├── sample-application
    ├── versions.tf
    ├── guestbook.yml
    └── main.tf
├── .github
    ├── dependabot.yml
    └── workflows
    │   └── ci.yml
├── aks
    ├── vnet.tf
    ├── main.tf
    ├── variables.tf
    ├── outputs.tf
    └── cluster.tf
├── cn-series
    ├── outputs.tf
    ├── variables.tf
    └── main.tf
├── .gitignore
├── SUPPORT.md
├── gke
    ├── main.tf
    ├── outputs.tf
    ├── variables.tf
    └── cluster.tf
├── eks
    ├── main.tf
    ├── outputs.tf
    ├── kubernetes.tf
    ├── variables.tf
    ├── locals.tf
    ├── nodegroup.tf
    └── cluster.tf
├── README.md
└── LICENSE


/sample-application/versions.tf:
--------------------------------------------------------------------------------
1 | terraform {
2 |   required_providers {
3 |     panos = {
4 |       source = "paloaltonetworks/panos"
5 |     }
6 |   }
7 |   required_version = ">= 0.13"
8 | }
9 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | version: 2
 2 | updates:
 3 |   - package-ecosystem: "github-actions"
 4 |     directory: "/"
 5 |     schedule:
 6 |       interval: "weekly"
 7 |       
 8 |   - package-ecosystem: "terraform"
 9 |     directory: "/"
10 |     schedule:
11 |       interval: "weekly"
12 | 


--------------------------------------------------------------------------------
/aks/vnet.tf:
--------------------------------------------------------------------------------
 1 | resource "azurerm_virtual_network" "aks_vnet" {
 2 |   name                = "${random_pet.prefix.id}-network"
 3 |   address_space       = ["10.1.0.0/16"]
 4 |   location            = azurerm_resource_group.rg.location
 5 |   resource_group_name = azurerm_resource_group.rg.name
 6 | }
 7 | 
 8 | resource "azurerm_subnet" "aks_subnet" {
 9 |   name                 = "${random_pet.prefix.id}-subnet"
10 |   resource_group_name  = azurerm_resource_group.rg.name
11 |   virtual_network_name = azurerm_virtual_network.aks_vnet.name
12 |   address_prefixes     = ["10.1.0.0/24"]
13 | }
14 | 


--------------------------------------------------------------------------------
/cn-series/outputs.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Local .terraform directories
 2 | **/.terraform/*
 3 | 
 4 | # .tfstate files
 5 | *.tfstate
 6 | *.tfstate.*
 7 | 
 8 | # Crash log files
 9 | crash.log
10 | 
11 | # Ignore any .tfvars files that are generated automatically for each Terraform run. Most
12 | # .tfvars files are managed as part of configuration and so should be included in
13 | # version control.
14 | #
15 | *.tfvars
16 | 
17 | # Ignore override files as they are usually used to override resources locally and so
18 | # are not checked in
19 | override.tf
20 | override.tf.json
21 | *_override.tf
22 | *_override.tf.json
23 | 
24 | # Include override files you do wish to add to version control using negated pattern
25 | #
26 | # !example_override.tf
27 | 
28 | # Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
29 | # example: *tfplan*
30 | 
31 | # Ignore YAML files generated by Terraform
32 | *.yaml


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
 1 | 
 2 | ---
 3 | name: CI/CD
 4 | on:
 5 |   push:
 6 |   pull_request:
 7 |   
 8 |   # Run at midnight GMT on Fridays.
 9 |   schedule:
10 |     - cron: '0 0 * * 5'
11 | 
12 | jobs:
13 |   validate:
14 |     name: Validate
15 |     runs-on: ubuntu-latest
16 | 
17 |     steps:
18 |       - name: Check out source
19 |         uses: actions/checkout@v2
20 | 
21 |       - name: Set up Terraform
22 |         uses: hashicorp/setup-terraform@v1.3.2
23 | 
24 |       - name: terraform validate
25 |         run: |
26 |           cd ${GITHUB_WORKSPACE}
27 |           for dir in $(find . -type d -not \( -name ".?*" \) -maxdepth 1 -mindepth 1);
28 |           do
29 |             echo "Validating directory ${dir}..."
30 |             cd ${GITHUB_WORKSPACE}/${dir}
31 |             terraform init -backend=false
32 |             terraform validate
33 |           done
34 | 
35 |       - name: terraform fmt
36 |         run: |
37 |           terraform fmt -check -recursive
38 | 


--------------------------------------------------------------------------------
/SUPPORT.md:
--------------------------------------------------------------------------------
 1 | Community Supported
 2 | 
 3 | The software and templates in the repo are released under an as-is, best effort,
 4 | support policy. This software should be seen as community supported and Palo
 5 | Alto Networks will contribute our expertise as and when possible. We do not
 6 | provide technical support or help in using or troubleshooting the components of
 7 | the project through our normal support options such as Palo Alto Networks
 8 | support teams, or ASC (Authorized Support Centers) partners and backline support
 9 | options. The underlying product used (the VM-Series firewall) by the scripts or
10 | templates are still supported, but the support is only for the product
11 | functionality and not for help in deploying or using the template or script
12 | itself. Unless explicitly tagged, all projects or work posted in our GitHub
13 | repository (at https://github.com/PaloAltoNetworks) or sites other than our
14 | official Downloads page on https://support.paloaltonetworks.com are provided
15 | under the best effort policy.
16 | 


--------------------------------------------------------------------------------
/gke/main.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | terraform {
19 |   required_version = ">= 0.13"
20 | 
21 |   required_providers {
22 |     google = {
23 |       source  = "hashicorp/google"
24 |       version = "~> 3.47.0"
25 |     }
26 |   }
27 | }
28 | 
29 | provider "google" {
30 |   project = var.project
31 |   region  = var.region
32 | }
33 | 
34 | 


