Terraform (Recommended)


Automate cloud IP-Tag collection and distribution in Strata™ Cloud Manager to enable dynamic security policies using Terraform templates.
This procedure guides you through connecting SCM to your cloud environment for IP-Tag collection using Terraform templates.
  1. Log in to SCM.
  2. Select Configuration > IP-Tag Collection.
  3. On the IP-Tag Collection page, select Add New Cloud Account.
  4. Select your cloud service provider.
  5. Select Connect via Terraform (Recommended).
  6. Enter a descriptive Name.
  7. Enter the information required by your cloud service provider:
    • AWS—Enter the Role Name associated with your AWS account.
    • Azure—Enter your Azure Tenant ID and Subscription ID.
    • GCP—Enter your GCP Project ID and Service Account.
  8. Click Next: Integrate Cloud Account to continue.
  9. Download your Terraform template.
    • If you are familiar with Terraform, click Download Terraform.
    • If you are new to Terraform, follow the Guided Steps.
  10. Click Save Configuration.
  11. Verify the cloud service provider account connection status. A successful connection ensures that SCM can communicate with your cloud environment and begin the tag discovery process.
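The Terraform template you download in step 9 is generated by SCM for your account, and its contents are not reproduced on this page. As an added illustration of what the AWS variant of such a template must establish, the following is an example written for this page, not the template SCM produces: a cross-account IAM role that a tag collector can assume, restricted by an external ID and granted only describe (read) permissions. The trusted account ID, external ID, and the exact permission set are assumptions; take the real values from the template SCM provides.

```hcl
# Added example, not the SCM-generated template. Shows the shape of a least-
# privilege cross-account role for IP-tag collection on AWS.
# Assumptions (placeholders): trusted_account_id, external_id, and the
# permission list below. Replace them with the values in your downloaded template.

variable "role_name" {
  description = "Role Name entered in SCM (step 7)"
  type        = string
  default     = "scm-ip-tag-collector" # placeholder
}

variable "trusted_account_id" {
  description = "AWS account ID of the collector (placeholder, from the downloaded template)"
  type        = string
  default     = "123456789012" # placeholder
}

variable "external_id" {
  description = "External ID that prevents the confused-deputy problem (placeholder)"
  type        = string
  default     = "replace-with-value-from-template" # placeholder
}

# Trust policy: only the collector's account may assume the role, and only
# when it presents the agreed external ID.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.trusted_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

resource "aws_iam_role" "collector" {
  name               = var.role_name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

# Permissions policy: describe-only. A compromised collector can read tags
# but cannot create, modify, or delete anything in the account.
# The action list is an assumed read-only minimum, not a vendor-published list.
data "aws_iam_policy_document" "read_tags" {
  statement {
    effect = "Allow"
    actions = [
      "ec2:DescribeInstances",
      "ec2:DescribeTags",
      "ec2:DescribeVpcs",
      "ec2:DescribeRegions",
    ]
    resources = ["*"] # ec2:Describe* calls do not support resource-level scoping
  }
}

resource "aws_iam_role_policy" "read_tags" {
  name   = "${var.role_name}-read-only"
  role   = aws_iam_role.collector.id
  policy = data.aws_iam_policy_document.read_tags.json
}

output "collector_role_arn" {
  description = "Role ARN to verify against the connection status in SCM"
  value       = aws_iam_role.collector.arn
}
```

When you review the template SCM generates, the two points worth checking are the same ones this example makes explicit: the trust policy should name a single trusted principal and require an external ID, and the permissions policy should contain no write actions.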

Configure Tag Distribution

  1. Create a new Tag Distribution for your onboarded AWS account.
    1. On the IP-Tag Collection page, choose a successfully connected cloud account.
    2. Click + Distribute.
  2. Define the scope for tag collection. Specifying regions and VPCs ensures that only relevant IP-to-tag mappings are collected, optimizing performance and data relevance for your security policies.
    1. Enter a descriptive Name.
    2. Enter a Polling Interval in seconds.
    3. Select Regions and VPC (AWS only).
    4. (Optional) For Azure deployments, select Fetch Service Tags. For more information about Azure service tags and Palo Alto Networks firewalls, see Attributes Monitored on Azure.
  3. Select Tag Destination folders containing the firewalls intended to receive the IP-to-tag mappings. Specify the target for tag distribution.
  4. Save the Tag Distribution configuration. Saving the distribution settings makes them active within SCM, preparing them for deployment to your firewalls.
  5. Push the configuration to your firewall.
    1. Navigate to Configuration > Push Config.
    2. Select the relevant Admin Scope and Folder.
    3. Select Push. This synchronizes the cloud integration and harvested IP-to-tag mappings from Strata Cloud Manager to your managed firewalls, enabling granular Layer 7 security policies based on real-time asset classifications.