From 9c346f09484ea7383110cb04f8b4df735b3d093b Mon Sep 17 00:00:00 2001
From: Greg Freiter
Date: Thu, 4 Apr 2024 17:24:19 -0400
Subject: [PATCH] Additions to panos_security_profile_group, panos_url_filtering_security_profile, panos_custom_data_pattern_object, and panos_data_filtering_security_profile

---
 modules/security_profiles/main.tf | 156 +++++++++++++++++++++++++
 modules/security_profiles/variables.tf | 156 ++++++++++++++++++++++++-
 2 files changed, 311 insertions(+), 1 deletion(-)

diff --git a/modules/security_profiles/main.tf b/modules/security_profiles/main.tf
index 1fe84bf..87ca243 100644
--- a/modules/security_profiles/main.tf
+++ b/modules/security_profiles/main.tf
@@ -6,6 +6,23 @@ locals {
 }
 }
+resource "panos_security_profile_group" "this" {
+ for_each = var.security_profile_groups
+
+ device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+ vsys = local.mode_map[var.mode] == 1 ? var.vsys : null
+ name = each.key
+ antivirus_profile = try(each.value.antivirus_profile, null)
+ anti_spyware_profile = try(each.value.anti_spyware_profile, null)
+ vulnerability_profile = try(each.value.vulnerability_profile, null)
+ url_filtering_profile = try(each.value.url_filtering_profile, null)
+ file_blocking_profile = try(each.value.file_blocking_profile, null)
+ data_filtering_profile = try(each.value.data_filtering_profile, null)
+ wildfire_analysis_profile = try(each.value.wildfire_analysis_profile, null)
+ gtp_profile = try(each.value.gtp_profile, null)
+ sctp_profile = try(each.value.sctp_profile, null)
+}
+
 # Antivirus profiles
 resource "panos_antivirus_security_profile" "this" {
 for_each = var.antivirus_profiles
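Review bot: `panos_security_profile_group.this` receives its member profiles as plain names from `var.security_profile_groups`, so Terraform has no dependency edge toward the profile resources this module creates (`panos_antivirus_security_profile.this`, `panos_url_filtering_security_profile.this` and the rest), and on a fresh apply the group can be sent to the device before the profile it names exists. The data filtering resource added later in this patch handles the same situation with `depends_on = [ panos_custom_data_pattern_object.this ]`; the group should carry a matching `depends_on` that lists every profile resource of this module it can reference. Separately, the `try(each.value.<x>, null)` wrappers are redundant, because each attribute is declared `optional(string)` in `variables.tf` and is already null when the key is absent, so `antivirus_profile = each.value.antivirus_profile` (and likewise for the others) says the same thing without hiding typos in the attribute name.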
@@ -236,6 +253,145 @@ resource "panos_wildfire_analysis_security_profile" "this" {
 }
 }
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "panos_url_filtering_security_profile" "this" {
+ for_each = var.url_filtering_profiles
+
+ device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+ vsys = local.mode_map[var.mode] == 1 ? var.vsys : null
+
+ name = each.key
+ description = try(each.value.description, null)
+
+ allow_categories = each.value.allow_categories
+ alert_categories = each.value.alert_categories
+ block_categories = each.value.block_categories
+ continue_categories = each.value.continue_categories
+ override_categories = each.value.override_categories
+ track_container_page = each.value.track_container_page
+ log_container_page_only = each.value.log_container_page_only
+ safe_search_enforcement = each.value.safe_search_enforcement
+ log_http_header_xff = each.value.log_http_header_xff
+ log_http_header_user_agent = each.value.log_http_header_user_agent
+ log_http_header_referer = each.value.log_http_header_referer
+ ucd_mode = each.value.ucd_mode
+ ucd_mode_group_mapping = each.value.ucd_mode_group_mapping
+ ucd_log_severity = each.value.ucd_log_severity
+ ucd_allow_categories = each.value.ucd_allow_categories
+ ucd_alert_categories = each.value.ucd_alert_categories
+ ucd_block_categories = each.value.ucd_block_categories
+ ucd_continue_categories = each.value.ucd_continue_categories
+
+ dynamic "http_header_insertion" {
+ for_each = each.value.http_header_insertion
+
+ content {
+ name = http_header_insertion.value.name
+ type = http_header_insertion.value.type
+ domains = http_header_insertion.value.domains
+
+ dynamic "http_header" {
+ for_each = each.value.http_header_insertion.http_header
+ content {
+ name = http_header.value.name
+ header = http_header.value.header
+ value = http_header.value.value
+ log = http_header.value.log
+ }
+ }
+ }
+ }
+ dynamic "machine_learning_model" {
+ for_each =
each.value.machine_learning_model
+
+ content {
+ model = machine_learning_model.value.model
+ action = machine_learning_model.value.action
+ }
+ }
+
+ machine_learning_exceptions = each.value.machine_learning_exceptions
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "panos_data_filtering_security_profile" "this" {
+ for_each = var.data_filtering_profiles
+
+ device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+ vsys = local.mode_map[var.mode] == 1 ? var.vsys : null
+
+ name = each.key
+ description = try(each.value.description, null)
+
+ data_capture = each.value.data_capture
+
+ dynamic "rule" {
+ for_each = each.value.rule
+
+ content {
+ data_pattern = rule.value.data_pattern
+ applications = rule.value.applications
+ file_types = rule.value.file_types
+ direction = rule.value.direction
+ alert_threshold = rule.value.alert_threshold
+ block_threshold = rule.value.block_threshold
+ log_severity = rule.value.log_severity
+ }
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+ depends_on = [ panos_custom_data_pattern_object.this ]
+}
+
+
+resource "panos_custom_data_pattern_object" "this" {
+ for_each = var.data_pattern_objects
+
+ device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+ vsys = local.mode_map[var.mode] == 1 ?
var.vsys : null
+
+ name = each.key
+ description = try(each.value.description, null)
+
+ type = each.value.type
+
+ dynamic "predefined_pattern" {
+ for_each = each.value.predefined_pattern
+
+ content {
+ name = predefined_pattern.value.name
+ file_types = predefined_pattern.value.file_types
+ }
+ }
+ dynamic "regex" {
+ for_each = each.value.regex
+
+ content {
+ name = regex.value.name
+ file_types = regex.value.file_types
+ regex = regex.value.regex
+ }
+ }
+ dynamic "file_property" {
+ for_each = each.value.file_property
+
+ content {
+ name = file_property.value.name
+ file_type = file_property.value.file_type
+ file_property = file_property.value.file_property
+ property_value = file_property.value.property_value
+ }
+ }
+
 lifecycle {
 create_before_destroy = true
 }
diff --git a/modules/security_profiles/variables.tf b/modules/security_profiles/variables.tf
index ef4b134..e37b9e3 100644
--- a/modules/security_profiles/variables.tf
+++ b/modules/security_profiles/variables.tf
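Review bot: The nested `dynamic "http_header"` block inside `panos_url_filtering_security_profile.this` iterates `each.value.http_header_insertion.http_header`, but `each.value.http_header_insertion` is the whole list of insertion entries declared in `variables.tf`, so this expression cannot resolve as written; the iterator of the enclosing block is what should drive it: `for_each = http_header_insertion.value.http_header`. Without that fix no header-insertion entry can be applied, which matters because these headers are what the firewall injects into outbound requests for tenant-restriction style controls. In `panos_custom_data_pattern_object.this`, `type = each.value.type` (defaulting to `"file-properties"`) and the three `dynamic` pattern blocks are passed independently, so a `regex` list combined with the default type is accepted by the module and presumably only rejected by the device; a `validation` on `var.data_pattern_objects` tying `type` to the populated list would catch that at plan time. The closing brace of `panos_custom_data_pattern_object.this` lies past the end of the hunk.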
@@ -19,6 +19,42 @@ variable "vsys" {
 type = string
 }
+variable "security_profile_groups" {
+ description = <<-EOF
+ Map of security profile groups where the key is name of the security profile group.:
+ - `antivirus_profile`: (optional) The AV profile name.
+ - `anti_spyware_profile`: (optional) Anti Spyware profile name.
+ - `vulnerability_profile`: (optional) Vulnerability profile name.
+ - `url_filtering_profile`: (optional) URL filtering profile name.
+ - `file_blocking_profile`: (optional) File blocking profile name.
+ - `data_filtering_profile`: (optional) Data filtering profile name.
+ - `wildfire_analysis_profile`: (optional) Wildfire analysis profile name.
+ - `gtp_profile`: (optional) GTP profile name.
+ - `sctp_profile`: (optional) SCTP profile name.
+ Example:
+ ```
+ {
+ "myGroup" = {
+ antivirus_profile = "default"
+ anti_spyware_profile = "anti-spyware1"
+ }
+ }
+ ```
+ EOF
+ default = {}
+ type = map(object({
+ antivirus_profile = optional(string)
+ anti_spyware_profile = optional(string)
+ vulnerability_profile = optional(string)
+ url_filtering_profile = optional(string)
+ file_blocking_profile = optional(string)
+ data_filtering_profile = optional(string)
+ wildfire_analysis_profile = optional(string)
+ gtp_profile = optional(string)
+ sctp_profile = optional(string)
+ }))
+}
+
 variable "antivirus_profiles" {
 description = <<-EOF
 List with the Antivirus profile objects. Each item supports following parameters:
@@ -197,7 +233,7 @@ variable "antispyware_profiles" {
 packet_capture = "single-packet"
 }
 ]
- sinkhole_ipv4_address = "72.5.65.111"
+ sinkhole_ipv4_address = "sinkhole.paloaltonetworks.com"
 sinkhole_ipv6_address = "2600:5200::1"
 rules = [
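Review bot: `variable "security_profile_groups"` declares every member `optional(string)` and carries no `validation`, so a group with no profile at all (for example `"myGroup" = {}`) is accepted and pushed to the device as an empty group; a security rule that references such a group then matches traffic with no inspection attached, which is easy to miss because the plan looks clean. A `validation` block requiring at least one non-null member, placed after `type`, turns that into a plan-time error. The description also has a stray colon in `...name of the security profile group.:` and should read `...name of the security profile group:`.

```hcl
  # … unchanged: description, default and type …
  validation {
    condition = alltrue([
      for group in var.security_profile_groups :
      anytrue([for profile in values(group) : profile != null])
    ])
    error_message = "Each security profile group must reference at least one profile."
  }
```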
@@ -657,4 +693,122 @@ variable "wildfire_analysis_profiles" {
 ])
 error_message = "Valid 'analysis' values are: 'public-cloud', 'private-cloud'."
 }
+}
+
+variable "url_filtering_profiles" {
+ description = <<-EOF
+ List of the Url Filtering security profile objects. Each item supports following parameters:
+ - `name`: (required) Identifier of the Url Filtering security profile.
+ - `description`: (optional) The description of the Url Filtering profile.
+
+ Example:
+ ```
+
+ ```
+ EOF
+
+ default = {}
+ type = map(object({
+ description = optional(string)
+ allow_categories = optional(list(string))
+ alert_categories = optional(list(string))
+ block_categories = optional(list(string))
+ continue_categories = optional(list(string))
+ override_categories = optional(list(string))
+ track_container_page = optional(bool)
+ log_container_page_only = optional(bool)
+ safe_search_enforcement = optional(bool)
+ log_http_header_xff = optional(bool)
+ log_http_header_user_agent = optional(bool)
+ log_http_header_referer = optional(bool)
+ # ucd stuff no idea what this is... Skipping for now.
+ ucd_mode = optional(string, "disabled")
+ ucd_mode_group_mapping = optional(string)
+ ucd_log_severity = optional(string)
+ ucd_allow_categories = optional(list(string))
+ ucd_alert_categories = optional(list(string))
+ ucd_block_categories = optional(list(string))
+ ucd_continue_categories = optional(list(string))
+ http_header_insertion = optional(list(object({
+ name = string
+ type = optional(string) # this is a specific list but do not want to bother validation now
+ domains = optional(list(string))
+ http_header = optional(list(object( {
+ name = string
+ header = string
+ value = string
+ log = optional(bool, false)
+ })), [])
+ })), [])
+ machine_learning_model = optional(list(object({
+ model = string
+ action = optional(string, "any")
+ })), [])
+ machine_learning_exceptions = optional(list(string))
+ }))
+
+}
+
+variable "data_filtering_profiles" {
+ description = <<-EOF
+ List of the Data Filtering security profile objects. Each item supports following parameters:
+ - `name`: (required) Identifier of the Data Filtering security profile.
+ - `description`: (optional) The description of the Data Filtering profile.
+
+ Example:
+ ```
+
+ ```
+ EOF
+
+ default = {}
+ type = map(object({
+ description = optional(string)
+ data_capture = optional(bool)
+ rule = optional(list(object({
+ data_pattern = string
+ applications = optional(list(string), ["any"])
+ file_types = optional(list(string), ["any"])
+ direction = optional(string, "both")
+ alert_threshold = optional(number, 0)
+ block_threshold = optional(number, 0)
+ log_severity = optional(string, "informational")
+ })), [])
+ }))
+
+}
+
+variable "data_pattern_objects" {
+ description = <<-EOF
+ List of the Data Pattern objects. Each item supports following parameters:
+ - `name`: (required) Identifier of the Data Pattern object.
+ - `description`: (optional) The description of the Data Pattern object.
+
+ Example:
+ ```
+
+ ```
+ EOF
+
+ default = {}
+ type = map(object({
+ description = optional(string)
+ type = optional(string, "file-properties")
+ predefined_pattern = optional(list(object({
+ name = string
+ file_types = optional(list(string))
+ })), [])
+ regex = optional(list(object({
+ name = string
+ file_types = list(string)
+ regex = string
+ })), [])
+ file_property = optional(list(object({
+ name = string
+ file_type = string
+ file_property = string
+ property_value = string
+ })), [])
+ }))
+
 }
\ No newline at end of file
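Review bot: The comment `# ucd stuff no idea what this is... Skipping for now.` in `url_filtering_profiles` is stale and misleading: the seven `ucd_*` attributes that follow are declared here and, in the `main.tf` hunk of this same patch, wired directly into `panos_url_filtering_security_profile`. Replace it with an accurate one, e.g. `# ucd_*: User Credential Detection (credential-phishing prevention); ucd_mode selects the detection method, "disabled" turns it off.` The descriptions of all three new variables say "List of …" and list `name` as a required item although each is a `map` whose key is the name, and their `Example:` fences are empty; the `security_profile_groups` description added in the same patch is the model to follow. The `# this is a specific list but do not want to bother validation now` remark on `type` records a missing check rather than documenting the attribute; a `validation` block, or at minimum the accepted values spelled out in the description, would serve readers better.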