--------------------------------------------------------------------------------
/aks/main.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | terraform {
18 |   required_version = ">= 0.13"
19 | }
20 | 
21 | provider "azurerm" {
22 |   version = "~> 2.0"
23 |   features {}
24 | }
25 | 
26 | resource "azurerm_resource_group" "rg" {
27 |   name     = "${random_pet.prefix.id}-rg"
28 |   location = var.location
29 | }
30 | 
31 | resource "random_pet" "prefix" {}
32 | 
33 | 


--------------------------------------------------------------------------------
/eks/main.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | terraform {
19 |   required_version = ">= 0.13"
20 | }
21 | 
22 | provider "aws" {
23 |   version = ">= 2.28.1"
24 |   region  = var.region
25 | }
26 | 
27 | provider "random" {
28 |   version = "~> 2.1"
29 | }
30 | 
31 | provider "null" {
32 |   version = "~> 2.1"
33 | }
34 | 
35 | provider "template" {
36 |   version = "~> 2.1"
37 | }
38 | 


--------------------------------------------------------------------------------
/aks/variables.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | variable "location" {
19 |   default     = "East US"
20 |   type        = string
21 |   description = "The Azure location"
22 | }
23 | 
24 | variable "k8s_version" {
25 |   default     = "1.19.9"
26 |   type        = string
27 |   description = "The version of Kubernetes"
28 | }
29 | 
30 | variable "ssh_key" {
31 |   type        = string
32 |   description = "The SSH public key"
33 | }
34 | 


--------------------------------------------------------------------------------
/eks/outputs.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | output "eks_cluster_name" {
18 |   value = aws_eks_cluster.ControlPlane.name
19 | }
20 | 
21 | output "eks_cluster_endpoint" {
22 |   value = split("//", aws_eks_cluster.ControlPlane.endpoint)[1]
23 | }
24 | 
25 | # output "eks_cluster_certificat_authority" {
26 | #   value = aws_eks_cluster.ControlPlane.certificate_authority
27 | # }
28 | 
29 | # output "config_map_aws_auth" {
30 | #   value = local.config_map_aws_auth
31 | # }
32 | 
33 | # output "kubeconfig" {
34 | #   value = local.kubeconfig
35 | # }
36 | 


--------------------------------------------------------------------------------
/eks/kubernetes.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | resource "local_file" "kubeconfig" {
19 |   content  = local.kubeconfig
20 |   filename = "${path.module}/${random_pet.prefix.id}-kubeconfig.yaml"
21 | }
22 | 
23 | resource "local_file" "auth_configmap" {
24 |   content  = local.config_map_aws_auth
25 |   filename = "${path.module}/${random_pet.prefix.id}-auth-configmap.yaml"
26 | }
27 | 
28 | resource "null_resource" "apply_configmap" {
29 |   provisioner "local-exec" {
30 |     command = "kubectl apply -f ${local_file.auth_configmap.filename} --kubeconfig ${local_file.kubeconfig.filename}"
31 |   }
32 | }
33 | 
34 | 


--------------------------------------------------------------------------------
/aks/outputs.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | output "az_resource_group" {
18 |   value = azurerm_resource_group.rg.name
19 | }
20 | 
21 | output "az_cluster_name" {
22 |   value = azurerm_kubernetes_cluster.default.name
23 | }
24 | 
25 | output "az_cluster_endpoint" {
26 |   value = azurerm_kubernetes_cluster.default.fqdn
27 | }
28 | 
29 | output "run_this_command_to_configure_kubectl" {
30 |   value = "az aks get-credentials --name ${azurerm_kubernetes_cluster.default.name} --resource-group ${azurerm_resource_group.rg.name}"
31 | }
32 | 
33 | # output "az_cluster_kubeconfig" {
34 | #   value = azurerm_kubernetes_cluster.default.kube_config_raw
35 | # }
36 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # cn-series-deploy
 2 | A set of Terraform plans for deploying a Kubernetes cluster protected by a Palo Alto Networks CN-Series Next-Generation Firewall.  Kubernetes environments supported include GKE, EKS, and AKS.
 3 | 
 4 | ### Documentation
 5 | All documentation for the Terraform plans contained in this repository are located in the project wiki located [here](https://github.com/PaloAltoNetworks/cn-series-deploy/wiki).
 6 | 
 7 | ## Support
 8 | 
 9 | This template/solution is released under an as-is, best effort, support
10 | policy. These scripts should be seen as community supported and Palo
11 | Alto Networks will contribute our expertise as and when possible. We do
12 | not provide technical support or help in using or troubleshooting the
13 | components of the project through our normal support options such as
14 | Palo Alto Networks support teams, or ASC (Authorized Support Centers)
15 | partners and backline support options. The underlying product used (the
16 | VM-Series firewall) by the scripts or templates are still supported, but
17 | the support is only for the product functionality and not for help in
18 | deploying or using the template or script itself.
19 | 
20 | Unless explicitly tagged, all projects or work posted in our GitHub
21 | repository (at <https://github.com/PaloAltoNetworks>) or sites other
22 | than our official Downloads page on <https://support.paloaltonetworks.com>
23 | are provided under the best effort policy.
24 | 


