Merge pull request #37 from PaloAltoNetworks/europe

Updated solution playbook/plans and documentation formatting
PaloAltoNetworks · Nov 12, 2019 · 9ddcd08 · 9ddcd08
2 parents 77d23c7 + abb181f
commit 9ddcd08
Show file tree

Hide file tree

Showing 4 changed files with 71 additions and 44 deletions.
diff --git a/configuration/terraform/main.tf b/configuration/terraform/main.tf
@@ -1,21 +1,21 @@
 provider "panos" {}
 
-resource "panos_ethernet_interface" "eth1" {
+resource "panos_ethernet_interface" "untrust" {
   name                      = "ethernet1/1"
   vsys                      = "vsys1"
   mode                      = "layer3"
   enable_dhcp               = true
   create_dhcp_default_route = true
 }
 
-resource "panos_ethernet_interface" "eth2" {
+resource "panos_ethernet_interface" "web" {
   name        = "ethernet1/2"
   vsys        = "vsys1"
   mode        = "layer3"
   enable_dhcp = true
 }
 
-resource "panos_ethernet_interface" "eth3" {
+resource "panos_ethernet_interface" "db" {
   name        = "ethernet1/3"
   vsys        = "vsys1"
   mode        = "layer3"

diff --git a/docs/03-run/validation.rst b/docs/03-run/validation.rst
@@ -9,12 +9,19 @@ In this activity you will:
 - Post a blog article
 - Verify firewall rule matches
 
-The previous two activities had you deploy and configure the infrastructure supporting our WordPress application.  Now it's time to see if everything works as planned.  If so, you should be able to access the application, post a blog article, and verify that the appropriate firewall rules are being hit.  If not, you will need to troubleshoot your configs and make the necessary corrections.
+The previous two activities had you deploy and configure the infrastructure
+supporting our WordPress application.  Now it's time to see if everything
+works as planned.  If so, you should be able to access the application, post
+a blog article, and verify that the appropriate firewall rules are being hit.
+If not, you will need to troubleshoot your configs and make the necessary
+corrections.
 
 
 Access the Apache web server
 ----------------------------
-The web server is using the firewall's untrust interface address in a destination NAT rule.  Run the following commands to determine the IP address of this interface.
+The web server is using the firewall's untrust interface address in a
+destination NAT rule.  Run the following commands to determine the IP
+address of this interface.
 
 `For GCP:`
 
@@ -30,24 +37,31 @@ The web server is using the firewall's untrust interface address in a destinatio
     $ cd ~/multicloud-automation-lab/deployment/aws
     $ terraform output
 
-Open a new tab in your web browser and go to ``http://<web-server-ip-address>``.  You should see the Apache default home page.
+Open a new tab in your web browser and go to ``http://<web-server-ip-address>``.
+You should see the Apache default home page.
 
 .. figure:: apache.png
    :align: center
 
 
 Access the WordPress application
 --------------------------------
-Append ``/wordpress`` to the end of the web server URL and the WordPress installation page should be displayed.
+Append ``/wordpress`` to the end of the web server URL and the WordPress
+installation page should be displayed.
 
 .. figure:: wordpress-home.png
    :align: center
 
-Fill in values of your choosing for the **Site Name**, **Username**, and **Your Email**.  These are only for testing and do not need to be real values.  
+Fill in values of your choosing for the **Site Name**, **Username**, and
+**Your Email**.  These are only for testing and do not need to be real values.
+
+.. note:: Make sure you copy the password that is provided to your clipboard.
+    Otherwise you may not be able to log in once WordPress is installed.
 
 Click **Install WordPress** when you are done.
 
-On the following page, click on **Log In** to log into the WordPress administrator dashboard.
+On the following page, click on **Log In** to log into the WordPress
+administrator dashboard.
 
 .. figure:: proceed.png
    :align: center
@@ -65,14 +79,17 @@ You will then be presented with the WordPress administrator dashboard.
 
