AFS
/
xdr-terraform-modules


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129
							#tfsec:ignore:aws-s3-block-public-acls tfsec:ignore:aws-s3-block-public-policy tfsec:ignore:aws-s3-ignore-public-acls
#tfsec:ignore:aws-s3-no-public-buckets Certificate CRLs need to be publicly accessible
resource "aws_s3_bucket" "bucket" {
  count = var.palo_alto_count

  bucket = "xdr-palo-alto-bootstrap-${count.index}"
}

resource "aws_s3_bucket_acl" "s3_acl_bucket" {
  bucket = aws_s3_bucket.bucket.id
  acl    = "private"
}

locals {
  # Bootstrap process requires that folders exist, so we must create them in each bucket. This looks complicated,
  # but it's just doing a foreach bucket: foreach directory: ...
  bucket_folder_map = { for p in setproduct(range(var.palo_alto_count), local.bootstrap_dirs) : "${p[0]}/${p[1]}" => {
    num    = p[0]
    folder = p[1]
    }
  }
}

resource "aws_s3_bucket_object" "bootstrap_dirs" {
  for_each = local.bucket_folder_map

  bucket  = aws_s3_bucket.bucket[each.value["num"]].id
  key     = each.value["folder"]
  content = "/dev/null"
}

resource "aws_s3_bucket_object" "init_cfg" {
  count  = var.palo_alto_count
  bucket = aws_s3_bucket.bucket[count.index].id
  key    = "config/init-cfg.txt"
  content = templatefile("${path.module}/init-cfg.txt.tmpl",
    {
      "hostname"           = "xdr_palo_${var.aws_partition_alias}_${var.environment}_${count.index}"
      "authkey"            = var.palo_alto_auth_keys[count.index]
      "tplname"            = "XDR-Interconnect-Stack-${count.index}"
      "dgname"             = "XDR-Interconnects"
      "op-command-modes"   = "jumbo-frame, mgmt-interface-swap"
      "panorama_primary"   = var.panorama_servers[0]
      "panorama_secondary" = var.panorama_servers[1]
    }
  )
}

# No bootstrap configuration, as we're registered to panorama
# resource "aws_s3_bucket_object" "bootstrap_xml" {
#  count = var.palo_alto_count
#  bucket = aws_s3_bucket.bucket[count.index].id
#  key    = "config/bootstrap.xml"
#  content = templatefile("${path.module}/bootstrap.xml.tmpl",
#    {
#      index = count.index
#    }
#  )
#}

resource "aws_s3_bucket_object" "authcodes" {
  count   = var.palo_alto_count
  bucket  = aws_s3_bucket.bucket[count.index].id
  key     = "license/authcodes"
  content = <<EOF
${var.palo_alto_license_keys[count.index]}
EOF
}

resource "aws_iam_role" "bootstrap_role" {
  count = var.palo_alto_count
  name  = "palo_alto_bootstrap_${count.index}"
  path  = "/instance/"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
      "Service": "ec2.amazonaws.com"
    },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "bootstrap_policy" {
  count = var.palo_alto_count
  name  = "palo_alto_bootstrap_${count.index}"
  role  = aws_iam_role.bootstrap_role[count.index].id

  policy = <<EOF
{
  "Version" : "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}"
    },
    {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:${var.aws_partition}:s3:::${aws_s3_bucket.bucket[count.index].bucket}/*"
    }
  ]
}
EOF
}

resource "aws_iam_instance_profile" "bootstrap" {
  count = var.palo_alto_count
  name  = "palo_alto_bootstrap_${count.index}"
  role  = aws_iam_role.bootstrap_role[count.index].name
  path  = "/instance/"
}

//AWS Provider outdated arguments <4.4.0
/*resource "aws_s3_bucket" "bucket" {
  count = var.palo_alto_count

  bucket = "xdr-palo-alto-bootstrap-${count.index}"
  acl    = "private"
}
*/