--------------------------------------------------------------------------------
/gke/outputs.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | output "cluster_master_ip" {
18 |   value       = google_container_cluster.cluster.endpoint
19 |   description = "The IP endpoint of the GKE cluster master"
20 | }
21 | 
22 | output "cluster_name" {
23 |   value       = google_container_cluster.cluster.name
24 |   description = "The name of the GKE cluster"
25 | }
26 | 
27 | output "cluster_location" {
28 |   value       = google_container_cluster.cluster.location
29 |   description = "The zone in which the GKE cluster resides"
30 | }
31 | 
32 | output "cluster_project" {
33 |   value = google_container_cluster.cluster.project
34 | }
35 | 
36 | output "kubectl_config_command" {
37 |   value = "gcloud container clusters get-credentials ${google_container_cluster.cluster.name} --region ${google_container_cluster.cluster.location} --project ${google_container_cluster.cluster.project}"
38 | }


--------------------------------------------------------------------------------
/eks/variables.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | # variable "project" {
19 | #   type        = string
20 | #   default     = "cnseries-testing"
21 | #   description = "An identifier for the deployment"
22 | # }
23 | 
24 | variable "ssh_key_name" {
25 |   type        = string
26 |   description = "The SSH key pair name in EC2"
27 | }
28 | 
29 | variable "region" {
30 |   type        = string
31 |   default     = "us-west-2"
32 |   description = "The AWS region"
33 | }
34 | 
35 | # variable "panorama_auth_key" {
36 | #   type        = string
37 | #   description = "The VM auth key generated on Panorama"
38 | # }
39 | 
40 | variable "k8s_version" {
41 |   type        = string
42 |   default     = "1.19"
43 |   description = "Kubernetes version"
44 | }
45 | 
46 | variable "instance_type" {
47 |   type        = string
48 |   default     = "m5.2xlarge"
49 |   description = "The EC2 instance type"
50 | }
51 | 


--------------------------------------------------------------------------------
/gke/variables.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | variable "project" {
18 |   type        = string
19 |   description = "The GCP project ID"
20 | }
21 | 
22 | variable "region" {
23 |   type        = string
24 |   description = "The GCP region"
25 | }
26 | 
27 | # Not supported for GKE >= 1.19
28 | # variable "gke_username" {
29 | #   type        = string
30 | #   description = "The cluster master username"
31 | # }
32 | 
33 | # Not supported for GKE >= 1.19
34 | # variable "gke_password" {
35 | #   type        = string
36 | #   description = "The cluster master password"
37 | 
38 | #   validation {
39 | #     condition     = length(var.gke_password) >= 16
40 | #     error_message = "The cluster master passsword must be 16 characters or more."
41 | #   }
42 | # }
43 | 
44 | variable "k8s_version" {
45 |   default     = "1.20" # latest supported version of GKE as of 2021-09-28
46 |   type        = string
47 |   description = "The version of Kubernetes"
48 | }
49 | 


--------------------------------------------------------------------------------
/aks/cluster.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | resource "azurerm_kubernetes_cluster" "default" {
19 |   name                = "${random_pet.prefix.id}-k8s"
20 |   location            = azurerm_resource_group.rg.location
21 |   resource_group_name = azurerm_resource_group.rg.name
22 |   kubernetes_version  = var.k8s_version
23 |   dns_prefix          = "${random_pet.prefix.id}-k8s"
24 | 
25 |   default_node_pool {
26 |     name               = "default"
27 |     node_count         = 2
28 |     vm_size            = "Standard_D8s_v3"
29 |     vnet_subnet_id     = azurerm_subnet.aks_subnet.id
30 |     availability_zones = ["1", "2"]
31 |   }
32 | 
33 |   linux_profile {
34 |     admin_username = "ubuntu"
35 |     ssh_key {
36 |       key_data = var.ssh_key
37 |     }
38 |   }
39 | 
40 |   identity {
41 |     type = "SystemAssigned"
42 |   }
43 | 
44 |   network_profile {
45 |     network_plugin    = "azure"
46 |     load_balancer_sku = "standard"
47 |   }
48 | }
49 | 


--------------------------------------------------------------------------------
/eks/locals.tf:
--------------------------------------------------------------------------------
 1 | ############################################################################################
 2 | # Copyright 2020 Palo Alto Networks.
 3 | #
 4 | # Licensed under the Apache License, Version 2.0 (the "License");
 5 | # you may not use this file except in compliance with the License.
 6 | # You may obtain a copy of the License at
 7 | #
 8 | #   http://www.apache.org/licenses/LICENSE-2.0
 9 | #
10 | # Unless required by applicable law or agreed to in writing, software
11 | # distributed under the License is distributed on an "AS IS" BASIS,
12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 | # See the License for the specific language governing permissions and
14 | # limitations under the License.
15 | ############################################################################################
16 | 
17 | 
18 | locals {
19 |   config_map_aws_auth = <<CONFIGMAPAWSAUTH
20 |   apiVersion: v1
21 |   kind: ConfigMap
22 |   metadata:
23 |     name: aws-auth
24 |     namespace: kube-system
25 |   data:
26 |     mapRoles: |
27 |       - rolearn: ${aws_iam_role.NodeInstanceRole.arn}
28 |         username: system:node:{{EC2PrivateDNSName}}
29 |         groups:
30 |           - system:bootstrappers
31 |           - system:nodes
32 |   CONFIGMAPAWSAUTH
33 | 
34 |   kubeconfig = <<KUBECONFIG
35 | apiVersion: v1
36 | clusters:
37 | - cluster:
38 |     server: ${aws_eks_cluster.ControlPlane.endpoint}
39 |     certificate-authority-data: ${aws_eks_cluster.ControlPlane.certificate_authority.0.data}
40 |   name: kubernetes
41 | contexts:
42 | - context:
43 |     cluster: kubernetes
44 |     user: aws
45 |   name: aws
46 | current-context: aws
47 | kind: Config
48 | preferences: {}
49 | users:
50 | - name: aws
51 |   user:
52 |     exec:
53 |       apiVersion: client.authentication.k8s.io/v1alpha1
54 |       command: aws-iam-authenticator
55 |       args:
56 |         - "token"
57 |         - "-i"
58 |         - "${aws_eks_cluster.ControlPlane.name}"
59 | KUBECONFIG
60 | 
61 |   map_roles = <<ROLES
62 | - rolearn: arn:aws:iam::932037237461:role/cnseries-testing-NodeInstanceRole
63 |   username: system:node:{{EC2PrivateDNSName}}
64 |   groups:
65 |     - system:bootstrappers
66 |     - system:nodes
67 | ROLES
68 | }
69 | 