 Post a blog article
 -------------------
-Now that you've successfully logged into the WordPress administrator dashboard, let's post an update to the blog.
+Now that you've successfully logged into the WordPress administrator dashboard,
+let's post an update to the blog.
 
-Click on **Write your first blog post** under the **Next Steps** section.  You will be presented with the **Add New Post** editor.
+Click on **Write your first blog post** under the **Next Steps** section.  You
+will be presented with the **Add New Post** editor.
 
 .. figure:: new-post.png
    :align: center
 
-Enter a title for your post and some sample content.  Then click on **Publish** to post the update.
+Enter a title for your post and some sample content.  Then click on **Publish**
+to post the update.
 
 You can then click on **Preview** to see the published blog update.
 
@@ -81,29 +98,39 @@ You can then click on **Preview** to see the published blog update.
 
 Verify firewall rule matches
 ----------------------------
-Now that we've confirmed the WordPress application is working properly, let's see what is happening with our firewall rules.
+Now that we've confirmed the WordPress application is working properly, let's
+see what is happening with our firewall rules.
 
-Log into the firewall administrator web interface at ``https://<firewall-management-ip>`` and navigate to **Policies > Security**.
+Log into the firewall administrator web interface at ``https://<firewall-management-ip>``
+and navigate to **Policies > Security**.
 
-If you scroll to the right you will see details on the security rules that are being hit.
+If you scroll to the right you will see details on the security rules that are
+being hit.
 
 .. figure:: hit-count.png
    :align: center
 
-Scroll back to the left, find the security rule entitled *Allow web inbound*.  Then click on the drop-down menu icon to the right of the rule name and select **Log Viewer*.
+Scroll back to the left, find the security rule entitled *Allow web inbound*.
+Then click on the drop-down menu icon to the right of the rule name and
+select **Log Viewer*.
 
 .. figure:: web-hits.png
    :align: center
 
-You will see all of the logs associated with inbound web traffic.  Notice the applications identified are *web-browsing* and *blog-posting*.
+You will see all of the logs associated with inbound web traffic.  Notice the
+applications identified are *web-browsing* and *blog-posting*.
 
-.. note:: You may find source IPs other than your own as the web server is open to the public and will likely be discovered by web crawlers and other discovery tools aimed at public cloud providers.
+.. note:: You may find source IPs other than your own as the web server is open
+    to the public and will likely be discovered by web crawlers and other discovery
+    tools aimed at public cloud providers.
 
-Navigate back to **Policies > Security** and click on the **Log Viewer** for the *Allow web to db* rule.
+Navigate back to **Policies > Security** and click on the **Log Viewer** for
+the *Allow web to db* rule.
 
 .. figure:: db-hits.png
    :align: center
 
-You will see all of the MySQL (actually MariaDB) database traffic between the WordPress web server and the database backend.
+You will see all of the MySQL (actually MariaDB) database traffic between the
+WordPress web server and the database backend.
 
 
diff --git a/solution/main-aws.tf b/solution/main-aws.tf
@@ -1,6 +1,6 @@
 provider "panos" {}
 
-resource "panos_ethernet_interface" "eth1" {
+resource "panos_ethernet_interface" "untrust" {
   name                      = "ethernet1/1"
   comment                   = "untrust interface"
   vsys                      = "vsys1"
@@ -9,15 +9,15 @@ resource "panos_ethernet_interface" "eth1" {
   create_dhcp_default_route = true
 }
 
-resource "panos_ethernet_interface" "eth2" {
+resource "panos_ethernet_interface" "web" {
   name        = "ethernet1/2"
   comment     = "web interface"
   vsys        = "vsys1"
   mode        = "layer3"
   enable_dhcp = true
 }
 
-resource "panos_ethernet_interface" "eth3" {
+resource "panos_ethernet_interface" "db" {
   name        = "ethernet1/3"
   comment     = "database interface"
   vsys        = "vsys1"
@@ -29,26 +29,26 @@ resource "panos_virtual_router" "lab_vr" {
   name = "default"
 
   interfaces = [
-    "${panos_ethernet_interface.eth1.name}",
-    "${panos_ethernet_interface.eth2.name}",
-    "${panos_ethernet_interface.eth3.name}",
+    "${panos_ethernet_interface.untrust.name}",
+    "${panos_ethernet_interface.web.name}",
+    "${panos_ethernet_interface.db.name}",
   ]
 }
 
