
update standalone examples with ngfw_metrics module
FoSix committed Nov 17, 2023
1 parent 6bf6996 commit b7a2c95
Showing 27 changed files with 198 additions and 211 deletions.
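--- a/examples/common_vmseries/example.tfvars
+++ b/examples/common_vmseries/example.tfvars
@@ -157,6 +157,9 @@ load_balancers = {
 }
 }
 
+ngfw_metrics = {
+name = "metrics"
+}
 
 
 # # --- VMSERIES PART --- #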
32 changes: 16 additions & 16 deletions examples/common_vmseries/main.tf
Expand Up @@ -17,7 +17,7 @@ locals {
# Obtain Public IP address of code deployment machine

data "http" "this" {
count = length(var.bootstrap_storage) > 0 && contains([for v in values(var.bootstrap_storage) : v.storage_acl], true) ? 1 : 0
count = length(var.bootstrap_storage) > 0 && anytrue([for v in values(var.bootstrap_storage) : try(v.storage_acl, false)]) ? 1 : 0
url = "https://ifconfig.me/ip"
}

Expand Down Expand Up @@ -140,23 +140,23 @@ module "load_balancer" {


# create the actual VMSeries VMs and resources
module "ai" {
source = "../../modules/application_insights"
module "ngfw_metrics" {
source = "../../modules/ngfw_metrics"

for_each = toset(
var.application_insights != null ? flatten(
try([var.application_insights.name], [for _, v in var.vmseries : "${v.name}-ai"])
) : []
)
count = var.ngfw_metrics != null ? 1 : 0

name = "${var.name_prefix}${each.key}"
resource_group_name = local.resource_group.name
create_workspace = var.ngfw_metrics.create_workspace

name = "${var.ngfw_metrics.create_workspace ? var.name_prefix : ""}${var.ngfw_metrics.name}"
resource_group_name = var.ngfw_metrics.create_workspace ? local.resource_group.name : coalesce(var.ngfw_metrics.resource_group_name, local.resource_group.name)
location = var.location

workspace_mode = try(var.application_insights.workspace_mode, null)
workspace_name = try(var.application_insights.workspace_name, "${var.name_prefix}${each.key}-wrkspc")
workspace_sku = try(var.application_insights.workspace_sku, null)
metrics_retention_in_days = try(var.application_insights.metrics_retention_in_days, null)
log_analytics_config = {
sku = var.ngfw_metrics.sku
metrics_retention_in_days = var.ngfw_metrics.metrics_retention_in_days
}

application_insights = { for k, v in var.vmseries : k => { name = "${var.name_prefix}${v.name}-ai" } }

tags = var.tags
}
Expand Down Expand Up @@ -184,7 +184,7 @@ resource "local_file" "bootstrap_xml" {
1
)

ai_instr_key = try(module.ai[try(var.application_insights.name, "${each.value.name}-ai")].metrics_instrumentation_key, null)
ai_instr_key = try(module.ngfw_metrics[0].metrics_instrumentation_keys[each.key], null)

ai_update_interval = try(
each.value.bootstrap_storage.ai_update_interval,
Expand All @@ -205,7 +205,7 @@ resource "local_file" "bootstrap_xml" {
)

depends_on = [
module.ai,
module.ngfw_metrics,
module.vnet
]
}
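Review bot: `ai_instr_key = try(module.ngfw_metrics[0].metrics_instrumentation_keys[each.key], null)` in the third hunk turns every failure into `null`, so a firewall whose key is absent from the module output, or a renamed output attribute, silently produces a bootstrap file without the instrumentation key even though `var.ngfw_metrics` is set; only the "metrics disabled" case should fall back. If that is the intent, `ai_instr_key = var.ngfw_metrics != null ? module.ngfw_metrics[0].metrics_instrumentation_keys[each.key] : null` makes a genuine mismatch fail at plan time instead. The `local_file "bootstrap_xml"` resource holding this line starts and ends outside the hunk, and the same line appears in examples/dedicated_vmseries/main.tf. In the second hunk the comment `# create the actual VMSeries VMs and resources` now sits directly above `module "ngfw_metrics"` (likewise in examples/dedicated_vmseries/main.tf); it should describe that block, e.g. `# create the metrics related resources (Log Analytics Workspace and Application Insights)`, with the original comment moved back above the VM-Series module.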
2 changes: 1 addition & 1 deletion examples/common_vmseries/outputs.tf
Expand Up @@ -19,7 +19,7 @@ output "natgw_public_ips" {

output "metrics_instrumentation_keys" {
description = "The Instrumentation Key of the created instance(s) of Azure Application Insights."
value = var.application_insights != null ? { for k, v in module.ai : k => v.metrics_instrumentation_key } : null
value = try(module.ngfw_metrics[0].metrics_instrumentation_keys, null)
sensitive = true
}

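Review bot: The description `The Instrumentation Key of the created instance(s) of Azure Application Insights.` no longer matches the new value, which is a map keyed like `var.vmseries` (one key per firewall) and `null` when `var.ngfw_metrics` is unset. Suggest `description = "Map of Application Insights instrumentation keys, keyed by the keys of var.vmseries; null when var.ngfw_metrics is null."`. The same stale description is in examples/dedicated_vmseries/outputs.tf. Keeping `sensitive = true` is right, since the keys are credentials and should stay out of console output.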
52 changes: 23 additions & 29 deletions examples/common_vmseries/variables.tf
Expand Up @@ -293,42 +293,36 @@ variable "availability_sets" {
type = any
}

variable "application_insights" {
variable "ngfw_metrics" {
description = <<-EOF
A map defining Azure Application Insights. There are three ways to use this variable:
A map defining metrics related resources for Next Generation Firewall.
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
All the settings available below are common to the Log Analytics Workspace and Application Insight instances.
Names for all AI instances are prefixed with `var.name_prefix`.
> [!Note]
> We do not explicitly define Application Insights instances. Each Virtual Machine will receive one automatically
> as long as this object is not `null`.
> The name of the Application Insights instance will be derived from the VM's name and suffixed with `-ai`.
Properties supported (for details on each property see [modules documentation](../../modules/application_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:
```
vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
Following properties are available:
application_insights = {
metrics_retention_in_days = 365
}
```
- `name` - (`string`, required) name of the (common) Log Analytics Workspace
- `create_workspace` - (`bool`, optional, defaults to `true`) controls whether we create or source an existing Log
Analytics Workspace
- `resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of the Resource Group hosting
the Log Analytics Workspace
- `sku` - (`string`, optional, defaults to module defaults) the SKU of the Log Analytics Workspace.
- `metrics_retention_in_days` - (`number`, optional, defaults to module defaults) workspace and insights data retention in
days, possible values are between 30 and 730.
EOF
default = null
type = map(string)
type = object({
name = string
create_workspace = optional(bool, true)
resource_group_name = optional(string)
sku = optional(string)
metrics_retention_in_days = optional(number)
})
}

variable "bootstrap_storage" {
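Review bot: The new description promises `possible values are between 30 and 730` for `metrics_retention_in_days`, but nothing enforces it, so an out-of-range value only surfaces as an Azure API error at apply time; a `validation` block on the variable catches it at plan time. The description also omits that `name` is prefixed with `var.name_prefix` only when `create_workspace` is `true` (main.tf builds `"${var.ngfw_metrics.create_workspace ? var.name_prefix : ""}${var.ngfw_metrics.name}"`), which a user sourcing an existing workspace needs to know; suggest rewording the `name` bullet to say it is prefixed with `var.name_prefix` only when `create_workspace` is `true` and otherwise used as-is to look up the existing workspace. The identical variable in examples/dedicated_vmseries/variables.tf needs the same two changes.
```hcl
variable "ngfw_metrics" {
  # … unchanged: description, default, type …

  validation {
    # try() keeps the check a no-op when the variable or the attribute is null,
    # since the comparison operators do not accept null operands.
    condition = try(
      var.ngfw_metrics.metrics_retention_in_days >= 30 && var.ngfw_metrics.metrics_retention_in_days <= 730,
      true
    )
    error_message = "metrics_retention_in_days must be between 30 and 730."
  }
}
```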
2 changes: 1 addition & 1 deletion examples/common_vmseries_and_autoscale/example.tfvars
@@ -1,7 +1,7 @@
# --- GENERAL --- #
location = "North Europe"
resource_group_name = "autoscale-common"
name_prefix = "fosix-"
name_prefix = "example-"
tags = {
"CreatedBy" = "Palo Alto Networks"
"CreatedWith" = "Terraform"
12 changes: 8 additions & 4 deletions examples/dedicated_vmseries/example.tfvars
@@ -1,7 +1,7 @@
# --- GENERAL --- #
location = "North Europe"
resource_group_name = "transit-vnet-dedicated"
name_prefix = "example-"
name_prefix = "fosix-"
tags = {
"CreatedBy" = "Palo Alto Networks"
"CreatedWith" = "Terraform"
Expand All @@ -23,7 +23,7 @@ vnets = {
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_address_prefixes = ["1.2.3.4"] # TODO: whitelist public IP addresses that will be used to manage the appliances
source_address_prefixes = ["0.0.0.0/0"] # TODO: whitelist public IP addresses that will be used to manage the appliances
source_port_range = "*"
destination_address_prefix = "10.0.0.0/28"
destination_port_ranges = ["22", "443"]
Expand Down Expand Up @@ -159,7 +159,7 @@ load_balancers = {

bootstrap_storage = {
bootstrap = {
name = "xmplbootstrapdedicated"
name = "fosixbootstrap"
public_snet_key = "public"
private_snet_key = "private"
storage_acl = true
Expand All @@ -170,10 +170,14 @@ bootstrap_storage = {
subnet_key = "management"
}
}
storage_allow_inbound_public_ips = ["1.2.3.4"] # TODO: whitelist public IP addresses subnets (minimum /30 CIDR) that will be used to apply the terraform code from
storage_allow_inbound_public_ips = ["134.238.135.14", "134.238.135.140"] # TODO: whitelist public IP addresses subnets (minimum /30 CIDR) that will be used to apply the terraform code from
}
}

ngfw_metrics = {
name = "metrics"
}

vmseries_version = "10.2.3"
vmseries_vm_size = "Standard_DS3_v2"
vmseries = {
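Review bot: The management NSG rule in the second hunk ends up with `source_address_prefixes = ["0.0.0.0/0"]` if the second line of each pair is the new side as the rendering suggests, which in a copy-paste example exposes ports 22 and 443 of the management subnet to the whole internet; the placeholder `["1.2.3.4"]` with its TODO should stay. The other pairs in this file (`name_prefix = "fosix-"`, `name = "fosixbootstrap"`, and two concrete addresses in `storage_allow_inbound_public_ips`) look like developer-local values rather than example values, and the two autoscale tfvars in this commit move in the opposite direction (`fosix-` → `example-`), so this file looks like an accidental inclusion; keep `name_prefix = "example-"`, `name = "xmplbootstrapdedicated"` and the placeholder IP list. Only the `ngfw_metrics = { name = "metrics" }` addition in the last hunk belongs to the commit's stated purpose.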
32 changes: 17 additions & 15 deletions examples/dedicated_vmseries/main.tf
Expand Up @@ -63,6 +63,7 @@ module "vnet" {
tags = var.tags
}


module "natgw" {
source = "../../modules/natgw"

Expand Down Expand Up @@ -137,24 +138,25 @@ module "load_balancer" {




# create the actual VMSeries VMs and resources
module "ai" {
source = "../../modules/application_insights"
module "ngfw_metrics" {
source = "../../modules/ngfw_metrics"

for_each = toset(
var.application_insights != null ? flatten(
try([var.application_insights.name], [for _, v in var.vmseries : "${v.name}-ai"])
) : []
)
count = var.ngfw_metrics != null ? 1 : 0

name = "${var.name_prefix}${each.key}"
resource_group_name = local.resource_group.name
create_workspace = var.ngfw_metrics.create_workspace

name = "${var.ngfw_metrics.create_workspace ? var.name_prefix : ""}${var.ngfw_metrics.name}"
resource_group_name = var.ngfw_metrics.create_workspace ? local.resource_group.name : coalesce(var.ngfw_metrics.resource_group_name, local.resource_group.name)
location = var.location

workspace_mode = try(var.application_insights.workspace_mode, null)
workspace_name = try(var.application_insights.workspace_name, "${var.name_prefix}${each.key}-wrkspc")
workspace_sku = try(var.application_insights.workspace_sku, null)
metrics_retention_in_days = try(var.application_insights.metrics_retention_in_days, null)
log_analytics_config = {
sku = var.ngfw_metrics.sku
metrics_retention_in_days = var.ngfw_metrics.metrics_retention_in_days
}

application_insights = { for k, v in var.vmseries : k => { name = "${var.name_prefix}${v.name}-ai" } }

tags = var.tags
}
Expand Down Expand Up @@ -182,7 +184,7 @@ resource "local_file" "bootstrap_xml" {
1
)

ai_instr_key = try(module.ai[try(var.application_insights.name, "${each.value.name}-ai")].metrics_instrumentation_key, null)
ai_instr_key = try(module.ngfw_metrics[0].metrics_instrumentation_keys[each.key], null)

ai_update_interval = try(
each.value.bootstrap_storage.ai_update_interval,
Expand All @@ -203,7 +205,7 @@ resource "local_file" "bootstrap_xml" {
)

depends_on = [
module.ai,
module.ngfw_metrics,
module.vnet
]
}
2 changes: 1 addition & 1 deletion examples/dedicated_vmseries/outputs.tf
Expand Up @@ -19,7 +19,7 @@ output "natgw_public_ips" {

output "metrics_instrumentation_keys" {
description = "The Instrumentation Key of the created instance(s) of Azure Application Insights."
value = var.application_insights != null ? { for k, v in module.ai : k => v.metrics_instrumentation_key } : null
value = try(module.ngfw_metrics[0].metrics_instrumentation_keys, null)
sensitive = true
}

55 changes: 24 additions & 31 deletions examples/dedicated_vmseries/variables.tf
Expand Up @@ -293,42 +293,36 @@ variable "availability_sets" {
type = any
}

variable "application_insights" {
variable "ngfw_metrics" {
description = <<-EOF
A map defining Azure Application Insights. There are three ways to use this variable:
A map defining metrics related resources for Next Generation Firewall.
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
All the settings available below are common to the Log Analytics Workspace and Application Insight instances.
Names for all AI instances are prefixed with `var.name_prefix`.
> [!Note]
> We do not explicitly define Application Insights instances. Each Virtual Machine will receive one automatically
> as long as this object is not `null`.
> The name of the Application Insights instance will be derived from the VM's name and suffixed with `-ai`.
Properties supported (for details on each property see [modules documentation](../../modules/application_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:
```
vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
Following properties are available:
application_insights = {
metrics_retention_in_days = 365
}
```
- `name` - (`string`, required) name of the (common) Log Analytics Workspace
- `create_workspace` - (`bool`, optional, defaults to `true`) controls whether we create or source an existing Log
Analytics Workspace
- `resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of the Resource Group hosting
the Log Analytics Workspace
- `sku` - (`string`, optional, defaults to module defaults) the SKU of the Log Analytics Workspace.
- `metrics_retention_in_days` - (`number`, optional, defaults to module defaults) workspace and insights data retention in
days, possible values are between 30 and 730.
EOF
default = null
type = map(string)
type = object({
name = string
create_workspace = optional(bool, true)
resource_group_name = optional(string)
sku = optional(string)
metrics_retention_in_days = optional(number)
})
}

variable "bootstrap_storage" {
Expand All @@ -342,8 +336,7 @@ variable "bootstrap_storage" {
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
- `storage_acl` : (defaults to `false`) enables network ACLs on the Storage Account. If this is enabled - `storage_allow_vnet_subnets` and `storage_allow_inbound_public_ips` options become available. The ACL defaults to default `Deny`.
- `storage_allow_vnet_subnets` : (defaults to `[]`) whitelist containing the allowed vnet and associated subnets that are allowed to access the Storage Account. Note that the respective subnets require `enable_storage_service_endpoint` set to `true` to work properly.
- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tried to query https://ifconfig.me/ip to obtain the public IP address of the machine executing the code so that the bootstrap files are successfully uploaded to the Storage Account.
- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tries to query https://ifconfig.me/ip to obtain the public IP address of the machine executing the code so that the bootstrap files can be successfully uploaded to the Storage Account.
The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
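Review bot: The context line `These properties can also be specified per firewall, but when specified here they tak higher precedence:` in the last hunk carries a typo (`tak` → `take`) worth fixing while this description is being reworded. The rewritten `storage_allow_inbound_public_ips` sentence could also state the consequence of the https://ifconfig.me/ip lookup: the address returned by that external service is presumably added to the Storage Account ACL as-is, so behind a shared NAT the whole egress address gains access; suggest appending `(the address returned by that service is whitelisted as-is, so behind a shared NAT the entire egress address gets access)`.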
2 changes: 1 addition & 1 deletion examples/dedicated_vmseries_and_autoscale/example.tfvars
@@ -1,7 +1,7 @@
# --- GENERAL --- #
location = "North Europe"
resource_group_name = "autoscale-dedicated"
name_prefix = "fosix-"
name_prefix = "example-"
tags = {
"CreatedBy" = "Palo Alto Networks"
"CreatedWith" = "Terraform"