--------------------------------------------------------------------------------
/gke/cluster.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | // Project API Services
 18 | 
 19 | resource "google_project_service" "compute" {
 20 |   service = "compute.googleapis.com"
 21 | }
 22 | 
 23 | resource "google_project_service" "container" {
 24 |   service = "container.googleapis.com"
 25 | 
 26 |   # Needs compute.googleapis.com API enabled on Project
 27 |   depends_on = [google_project_service.compute]
 28 | }
 29 | 
 30 | // Cluster definition
 31 | 
 32 | data "google_compute_zones" "available" {
 33 |   # Needs compute.googleapis.com API enabled on Project
 34 |   depends_on = [google_project_service.compute]
 35 | }
 36 | 
 37 | resource "google_container_cluster" "cluster" {
 38 |   name               = "${var.project}-k8s"
 39 |   location           = var.region
 40 |   min_master_version = var.k8s_version
 41 | 
 42 |   # We can't create a cluster with no node pool defined, but we want to only use
 43 |   # separately managed node pools. So we create the smallest possible default
 44 |   # node pool and immediately delete it.
 45 |   remove_default_node_pool = true
 46 |   initial_node_count       = 1
 47 | 
 48 |   network    = "default"
 49 |   subnetwork = "default"
 50 | 
 51 |   network_policy {
 52 |     enabled  = true
 53 |     provider = "CALICO"
 54 |   }
 55 | 
 56 |   ip_allocation_policy {
 57 |     # cluster_secondary_range_name  = var.cluster_secondary_range_name
 58 |     # services_secondary_range_name = var.services_secondary_range_name
 59 |     cluster_ipv4_cidr_block  = "/16"
 60 |     services_ipv4_cidr_block = "/22"
 61 |   }
 62 | 
 63 |   master_auth {
 64 |     #     Not supported for GKE >= 1.19
 65 |     #     username = var.gke_username
 66 |     #     password = var.gke_password
 67 | 
 68 |     client_certificate_config {
 69 |       issue_client_certificate = false
 70 |     }
 71 |   }
 72 | 
 73 |   addons_config {
 74 |     network_policy_config {
 75 |       disabled = false
 76 |     }
 77 |   }
 78 | 
 79 |   # Needs container.googleapis.com API enabled on Project
 80 |   depends_on = [google_project_service.container]
 81 | }
 82 | 
 83 | // Unmanaged node pool definition
 84 | resource "google_container_node_pool" "primary_preemptible_nodes" {
 85 |   name     = "${var.project}-nodepool"
 86 |   location = var.region
 87 |   cluster  = google_container_cluster.cluster.name
 88 | 
 89 |   node_count = 1
 90 | 
 91 |   node_config {
 92 |     preemptible  = true
 93 |     machine_type = "n1-standard-8"
 94 | 
 95 |     metadata = {
 96 |       disable-legacy-endpoints = "true"
 97 |     }
 98 | 
 99 |     oauth_scopes = [
100 |       "https://www.googleapis.com/auth/logging.write",
101 |       "https://www.googleapis.com/auth/monitoring",
102 |     ]
103 |   }
104 | }
105 | 
106 | 
107 | 


--------------------------------------------------------------------------------
/cn-series/variables.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | // Kubernetes
 18 | variable "k8s_environment" {
 19 |   description = "The Kubernetes environment (gke|eks|aks|openshift|native)"
 20 |   type        = string
 21 | }
 22 | 
 23 | // Panorama
 24 | variable "panorama_ip" {
 25 |   description = "The primary Panorama IP address"
 26 |   type        = string
 27 | }
 28 | 
 29 | variable "panorama_ip2" {
 30 |   default     = ""
 31 |   description = "The secondary Panorama IP address"
 32 |   type        = string
 33 | }
 34 | 
 35 | variable "panorama_auth_key" {
 36 |   description = "The Panorama auth key for VM-series registration"
 37 |   type        = string
 38 | }
 39 | 
 40 | variable "panorama_device_group" {
 41 |   description = "The Panorama device group"
 42 |   type        = string
 43 | }
 44 | 
 45 | variable "panorama_template_stack" {
 46 |   description = "The Panorama template stack"
 47 |   type        = string
 48 | }
 49 | 
 50 | variable "panorama_collector_group" {
 51 |   description = "The Panorama log collector group"
 52 |   type        = string
 53 | }
 54 | 
 55 | // CNI container
 56 | variable "k8s_cni_image" {
 57 |   default     = "docker.io/paloaltonetworks/pan_cni"
 58 |   description = "The CNI container image"
 59 |   type        = string
 60 | }
 61 | 
 62 | variable "k8s_cni_version" {
 63 |   default     = "latest"
 64 |   description = "The CNI container image version tag"
 65 |   type        = string
 66 | }
 67 | 
 68 | // MP container
 69 | variable "k8s_mp_init_image" {
 70 |   default     = "docker.io/paloaltonetworks/pan_cn_mgmt_init"
 71 |   description = "The MP init container image"
 72 |   type        = string
 73 | }
 74 | 
 75 | variable "k8s_mp_init_version" {
 76 |   default     = "latest"
 77 |   description = "The MP init container image version tag"
 78 |   type        = string
 79 | }
 80 | 
 81 | variable "k8s_mp_image" {
 82 |   default     = "docker.io/paloaltonetworks/panos_cn_mgmt"
 83 |   description = "The MP container image"
 84 |   type        = string
 85 | }
 86 | 
 87 | variable "k8s_mp_image_version" {
 88 |   default     = "latest"
 89 |   description = "The MP container image version tag"
 90 |   type        = string
 91 | }
 92 | 
 93 | variable "k8s_mp_cpu" {
 94 |   default     = "2"
 95 |   description = "The MP container CPU limit"
 96 |   type        = string
 97 | }
 98 | 
 99 | // DP container
100 | variable "k8s_dp_image" {
101 |   default     = "docker.io/paloaltonetworks/panos_cn_ngfw"
102 |   description = "The DP container image"
103 |   type        = string
104 | }
105 | 
106 | variable "k8s_dp_image_version" {
107 |   default     = "latest"
108 |   description = "The DP container image version tag"
109 |   type        = string
110 | }
111 | 
112 | variable "k8s_dp_cpu" {
113 |   default     = "1"
114 |   description = "The DP container CPU limit"
115 |   type        = string
116 | }
117 | 
118 | 


