
Redefine the data models for all the models #18

Closed
Tracked by #16
migara opened this issue Mar 22, 2023 · 0 comments
Labels
enhancement New feature or request

migara commented Mar 22, 2023

Addresses

variables

  • device_group
  • addresses
  • address_groups
 {
    # Device group that owns the address objects and groups below.
    "device_group" = "my_device_group"
    # Address groups; each member must be a key of the "addresses" map below
    # ("google_dns" and "cloudflare" are both defined there).
    "address_groups" = {
      "dns" = {
        "members" = [
          "google_dns",
          "cloudflare",
        ]
      }
    }
    # Address objects keyed by name; "type" selects how "value" is interpreted.
    "addresses" = {
      "cloudflare" = {
        "type" = "ip_netmask"
        "value" = "1.1.1.1"
      }
      "google_dns" = {
        "type" = "ip_netmask"
        "value" = "8.8.8.8"
      }
    }
  }

Services

variables

  • device_group
  • services
  • service_groups
  {
    # Device group that owns the service objects and groups below.
    "device_group" = "my_device_group"
    # Service groups; each member must be a key of the "services" map below
    # ("TCP-8000" and "TCP-8443" are both defined there).
    "service_groups" = {
      "my_services" = {
        "members" = [
          "TCP-8000",
          "TCP-8443",
        ]
      }
    }
    # Service objects keyed by name. Ports are given as strings.
    "services" = {
      "TCP-8000" = {
        "destination_port" = "8000"
        "protocol" = "tcp"
      }
      "TCP-8443" = {
        "destination_port" = "8443"
        "protocol" = "tcp"
      }
    }
  }

Tags

variables

  • device_group
  • tags
{
  # Device group that owns the tags below.
  "device_group" = "my_device_group"
  # Tags keyed by name; written with "=" like the other examples on this page
  # (HCL accepts both ":" and "=" in object literals, so this is style only).
  "tags" = {
    "tag_foo" = {
      "color"   = "Blue"
      "comment" = "hello world"
      "vsys"    = "vsys1"
    }
    "tag_bar" = {
      "color" = "Red"
    }
  }
}

Security Policies

  • device_group
  • security_policies
{
  # NOTE(review): the variable list above names "device_group" and
  # "security_policies", but this example starts directly with the rule
  # groups -- presumably this object is the value of "security_policies" and
  # the device group is given alongside it; confirm.
  # Each key is a rule group; "rulebase" selects pre-/post-rulebase and
  # "position_keyword" (only on the second group) places the group.
  "allow_rule_group" = {
    rulebase = "pre-rulebase"
    policies_rules = [
      {
        name = "Allow access to DNS Servers"
        tags     = [
          "Outbound",
          "Managed by Terraform"
        ]
        source_zones                       = ["Trust-L3"]
        source_addresses                   = ["RFC1918_Subnets"]
        # Boolean-like fields are quoted strings in this example, unlike the
        # bool values used in the management_profiles example further down.
        negate_source                      = "false"
        source_users                       = ["any"]
        hip_profiles                       = ["any"]
        destination_zones                  = ["Untrust-L3"]
        destination_addresses              = ["DNS-Servers"]
        negate_destination                 = "false"
        applications                       = ["dns"]
        services                           = ["application-default"]
        categories                         = ["any"]
        action                             = "allow"
        disable_server_response_inspection = "false"
        log_start                          = "false"
        log_end                            = "true"
        disabled                           = "false"
        # Threat-prevention profiles are set on the allow rule only; the
        # deny rule below carries none.
        virus                              = "default"
        spyware                            = "default"
        vulnerability                      = "default"
      }
    ]
  }
  "block_rule_group" = {
    position_keyword = "bottom"
    rulebase = "pre-rulebase"
    policies_rules = [
       {
        name ="Block Some Traffic"
        tags     = [
          "Outbound",
          "Managed by Terraform"
        ]
        source_zones                       = ["Trust-L3"]
        # Literal host address rather than an address object name.
        source_addresses                   = ["10.0.0.100/32"]
        negate_source                      = "false"
        source_users                       = ["any"]
        hip_profiles                       = ["any"]
        destination_zones                  = ["any"]
        destination_addresses              = ["any"]
        negate_destination                 = "false"
        applications                       = ["ssh"]
        services                           = ["any"]
        categories                         = ["any"]
        action                             = "deny"
        disable_server_response_inspection = "false"
        log_start                          = "false"
        log_end                            = "true"
        disabled                           = "false"
      }
    ]
  }
}

NAT Policies

Security Profiles

Management profiles

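# Interface management profiles, keyed by profile name. Each flag enables one
# management service on interfaces that reference the profile; permitted_ips
# limits the sources allowed to reach those services.
variable "management_profiles" {
  description = <<-EOF
  Map of the management profiles, where key is the management profile's name:
  - `ping` - (Optional) Allow ping.
  - `telnet` - (Optional) Allow telnet.
  - `ssh` - (Optional) Allow SSH.
  - `http` - (Optional) Allow HTTP.
  - `http_ocsp` - (Optional) Allow HTTP OCSP.
  - `https` - (Optional) Allow HTTPS.
  - `snmp` - (Optional) Allow SNMP.
  - `response_pages` - (Optional) Allow response pages.
  - `userid_service` - (Optional) Allow User ID service.
  - `userid_syslog_listener_ssl` - (Optional) Allow User ID syslog listener for SSL.
  - `userid_syslog_listener_udp` - (Optional) Allow User ID syslog listener for UDP.
  - `permitted_ips` - (Optional) The list of permitted IP addresses or address ranges for this management profile.

  Example:
  {
    "mgmt_default" = {
      ping           = true
      telnet         = false
      ssh            = true
      http           = false
      https          = true
      snmp           = false
      userid_service = null
      permitted_ips  = ["1.1.1.1/32", "2.2.2.2/32"]
    }
  }
  EOF
  default     = {}
  type = map(object({
    ping                       = optional(bool)
    # telnet and http are cleartext management protocols; the example keeps
    # both disabled.
    telnet                     = optional(bool)
    ssh                        = optional(bool)
    http                       = optional(bool)
    http_ocsp                  = optional(bool)
    https                      = optional(bool)
    snmp                       = optional(bool)
    response_pages             = optional(bool)
    userid_service             = optional(bool)
    userid_syslog_listener_ssl = optional(bool)
    userid_syslog_listener_udp = optional(bool)
    # Documented as (Optional) above, but was typed as a required list(string),
    # which forced every profile to set it. NOTE(review): on PAN-OS an unset
    # permitted-ip list does not restrict source addresses -- confirm, and
    # prefer setting it explicitly as in the example.
    permitted_ips              = optional(list(string))
  }))
}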

Zones

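# Security zones, keyed by zone name.
variable "zones" {
  description = <<-EOF
  Map of the zones, where key is the zone's name:
  - `vsys` - The vsys (default: vsys1)
  - `mode` - (Required) The zone's mode. This can be layer3, layer2, virtual-wire, tap, or tunnel.
  - `zone_profile` - The zone protection profile.
  - `log_setting` - Log setting.
  - `enable_user_id` - Boolean to enable user identification.
  - `interfaces` - List of interfaces to associated with this zone. Leave this undefined if you want to use panos_zone_entry resources.
  - `include_acls` - Users from these addresses/subnets will be identified. This can be an address object, an address group, a single IP address, or an IP address subnet.
  - `exclude_acls` - Users from these addresses/subnets will not be identified. This can be an address object, an address group, a single IP address, or an IP address subnet.

  Example:
  {
    "default" = {
      mode = "layer3"
    }
  }
  EOF
  default     = {}
  type = map(object({
    vsys           = optional(string, "vsys1")
    # Documented as (Required) and checked by the validation below, so it is
    # typed as a plain string rather than optional(string); an unset mode
    # failed the validation before as well.
    mode           = string
    zone_profile   = optional(string)
    log_setting    = optional(string)
    enable_user_id = optional(bool)
    interfaces     = optional(list(string), [])
    include_acls   = optional(list(string))
    exclude_acls   = optional(list(string))
  }))
  validation {
    # alltrue([]) is true, so the empty default passes. The previous condition
    # was `length(var.zones) > 0 && ...`, which rejected the default itself.
    condition     = alltrue([for zone in var.zones : contains(["layer3", "layer2", "virtual-wire", "tap", "tunnel"], zone.mode)])
    error_message = "Valid types of zone's mode are `layer3`, `layer2`, `virtual-wire`, `tap`, or `tunnel`"
  }
}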

Interfaces

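# Data-plane interfaces, keyed by interface name (e.g. "ethernet1/1").
# Zone, virtual router and management profile values refer to the keys of the
# matching maps elsewhere in the model.
variable "interfaces" {
  description = <<-EOF
  Map of the interfaces, where key is the interface's name:
  - `type` - (Required) Type of interface. Valid values are `ethernet`,`loopback`,`tunnel`.
  - `mode` - (Required) The interface mode. This can be any of the following values: layer3, layer2, virtual-wire, tap, ha, decrypt-mirror, or aggregate-group.
  - `zone` - (Required) The zone's name
  - `virtual_router` - (Required) The virtual router's name
  - `vsys` - (Optional) The vsys that will use this interface (default: vsys1). This should be something like vsys1 or vsys3.
  - `static_ips` - (Optional) List of static IPv4 addresses to set for this data interface.
  - `enable_dhcp` - (Optional) Set to true to enable DHCP on this interface.
  - `create_dhcp_default_route` - (Optional) Set to true to create a DHCP default route.
  - `dhcp_default_route_metric` - (Optional) The metric for the DHCP default route.
  - `ipv6_enabled` - (Optional) Set to true to enable IPv6.
  - `management_profile` - (Optional) The management profile.
  - `mtu` - (Optional) The MTU.
  - `adjust_tcp_mss` - (Optional) Adjust TCP MSS (default: false).
  - `netflow_profile` - (Optional) The netflow profile.
  - `lldp_enabled` - (Optional) Enable LLDP (default: false).
  - `lldp_profile` - (Optional) LLDP profile.
  - `lldp_ha_passive_pre_negotiation` - (bool) LLDP HA passive pre-negotiation.
  - `lacp_ha_passive_pre_negotiation` - (bool) LACP HA passive pre-negotiation.
  - `link_speed` - (Optional) Link speed. This can be any of the following: 10, 100, 1000, or auto.
  - `link_duplex` - (Optional) Link duplex setting. This can be full, half, or auto.
  - `link_state` - (Optional) The link state. This can be up, down, or auto.
  - `aggregate_group` - (Optional) The aggregate group (applicable for physical firewalls only).
  - `comment` - (Optional) The interface comment.
  - `lacp_port_priority` - (int) LACP port priority.
  - `ipv4_mss_adjust` - (Optional, PAN-OS 7.1+) The IPv4 MSS adjust value.
  - `ipv6_mss_adjust` - (Optional, PAN-OS 7.1+) The IPv6 MSS adjust value.
  - `decrypt_forward` - (Optional, PAN-OS 8.1+) Enable decrypt forwarding.
  - `rx_policing_rate` - (Optional, PAN-OS 8.1+) Receive policing rate in Mbps.
  - `tx_policing_rate` - (Optional, PAN-OS 8.1+) Transmit policing rate in Mbps.
  - `dhcp_send_hostname_enable` - (Optional, PAN-OS 9.0+) For DHCP layer3 interfaces: enable sending the firewall or a custom hostname to DHCP server
  - `dhcp_send_hostname_value` - (Optional, PAN-OS 9.0+) For DHCP layer3 interfaces: the interface hostname. Leaving this unspecified with dhcp_send_hostname_enable set means to send the system hostname.

  Example:
  {
    "ethernet1/1" = {
      type                      = "ethernet"
      mode                      = "layer3"
      management_profile        = "mgmt_default"
      link_state                = "up"
      enable_dhcp               = true
      create_dhcp_default_route = false
      comment                   = "mgmt"
      virtual_router            = "default"
      zone                      = "mgmt"
      vsys                      = "vsys1"
    }
  }
  EOF
  default     = {}
  type = map(object({
    type                            = string
    mode                            = string
    zone                            = string
    virtual_router                  = string
    vsys                            = optional(string, "vsys1")
    static_ips                      = optional(list(string), [])
    enable_dhcp                     = optional(bool, false)
    create_dhcp_default_route       = optional(bool, false)
    dhcp_default_route_metric       = optional(number)
    ipv6_enabled                    = optional(bool)
    # Key of var.management_profiles; leaving it unset attaches no management
    # services to the interface.
    management_profile              = optional(string)
    mtu                             = optional(number)
    adjust_tcp_mss                  = optional(bool, false)
    netflow_profile                 = optional(string)
    lldp_enabled                    = optional(bool, false)
    lldp_profile                    = optional(string)
    lldp_ha_passive_pre_negotiation = optional(bool)
    lacp_ha_passive_pre_negotiation = optional(bool)
    link_speed                      = optional(string)
    link_duplex                     = optional(string)
    link_state                      = optional(string)
    aggregate_group                 = optional(string)
    comment                         = optional(string)
    lacp_port_priority              = optional(number)
    ipv4_mss_adjust                 = optional(string)
    ipv6_mss_adjust                 = optional(string)
    decrypt_forward                 = optional(bool)
    # Documented as a rate in Mbps but typed as string here; kept as-is
    # because the provider attribute type is not visible on this page.
    rx_policing_rate                = optional(string)
    tx_policing_rate                = optional(string)
    dhcp_send_hostname_enable       = optional(bool)
    dhcp_send_hostname_value        = optional(string)
  }))
  # alltrue([]) is true, so the empty default passes every check below. The
  # previous conditions were `length(var.interfaces) > 0 && ...`, which
  # rejected the default value itself.
  validation {
    condition     = alltrue([for interface in var.interfaces : contains(["layer3", "layer2", "virtual-wire", "tap", "ha", "decrypt-mirror", "aggregate-group"], interface.mode)])
    error_message = "Valid types of mode are `layer3`, `layer2`, `virtual-wire`, `tap`, `ha`, `decrypt-mirror`, or `aggregate-group`"
  }
  validation {
    condition     = alltrue([for interface in var.interfaces : contains(["ethernet", "loopback", "tunnel"], interface.type)])
    error_message = "Valid types of interfaces are `ethernet`,`loopback`,`tunnel`"
  }
  validation {
    # link_state has no default; an unset value is skipped instead of being
    # passed to contains() as null.
    condition     = alltrue([for interface in var.interfaces : contains(["up", "down", "auto"], interface.link_state) if interface.link_state != null])
    error_message = "Valid types of link state are `up`, `down`, `auto`"
  }
  validation {
    condition     = alltrue([for interface in var.interfaces : contains(["10", "100", "1000", "auto"], coalesce(interface.link_speed, "auto"))])
    error_message = "Valid types of link speed are `10`, `100`, `1000`, or `auto`"
  }
  validation {
    condition     = alltrue([for interface in var.interfaces : contains(["full", "half", "auto"], coalesce(interface.link_duplex, "auto"))])
    error_message = "Valid types of link duplex are `full`, `half`, or `auto`"
  }
}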

Virtual routers

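# Virtual routers, keyed by virtual router name. Admin-distance defaults match
# the values stated in the description.
variable "virtual_routers" {
  description = <<-EOF
  Map of the virtual routers, where key is the virtual router's name:
  - `vsys` - The vsys (default: vsys1)
  - `static_dist` - (int) Admin distance - Static (default: 10).
  - `static_ipv6_dist` - (int) Admin distance - Static IPv6 (default: 10).
  - `ospf_int_dist` - (int) Admin distance - OSPF Int (default: 30).
  - `ospf_ext_dist` - (int) Admin distance - OSPF Ext (default: 110).
  - `ospfv3_int_dist` - (int) Admin distance - OSPFv3 Int (default: 30).
  - `ospfv3_ext_dist` - (int) Admin distance - OSPFv3 Ext (default: 110).
  - `ibgp_dist` - (int) Admin distance - IBGP (default: 200).
  - `ebgp_dist` - (int) Admin distance - EBGP (default: 20).
  - `rip_dist` - (int) Admin distance - RIP (default: 120).
  - `enable_ecmp` - (bool) Enable ECMP.
  - `ecmp_max_path` - (int) Maximum number of ECMP paths supported.
  - `ecmp_symmetric_return` - (bool) Allows return packets to egress out of the ingress interface of the flow.
  - `ecmp_strict_source_path` - (bool) Force VPN traffic to exit interface that the source-ip belongs to.
  - `ecmp_load_balance_method` - Load balancing algorithm. Valid values are ip-modulo, ip-hash, weighted-round-robin, or balanced-round-robin.
  - `ecmp_hash_source_only` - (bool) For ecmp_load_balance_method = ip-hash: Only use source address for hash.
  - `ecmp_hash_use_port` - (bool) For ecmp_load_balance_method = ip-hash: Use source/destination port for hash.
  - `ecmp_hash_seed` - (int) For ecmp_load_balance_method = ip-hash: User-specified hash seed.
  - `ecmp_weighted_round_robin_interfaces` - (Map of ints) For ecmp_load_balance_method = weighted-round-robin: Interface weight used in weighted ECMP load balancing.

  Example:
  {
    "default" = {}
  }
  EOF
  default     = {}
  type = map(object({
    vsys                                 = optional(string, "vsys1")
    static_dist                          = optional(number, 10)
    static_ipv6_dist                     = optional(number, 10)
    ospf_int_dist                        = optional(number, 30)
    ospf_ext_dist                        = optional(number, 110)
    ospfv3_int_dist                      = optional(number, 30)
    ospfv3_ext_dist                      = optional(number, 110)
    ibgp_dist                            = optional(number, 200)
    ebgp_dist                            = optional(number, 20)
    rip_dist                             = optional(number, 120)
    enable_ecmp                          = optional(bool)
    ecmp_max_path                        = optional(number)
    ecmp_symmetric_return                = optional(bool)
    ecmp_strict_source_path              = optional(bool)
    ecmp_load_balance_method             = optional(string)
    ecmp_hash_source_only                = optional(bool)
    ecmp_hash_use_port                   = optional(bool)
    ecmp_hash_seed                       = optional(number)
    ecmp_weighted_round_robin_interfaces = optional(map(number))
  }))
  validation {
    # alltrue([]) is true, so the empty default passes. The previous condition
    # was `length(var.virtual_routers) > 0 && ...`, which rejected the default
    # itself. coalesce() keeps an unset method valid.
    condition     = alltrue([for virtual_router in var.virtual_routers : contains(["ip-modulo", "ip-hash", "weighted-round-robin", "balanced-round-robin"], coalesce(virtual_router.ecmp_load_balance_method, "ip-modulo"))])
    error_message = "Valid types of ECMP load balance method are `ip-modulo`, `ip-hash`, `weighted-round-robin`, or `balanced-round-robin`"
  }
}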

Static routes


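# Static routes, keyed by a caller-chosen unique name; virtual_router refers to
# a key of var.virtual_routers.
variable "static_routes" {
  description = <<-EOF
  Map of the static routes, where key is a unique name, e.g. built in the format "{virtual_router}_{route_table}":
  - `virtual_router` - (Required) The virtual router to add the static route to.
  - `route_table` - (Optional) Target routing table to install the route. Valid values are unicast (the default), no install, multicast, or both.
  - `destination` - (Required) Destination IP address / prefix.
  - `interface` - (Optional) Interface to use.
  - `type` - (Optional) The next hop type. Valid values are ip-address (the default), discard, next-vr, or an empty string for None.
  - `next_hop` - (Optional) The value for the type setting.
  - `admin_distance` - (Optional) The admin distance.
  - `metric` - (Optional, int) Metric value / path cost (default: 10).
  - `bfd_profile` - (Optional, PAN-OS 7.1+) BFD configuration.

  Example:
  {
    "vr_default_unicast_0.0.0.0" = {
      virtual_router = "default"
      route_table    = "unicast"
      destination    = "0.0.0.0/0"
      interface      = "ethernet1/1"
      type           = "ip-address"
      next_hop       = "10.1.1.1"
      admin_distance = null
      metric         = 10
    }
  }
  EOF
  default     = {}
  type = map(object({
    virtual_router = string
    route_table    = optional(string, "unicast")
    destination    = string
    interface      = optional(string)
    type           = optional(string, "ip-address")
    next_hop       = optional(string)
    admin_distance = optional(number)
    metric         = optional(number, 10)
    bfd_profile    = optional(string)
  }))
  # alltrue([]) is true, so the empty default passes both checks. The previous
  # conditions were `length(var.static_routes) > 0 && ...`, which rejected the
  # default itself; the flatten() around a plain list of bools was a no-op and
  # is dropped. Both attributes have defaults, so null never reaches contains().
  validation {
    condition     = alltrue([for static_route in var.static_routes : contains(["unicast", "no install", "multicast", "both"], static_route.route_table)])
    error_message = "Valid values of route tables are `unicast` (the default), `no install`, `multicast`, or `both`"
  }
  validation {
    condition     = alltrue([for static_route in var.static_routes : contains(["ip-address", "discard", "next-vr", ""], static_route.type)])
    error_message = "Valid values type in route are `ip-address` (the default), `discard`, `next-vr`, or an empty string for None"
  }
}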

IPSec

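# IKE crypto profiles, keyed by profile name; referenced by ike_gateways via
# ikev1_crypto_profile / ikev2_crypto_profile.
# NOTE(review): the `authentications` bullet in the description is truncated
# ("This c") -- complete it with the accepted values so a validation can be
# added for that list too.
variable "ike_crypto_profiles" {
  description = <<-EOF
  Map of the IKE crypto profiles, where key is the IKE crypto profile's name:
  - `dh_groups` - (Required, list) List of DH Group entries. Values should have a prefix if group.
  - `authentications` - (Required, list) List of authentication types. This c
  - `encryptions` - (Required, list) List of encryption types. Valid values are des, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-gcm (PAN-OS 10.0), and aes-256-gcm (PAN-OS 10.0).
  - `lifetime_type` - The lifetime type. Valid values are seconds, minutes, hours (the default), and days.
  - `lifetime_value` - (int) The lifetime value.
  - `authentication_multiple` - (PAN-OS 7.0+, int) IKEv2 SA reauthentication interval equals authentication-multiple * rekey-lifetime; 0 means reauthentication is disabled

  Example:
  {
    "AES128_default" = {
      dh_groups               = ["group2", "group5"]
      authentications         = ["md5", "sha1"]
      encryptions             = ["aes-128-cbc", "aes-192-cbc"]
      lifetime_type           = "hours"
      lifetime_value          = 24
      authentication_multiple = 0
    }
  }
  EOF
  default     = {}
  type = map(object({
    dh_groups               = list(string)
    authentications         = list(string)
    encryptions             = list(string)
    # The description names hours as the default; the type now says so too,
    # so the validation below never sees null.
    lifetime_type           = optional(string, "hours")
    lifetime_value          = optional(number)
    authentication_multiple = optional(number)
  }))
  # alltrue([]) is true, so the empty default passes. The previous conditions
  # were `length(var.ike_crypto_profiles) > 0 && ...`, which rejected the
  # default itself.
  validation {
    condition     = alltrue([for ike_crypto_profile in var.ike_crypto_profiles : contains(["seconds", "minutes", "hours", "days"], ike_crypto_profile.lifetime_type)])
    error_message = "Valid values for the lifetime type are `seconds`, `minutes`, `hours` (the default), and `days`"
  }
  validation {
    # Every entry must be in the allowed set; setsubtract() reports the
    # leftovers. NOTE(review): des and 3des (and md5/sha1, group2 in the
    # example) are accepted by PAN-OS but are legacy choices; consider
    # tightening this list or at least the example.
    condition     = alltrue([for ike_crypto_profile in var.ike_crypto_profiles : length(setsubtract(ike_crypto_profile.encryptions, ["des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "aes-128-gcm", "aes-256-gcm"])) == 0])
    error_message = "Valid values for the encryptions are `des`, `3des`, `aes-128-cbc`, `aes-192-cbc`, `aes-256-cbc`, `aes-128-gcm` (PAN-OS 10.0), and `aes-256-gcm` (PAN-OS 10.0)"
  }
}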

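# IPSec crypto profiles, keyed by profile name; referenced by ipsec_tunnels via
# ak_ipsec_crypto_profile.
variable "ipsec_crypto_profiles" {
  description = <<-EOF
  Map of the IPSec crypto profiles, where key is the IPSec crypto profile's name:
  - `protocol` - (Optional) The protocol. Valid values are esp (the default) or ah
  - `authentications` - (Required, list) List of authentication types.
  - `encryptions` - (Required, list) List of encryption types. Valid values are des, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, aes-128-gcm, and aes-256-gcm. Note that the "gcm" values are only available in PAN-OS 7.0+.
  - `dh_group` - (Optional) The DH group value. Valid values should start with the string group.
  - `lifetime_type` - (Optional) The lifetime type. Valid values are seconds, minutes, hours (the default), or days.
  - `lifetime_value` - (Optional, int) The lifetime value.
  - `lifesize_type` - (Optional) The lifesize type. Valid values are kb, mb, gb, or tb.
  - `lifesize_value` - (Optional, int) the lifesize value.

  Example:
  {
    "AES128_default" = {
      protocol        = "esp"
      authentications = ["md5", "sha1"]
      encryptions     = ["aes-128-cbc", "aes-192-cbc"]
      dh_group        = "group5"
      lifetime_type   = "hours"
      lifetime_value  = 24
      lifesize_type   = null
      lifesize_value  = null
    }
  }
  EOF
  default     = {}
  type = map(object({
    protocol        = optional(string, "esp")
    authentications = list(string)
    encryptions     = list(string)
    dh_group        = optional(string)
    # The description names hours as the default; the type now says so too,
    # so the validation below never sees null.
    lifetime_type   = optional(string, "hours")
    lifetime_value  = optional(number)
    lifesize_type   = optional(string)
    lifesize_value  = optional(number)
  }))
  # alltrue([]) is true, so the empty default passes every check below. The
  # previous conditions were `length(var.ipsec_crypto_profiles) > 0 && ...`,
  # which rejected the default itself.
  validation {
    condition     = alltrue([for ipsec_crypto_profile in var.ipsec_crypto_profiles : contains(["esp", "ah"], ipsec_crypto_profile.protocol)])
    error_message = "Valid values for the protocol are `esp` and `ah`"
  }
  validation {
    condition     = alltrue([for ipsec_crypto_profile in var.ipsec_crypto_profiles : contains(["seconds", "minutes", "hours", "days"], ipsec_crypto_profile.lifetime_type)])
    error_message = "Valid values for the lifetime type are `seconds`, `minutes`, `hours` (the default), and `days`"
  }
  validation {
    # lifesize_type has no default; coalesce() keeps an unset value valid.
    condition     = alltrue([for ipsec_crypto_profile in var.ipsec_crypto_profiles : contains(["kb", "mb", "gb", "tb"], coalesce(ipsec_crypto_profile.lifesize_type, "kb"))])
    error_message = "Valid values for the lifesize type are `kb`, `mb`, `gb`, or `tb`"
  }
  validation {
    # The description previously listed `null` (no encryption) as a valid
    # value although this check rejected it; the check is kept strict and the
    # description now matches it.
    condition     = alltrue([for ipsec_crypto_profile in var.ipsec_crypto_profiles : length(setsubtract(ipsec_crypto_profile.encryptions, ["des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc", "aes-128-gcm", "aes-256-gcm"])) == 0])
    error_message = "Valid values for the encryptions are `des`, `3des`, `aes-128-cbc`, `aes-192-cbc`, `aes-256-cbc`, `aes-128-gcm` and `aes-256-gcm`"
  }
}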

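# IKE gateways, keyed by gateway name; interface refers to a key of
# var.interfaces and the *_crypto_profile values to keys of
# var.ike_crypto_profiles.
variable "ike_gateways" {
  description = <<-EOF
  Map of the IKE gateways, where key is the IKE gateway's name:
  - `version` - (Optional, PAN-OS 7.0+) The IKE gateway version. Valid values are ikev1 (the default), ikev2, or ikev2-preferred. For PAN-OS 6.1, only ikev1 is acceptable.
  - `enable_ipv6` - (Optional, PAN-OS 7.0+, bool) Enable IPv6 or not.
  - `disabled` - (Optional, PAN-OS 7.0+, bool) Set to true to disable.
  - `peer_ip_type` - (Optional) The peer IP type. Valid values are ip, dynamic, and fqdn (PANOS 8.1+).
  - `peer_ip_value` - (Optional) The peer IP value.
  - `interface` - (Required) The interface.
  - `local_ip_address_type` - (Optional) The local IP address type. Valid values for this are ip, floating-ip, or an empty string (the default) which is None.
  - `local_ip_address_value` - (Optional) The IP address if local_ip_address_type is set to ip.
  - `auth_type` - (Optional) The auth type. Valid values are pre-shared-key (the default), or certificate.
  - `pre_shared_key` - (Optional) The pre-shared key value.
  - `local_id_type` - (Optional) The local ID type. Valid values are ipaddr, fqdn, ufqdn, keyid, or dn.
  - `local_id_value` - (Optional) The local ID value.
  - `peer_id_type` - (Optional) The peer ID type. Valid values are ipaddr, fqdn, ufqdn, keyid, or dn.
  - `peer_id_value` - (Optional) The peer ID value.
  - `peer_id_check` - (Optional) Enable peer ID wildcard match for certificate authentication. Valid values are exact or wildcard.
  - `local_cert` - (Optional) The local certificate name.
  - `cert_enable_hash_and_url` - (Optional, PAN-OS 7.0+, bool) Set to true to use hash-and-url for local certificate.
  - `cert_base_url` - (Optional) The host and directory part of URL for local certificates.
  - `cert_use_management_as_source` - (Optional, PAN-OS 7.0+, bool) Set to true to use management interface IP as source to retrieve http certificates
  - `cert_permit_payload_mismatch` - (Optional, bool) Set to true to permit peer identification and certificate payload identification mismatch.
  - `cert_profile` - (Optional) Profile for certificate validation during IKE negotiation.
  - `cert_enable_strict_validation` - (Optional, bool) Set to true to enable strict validation of peer's extended key use.
  - `enable_passive_mode` - (Optional, bool) Set to true to enable passive mode (responder only).
  - `enable_nat_traversal` - (Optional, bool) Set to true to enable NAT traversal.
  - `nat_traversal_keep_alive` - (Optional, int) Sending interval for NAT keep-alive packets (in seconds). For versions 6.1 - 8.1, this param, if specified, should be a multiple of 10 between 10 and 3600 to be valid.
  - `nat_traversal_enable_udp_checksum` - (Optional, bool) Set to true to enable NAT traversal UDP checksum.
  - `enable_fragmentation` - (Optional, bool) Set to true to enable fragmentation.
  - `ikev1_exchange_mode` - (Optional) The IKEv1 exchange mode.
  - `ikev1_crypto_profile` - (Optional) IKEv1 crypto profile.
  - `enable_dead_peer_detection` - (Optional, bool) Set to true to enable dead peer detection.
  - `dead_peer_detection_interval` - (Optional, int) The dead peer detection interval.
  - `dead_peer_detection_retry` - (Optional, int) Number of retries before disconnection.
  - `ikev2_crypto_profile` - (Optional, PAN-OS 7.0+) IKEv2 crypto profile.
  - `ikev2_cookie_validation` - (Optional, PAN-OS 7.0+) Set to true to require cookie.
  - `enable_liveness_check` - (Optional, PAN-OS 7.0+, bool) Set to true to enable sending empty information liveness check message.
  - `liveness_check_interval` - (Optional, PAN-OS 7.0+, int) Delay interval before sending probing packets (in seconds).

  Example:
  {
    "IKE-GW-1" = {
      version              = "ikev1"
      disabled             = false
      peer_ip_type         = "ip"
      peer_ip_value        = "5.5.5.5"
      interface            = "ethernet1/1"
      pre_shared_key       = "test12345"
      local_id_type        = "ipaddr"
      local_id_value       = "10.1.1.1"
      peer_id_type         = "ipaddr"
      peer_id_value        = "10.5.1.1"
      ikev1_crypto_profile = "AES128_default"
    }
  }
  EOF
  default     = {}
  type = map(object({
    # The description names ikev1 as the default; the type now says so too,
    # so the version validation below never sees null.
    version                           = optional(string, "ikev1")
    enable_ipv6                       = optional(bool)
    disabled                          = optional(bool)
    peer_ip_type                      = optional(string)
    peer_ip_value                     = optional(string)
    interface                         = string
    local_ip_address_type             = optional(string)
    local_ip_address_value            = optional(string)
    auth_type                         = optional(string, "pre-shared-key")
    # NOTE(review): this is a secret carried inside a non-sensitive map, so
    # it shows up in plan output and in state. Terraform cannot mark a single
    # nested attribute sensitive, and `sensitive = true` on the whole variable
    # blocks its use in for_each without nonsensitive(). Consider moving the
    # keys into a separate map variable (keyed by gateway name) declared with
    # `sensitive = true`, and keep the example value out of real configs.
    pre_shared_key                    = optional(string)
    local_id_type                     = optional(string)
    local_id_value                    = optional(string)
    peer_id_type                      = optional(string)
    peer_id_value                     = optional(string)
    peer_id_check                     = optional(string)
    local_cert                        = optional(string)
    cert_enable_hash_and_url          = optional(bool)
    cert_base_url                     = optional(string)
    cert_use_management_as_source     = optional(bool)
    cert_permit_payload_mismatch      = optional(bool)
    cert_profile                      = optional(string)
    cert_enable_strict_validation     = optional(bool)
    enable_passive_mode               = optional(bool)
    enable_nat_traversal              = optional(bool)
    nat_traversal_keep_alive          = optional(number)
    nat_traversal_enable_udp_checksum = optional(bool)
    enable_fragmentation              = optional(bool)
    ikev1_exchange_mode               = optional(string)
    ikev1_crypto_profile              = optional(string)
    enable_dead_peer_detection        = optional(bool)
    dead_peer_detection_interval      = optional(number)
    dead_peer_detection_retry         = optional(number)
    ikev2_crypto_profile              = optional(string)
    ikev2_cookie_validation           = optional(bool)
    enable_liveness_check             = optional(bool)
    liveness_check_interval           = optional(number)
  }))
  # alltrue([]) is true, so the empty default passes every check below. The
  # previous conditions were `length(var.ike_gateways) > 0 && ...`, which
  # rejected the default itself. Attributes without a default are filtered
  # with `if ... != null` so an unset value is not passed to contains().
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["ikev1", "ikev2", "ikev2-preferred"], ike_gateway.version)])
    error_message = "Valid values for IKE gateway version are `ikev1`, `ikev2`, `ikev2-preferred`"
  }
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["ip", "dynamic", "fqdn"], ike_gateway.peer_ip_type) if ike_gateway.peer_ip_type != null])
    error_message = "Valid values for peer IP type are `ip`, `dynamic`, or `fqdn`"
  }
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["ipaddr", "fqdn", "ufqdn", "keyid", "dn"], ike_gateway.peer_id_type) if ike_gateway.peer_id_type != null])
    error_message = "Valid values for peer ID type are `ipaddr`, `fqdn`, `ufqdn`, `keyid`, or `dn`"
  }
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["ipaddr", "fqdn", "ufqdn", "keyid", "dn"], ike_gateway.local_id_type) if ike_gateway.local_id_type != null])
    error_message = "Valid values for local ID type are `ipaddr`, `fqdn`, `ufqdn`, `keyid`, or `dn`"
  }
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["exact", "wildcard"], ike_gateway.peer_id_check) if ike_gateway.peer_id_check != null])
    error_message = "Valid values for peer ID check are `exact` or `wildcard`"
  }
  validation {
    condition     = alltrue([for ike_gateway in var.ike_gateways : contains(["pre-shared-key", "certificate"], ike_gateway.auth_type)])
    error_message = "Valid values for auth type are `pre-shared-key` (the default), or `certificate`"
  }
}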

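variable "ipsec_tunnels" {
  description = <<-EOF
  Map of the IPSec tunnels, where key is the IPSec tunnel's name:
  - `tunnel_interface` - (Required) The tunnel interface.
  - `anti_replay` - (Optional, bool) Set to true to enable Anti-Replay check on this tunnel.
  - `enable_ipv6` - (Optional, PAN-OS 7.0+, bool) Set to true to enable IPv6.
  - `copy_tos` - (Optional, bool) Set to true to copy IP TOS bits from inner packet to IPSec packet (not recommended).
  - `copy_flow_label` - (Optional, PAN-OS 7.0+, bool) Set to true to copy IPv6 flow label for 6in6 tunnel from inner packet to IPSec packet (not recommended).
  - `disabled` - (Optional, PAN-OS 7.0+, bool) Set to true to disable this IPSec tunnel.
  - `type` - (Optional) The type. Valid values are auto-key (the default), manual-key, or global-protect-satellite.
  - `ak_ike_gateway` - (Optional) IKE gateway name.
  - `ak_ipsec_crypto_profile` - (Optional) IPSec crypto profile name.
  - `mk_local_spi` - (Optional) Outbound SPI, hex format.
  - `mk_remote_spi` - (Optional) Inbound SPI, hex format.
  - `mk_local_address_ip` - (Optional) Specify exact IP address if interface has multiple addresses.
  - `mk_local_address_floating_ip` - (Optional) Floating IP address in HA Active-Active configuration.
  - `mk_protocol` - (Optional) Manual key protocol. Valid values are esp or ah.
  - `mk_auth_type` - (Optional) Authentication algorithm. Valid values are md5, sha1, sha256, sha384, sha512, or none.
  - `mk_auth_key` - (Optional) The auth key for the given auth type. This is key material; treat it as a secret.
  - `mk_esp_encryption_type` - (Optional) The encryption algorithm. Valid values are des, 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or null.
  - `mk_esp_encryption_key` - (Optional) The encryption key. This is key material; treat it as a secret.
  - `gps_interface` - (Optional) Interface to communicate with portal.
  - `gps_portal_address` - (Optional) GlobalProtect portal address.
  - `gps_prefer_ipv6` - (Optional, PAN-OS 8.0+, bool) Prefer to register the portal in IPv6. Only applicable to FQDN portal-address.
  - `gps_interface_ip_ipv4` - (Optional) Specify exact IP address if interface has multiple addresses (IPv4).
  - `gps_interface_ip_ipv6` - (Optional, PAN-OS 8.0+) Specify exact IP address if interface has multiple addresses (IPv6).
  - `gps_interface_floating_ip_ipv4` - (Optional, PAN-OS 7.0+) Floating IPv4 address in HA Active-Active configuration.
  - `gps_interface_floating_ip_ipv6` - (Optional, PAN-OS 8.0+) Floating IPv6 address in HA Active-Active configuration.
  - `gps_publish_connected_routes` - (Optional, bool) Set to true to publish connected and static routes.
  - `gps_publish_routes` - (Optional, list) Specify list of routes to publish to Global Protect Gateway.
  - `gps_local_certificate` - (Optional) GlobalProtect satellite certificate file name.
  - `gps_certificate_profile` - (Optional) Profile for authenticating GlobalProtect gateway certificates.
  - `enable_tunnel_monitor` - (Optional, bool) Enable tunnel monitoring on this tunnel.
  - `tunnel_monitor_destination_ip` - (Optional) Destination IP to send ICMP probe.
  - `tunnel_monitor_source_ip` - (Optional) Source IP to send ICMP probe.
  - `tunnel_monitor_profile` - (Optional) Tunnel monitor profile.
  - `tunnel_monitor_proxy_id` - (Optional, PAN-OS 7.0+) Which proxy-id (or proxy-id-v6) the monitoring traffic will use.

  Only the attributes listed above are part of the object type. Proxy IDs for a tunnel are
  configured with the separate `ipsec_tunnels_proxy` variable.

  Example:
  {
    "some_tunnel" = {
      tunnel_interface              = "tunnel.42"
      type                          = "auto-key"
      disabled                      = false
      ak_ike_gateway                = "IKE-GW-1"
      ak_ipsec_crypto_profile       = "AES128_DH14"
      anti_replay                   = false
      copy_flow_label               = false
      enable_tunnel_monitor         = false
      tunnel_monitor_destination_ip = null
      tunnel_monitor_source_ip      = null
      tunnel_monitor_profile        = null
      tunnel_monitor_proxy_id       = null
    }
  }
  EOF
  default     = {}
  type = map(object({
    tunnel_interface               = string
    anti_replay                    = optional(bool)
    enable_ipv6                    = optional(bool)
    copy_tos                       = optional(bool)
    copy_flow_label                = optional(bool)
    disabled                       = optional(bool)
    type                           = optional(string, "auto-key")
    ak_ike_gateway                 = optional(string)
    ak_ipsec_crypto_profile        = optional(string)
    mk_local_spi                   = optional(string)
    mk_remote_spi                  = optional(string)
    mk_local_address_ip            = optional(string)
    mk_local_address_floating_ip   = optional(string)
    mk_protocol                    = optional(string)
    mk_auth_type                   = optional(string)
    # Key material for manual-key tunnels; values end up in state and plan output.
    mk_auth_key                    = optional(string)
    mk_esp_encryption_type         = optional(string)
    mk_esp_encryption_key          = optional(string)
    gps_interface                  = optional(string)
    gps_portal_address             = optional(string)
    gps_prefer_ipv6                = optional(bool)
    gps_interface_ip_ipv4          = optional(string)
    gps_interface_ip_ipv6          = optional(string)
    gps_interface_floating_ip_ipv4 = optional(string)
    gps_interface_floating_ip_ipv6 = optional(string)
    gps_publish_connected_routes   = optional(bool)
    gps_publish_routes             = optional(list(string))
    gps_local_certificate          = optional(string)
    gps_certificate_profile        = optional(string)
    enable_tunnel_monitor          = optional(bool)
    tunnel_monitor_destination_ip  = optional(string)
    tunnel_monitor_source_ip       = optional(string)
    tunnel_monitor_profile         = optional(string)
    tunnel_monitor_proxy_id        = optional(string)
  }))

  # The conditions below deliberately have no `length(...) > 0 &&` guard:
  # `alltrue([])` is true, so the default empty map passes and the checks only
  # constrain tunnels that are actually declared. A `> 0 &&` prefix would reject
  # the default value itself.
  validation {
    condition     = alltrue([for ipsec_tunnel in var.ipsec_tunnels : contains(["auto-key", "manual-key", "global-protect-satellite"], ipsec_tunnel.type)])
    error_message = "Valid values for type are `auto-key` (the default), `manual-key`, or `global-protect-satellite`"
  }
  # Manual-key attributes are null on auto-key tunnels, so unset values are
  # coalesced to a documented valid value before the membership check.
  # `md5`, `des` and `3des` stay in the accepted lists because the documented
  # valid values include them; prefer the SHA-2 and AES options where possible.
  validation {
    condition     = alltrue([for ipsec_tunnel in var.ipsec_tunnels : contains(["md5", "sha1", "sha256", "sha384", "sha512", "none"], coalesce(ipsec_tunnel.mk_auth_type, "md5"))])
    error_message = "Valid values for auth type are `md5`, `sha1`, `sha256`, `sha384`, `sha512`, or `none`"
  }
  validation {
    condition     = alltrue([for ipsec_tunnel in var.ipsec_tunnels : contains(["esp", "ah"], coalesce(ipsec_tunnel.mk_protocol, "esp"))])
    error_message = "Valid values for the protocol are `esp` and `ah`"
  }
  validation {
    condition     = alltrue([for ipsec_tunnel in var.ipsec_tunnels : contains(["des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"], coalesce(ipsec_tunnel.mk_esp_encryption_type, "des"))])
    error_message = "Valid values for the ESP encryption type are `des`, `3des`, `aes-128-cbc`, `aes-192-cbc`, or `aes-256-cbc`"
  }
}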

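variable "ipsec_tunnels_proxy" {
  description = <<-EOF
  Map of the IPSec tunnel proxy IDs, where key is the proxy ID's name:
  - `ipsec_tunnel` - (Required) The auto key IPSec tunnel to attach this proxy ID to (the tunnel's key in `ipsec_tunnels`).
  - `local` - (Optional) IP subnet or IP address representing the local network.
  - `remote` - (Optional) IP subnet or IP address representing the remote network.
  - `protocol_any` - (Optional, bool) Set to true for any IP protocol. Defaults to true.
  - `protocol_number` - (Optional, int) IP protocol number.
  - `protocol_tcp_local` - (Optional, int) Local TCP port number.
  - `protocol_tcp_remote` - (Optional, int) Remote TCP port number.
  - `protocol_udp_local` - (Optional, int) Local UDP port number.
  - `protocol_udp_remote` - (Optional, int) Remote UDP port number.

  Example (the map key is the proxy ID name, not the tunnel name):
  {
    "some_proxy" = {
      ipsec_tunnel = "some_tunnel"
      local        = "10.10.10.0/24"
      remote       = "10.10.20.0/24"
    }
  }
  EOF
  default     = {}
  type = map(object({
    ipsec_tunnel        = string
    local               = optional(string)
    remote              = optional(string)
    # Defaults to matching any IP protocol; set to false to narrow the proxy ID
    # with one of the protocol_* attributes below.
    protocol_any        = optional(bool, true)
    protocol_number     = optional(number)
    protocol_tcp_local  = optional(number)
    protocol_tcp_remote = optional(number)
    protocol_udp_local  = optional(number)
    protocol_udp_remote = optional(number)
  }))
}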

@migara migara mentioned this issue Mar 22, 2023
14 tasks
@pimielowski pimielowski self-assigned this Apr 7, 2023
@pimielowski pimielowski added the enhancement New feature or request label Apr 7, 2023
@sebastianczech sebastianczech self-assigned this Apr 18, 2023