hashicorp · jackofallops · Aug 10, 2023 · Jun 27, 2023 · Jun 29, 2023 · Jul 3, 2023
@@ -92,6 +92,7 @@ var services = mapOf(
         "nginx" to "Nginx",
         "notificationhub" to "Notification Hub",
         "orbital" to "Orbital",
+        "paloalto" to "Palo Alto",
         "policy" to "Policy",
         "portal" to "Portal",
         "postgres" to "PostgreSQL",

@@ -136,6 +136,8 @@ var serviceTestConfigurationOverrides = mapOf(
         // Network Regional Tire Public IP is only available in
         "network" to testConfiguration(locationOverride = LocationConfiguration("westeurope", "eastus2", "westus", false)),
 
+		"paloalto" to testConfiguration(locationOverride = LocationConfiguration("westeurope", "eastus", "westus", false)),
+
         "policy" to testConfiguration(useAltSubscription = true),
 
         // Private DNS Resolver is only available in certain locations

@@ -0,0 +1,92 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-resources"
+  location = var.location
+}
+
+resource "azurerm_public_ip" "example" {
+  name                = "${var.prefix}-public-ip"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_public_ip" "egress" {
+  name                = "${var.prefix}-public-ip-egress"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_virtual_wan" "example" {
+  name                = "${var.prefix}-virtual-wan"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+}
+
+resource "azurerm_virtual_hub" "example" {
+  name                = "${var.prefix}-virtual-hub"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = azurerm_resource_group.example.location
+  virtual_wan_id      = azurerm_virtual_wan.example.id
+  address_prefix      = "10.0.1.0/24"
+
+  tags = {
+    hubSaaSPreview = "true"
+  }
+}
+
+resource "azurerm_palo_alto_virtual_network_appliance" "example" {
+  name           = "${var.prefix}-nva"
+  virtual_hub_id = azurerm_virtual_hub.example.id
+}
+
+resource "azurerm_palo_alto_next_generation_firewall_virtual_hub_panorama" "example" {
+  name                   = "${var.prefix}-ngfw-vhub"
+  resource_group_name    = azurerm_resource_group.example.name
+  location               = azurerm_resource_group.example.location
+  panorama_base64_config = var.panorama-config
+
+  network_profile {
+    virtual_hub_id               = azurerm_virtual_hub.example.id
+    network_virtual_appliance_id = azurerm_palo_alto_virtual_network_appliance.example.id
+    public_ip_address_ids        = [azurerm_public_ip.example.id]
+    egress_nat_ip_address_ids    = [azurerm_public_ip.egress.id]
+  }
+
+
+  dns_settings {
+    use_azure_dns = true
+  }
+
+  destination_nat {
+    name     = "${var.prefix}DNAT-1"
+    protocol = "TCP"
+    frontend_config {
+      public_ip_address_id = azurerm_public_ip.example.id
+      port                 = 8081
+    }
+    backend_config {
+      public_ip_address = "10.0.1.101"
+      port              = 18081
+    }
+  }
+
+  destination_nat {
+    name     = "${var.prefix}DNAT-2"
+    protocol = "UDP"
+    frontend_config {
+      public_ip_address_id = azurerm_public_ip.example.id
+      port                 = 8082
+    }
+    backend_config {
+      public_ip_address = "10.0.1.102"
+      port              = 18082
+    }
+  }
+}
@@ -0,0 +1,11 @@
+variable "prefix" {
+  description = "The prefix which should be used for all resources in this example"
+}
+
+variable "location" {
+  description = "The Azure Region in which all resources in this example should be created."
+}
+
+variable "panorama-config" {
+  description = "The Panorama supplied, Base64 Encoded Registration Configuration"
+}
@@ -0,0 +1,158 @@
+provider "azurerm" {
+  features {}
+}
+
+resource "azurerm_resource_group" "example" {
+  name     = "${var.prefix}-resources"
+  location = var.location
+}
+
+resource "azurerm_public_ip" "example" {
+  name                = "${var.prefix}-public-ip"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_public_ip" "egress" {
+  name                = "${var.prefix}-public-ip-egress"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+  allocation_method   = "Static"
+  sku                 = "Standard"
+}
+
+resource "azurerm_network_security_group" "example" {
+  name                = "${var.prefix}SecurityGroup1"
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_virtual_network" "example" {
+  name                = "${var.prefix}-virtual-network"
+  address_space       = ["10.0.0.0/16"]
+  location            = azurerm_resource_group.example.location
+  resource_group_name = azurerm_resource_group.example.name
+
+  tags = {
+    environment = "ManualTest"
+  }
+}
+
+resource "azurerm_subnet" "trust" {
+  name                 = "${var.prefix}-trust-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.1.0/24"]
+
+  delegation {
+    name = "trusted"
+
+    service_delegation {
+      name = "PaloAltoNetworks.Cloudngfw/firewalls"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
+    }
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "trust" {
+  subnet_id                 = azurerm_subnet.trust.id
+  network_security_group_id = azurerm_network_security_group.example.id
+}
+
+resource "azurerm_subnet" "untrust" {
+  name                 = "${var.prefix}-untrust-subnet"
+  resource_group_name  = azurerm_resource_group.example.name
+  virtual_network_name = azurerm_virtual_network.example.name
+  address_prefixes     = ["10.0.2.0/24"]
+
+  delegation {
+    name = "untrusted"
+
+    service_delegation {
+      name = "PaloAltoNetworks.Cloudngfw/firewalls"
+      actions = [
+        "Microsoft.Network/virtualNetworks/subnets/join/action",
+      ]
+    }
+  }
+}
+
+resource "azurerm_subnet_network_security_group_association" "untrust" {
+  subnet_id                 = azurerm_subnet.untrust.id
+  network_security_group_id = azurerm_network_security_group.example.id
+}
+
+resource "azurerm_palo_alto_local_rulestack" "example" {
+  name                = "${var.prefix}-rulestack"
+  resource_group_name = azurerm_resource_group.example.name
+  location            = "westeurope"
+}
+
+resource "azurerm_palo_alto_local_rulestack_rule" "example" {
+  name         = "${var.prefix}-rulestack-rule"
+  rulestack_id = azurerm_palo_alto_local_rulestack.example.id
+  priority     = 9999
+  action       = "DenySilent"
+
+  applications = ["any"]
+
+  destination {
+    cidrs = ["any"]
+  }
+
+  source {
+    cidrs = ["any"]
+  }
+}
+
+resource "azurerm_palo_alto_next_generation_firewall_virtual_network_local_rulestack" "example" {
+  name                = "${var.prefix}-ngfw-vnet-lrs"
+  resource_group_name = azurerm_resource_group.example.name
+  rulestack_id        = azurerm_palo_alto_local_rulestack.example.id
+
+  network_profile {
+    public_ip_address_ids     = [azurerm_public_ip.example.id]
+    egress_nat_ip_address_ids = [azurerm_public_ip.egress.id]
+
+    vnet_configuration {
+      virtual_network_id  = azurerm_virtual_network.example.id
+      trusted_subnet_id   = azurerm_subnet.trust.id
+      untrusted_subnet_id = azurerm_subnet.untrust.id
+    }
+  }
+
+
+  dns_settings {
+    use_azure_dns = true
+  }
+
+  destination_nat {
+    name     = "${var.prefix}DNAT-1"
+    protocol = "TCP"
+    frontend_config {
+      public_ip_address_id = azurerm_public_ip.example.id
+      port                 = 8081
+    }
+    backend_config {
+      public_ip_address = "10.0.1.101"
+      port              = 18081
+    }
+  }
+
+  destination_nat {
+    name     = "${var.prefix}DNAT-2"
+    protocol = "UDP"
+    frontend_config {
+      public_ip_address_id = azurerm_public_ip.example.id
+      port                 = 8082
+    }
+    backend_config {
+      public_ip_address = "10.0.1.102"
+      port              = 18082
+    }
+  }
+}
@@ -0,0 +1,7 @@
+variable "prefix" {
+  description = "The prefix which should be used for all resources in this example"
+}
+
+variable "location" {
+  description = "The Azure Region in which all resources in this example should be created."
+}
@@ -109,6 +109,7 @@ import (
 	nginx "github.com/hashicorp/terraform-provider-azurerm/internal/services/nginx/client"
 	notificationhub "github.com/hashicorp/terraform-provider-azurerm/internal/services/notificationhub/client"
 	orbital "github.com/hashicorp/terraform-provider-azurerm/internal/services/orbital/client"
+	paloalto "github.com/hashicorp/terraform-provider-azurerm/internal/services/paloalto/client"
 	policy "github.com/hashicorp/terraform-provider-azurerm/internal/services/policy/client"
 	portal "github.com/hashicorp/terraform-provider-azurerm/internal/services/portal/client"
 	postgres "github.com/hashicorp/terraform-provider-azurerm/internal/services/postgres/client"
@@ -240,6 +241,7 @@ type Client struct {
 	Nginx                        *nginx2.Client
 	NotificationHubs             *notificationhub.Client
 	Orbital                      *orbital.Client
+	PaloAlto                     *paloalto.Client
 	Policy                       *policy.Client
 	Portal                       *portal.Client
 	Postgres                     *postgres.Client
@@ -512,6 +514,9 @@ func (client *Client) Build(ctx context.Context, o *common.ClientOptions) error
 	if client.Policy, err = policy.NewClient(o); err != nil {
 		return fmt.Errorf("building clients for Policy: %+v", err)
 	}
+	if client.PaloAlto, err = paloalto.NewClient(o); err != nil {
+		return fmt.Errorf("building clients for PaloAlto: %+v", err)
+	}
 	if client.Portal, err = portal.NewClient(o); err != nil {
 		return fmt.Errorf("building clients for Portal: %+v", err)
 	}