--------------------------------------------------------------------------------
/cn-series/main.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | terraform {
 18 |   required_version = ">= 0.13"
 19 | }
 20 | 
 21 | provider "helm" {
 22 |   kubernetes {
 23 |     config_path = "~/.kube/config"
 24 |   }
 25 | }
 26 | 
 27 | resource "helm_release" "cn-series" {
 28 |   name       = "cn-series-deploy"
 29 |   repository = "https://paloaltonetworks.github.io/cn-series-helm/"
 30 |   chart      = "cn-series"
 31 |   version    = "0.1.5"
 32 |   timeout    = 600
 33 |   wait       = false
 34 | 
 35 |   // Kubernetes values
 36 |   set {
 37 |     name  = "cluster.deployTo"
 38 |     value = var.k8s_environment
 39 |     type  = "string"
 40 |   }
 41 | 
 42 |   // Panorma values
 43 |   set {
 44 |     name  = "panorama.ip"
 45 |     value = var.panorama_ip
 46 |     type  = "string"
 47 |   }
 48 | 
 49 |   set {
 50 |     name  = "panorama.ip2"
 51 |     value = var.panorama_ip2
 52 |     type  = "string"
 53 |   }
 54 | 
 55 |   set {
 56 |     name  = "panorama.authKey"
 57 |     value = var.panorama_auth_key
 58 |     type  = "string"
 59 |   }
 60 | 
 61 |   set {
 62 |     name  = "panorama.deviceGroup"
 63 |     value = var.panorama_device_group
 64 |     type  = "string"
 65 |   }
 66 | 
 67 |   set {
 68 |     name  = "panorama.template"
 69 |     value = var.panorama_template_stack
 70 |     type  = "string"
 71 |   }
 72 | 
 73 |   set {
 74 |     name  = "panorama.cgName"
 75 |     value = var.panorama_collector_group
 76 |     type  = "string"
 77 |   }
 78 | 
 79 |   // CNI values
 80 |   set {
 81 |     name  = "cni.image"
 82 |     value = var.k8s_cni_image
 83 |     type  = "string"
 84 |   }
 85 | 
 86 |   set {
 87 |     name  = "cni.version"
 88 |     value = var.k8s_cni_version
 89 |     type  = "string"
 90 |   }
 91 | 
 92 |   // MP values
 93 |   set {
 94 |     name  = "mp.initImage"
 95 |     value = var.k8s_mp_init_image
 96 |     type  = "string"
 97 |   }
 98 | 
 99 |   set {
100 |     name  = "mp.initVersion"
101 |     value = var.k8s_mp_init_version
102 |     type  = "string"
103 |   }
104 | 
105 |   set {
106 |     name  = "mp.image"
107 |     value = var.k8s_mp_image
108 |     type  = "string"
109 |   }
110 | 
111 |   set {
112 |     name  = "mp.version"
113 |     value = var.k8s_mp_image_version
114 |     type  = "string"
115 |   }
116 | 
117 |   set {
118 |     name  = "mp.cpuLimit"
119 |     value = var.k8s_mp_cpu
120 |   }
121 | 
122 |   // DP values
123 |   set {
124 |     name  = "dp.image"
125 |     value = var.k8s_dp_image
126 |     type  = "string"
127 |   }
128 | 
129 |   set {
130 |     name  = "dp.version"
131 |     value = var.k8s_dp_image_version
132 |     type  = "string"
133 |   }
134 | 
135 |   set {
136 |     name  = "dp.cpuLimit"
137 |     value = var.k8s_dp_cpu
138 |     type  = "string"
139 |   }
140 | 
141 | 
142 |   // Firewall values
143 |   set {
144 |     name  = "firewall.failoverMode"
145 |     value = "failopen"
146 |     type  = "string"
147 |   }
148 | 
149 |   set {
150 |     name  = "firewall.operationMode"
151 |     value = "daemonset"
152 |     type  = "string"
153 |   }
154 | 
155 |   set {
156 |     name  = "firewall.serviceName"
157 |     value = "pan-mgmt-svc"
158 |     type  = "string"
159 |   }
160 | 
161 |   // Service account values
162 |   set {
163 |     name  = "serviceAccount.create"
164 |     value = "true"
165 |     type  = "string"
166 |   }
167 | }
168 | 


