Cloud NGFW for AWS
Configure Automated Account Onboarding
Automate account onboarding for your Cloud NGFW resource.
Cloud NGFW for AWS now supports automated account onboarding for environments with
large numbers of AWS accounts. With this functionality, you no longer need to
onboard individual accounts manually. When using automated account onboarding,
consider the following:
- Up to 100 accounts can be onboarded at a time. To onboard more than 100 accounts, define multiple modules, each containing at most 100 accounts. See the Terraform documentation for more information.
- Automated account onboarding can take approximately 10 minutes to complete.
- If you're using an AWS profile for authentication, use the CloudNGFWAccountAdmin profile for account onboarding.
- Create a role with a CloudFormation template (CFT) and apply its permissions in each of the accounts that you want to onboard.
- Your account must be subscribed to Cloud NGFW via AWS Marketplace and must already be successfully onboarded.
- Two roles are required:
  - A CloudNGFWAccountAdmin role in the admin account.
  - A role that allows running CFTs in each of the accounts that you want to onboard using Terraform.
These roles are described in the procedure
below.
To access the automated account onboarding feature you’ll need to download the latest
Terraform template, and enable programmatic access.
To configure automated account onboarding:
- Create an AccountAdmin programmatic access role for any currently onboarded account. Follow steps 1-4 in Enable Programmatic Access to create a role with the tag CloudNGFWAccountAdmin.
- In each account you want to onboard, create a role to run the CloudFormation template (CFT). The role's trust policy names the principal that is allowed to assume it:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::ACCOUNT_ID:user/USERNAME"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }
  ```

  The role's permission policy is defined using Create Inline Policy. For example:

  ```json
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "lambda:CreateFunction",
          "iam:GetRole",
          "lambda:AddPermission",
          "cloudformation:ListStacks",
          "cloudformation:CreateStack",
          "lambda:InvokeFunction",
          "lambda:GetFunction",
          "iam:CreateRole",
          "iam:DeleteRole",
          "lambda:GetFunctionConfiguration",
          "lambda:GetPolicy",
          "cloudformation:DescribeStacks",
          "cloudformation:DescribeStackEvents",
          "cloudformation:GetTemplate",
          "cloudformation:DeleteStack",
          "lambda:DeleteFunction",
          "iam:DeleteRolePolicy",
          "iam:DetachRolePolicy",
          "iam:AttachRolePolicy",
          "iam:PutRolePolicy",
          "iam:PassRole"
        ],
        "Resource": "*",
        "Effect": "Allow",
        "Sid": "VisualEditor1"
      }
    ]
  }
  ```

  The trust relationship example above grants a specific user in a specific account permission to run the CFT. For more information on how to define your own trust policy, see How to use trust policies with IAM roles.
- Run terraform apply. After the changes are applied, the Cloud NGFW resource onboards each account:
  - The account onboarding module runs the account role setup CFT in the account.
  - The cross-account role CFT sends the role ARNs to the Cloud NGFW resource.

  The account onboarding module waits for these CFTs to complete, which may take upwards of 10 minutes for all accounts to be onboarded successfully.
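As an added example (not from the Cloud NGFW documentation or the Terraform provider), the following Python script builds the single-principal trust policy used in step 2 and audits a candidate trust policy and inline permission policy against the page's example: it flags wildcard or account-wide (`:root` or bare account ID) principals, any trust action other than `sts:AssumeRole`, and any permission actions beyond the set listed above. The function names, the sample policies and the account IDs are constructed for this example.

```python
import json
from typing import Any, Dict, List, Set

# Actions from the page's example inline policy for the per-account CFT role.
CFT_ROLE_ACTIONS: Set[str] = {
    "lambda:CreateFunction", "iam:GetRole", "lambda:AddPermission",
    "cloudformation:ListStacks", "cloudformation:CreateStack",
    "lambda:InvokeFunction", "lambda:GetFunction", "iam:CreateRole",
    "iam:DeleteRole", "lambda:GetFunctionConfiguration", "lambda:GetPolicy",
    "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents",
    "cloudformation:GetTemplate", "cloudformation:DeleteStack",
    "lambda:DeleteFunction", "iam:DeleteRolePolicy", "iam:DetachRolePolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:PassRole",
}


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a scalar or a list in Action/Principal fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def build_trust_policy(principal_arn: str) -> Dict[str, Any]:
    """Trust policy that lets exactly one IAM principal assume the CFT role (as in step 2)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def audit_trust_policy(doc: Dict[str, Any]) -> List[str]:
    """Findings for Allow statements that trust more than one named principal
    or grant anything beyond sts:AssumeRole."""
    findings: List[str] = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS"))
                          if isinstance(principal, dict) else _as_list(principal))
        for p in aws_principals:
            p = str(p)
            # "*", "arn:...:root" and a bare account ID all trust the whole account.
            if p == "*" or p.endswith(":root") or p.isdigit():
                findings.append(f"overly broad principal: {p}")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"unexpected action: {action}")
    return findings


def excess_actions(doc: Dict[str, Any], baseline: Set[str] = CFT_ROLE_ACTIONS) -> Set[str]:
    """Actions the Allow statements grant beyond the baseline the onboarding CFT needs."""
    granted: Set[str] = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            granted.update(_as_list(stmt.get("Action")))
    return granted - baseline


# Constructed sample: a trust policy that trusts a whole account and allows session tagging.
LOOSE_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": ["sts:AssumeRole", "sts:TagSession"]
  }]
}""")

# Constructed sample: the page's action set plus one wildcard grant.
LOOSE_PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": sorted(CFT_ROLE_ACTIONS) + ["iam:*"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(build_trust_policy("arn:aws:iam::111122223333:user/onboarder"), indent=2))
    print(audit_trust_policy(LOOSE_TRUST_POLICY))   # two findings
    print(excess_actions(LOOSE_PERMISSION_POLICY))  # {'iam:*'}
```

Run the audit against the trust and inline policies you attach in each onboarded account before running Terraform; an empty findings list and an empty excess set mean the role is no broader than the page's example.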
Example Terraform File
The following example illustrates a Terraform file containing the
provider and module definitions. In this example, account_admin_arn refers to
the programmatic access role that was created in step 1. The field
account_ids represents the list of AWS accounts that
need to be onboarded. The field cft_role_name represents
the role that was created in step 2 in each of the onboarded
accounts.
```hcl
terraform {
  required_providers {
    cloudngfwaws = {
      source = "paloaltonetworks/cloudngfwaws"
    }
  }
}

provider "cloudngfwaws" {
  account_admin_arn = "arn:aws:iam::11222333344:role/fwaas_prog_onboard"
  json_config_file  = "./.cloudngfwaws_creds.json"
}

module "account_onboarding1" {
  source        = "github.com/PaloAltoNetworks/terraform-provider-cloudngfwaws/modules/account_onboarding"
  account_ids   = ["ACCOUNT_1", "ACCOUNT_2", ..., "ACCOUNT_100"]
  cft_role_name = "cft_apply_role"
}

module "account_onboarding2" {
  source        = "github.com/PaloAltoNetworks/terraform-provider-cloudngfwaws/modules/account_onboarding"
  account_ids   = ["ACCOUNT_101", "ACCOUNT_102", ..., "ACCOUNT_200"]
  cft_role_name = "cft_apply_role"
}
```
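Because each module accepts at most 100 accounts, writing the module blocks by hand for several hundred accounts is error-prone. The following Python helper, added here and not part of the provider or its documentation, validates the account IDs (12 digits), removes duplicates while preserving order, and renders one `module "account_onboardingN"` block per 100 accounts in the layout of the file above. The function names and the synthetic account IDs are assumptions made for the example; the module source string is the one from the page.

```python
import re
from typing import Iterable, List

MAX_ACCOUNTS_PER_MODULE = 100  # per-module limit stated in the Cloud NGFW docs
# Module source taken from the page's example Terraform file.
MODULE_SOURCE = "github.com/PaloAltoNetworks/terraform-provider-cloudngfwaws/modules/account_onboarding"
_ACCOUNT_ID = re.compile(r"^\d{12}$")  # AWS account IDs are exactly 12 digits


def chunk_accounts(account_ids: Iterable[str],
                   size: int = MAX_ACCOUNTS_PER_MODULE) -> List[List[str]]:
    """Validate, de-duplicate (order preserved) and split account IDs into
    groups of at most `size` so no module exceeds the onboarding limit."""
    ids = list(dict.fromkeys(account_ids))
    bad = [a for a in ids if not _ACCOUNT_ID.match(a)]
    if bad:
        raise ValueError(f"not 12-digit AWS account IDs: {bad}")
    return [ids[i:i + size] for i in range(0, len(ids), size)]


def render_modules(account_ids: Iterable[str], cft_role_name: str,
                   source: str = MODULE_SOURCE) -> str:
    """Emit one module block per chunk; the provider block stays as on the page."""
    blocks = []
    for n, chunk in enumerate(chunk_accounts(account_ids), start=1):
        ids = ", ".join(f'"{a}"' for a in chunk)
        blocks.append(
            f'module "account_onboarding{n}" {{\n'
            f'  source        = "{source}"\n'
            f'  account_ids   = [{ids}]\n'
            f'  cft_role_name = "{cft_role_name}"\n'
            "}\n"
        )
    return "\n".join(blocks)


# Constructed sample: 250 synthetic account IDs, one of them duplicated,
# which must yield three modules of 100, 100 and 50 accounts.
SAMPLE_ACCOUNTS = [f"{100000000000 + i:012d}" for i in range(250)] + ["100000000000"]

if __name__ == "__main__":
    print(render_modules(SAMPLE_ACCOUNTS, "cft_apply_role"))
```

Redirect the output into a file beside the `terraform` and `provider` blocks, then run terraform apply as in step 3; the 12-digit check catches copy-paste errors before they reach the CFT role in a wrong account.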
Delete an Onboarded Account
Use Terraform destroy. For more information, see
the Terraform documentation.
List an Onboarded Account
Use the Terraform list. For more information,
see the Terraform documentation.