode\_map) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | <pre>object({<br>    panorama = number<br>    ngfw     = number<br>  })</pre> | <pre>{<br>  "ngfw": 1,<br>  "panorama": 0<br>}</pre> | no |
 | <a name="input_device_group"></a> [device\_group](#input\_device\_group) | Used if `var.mode` is `panorama`, defines the device group for the objects. | `string` | `"shared"` | no |
 | <a name="input_vsys"></a> [vsys](#input\_vsys) | Used if `var.mode` is `ngfw`, defines the vsys for the objects. | `string` | `"vsys1"` | no |
 | <a name="input_addresses_bulk_mode"></a> [addresses\_bulk\_mode](#input\_addresses\_bulk\_mode) | Determines whether each address object is managed as a separate `panos_address_object` resource (when set to `false`) or all within a single `panos_address_objects` resource that is dedicated for bulk operations. | `bool` | `false` | no |

diff --git a/modules/addresses/main.tf b/modules/addresses/main.tf
@@ -1,8 +1,16 @@
+locals {
+  mode_map = {
+    panorama = 0
+    ngfw     = 1
+    # cloud_manager = 2 # Not yet supported
+  }
+}
+
 resource "panos_address_object" "this" {
   for_each = var.addresses_bulk_mode ? {} : var.address_objects
 
-  device_group = var.mode_map[var.mode] == 0 ? var.device_group : null
-  vsys         = var.mode_map[var.mode] == 1 ? var.vsys : null
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
 
   name        = each.key
   value       = each.value.value
@@ -16,10 +24,10 @@ resource "panos_address_object" "this" {
 }
 
 resource "panos_address_objects" "this" {
-  for_each = var.addresses_bulk_mode ? toset([for mode in keys(var.mode_map) : mode if mode == var.mode]) : []
+  for_each = var.addresses_bulk_mode ? toset([for mode in keys(local.mode_map) : mode if mode == var.mode]) : []
 
-  device_group = var.mode_map[var.mode] == 0 ? var.device_group : null
-  vsys         = var.mode_map[var.mode] == 1 ? var.vsys : null
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
 
   dynamic "object" {
     for_each = var.address_objects
@@ -39,7 +47,7 @@ resource "panos_address_objects" "this" {
 }
 
 resource "panos_panorama_address_group" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? var.address_groups : {}
+  for_each = local.mode_map[var.mode] == 0 ? var.address_groups : {}
 
   device_group = var.device_group
 
@@ -59,7 +67,7 @@ resource "panos_panorama_address_group" "this" {
 }
 
 resource "panos_address_group" "this" {
-  for_each = var.mode_map[var.mode] == 1 ? var.address_groups : {}
+  for_each = local.mode_map[var.mode] == 1 ? var.address_groups : {}
 
   vsys = var.vsys
 

diff --git a/modules/addresses/variables.tf b/modules/addresses/variables.tf
@@ -7,19 +7,6 @@ variable "mode" {
   }
 }
 
-variable "mode_map" {
-  description = "The mode to use for the modules. Valid values are `panorama` and `ngfw`."
-  default = {
-    panorama = 0
-    ngfw     = 1
-    # cloud_manager = 2 # Not yet supported
-  }
-  type = object({
-    panorama = number
-    ngfw     = number
-  })
-}
-
 variable "device_group" {
   description = "Used if `var.mode` is `panorama`, defines the device group for the objects."
   default     = "shared"