@@ -94,6 +94,7 @@ import (
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/nginx"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/notificationhub"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/orbital"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/services/paloalto"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/policy"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/portal"
 	"github.com/hashicorp/terraform-provider-azurerm/internal/services/postgres"
@@ -180,6 +181,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration {
 		networkfunction.Registration{},
 		newrelic.Registration{},
 		nginx.Registration{},
+		paloalto.Registration{},
 		policy.Registration{},
 		privatednsresolver.Registration{},
 		recoveryservices.Registration{},

@@ -0,0 +1,26 @@
+package client
+
+import (
+	"fmt"
+
+	paloalto_2022_08_29 "github.com/hashicorp/go-azure-sdk/resource-manager/paloaltonetworks/2022-08-29"
+	"github.com/hashicorp/go-azure-sdk/sdk/client/resourcemanager"
+	"github.com/hashicorp/terraform-provider-azurerm/internal/common"
+)
+
+type Client struct {
+	*paloalto_2022_08_29.Client
+}
+
+func NewClient(o *common.ClientOptions) (*Client, error) {
+	client, err := paloalto_2022_08_29.NewClientWithBaseURI(o.Environment.ResourceManager, func(c *resourcemanager.Client) {
+		o.Configure(c, o.Authorizers.ResourceManager)
+	})
+	if err != nil {
+		return nil, fmt.Errorf("building clients for Network: %+v", err)
+	}
+
+	return &Client{
+		Client: client,
+	}, nil
+}