PaloAltoNetworks · gfreit · Apr 4, 2024
diff --git a/modules/security_profiles/main.tf b/modules/security_profiles/main.tf
@@ -6,6 +6,23 @@ locals {
   }
 }
 
+resource "panos_security_profile_group" "this" {
+  for_each = var.security_profile_groups
+
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
+  name              = each.key
+  antivirus_profile = try(each.value.antivirus_profile, null)
+  anti_spyware_profile = try(each.value.anti_spyware_profile, null)
+  vulnerability_profile = try(each.value.vulnerability_profile, null)
+  url_filtering_profile = try(each.value.url_filtering_profile, null)
+  file_blocking_profile = try(each.value.file_blocking_profile, null)
+  data_filtering_profile = try(each.value.data_filtering_profile, null)
+  wildfire_analysis_profile = try(each.value.wildfire_analysis_profile, null)
+  gtp_profile = try(each.value.gtp_profile, null)
+  sctp_profile = try(each.value.sctp_profile, null)
+}
+
 # Antivirus profiles
 resource "panos_antivirus_security_profile" "this" {
   for_each = var.antivirus_profiles
@@ -236,6 +253,145 @@ resource "panos_wildfire_analysis_security_profile" "this" {
     }
   }
 
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "panos_url_filtering_security_profile" "this" {
+  for_each = var.url_filtering_profiles
+
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
+
+  name        = each.key
+  description = try(each.value.description, null)
+
+  allow_categories = each.value.allow_categories
+  alert_categories = each.value.alert_categories
+  block_categories = each.value.block_categories
+  continue_categories = each.value.continue_categories
+  override_categories = each.value.override_categories
+  track_container_page = each.value.track_container_page
+  log_container_page_only = each.value.log_container_page_only
+  safe_search_enforcement = each.value.safe_search_enforcement
+  log_http_header_xff = each.value.log_http_header_xff
+  log_http_header_user_agent = each.value.log_http_header_user_agent
+  log_http_header_referer = each.value.log_http_header_referer
+  ucd_mode = each.value.ucd_mode
+  ucd_mode_group_mapping = each.value.ucd_mode_group_mapping
+  ucd_log_severity = each.value.ucd_log_severity
+  ucd_allow_categories = each.value.ucd_allow_categories
+  ucd_alert_categories = each.value.ucd_alert_categories
+  ucd_block_categories = each.value.ucd_block_categories
+  ucd_continue_categories = each.value.ucd_continue_categories
+
+  dynamic "http_header_insertion" {
+    for_each = each.value.http_header_insertion
+
+    content {
+      name       = http_header_insertion.value.name
+      type       = http_header_insertion.value.type
+      domains    = http_header_insertion.value.domains
+
+      dynamic "http_header" {
+        for_each = each.value.http_header_insertion.http_header
+        content {
+          name = http_header.value.name
+          header = http_header.value.header
+          value = http_header.value.value
+          log = http_header.value.log
+        }
+      }
+    }
+  }
+  dynamic "machine_learning_model" {
+    for_each = each.value.machine_learning_model
+
+    content {
+      model              = machine_learning_model.value.model
+      action            = machine_learning_model.value.action
+    }
+  }
+
+  machine_learning_exceptions = each.value.machine_learning_exceptions
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
+
+resource "panos_data_filtering_security_profile" "this" {
+  for_each = var.data_filtering_profiles
+
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
+
+  name        = each.key
+  description = try(each.value.description, null)
+
+  data_capture = each.value.data_capture
+
+  dynamic "rule" {
+    for_each = each.value.rule
+
+    content {
+      data_pattern       = rule.value.data_pattern
+      applications    = rule.value.applications
+      file_types = rule.value.file_types
+      direction = rule.value.direction
+      alert_threshold = rule.value.alert_threshold
+      block_threshold = rule.value.block_threshold
+      log_severity = rule.value.log_severity
+    }
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+  depends_on = [ panos_custom_data_pattern_object.this ]
+}
+
+
+resource "panos_custom_data_pattern_object" "this" {
+  for_each = var.data_pattern_objects
+
+  device_group = local.mode_map[var.mode] == 0 ? var.device_group : null
+  vsys         = local.mode_map[var.mode] == 1 ? var.vsys : null
+
+  name        = each.key
+  description = try(each.value.description, null)
+
+  type = each.value.type
+
+  dynamic "predefined_pattern" {
+    for_each = each.value.predefined_pattern
+
+    content {
+      name           = predefined_pattern.value.name
+      file_types     = predefined_pattern.value.file_types
+    }
+  }
+  dynamic "regex" {
+    for_each = each.value.regex
+
+    content {
+      name           = regex.value.name
+      file_types     = regex.value.file_types
+      regex          = regex.value.regex
+    }
+  }
+  dynamic "file_property" {
+    for_each = each.value.file_property
+
+    content {
+      name           = file_property.value.name
+      file_type      = file_property.value.file_type
+      file_property  = file_property.value.file_property
+      property_value     = file_property.value.property_value
+    }
+  }
+
   lifecycle {
     create_before_destroy = true
   }

diff --git a/modules/security_profiles/variables.tf b/modules/security_profiles/variables.tf
@@ -19,6 +19,42 @@ variable "vsys" {
   type        = string
 }
 