diff --git a/modules/device_groups/README.md b/modules/device_groups/README.md
@@ -74,7 +74,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_mode"></a> [mode](#input\_mode) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | `string` | n/a | yes |
-| <a name="input_mode_map"></a> [mode\_map](#input\_mode\_map) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | <pre>object({<br>    panorama = number<br>    ngfw     = number<br>  })</pre> | <pre>{<br>  "ngfw": 1,<br>  "panorama": 0<br>}</pre> | no |
 | <a name="input_device_groups"></a> [device\_groups](#input\_device\_groups) | Map of device group where the key is name of the device group.<br>  - `serial` - (Required) The serial number of the firewall.<br>  - `parent` - (Optional) The parent device group name. Leaving this empty / unspecified means to move this device group under the "shared" device group.<br>  - `vsys_list` - (Optional) A subset of all available vsys on the firewall that should be in this device group. If the firewall is a virtual firewall, then this parameter should just be omitted.<pre>{<br>  "aws-test-dg" = {<br>    description = "Device group used for AWS cloud"<br>    device_group_entries = {<br>    serial = "1111222233334444"<br>    parent = "clouds"<br>  }<br>}</pre> | <pre>map(object({<br>    description = string<br>    parent      = optional(string)<br>    serial      = optional(list(string), [])<br>    vsys_list   = optional(list(string), [])<br>  }))</pre> | `{}` | no |
 
 ### Outputs

diff --git a/modules/device_groups/main.tf b/modules/device_groups/main.tf
@@ -1,5 +1,14 @@
+locals {
+  mode_map = {
+    panorama = 0
+    ngfw     = 1
+    # cloud_manager = 2 # Not yet supported
+  }
+  dg_entries = flatten([for dk, dv in var.device_groups : [for ds in dv.serial : { dg = dk, serial = ds, vsys_list = dv.vsys_list }]])
+}
+
 resource "panos_device_group" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? var.device_groups : {}
+  for_each = local.mode_map[var.mode] == 0 ? var.device_groups : {}
 
   name        = each.key
   description = each.value.description
@@ -9,12 +18,8 @@ resource "panos_device_group" "this" {
   }
 }
 
-locals {
-  dg_entries = flatten([for dk, dv in var.device_groups : [for ds in dv.serial : { dg = dk, serial = ds, vsys_list = dv.vsys_list }]])
-}
-
 resource "panos_device_group_entry" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? { for i in local.dg_entries : "${i.dg}_${i.serial}" => i } : {}
+  for_each = local.mode_map[var.mode] == 0 ? { for i in local.dg_entries : "${i.dg}_${i.serial}" => i } : {}
 
   device_group = each.value.dg
   serial       = each.value.serial
@@ -28,7 +33,7 @@ resource "panos_device_group_entry" "this" {
 }
 
 resource "panos_device_group_parent" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? { for k, v in var.device_groups : k => v if try(v.parent, null) != null } : {}
+  for_each = local.mode_map[var.mode] == 0 ? { for k, v in var.device_groups : k => v if try(v.parent, null) != null } : {}
 
   device_group = each.key
   parent       = each.value.parent

diff --git a/modules/device_groups/variables.tf b/modules/device_groups/variables.tf
@@ -7,19 +7,6 @@ variable "mode" {
   }
 }
 
-variable "mode_map" {
-  description = "The mode to use for the modules. Valid values are `panorama` and `ngfw`."
-  default = {
-    panorama = 0
-    ngfw     = 1
-    # cloud_manager = 2 # Not yet supported
-  }
-  type = object({
-    panorama = number
-    ngfw     = number
-  })
-}
-
 variable "device_groups" {
   description = <<-EOF
   Map of device group where the key is name of the device group.