--------------------------------------------------------------------------------
/sample-application/guestbook.yml:
--------------------------------------------------------------------------------
  1 | apiVersion: v1
  2 | kind: Namespace
  3 | metadata:
  4 |   name: sample-app
  5 |   annotations: {
  6 |     paloaltonetworks.com/firewall: pan-fw
  7 |   }
  8 | ---
  9 | apiVersion: apps/v1
 10 | kind: Deployment
 11 | metadata:
 12 |   name: redis-master
 13 |   labels:
 14 |     app: redis
 15 |   namespace: sample-app
 16 | spec:
 17 |   selector:
 18 |     matchLabels:
 19 |       app: redis
 20 |       role: master
 21 |       tier: backend
 22 |   replicas: 1
 23 |   template:
 24 |     metadata:
 25 |       labels:
 26 |         app: redis
 27 |         role: master
 28 |         tier: backend
 29 |     spec:
 30 |       containers:
 31 |       - name: master
 32 |         image: k8s.gcr.io/redis:e2e  # or just image: redis
 33 |         resources:
 34 |           requests:
 35 |             cpu: 100m
 36 |             memory: 100Mi
 37 |         ports:
 38 |         - containerPort: 6379
 39 | ---
 40 | apiVersion: v1
 41 | kind: Service
 42 | metadata:
 43 |   name: redis-master
 44 |   labels:
 45 |     app: redis
 46 |     role: master
 47 |     tier: backend
 48 |   namespace: sample-app
 49 | spec:
 50 |   ports:
 51 |   - port: 6379
 52 |     targetPort: 6379
 53 |   selector:
 54 |     app: redis
 55 |     role: master
 56 |     tier: backend
 57 | ---
 58 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 59 | kind: Deployment
 60 | metadata:
 61 |   name: redis-slave
 62 |   labels:
 63 |     app: redis
 64 |   namespace: sample-app
 65 | spec:
 66 |   selector:
 67 |     matchLabels:
 68 |       app: redis
 69 |       role: slave
 70 |       tier: backend
 71 |   replicas: 2
 72 |   template:
 73 |     metadata:
 74 |       labels:
 75 |         app: redis
 76 |         role: slave
 77 |         tier: backend
 78 |     spec:
 79 |       containers:
 80 |       - name: slave
 81 |         image: gcr.io/google_samples/gb-redisslave:v3
 82 |         resources:
 83 |           requests:
 84 |             cpu: 100m
 85 |             memory: 100Mi
 86 |         env:
 87 |         - name: GET_HOSTS_FROM
 88 |           value: dns
 89 |           # Using `GET_HOSTS_FROM=dns` requires your cluster to
 90 |           # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
 91 |           # service launched automatically. However, if the cluster you are using
 92 |           # does not have a built-in DNS service, you can instead
 93 |           # access an environment variable to find the master
 94 |           # service's host. To do so, comment out the 'value: dns' line above, and
 95 |           # uncomment the line below:
 96 |           # value: env
 97 |         ports:
 98 |         - containerPort: 6379
 99 | ---
100 | apiVersion: v1
101 | kind: Service
102 | metadata:
103 |   name: redis-slave
104 |   labels:
105 |     app: redis
106 |     role: slave
107 |     tier: backend
108 |   namespace: sample-app
109 | spec:
110 |   ports:
111 |   - port: 6379
112 |   selector:
113 |     app: redis
114 |     role: slave
115 |     tier: backend
116 | ---
117 | apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
118 | kind: Deployment
119 | metadata:
120 |   name: frontend
121 |   labels:
122 |     app: guestbook
123 |   namespace: sample-app
124 | spec:
125 |   selector:
126 |     matchLabels:
127 |       app: guestbook
128 |       tier: frontend
129 |   replicas: 3
130 |   template:
131 |     metadata:
132 |       labels:
133 |         app: guestbook
134 |         tier: frontend
135 |     spec:
136 |       containers:
137 |       - name: php-redis
138 |         image: gcr.io/google-samples/gb-frontend:v4
139 |         resources:
140 |           requests:
141 |             cpu: 100m
142 |             memory: 100Mi
143 |         env:
144 |         - name: GET_HOSTS_FROM
145 |           value: dns
146 |           # Using `GET_HOSTS_FROM=dns` requires your cluster to
147 |           # provide a dns service. As of Kubernetes 1.3, DNS is a built-in
148 |           # service launched automatically. However, if the cluster you are using
149 |           # does not have a built-in DNS service, you can instead
150 |           # access an environment variable to find the master
151 |           # service's host. To do so, comment out the 'value: dns' line above, and
152 |           # uncomment the line below:
153 |           # value: env
154 |         ports:
155 |         - containerPort: 80
156 | ---
157 | apiVersion: v1
158 | kind: Service
159 | metadata:
160 |   name: frontend
161 |   labels:
162 |     app: guestbook
163 |     tier: frontend
164 |   namespace: sample-app
165 |   annotations:
166 |     service.beta.kubernetes.io/aws-load-balancer-type: nlb
167 | spec:
168 |   # comment or delete the following line if you want to use a LoadBalancer
169 |   #type: NodePort 
170 |   # if your cluster supports it, uncomment the following to automatically create
171 |   # an external load-balanced IP for the frontend service.
172 |   type: LoadBalancer
173 |   ports:
174 |   - port: 80
175 |   selector:
176 |     app: guestbook
177 |     tier: frontend
178 | 