+variable "security_profile_groups" {
+  description = <<-EOF
+    Map of security profile groups where the key is name of the security profile group.:
+    - `antivirus_profile`: (optional) The AV profile name.
+    - `anti_spyware_profile`: (optional) Anti Spyware profile name.
+    - `vulnerability_profile`: (optional) Vulnerability profile name.
+    - `url_filtering_profile`: (optional) URL filtering profile name.
+    - `file_blocking_profile`: (optional) File blocking profile name.
+    - `data_filtering_profile`: (optional) Data filtering profile name.
+    - `wildfire_analysis_profile`: (optional) Wildfire analysis profile name.
+    - `gtp_profile`: (optional) GTP profile name.
+    - `sctp_profile`: (optional) SCTP profile name.
+    Example:
+    ```
+    {
+      "myGroup" = {
+        antivirus_profile = "default"
+        anti_spyware_profile = "anti-spyware1"
+      }
+    }
+    ```
+    EOF
+    default = {}
+    type = map(object({
+    antivirus_profile = optional(string)
+    anti_spyware_profile = optional(string)
+    vulnerability_profile = optional(string)
+    url_filtering_profile = optional(string)
+    file_blocking_profile = optional(string)
+    data_filtering_profile = optional(string)
+    wildfire_analysis_profile = optional(string)
+    gtp_profile = optional(string)
+    sctp_profile = optional(string)
+  }))
+}
+
 variable "antivirus_profiles" {
   description = <<-EOF
   List with the Antivirus profile objects. Each item supports following parameters:
@@ -197,7 +233,7 @@ variable "antispyware_profiles" {
           packet_capture = "single-packet"
         }
       ]
-      sinkhole_ipv4_address = "72.5.65.111"
+      sinkhole_ipv4_address = "sinkhole.paloaltonetworks.com"
       sinkhole_ipv6_address = "2600:5200::1"
       rules =
       [
@@ -657,4 +693,122 @@ variable "wildfire_analysis_profiles" {
     ])
     error_message = "Valid 'analysis' values are: 'public-cloud', 'private-cloud'."
   }
+}
+
+variable "url_filtering_profiles" {
+  description = <<-EOF
+  List of the Url Filtering security profile objects. Each item supports following parameters:
+  - `name`: (required) Identifier of the Url Filtering security profile.
+  - `description`: (optional) The description of the Url Filtering profile.
+
+  Example:
+  ```
+
+  ```
+  EOF
+
+  default = {}
+  type = map(object({
+    description = optional(string)
+    allow_categories = optional(list(string))
+    alert_categories = optional(list(string))
+    block_categories = optional(list(string))
+    continue_categories = optional(list(string))
+    override_categories = optional(list(string))
+    track_container_page = optional(bool)
+    log_container_page_only = optional(bool)
+    safe_search_enforcement = optional(bool)
+    log_http_header_xff = optional(bool)
+    log_http_header_user_agent = optional(bool)
+    log_http_header_referer = optional(bool)
+    # ucd stuff no idea what this is...  Skipping for now.
+    ucd_mode = optional(string, "disabled")
+    ucd_mode_group_mapping = optional(string)
+    ucd_log_severity = optional(string)
+    ucd_allow_categories = optional(list(string))
+    ucd_alert_categories = optional(list(string))
+    ucd_block_categories = optional(list(string))
+    ucd_continue_categories = optional(list(string))
+    http_header_insertion = optional(list(object({
+      name              = string
+      type              = optional(string) # this is a specific list but do not want to bother validation now
+      domains           = optional(list(string))
+      http_header       = optional(list(object( {
+        name = string
+        header = string
+        value = string
+        log = optional(bool, false)
+      })), [])
+    })), [])
+    machine_learning_model = optional(list(object({
+      model              = string
+      action              = optional(string, "any")
+    })), [])
+    machine_learning_exceptions = optional(list(string))
+  }))
+
+}
+
+variable "data_filtering_profiles" {
+  description = <<-EOF
+  List of the Data Filtering security profile objects. Each item supports following parameters:
+  - `name`: (required) Identifier of the Data Filtering security profile.
+  - `description`: (optional) The description of the Data Filtering profile.
+
+  Example:
+  ```
+
+  ```
+  EOF
+
+  default = {}
+  type = map(object({
+    description = optional(string)
+    data_capture = optional(bool)
+    rule = optional(list(object({
+      data_pattern      = string
+      applications      = optional(list(string), ["any"])
+      file_types        = optional(list(string), ["any"])
+      direction         = optional(string, "both")
+      alert_threshold   = optional(number, 0)
+      block_threshold   = optional(number, 0)
+      log_severity      = optional(string, "informational")
+    })), [])
+  }))
+
+}
+
+variable "data_pattern_objects" {
+  description = <<-EOF
+  List of the Data Pattern objects. Each item supports following parameters:
+  - `name`: (required) Identifier of the Data Pattern object.
+  - `description`: (optional) The description of the Data Pattern object.
+
+  Example:
+  ```
+
+  ```
+  EOF
+
+  default = {}
+  type = map(object({
+    description = optional(string)
+    type = optional(string, "file-properties")
+    predefined_pattern = optional(list(object({
+      name              = string
+      file_types       = optional(list(string))
+    })), [])
+    regex = optional(list(object({
+      name              = string
+      file_types       = list(string)
+      regex            = string
+    })), [])
+    file_property = optional(list(object({
+      name              = string
+      file_type       = string
+      file_property     = string
+      property_value        = string
+    })), [])
+  }))
+
 }