diff --git a/modules/interfaces/README.md b/modules/interfaces/README.md
@@ -100,7 +100,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_mode"></a> [mode](#input\_mode) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | `string` | n/a | yes |
-| <a name="input_mode_map"></a> [mode\_map](#input\_mode\_map) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | <pre>object({<br>    panorama = number<br>    ngfw     = number<br>  })</pre> | <pre>{<br>  "ngfw": 1,<br>  "panorama": 0<br>}</pre> | no |
 | <a name="input_template"></a> [template](#input\_template) | The template name. | `string` | `"default"` | no |
 | <a name="input_template_stack"></a> [template\_stack](#input\_template\_stack) | The template stack name. | `string` | `""` | no |
 | <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | Map of the interfaces, where key is the interface's name. Following parameters are available for all interface types:<br>- `type` - (Required) Type of interface. Valid values are `ethernet`,`loopback`,`tunnel`.<br>- `zone` - (Optional) The zone's name<br>- `virtual_router` - (Optional) The virtual router's name<br>- `vsys` - (Optional) The vsys that will use this interface (default: vsys1). This should be something like vsys1 or vsys3.<br>- `static_ips` - (Optional) List of static IPv4 addresses to set for this data interface.<br>- `management_profile` - (Optional) The management profile.<br>- `netflow_profile` - (Optional) The netflow profile.<br>- `mtu` - (Optional) The MTU.<br>- `comment` - (Optional) The interface comment.<br><br>Additional parameters available for `ethernet` and `loopback` interface types:<br>- `adjust_tcp_mss` - (Optional) Adjust TCP MSS (default: false).<br>- `ipv4_mss_adjust` - (Optional, PAN-OS 7.1+) The IPv4 MSS adjust value.<br>- `ipv6_mss_adjust` - (Optional, PAN-OS 7.1+) The IPv6 MSS adjust value.<br><br>Parameters available only for `ethernet` interfaces:<br>- `mode` - (Optional) The interface mode, required for `ethernet` interfaces. This can be any of the following values: layer3, layer2, virtual-wire, tap, ha, decrypt-mirror, or aggregate-group.<br>- `enable_dhcp` - (Optional) Set to true to enable DHCP on this interface.<br>- `create_dhcp_default_route` - (Optional) Set to true to create a DHCP default route.<br>- `dhcp_default_route_metric` - (Optional) The metric for the DHCP default route.<br>- `ipv6_enabled` - (Optional) Set to true to enable IPv6.<br>- `lldp_enabled` - (Optional) Enable LLDP (default: false).<br>- `lldp_profile` - (Optional) LLDP profile.<br>- `lldp_ha_passive_pre_negotiation` - (bool) LLDP HA passive pre-negotiation.<br>- `lacp_ha_passive_pre_negotiation` - (bool) LACP HA passive pre-negotiation.<br>- `link_speed` - (Optional) Link speed. This can be any of the following: 10, 100, 1000, or auto.<br>- `link_duplex` - (Optional) Link duplex setting. This can be full, half, or auto.<br>- `link_state` - (Optional) The link state. This can be up, down, or auto.<br>- `aggregate_group` - (Optional) The aggregate group (applicable for physical firewalls only).<br>- `lacp_port_priority` - (int) LACP port priority.<br>- `decrypt_forward` - (Optional, PAN-OS 8.1+) Enable decrypt forwarding.<br>- `rx_policing_rate` - (Optional, PAN-OS 8.1+) Receive policing rate in Mbps.<br>- `tx_policing_rate` - (Optional, PAN-OS 8.1+) Transmit policing rate in Mbps.<br>- `dhcp_send_hostname_enable` - (Optional, PAN-OS 9.0+) For DHCP layer3 interfaces: enable sending the firewall or a custom hostname to DHCP server<br>- `dhcp_send_hostname_value` - (Optional, PAN-OS 9.0+) For DHCP layer3 interfaces: the interface hostname. Leaving this unspecified with dhcp\_send\_hostname\_enable set means to send the system hostname.<br><br>Example:<pre>{<br>  "ethernet1/1" = {<br>    type                      = "ethernet"<br>    mode                      = "layer3"<br>    management_profile        = "mgmt_default"<br>    link_state                = "up"<br>    enable_dhcp               = true<br>    create_dhcp_default_route = false<br>    comment                   = "mgmt"<br>    virtual_router            = "default"<br>    zone                      = "mgmt"<br>    vsys                      = "vsys1"<br>  }<br>}</pre> | <pre>map(object({<br>    type                            = string<br>    mode                            = optional(string)<br>    zone                            = optional(string)<br>    virtual_router                  = optional(string)<br>    vsys                            = optional(string, "vsys1")<br>    static_ips                      = optional(list(string), [])<br>    enable_dhcp                     = optional(bool, false)<br>    create_dhcp_default_route       = optional(bool, false)<br>    dhcp_default_route_metric       = optional(number)<br>    ipv6_enabled                    = optional(bool)<br>    management_profile              = optional(string)<br>    mtu                             = optional(number)<br>    adjust_tcp_mss                  = optional(bool, false)<br>    netflow_profile                 = optional(string)<br>    lldp_enabled                    = optional(bool, false)<br>    lldp_profile                    = optional(string)<br>    lldp_ha_passive_pre_negotiation = optional(bool)<br>    lacp_ha_passive_pre_negotiation = optional(bool)<br>    link_speed                      = optional(string)<br>    link_duplex                     = optional(string)<br>    link_state                      = optional(string)<br>    aggregate_group                 = optional(string)<br>    comment                         = optional(string)<br>    lacp_port_priority              = optional(number)<br>    ipv4_mss_adjust                 = optional(string)<br>    ipv6_mss_adjust                 = optional(string)<br>    decrypt_forward                 = optional(bool)<br>    rx_policing_rate                = optional(number)<br>    tx_policing_rate                = optional(number)<br>    dhcp_send_hostname_enable       = optional(bool)<br>    dhcp_send_hostname_value        = optional(string)<br>  }))</pre> | `{}` | no |

