Aviatrix Terraform module for firenet deployment in multiple clouds, to be used in conjunction with mc-transit module.
| Module version | Terraform version | Controller version | Terraform provider version | mc-transit module version |
|---|---|---|---|---|
| v1.5.4 | >=1.1.0 | >= 7.1 | ~> 3.1.0 | ~> v2.5.2 |
Check release notes for more details. Check Compatibility list for older versions.
module "mc_transit" {
source = "terraform-aviatrix-modules/mc-transit/aviatrix"
version = "v2.5.2"
cloud = "AWS"
cidr = "10.1.0.0/23"
region = "eu-central-1"
account = "AWS"
enable_transit_firenet = true
}
module "firenet_1" {
source = "terraform-aviatrix-modules/mc-firenet/aviatrix"
version = "v1.5.4"
transit_module = module.mc_transit
firewall_image = "Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1"
}The following variables are required:
| key | value |
|---|---|
| firewall_image | The firewall image to be used to deploy the NGFW's. Use "aviatrix" to deploy Aviatrix FQDN egress filtering GW's (AWS/Azure/GCP). |
| transit_module | Refer to the mc-transit module that built the transit. This module plugs directly into it's output to build firenet on top of it. |
The following variables are optional:
= AWS, 
= Azure, 
= GCP, 
= OCI, 
= Alibaba
| Key | Supported_CSP's | Default value | Description |
|---|---|---|---|
| associated |     |
true | Associate firewalls with transit gateway. |
| attached | |
true | Attach firewall instances. |
| bootstrap_bucket_name_1 | |
Name of bootstrap bucket to pull firewall config from. (If bootstrap_bucket_name_2 is not set, this will used for all NGFW instances) | |
| bootstrap_bucket_name_2 | |
Name of bootstrap bucket to pull firewall config from. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| bootstrap_storage_name_1 | |
Storagename to get bootstrap files from (PANW only). (If bootstrap_storage_name_2 is not set, this will used for all NGFW instances) | |
| bootstrap_storage_name_2 | |
Storagename to get bootstrap files from (PANW only) (Only used when HA FW instance is deployed) | |
| custom_fw_names | |
[] | If set, the NGFW instances will be deployed with the names provided in this list. First half of the list for instances in az1, second half for az2. |
| east_west_inspection_excluded_cidrs | |
Network List Excluded From East-West Inspection. | |
| egress_cidr | |
CIDR For Egress VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true. | |
| egress_enabled | |
false | Enable/disable internet egress via NGFW. |
| egress_static_cidrs | |
[] | List of egress static CIDRs. Egress is required to be enabled. Example: ["1.171.15.184/32", "1.171.15.185/32"]. |
| egress_subnet_1 | |
Subnet for firenet egress interface (odd instances). Only used when mc-transit was built with an existing VNET. | |
| egress_subnet_2 | |
Subnet for firenet egress interface (even instances). Only used when mc-transit was built with an existing VNET. | |
| file_share_folder_1 | |
Name of the folder containing the bootstrap files (PANW only) (If file_share_folder_2 is not set, this will used for all NGFW instances) | |
| file_share_folder_2 | |
Name of the folder containing the bootstrap files (PANW only) (Only used when HA FW instance is deployed) | |
| firewall_image_id | |
Firewall image ID. Use AMI ID. | |
| firewall_image_version | |
When not provided, latest available will be used. | |
| fw_amount | |
The amount of NGFW instances to deploy. These will be deployed accross multiple AZ's. Amount must be even and only applies when transit is HA. | |
| hashing_algorithim | |
5-Tuple | Hashing algorithm to load balance traffic across the firewall. Valid values: 2-Tuple, 5-Tuple. Default value: 5-Tuple. |
| iam_role_1 | |
IAM Role used to access bootstrap bucket. (If iam_role_2 is not set, this will used for all NGFW instances) | |
| iam_role_2 | |
IAM Role used to access bootstrap bucket. (Only used if 2 or more FW instances are deployed, e.g. when ha_gw is true. Applies to "even" fw instances (2,4,6 etc)) | |
| inspection_enabled | |
true | Enable/disable east/west + north/south inspection via NGFW. |
| instance_size | |
c5.xlarge Standard_D3_v2 n1-standard-4 VM.Standard2.4 |
Size of the NGFW instances |
| keep_alive_via_lan_interface_enabled | |
False | Enable Keep Alive via Firewall LAN Interface. |
| key_name | |
Applicable to AWS deployment only. AWS Key Pair name. If not provided a Key Pair will be generated. | |
| mgmt_cidr | |
CIDR For Management VPC for GCP Firenet. Only required when deploying in GCP and enable_transit_firenet is true and deploying Palo Alto NGFW. | |
| mgmt_subnet_1 | |
Subnet for firenet management interface (odd instances). Only used when mc-transit was built with an existing VNET. | |
| mgmt_subnet_2 | |
Subnet for firenet management interface (even instances). Only used when mc-transit was built with an existing VNET. | |
| password | |
Aviatrix#1234 | Default initial password for firewall instances |
| ssh_public_key | |
Initial SSH public key for firewall instances. You can either set a password or an SSH key, but not both. | |
| storage_access_key_1 | |
Storage_access_key to access bootstrap storage (PANW only) (If storage_access_key_2 is not set, this will used for all NGFW instances) | |
| storage_access_key_2 | |
Storage_access_key to access bootstrap storage (PANW only) (Only used when HA FW instance is deployed) | |
| tags | |
Map of tags to assign to the firewall or FQDN egress gw's. | |
| sic_key | |
Sic key. Applicable to Check Point Series deployment only. | |
| user_data_1 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. | |
| user_data_2 | |
Userdata to bootstrap FortiGate or Checkpoint Firewall. If not set, user_data_1 will be used. | |
| username | |
fwadmin | Applicable to Azure or AzureGov deployment only. "admin" as a username is not accepted. (For Checkpoint it is always admin) |
This module will return the following objects:
| key | description |
|---|---|
| aviatrix_firenet | The created Aviatrix firenet object with all of it's attributes. |
| aviatrix_firewall_instance | A list of the created firewall instances and their attributes. |
| egress_vpc | The aviatrix_vpc object that created the egress VPC with all it's attributes. Only in GCP. |
| management_vpc | The aviatrix_vpc object that created the management VPC with all it's attributes. Only for Palo Alto deployments in GCP. |
| module_metadata | Information about the module, like module version. |
When using a firewall_image string that does not exist, a data lookup will fail and throw the error below. Make sure you are using a valid firewall_image. These can differ between clouds. Check the Aviatrix controller UI to see available firewall images.
│ Error: Invalid index
│
│ on variables.tf line 172:
│ (source code not available)
│
│ The given key does not identify an element in this collection value: the collection has no elements.