--------------------------------------------------------------------------------
/eks/nodegroup.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | 
 18 | // Nodegroup IAM roles and policies
 19 | resource "aws_iam_role" "NodeInstanceRole" {
 20 |   name = "${random_pet.prefix.id}-NodeInstanceRole"
 21 | 
 22 |   assume_role_policy = <<POLICY
 23 | {
 24 |   "Version": "2012-10-17",
 25 |   "Statement": [
 26 |     {
 27 |       "Effect": "Allow",
 28 |       "Principal": {
 29 |         "Service": "ec2.amazonaws.com"
 30 |       },
 31 |       "Action": "sts:AssumeRole"
 32 |     }
 33 |   ]
 34 | }
 35 | POLICY
 36 | }
 37 | 
 38 | resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" {
 39 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
 40 |   role       = aws_iam_role.NodeInstanceRole.name
 41 | }
 42 | 
 43 | resource "aws_iam_role_policy_attachment" "AmazonEKS_CNI_Policy" {
 44 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
 45 |   role       = aws_iam_role.NodeInstanceRole.name
 46 | }
 47 | 
 48 | resource "aws_iam_role_policy_attachment" "AmazonEC2ContainerRegistryReadOnly" {
 49 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
 50 |   role       = aws_iam_role.NodeInstanceRole.name
 51 | }
 52 | 
 53 | 
 54 | // Instance profile
 55 | resource "aws_iam_instance_profile" "node_instance_profile" {
 56 |   name = "${random_pet.prefix.id}-eks-instance-profile"
 57 |   role = aws_iam_role.NodeInstanceRole.name
 58 | }
 59 | 
 60 | 
 61 | // Security groups and rules
 62 | resource "aws_security_group" "NodeGroupSecurityGroup" {
 63 |   name        = "${random_pet.prefix.id}-nodegroup-NodeGroupSecurityGroup"
 64 |   description = "Communication between the control plane and worker nodegroups"
 65 |   vpc_id      = aws_vpc.cluster_vpc.id
 66 |   tags = {
 67 |     Name                                                         = "${random_pet.prefix.id}-NodeGroupSecurityGroup"
 68 |     "kubernetes.io/cluster/${aws_eks_cluster.ControlPlane.name}" = "owned"
 69 |   }
 70 | }
 71 | 
 72 | resource "aws_security_group_rule" "EgressInterCluster" {
 73 |   type                     = "egress"
 74 |   description              = "Allow control plane to communicate with worker nodes in group (kubelet and workload TCP ports)"
 75 |   security_group_id        = aws_security_group.ControlPlaneSecurityGroup.id
 76 |   source_security_group_id = aws_security_group.NodeGroupSecurityGroup.id
 77 |   from_port                = 1025
 78 |   to_port                  = 65535
 79 |   protocol                 = "tcp"
 80 | }
 81 | 
 82 | resource "aws_security_group_rule" "EgressNodeGroupAllowAll" {
 83 |   type              = "egress"
 84 |   security_group_id = aws_security_group.NodeGroupSecurityGroup.id
 85 |   cidr_blocks       = ["0.0.0.0/0"]
 86 |   from_port         = 0
 87 |   to_port           = 0
 88 |   protocol          = "-1"
 89 | }
 90 | 
 91 | resource "aws_security_group_rule" "EgressInterClusterAPI" {
 92 |   type                     = "egress"
 93 |   description              = "Allow control plane to communicate with worker nodegroup (workloads using HTTPS port, commonly used with extension API servers)"
 94 |   security_group_id        = aws_security_group.ControlPlaneSecurityGroup.id
 95 |   source_security_group_id = aws_security_group.NodeGroupSecurityGroup.id
 96 |   from_port                = 443
 97 |   to_port                  = 443
 98 |   protocol                 = "tcp"
 99 | }
100 | 
101 | resource "aws_security_group_rule" "IngressInterCluster" {
102 |   type                     = "ingress"
103 |   description              = "Allow worker nodegroup to communicate with control plane (kubelet and workload TCP ports)"
104 |   security_group_id        = aws_security_group.NodeGroupSecurityGroup.id
105 |   source_security_group_id = aws_security_group.ControlPlaneSecurityGroup.id
106 |   from_port                = 1025
107 |   to_port                  = 65535
108 |   protocol                 = "tcp"
109 | }
110 | 
111 | resource "aws_security_group_rule" "IngressInterClusterAPI" {
112 |   type                     = "ingress"
113 |   description              = "Allow worker nodegroup to communicate with control plane (workloads using HTTPS port, commonly used with extension API servers)"
114 |   security_group_id        = aws_security_group.NodeGroupSecurityGroup.id
115 |   source_security_group_id = aws_security_group.ControlPlaneSecurityGroup.id
116 |   from_port                = 443
117 |   to_port                  = 443
118 |   protocol                 = "tcp"
119 | }
120 | 
121 | resource "aws_security_group_rule" "IngressInterClusterCP" {
122 |   type                     = "ingress"
123 |   description              = "Allow control plane to receive API requests from worker nodegroup"
124 |   security_group_id        = aws_security_group.ControlPlaneSecurityGroup.id
125 |   source_security_group_id = aws_security_group.NodeGroupSecurityGroup.id
126 |   from_port                = 443
127 |   to_port                  = 443
128 |   protocol                 = "tcp"
129 | }
130 | 
131 | resource "aws_security_group_rule" "SSHIPv4" {
132 |   type              = "ingress"
133 |   description       = "Allow SSH access to worker nodegroup"
134 |   security_group_id = aws_security_group.NodeGroupSecurityGroup.id
135 |   cidr_blocks       = ["0.0.0.0/0"]
136 |   from_port         = 22
137 |   to_port           = 22
138 |   protocol          = "tcp"
139 | }
140 | 
141 | resource "aws_security_group_rule" "SSHIPv6" {
142 |   type              = "ingress"
143 |   description       = "Allow SSH access to worker nodegroup"
144 |   security_group_id = aws_security_group.NodeGroupSecurityGroup.id
145 |   ipv6_cidr_blocks  = ["::/0"]
146 |   from_port         = 22
147 |   to_port           = 22
148 |   protocol          = "tcp"
149 | }
150 | 
151 | 
152 | // Grab the latest AMI
153 | 
154 | data "aws_ami" "latest_ubuntu" {
155 |   most_recent = true
156 |   owners      = ["099720109477"] # Canonical
157 | 
158 |   filter {
159 |     name   = "name"
160 |     values = ["ubuntu-eks/k8s_${var.k8s_version}/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
161 |   }
162 | 
163 |   filter {
164 |     name   = "virtualization-type"
165 |     values = ["hvm"]
166 |   }
167 | }
168 | 
169 | // Create the user-data field
170 | locals {
171 |   node_group_userdata = <<USERDATA
172 | #!/bin/bash
173 | set -o xtrace
174 | /etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.ControlPlane.endpoint}' --b64-cluster-ca '${aws_eks_cluster.ControlPlane.certificate_authority.0.data}' '${aws_eks_cluster.ControlPlane.name}'
175 | USERDATA
176 | }
177 | 
178 | // Launch template
179 | 
180 | resource "aws_launch_template" "NodeGroupLaunchTemplate" {
181 |   name = "${random_pet.prefix.id}-NodeGroupLaunchTemplate"
182 |   iam_instance_profile {
183 |     name = aws_iam_instance_profile.node_instance_profile.name
184 |   }
185 |   key_name      = var.ssh_key_name
186 |   instance_type = var.instance_type
187 |   image_id      = data.aws_ami.latest_ubuntu.image_id
188 |   user_data     = base64encode(local.node_group_userdata)
189 |   network_interfaces {
190 |     device_index = 0
191 |     security_groups = [
192 |       aws_security_group.ClusterSharedNodeSecurityGroup.id,
193 |       aws_security_group.NodeGroupSecurityGroup.id
194 |     ]
195 |     associate_public_ip_address = true
196 |   }
197 | }
198 | 
199 | // Autoscaling Group
200 | resource "aws_autoscaling_group" "NodeGroup" {
201 |   name = "${random_pet.prefix.id}-NodeGroup"
202 |   # aws_launch_template = aws_launch_template.NodeGroupLaunchTemplate.id
203 |   desired_capacity = 2
204 |   max_size         = 2
205 |   min_size         = 2
206 | 
207 |   vpc_zone_identifier = [
208 |     aws_subnet.public_subnet_a.id,
209 |     aws_subnet.public_subnet_b.id,
210 |     aws_subnet.public_subnet_c.id
211 |   ]
212 | 
213 |   launch_template {
214 |     id      = aws_launch_template.NodeGroupLaunchTemplate.id
215 |     version = "$Latest"
216 |   }
217 | 
218 |   tag {
219 |     key                 = "Name"
220 |     value               = "${random_pet.prefix.id}-Node"
221 |     propagate_at_launch = true
222 |   }
223 | 
224 |   tag {
225 |     key                 = "kubernetes.io/cluster/${aws_eks_cluster.ControlPlane.name}"
226 |     value               = "owned"
227 |     propagate_at_launch = true
228 |   }
229 | }
230 | 