diff --git a/modules/interfaces/main.tf b/modules/interfaces/main.tf
@@ -1,5 +1,13 @@
+locals {
+  mode_map = {
+    panorama = 0
+    ngfw     = 1
+    # cloud_manager = 2 # Not yet supported
+  }
+}
+
 resource "panos_panorama_ethernet_interface" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "ethernet" } : {}
+  for_each = local.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "ethernet" } : {}
 
   template = var.template
   ### an argument named "template_stack" is not expected here
@@ -40,7 +48,7 @@ resource "panos_panorama_ethernet_interface" "this" {
 }
 
 resource "panos_ethernet_interface" "this" {
-  for_each = var.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "ethernet" } : {}
+  for_each = local.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "ethernet" } : {}
 
   name                            = each.key
   vsys                            = each.value.vsys
@@ -78,7 +86,7 @@ resource "panos_ethernet_interface" "this" {
 }
 
 resource "panos_panorama_loopback_interface" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "loopback" } : {}
+  for_each = local.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "loopback" } : {}
 
   template = var.template
   ### an argument named "template_stack" is not expected here
@@ -100,7 +108,7 @@ resource "panos_panorama_loopback_interface" "this" {
 }
 
 resource "panos_loopback_interface" "this" {
-  for_each = var.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "loopback" } : {}
+  for_each = local.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "loopback" } : {}
 
   name               = each.key
   vsys               = each.value.vsys
@@ -119,7 +127,7 @@ resource "panos_loopback_interface" "this" {
 }
 
 resource "panos_panorama_tunnel_interface" "this" {
-  for_each = var.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "tunnel" } : {}
+  for_each = local.mode_map[var.mode] == 0 ? { for name, intf in var.interfaces : name => intf if intf.type == "tunnel" } : {}
 
   template = var.template
   ### an argument named "template_stack" is not expected here
@@ -138,7 +146,7 @@ resource "panos_panorama_tunnel_interface" "this" {
 }
 
 resource "panos_tunnel_interface" "this" {
-  for_each = var.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "tunnel" } : {}
+  for_each = local.mode_map[var.mode] == 1 ? { for name, intf in var.interfaces : name => intf if intf.type == "tunnel" } : {}
 
   name               = each.key
   vsys               = each.value.vsys
@@ -156,8 +164,8 @@ resource "panos_tunnel_interface" "this" {
 resource "panos_virtual_router_entry" "this" {
   for_each = { for k, v in var.interfaces : "${v.virtual_router}_${k}" => { interface = k, virtual_router = v.virtual_router } if try(v.virtual_router, null) != null }
 
