Focus

Cloud NGFW for AWS

Terraform Support for Cloud NGFW AWS

Table of Contents

Terraform Support for Cloud NGFW AWS

Cloud NGFW Terraform Provider used for communication between the firewall and the AWS APIs.

Hashicorp Terraform is an open source infrastructure as code (IaC) tool for teams managing multi-cloud environments. It allows you to define a configuration that describes the target state of your cloud infrastructure and uses it to automatically calculate the necessary steps to reach the defined target while executing the relevant changes to provision and manage the cloud infrastructure. These Terraform configurations use plugins called providers. The plugins interact with the providers such as AWS to facilitate reuse by creating repeatable steps for building and maintaining the cloud infrastructure, ensuring easy additions to your CI/CD pipeline.

Palo Alto Networks adds the cloudngfwaws provider to automate the process of building the security infrastructure and to maintain the network security posture using NGFW rulestacks. This provider acts as a translation layer that facilitates communication between the client (the device running Terraform) and the APIs that the Cloud NGFW for AWS service offers.

Visit the Palo Alto Networks developer documentation to learn more about deploying Cloud NGFW on AWS using Terraform and view the Terraform reference information.

You can use Terraform provider in your configuration to:

Launch the Cloud NGFW.
Configure the rulestack used by the Cloud NGFW to retrieve policy information. The rulestack contains relevant policy information, like security rules, intelligent feeds, and various objects.

Use the cloudngfwaws Terraform provider to access resources to manage the Cloud NGFW for AWS. The cloudngfwaws provider authenticates to AWS using the STS assume role, which generates temporary credentials. These temporary credentials, used briefly during the initial authentication sequence, include the access key, secret key, and a session token. During this sequence:

Authentication leverages the AWS STS assume role using the AWS API. You must enable API access.
STS credentials are used to refresh the Cloud NGFW admin token using the Cloud NGFW for AWS API. These credentials are also used to refresh the rulestack admin token.
The Cloud NGFW admin token and the rulestack admin token are used for configuration management using the Cloud NGFW for AWS API.

Consider:

After successfully authenticating to AWS, the provider retrieves the JWTs for firewall and rulestack administration.
You can statically specify the AWS access and secret key in the provider block. If you do not specify these credentials, they are automatically retrieved from the shared credentials file. Use the access_key and secret_key parameters to statically provide AWS credentials.
When setting up the provider, AWS authentication workflow uses the AWS Go SDK to control variables related to authentication. You can use AWS environment variables to configure credentials used for AWS authentication.
The provider requires API access.

Provider parameters are prioritized in different ways. In the presence of overlapping values, these parameters are addressed in the following order:

Statically configured in the provider block.
Environment variables.
Retrieved from the JSON configuration file.

Example Terraform Provider for Cloud NGFW

Terraform 0.13 and later:

terraform {
  required_providers {
    cloudngfwaws = {
      source  = "paloaltonetworks/terraform-provider-cloudngfwaws"
      version = "1.0.0"
    }
  }
}
provider "cloudngfwaws" {
  json_config_file = "~/.cloudngfwaws_creds.json"
}

JSON config file:

{
"host": "api.us-east-1.aws.cloudngfw.paloaltonetworks.com",
"region": "us-east-1",
"arn": "arn:aws:iam::123456789:role/MyRole"
}

Enable Programmatic Access

Provision Cloud NGFW Resources to your AWS CFT