    Cloud NGFW for AWS
Terraform Support for Cloud NGFW AWS
The Cloud NGFW Terraform provider is used for communication between the firewall and the AWS APIs.
HashiCorp Terraform is an open-source infrastructure-as-code tool for teams managing multicloud environments. It allows you to define a configuration that describes the target state of your cloud infrastructure, and it uses that configuration to automatically calculate the steps needed to reach the defined target while executing the relevant changes to provision and manage the cloud infrastructure. Terraform configurations use plugins called providers. These plugins interact with platforms such as AWS and facilitate reuse by turning the building and maintenance of cloud infrastructure into repeatable steps, which makes them easy to add to your CI/CD pipeline.

Palo Alto Networks adds the cloudngfwaws provider to automate the process of building the security infrastructure and to maintain the network security posture using NGFW rulestacks. This provider acts as a translation layer between the client (the device running Terraform) and the APIs that the Cloud NGFW for AWS service offers.

Visit the Palo Alto Networks developer documentation to learn more about deploying Cloud NGFW on AWS using Terraform and to view the Terraform reference information.
You can use the Terraform provider in your configuration to:

- Launch the Cloud NGFW.
- Configure the rulestack used by the Cloud NGFW to retrieve policy information. The rulestack contains the relevant policy information, such as security rules, intelligent feeds, and various objects.
Use the cloudngfwaws Terraform provider to access the resources that manage the Cloud NGFW for AWS. The cloudngfwaws provider authenticates to AWS with an STS AssumeRole call, which generates temporary credentials. These temporary credentials, used only briefly during the initial authentication sequence, consist of an access key, a secret key, and a session token. During this sequence:

- Authentication uses the AWS STS AssumeRole operation through the AWS API. You must enable API access.
- The STS credentials are used to refresh the Cloud NGFW admin token through the Cloud NGFW for AWS API. The same credentials are also used to refresh the rulestack admin token.
- The Cloud NGFW admin token and the rulestack admin token are then used for configuration management through the Cloud NGFW for AWS API.
Consider the following:

- After successfully authenticating to AWS, the provider retrieves the JWTs for firewall and rulestack administration.
- You can statically specify the AWS access key and secret key in the provider block. If you don't specify these credentials, they are automatically retrieved from the shared credentials file. Use the access_key and secret_key parameters to statically provide AWS credentials.
- When setting up the provider, the AWS authentication workflow uses the AWS Go SDK to control the variables related to authentication. You can use the AWS environment variables to configure the credentials used for AWS authentication.
- The provider requires API access.
When the same provider parameter is supplied in more than one place, the values are applied in the following order of precedence:

- Statically configured in the provider block.
- Environment variables.
- Retrieved from the JSON configuration file.
Example Terraform Provider for Cloud NGFW

Terraform 0.13 and later:

```hcl
terraform {
  required_providers {
    cloudngfwaws = {
      source  = "paloaltonetworks/terraform-provider-cloudngfwaws"
      version = "1.0.0"
    }
  }
}

provider "cloudngfwaws" {
  json_config_file = "~/.cloudngfwaws_creds.json"
}
```

JSON configuration file:

```json
{
  "host": "api.us-east-1.aws.cloudngfw.paloaltonetworks.com",
  "region": "us-east-1",
  "arn": "arn:aws:iam::123456789:role/MyRole"
}
```
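The following configuration is an added example, not code from this page or from Palo Alto Networks, that ties the two preceding sections together: it creates the IAM role that the provider assumes through STS (with a trust policy limited to one principal), configures the provider without any static access_key/secret_key so that credentials are resolved from the AWS SDK environment variables or the shared credentials file rather than from version-controlled HCL, and then defines a rulestack with one logged security rule and a commit. The account number, role and principal ARNs, and CIDR are placeholders. The resource types cloudngfwaws_rulestack, cloudngfwaws_security_rule and cloudngfwaws_commit_rulestack and their arguments, as well as the CloudNGFWFirewallAdmin/CloudNGFWRulestackAdmin role tags, are taken from my recollection of the provider and Cloud NGFW documentation and are not stated on this page; confirm them against the current provider reference before use.

```hcl
terraform {
  required_providers {
    aws = {
      source = "hashicorp/aws"
    }
    cloudngfwaws = {
      source  = "paloaltonetworks/terraform-provider-cloudngfwaws"
      version = "1.0.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

# Trust policy for the role the cloudngfwaws provider assumes through STS.
# Only the named principal (placeholder ARN) may call sts:AssumeRole on it.
data "aws_iam_policy_document" "cloudngfw_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::123456789012:user/terraform-operator"] # placeholder
    }
  }
}

resource "aws_iam_role" "cloudngfw_admin" {
  name               = "CloudNGFWTerraformAdmin"
  assume_role_policy = data.aws_iam_policy_document.cloudngfw_trust.json

  # Assumption: Cloud NGFW grants firewall and rulestack API access to a role
  # through these tags. Verify the tag names in the Cloud NGFW documentation.
  tags = {
    CloudNGFWFirewallAdmin  = "Yes"
    CloudNGFWRulestackAdmin = "Yes"
  }
}

# No access_key/secret_key here on purpose: with nothing set statically, the
# provider falls back to the AWS SDK environment variables (AWS_ACCESS_KEY_ID,
# AWS_SECRET_ACCESS_KEY, AWS_SESSION_TOKEN) or the shared credentials file, so
# no long-lived secret is committed with the configuration. The arn is given
# as a literal that matches the role above rather than as a reference, because
# a provider configuration that depends on an apply-time value cannot be
# evaluated during plan.
provider "cloudngfwaws" {
  host   = "api.us-east-1.aws.cloudngfw.paloaltonetworks.com"
  region = "us-east-1"
  arn    = "arn:aws:iam::123456789012:role/CloudNGFWTerraformAdmin" # placeholder account
}

resource "cloudngfwaws_rulestack" "example" {
  name        = "example-rulestack"
  scope       = "Local"
  account_id  = "123456789012" # placeholder
  description = "Example rulestack managed by Terraform"

  profile_config {
    anti_spyware = "BestPractice"
  }
}

# One explicit allow rule: only web applications from the VPC range, logged,
# so that anything else is handled by the rulestack's default behaviour.
resource "cloudngfwaws_security_rule" "allow_web" {
  rulestack   = cloudngfwaws_rulestack.example.name
  rule_list   = "LocalRule"
  priority    = 100
  name        = "allow-web-from-vpc"
  description = "Permit web-browsing and ssl from the VPC range only"

  source {
    cidrs = ["10.0.0.0/16"] # placeholder VPC range
  }
  destination {
    cidrs = ["any"]
  }
  applications = ["web-browsing", "ssl"]
  category {}
  action  = "Allow"
  logging = true
}

# Rulestack changes are not active until committed.
resource "cloudngfwaws_commit_rulestack" "example" {
  rulestack  = cloudngfwaws_rulestack.example.name
  depends_on = [cloudngfwaws_security_rule.allow_web]
}
```

Because the provider resolves credentials in the order static block, environment variables, JSON file, leaving the provider block free of keys means a CI runner can supply short-lived credentials through the environment and the same HCL can be reused across accounts by changing only host, region and arn.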