-  template       = var.mode_map[var.mode] == 0 ? (var.template_stack == "" ? var.template : null) : null
-  template_stack = var.mode_map[var.mode] == 0 ? var.template_stack == "" ? null : var.template_stack : null
+  template       = local.mode_map[var.mode] == 0 ? (var.template_stack == "" ? var.template : null) : null
+  template_stack = local.mode_map[var.mode] == 0 ? var.template_stack == "" ? null : var.template_stack : null
 
   virtual_router = try(each.value.virtual_router, "default")
   interface      = each.value.interface
@@ -179,8 +187,8 @@ resource "panos_virtual_router_entry" "this" {
 resource "panos_zone_entry" "this" {
   for_each = { for k, v in var.interfaces : "${v.zone}_${k}" => { interface = k, zone = v.zone, vsys = v.vsys } if try(v.zone, null) != null }
 
-  template       = var.mode_map[var.mode] == 0 ? (var.template_stack == "" ? var.template : null) : null
-  template_stack = var.mode_map[var.mode] == 0 ? var.template_stack == "" ? null : var.template_stack : null
+  template       = local.mode_map[var.mode] == 0 ? (var.template_stack == "" ? var.template : null) : null
+  template_stack = local.mode_map[var.mode] == 0 ? var.template_stack == "" ? null : var.template_stack : null
 
   vsys      = try(each.value.vsys, "vsys1")
   zone      = each.value.zone

diff --git a/modules/interfaces/variables.tf b/modules/interfaces/variables.tf
@@ -7,19 +7,6 @@ variable "mode" {
   }
 }
 
-variable "mode_map" {
-  description = "The mode to use for the modules. Valid values are `panorama` and `ngfw`."
-  default = {
-    panorama = 0
-    ngfw     = 1
-    # cloud_manager = 2 # Not yet supported
-  }
-  type = object({
-    panorama = number
-    ngfw     = number
-  })
-}
-
 variable "template" {
   description = "The template name."
   default     = "default"

diff --git a/modules/ipsec/README.md b/modules/ipsec/README.md
@@ -143,7 +143,6 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_mode"></a> [mode](#input\_mode) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | `string` | n/a | yes |
-| <a name="input_mode_map"></a> [mode\_map](#input\_mode\_map) | The mode to use for the modules. Valid values are `panorama` and `ngfw`. | <pre>object({<br>    panorama = number<br>    ngfw     = number<br>  })</pre> | <pre>{<br>  "ngfw": 1,<br>  "panorama": 0<br>}</pre> | no |
 | <a name="input_template"></a> [template](#input\_template) | The template name. | `string` | `"default"` | no |
 | <a name="input_template_stack"></a> [template\_stack](#input\_template\_stack) | The template stack name. | `string` | `""` | no |
 | <a name="input_ike_crypto_profiles"></a> [ike\_crypto\_profiles](#input\_ike\_crypto\_profiles) | Map of the IKE crypto profiles, where key is the IKE crypto profile's name:<br>- `dh_groups` - (Required, list) List of DH Group entries. Values should have a prefix if group.<br>- `authentications` - (Required, list) List of authentication types. This c<br>- `encryptions` - (Required, list) List of encryption types. Valid values are des, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-gcm (PAN-OS 10.0), and aes-256-gcm (PAN-OS 10.0).<br>- `lifetime_type` - The lifetime type. Valid values are seconds, minutes, hours (the default), and days.<br>- `lifetime_value` - (int) The lifetime value.<br>- `authentication_multiple` - (PAN-OS 7.0+, int) IKEv2 SA reauthentication interval equals authetication-multiple * rekey-lifetime; 0 means reauthentication is disabled<br><br>Example:<pre>{<br>   "AES128_default" = {<br>    dh_groups               = ["group2", "group5"]<br>    authentications         = ["md5", "sha1"]<br>    encryptions             = ["aes-128-cbc", "aes-192-cbc"]<br>    lifetime_type           = "hours"<br>    lifetime_value          = 24<br>    authentication_multiple = 0<br>  }<br>}</pre> | <pre>map(object({<br>    dh_groups               = list(string)<br>    authentications         = list(string)<br>    encryptions             = list(string)<br>    lifetime_type           = optional(string)<br>    lifetime_value          = optional(number)<br>    authentication_multiple = optional(number)<br>  }))</pre> | `{}` | no |