-resource "panos_zone" "untrust" {
+resource "panos_zone" "untrust_zone" {
   name       = "untrust-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth1.name}"]
+  interfaces = ["${panos_ethernet_interface.untrust.name}"]
 }
 
-resource "panos_zone" "web" {
+resource "panos_zone" "web_zone" {
   name       = "web-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth2.name}"]
+  interfaces = ["${panos_ethernet_interface.web.name}"]
 }
 
-resource "panos_zone" "database" {
+resource "panos_zone" "db_zone" {
   name       = "db-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth3.name}"]
+  interfaces = ["${panos_ethernet_interface.db.name}"]
 }
diff --git a/solution/main-gcp.tf b/solution/main-gcp.tf
@@ -1,6 +1,6 @@
 provider "panos" {}
 
-resource "panos_ethernet_interface" "eth1" {
+resource "panos_ethernet_interface" "untrust" {
   name                      = "ethernet1/1"
   comment                   = "untrust interface"
   vsys                      = "vsys1"
@@ -9,15 +9,15 @@ resource "panos_ethernet_interface" "eth1" {
   create_dhcp_default_route = true
 }
 
-resource "panos_ethernet_interface" "eth2" {
+resource "panos_ethernet_interface" "web" {
   name        = "ethernet1/2"
   comment     = "web interface"
   vsys        = "vsys1"
   mode        = "layer3"
   enable_dhcp = true
 }
 
-resource "panos_ethernet_interface" "eth3" {
+resource "panos_ethernet_interface" "db" {
   name        = "ethernet1/3"
   comment     = "database interface"
   vsys        = "vsys1"
@@ -29,50 +29,50 @@ resource "panos_virtual_router" "lab_vr" {
   name = "default"
 
   interfaces = [
-    "${panos_ethernet_interface.eth1.name}",
-    "${panos_ethernet_interface.eth2.name}",
-    "${panos_ethernet_interface.eth3.name}",
+    "${panos_ethernet_interface.untrust.name}",
+    "${panos_ethernet_interface.web.name}",
+    "${panos_ethernet_interface.db.name}",
   ]
 }
 
 resource "panos_static_route_ipv4" "outbound" {
   name           = "outbound"
   virtual_router = "${panos_virtual_router.lab_vr.name}"
   destination    = "0.0.0.0/0"
-  interface      = "ethernet1/1"
+  interface      = "${panos_ethernet_interface.untrust.name}"
   next_hop       = "10.5.1.1"
 }
 
 resource "panos_static_route_ipv4" "to-web" {
   name           = "to-web"
   virtual_router = "${panos_virtual_router.lab_vr.name}"
   destination    = "10.5.2.0/24"
-  interface      = "ethernet1/2"
+  interface      = "${panos_ethernet_interface.web.name}"
   next_hop       = "10.5.2.1"
 }
 
 resource "panos_static_route_ipv4" "to-db" {
   name           = "to-db"
   virtual_router = "${panos_virtual_router.lab_vr.name}"
   destination    = "10.5.3.0/24"
-  interface      = "ethernet1/3"
+  interface      = "${panos_ethernet_interface.db.name}"
   next_hop       = "10.5.3.1"
 }
 
 resource "panos_zone" "untrust" {
   name       = "untrust-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth1.name}"]
+  interfaces = ["${panos_ethernet_interface.untrust.name}"]
 }
 
 resource "panos_zone" "web" {
   name       = "web-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth2.name}"]
+  interfaces = ["${panos_ethernet_interface.web.name}"]
 }
 
 resource "panos_zone" "database" {
   name       = "db-zone"
   mode       = "layer3"
-  interfaces = ["${panos_ethernet_interface.eth3.name}"]
+  interfaces = ["${panos_ethernet_interface.db.name}"]
 }