--------------------------------------------------------------------------------
/sample-application/main.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | provider "panos" {}
 18 | 
 19 | variable "device_groups" {
 20 |   default = [
 21 |     "aks-dg",
 22 |     "eks-dg",
 23 |     "gke-dg",
 24 |     "k8s-dg",
 25 |     "openshift-dg"
 26 |   ]
 27 |   type = list(string)
 28 | }
 29 | 
 30 | // Panorama device groups
 31 | resource "panos_panorama_device_group" "aks_dg" {
 32 |   name        = "aks-dg"
 33 |   description = "AKS cluster device group"
 34 | }
 35 | 
 36 | resource "panos_panorama_device_group" "eks_dg" {
 37 |   name        = "eks-dg"
 38 |   description = "EKS cluster device group"
 39 | }
 40 | 
 41 | resource "panos_panorama_device_group" "gke_dg" {
 42 |   name        = "gke-dg"
 43 |   description = "GKE cluster device group"
 44 | }
 45 | 
 46 | resource "panos_panorama_device_group" "k8s_dg" {
 47 |   name        = "k8s-dg"
 48 |   description = "K8s cluster device group"
 49 | }
 50 | 
 51 | resource "panos_panorama_device_group" "openshift_dg" {
 52 |   name        = "openshift-dg"
 53 |   description = "OpenShift cluster device group"
 54 | }
 55 | 
 56 | 
 57 | // Panorama template stacks
 58 | resource "panos_panorama_template_stack" "aks_stack" {
 59 |   name        = "aks-stack"
 60 |   description = "AKS template stack"
 61 |   templates   = ["K8S-Network-Setup"]
 62 | }
 63 | 
 64 | resource "panos_panorama_template_stack" "eks_stack" {
 65 |   name        = "eks-stack"
 66 |   description = "EKS template stack"
 67 |   templates   = ["K8S-Network-Setup"]
 68 | }
 69 | 
 70 | resource "panos_panorama_template_stack" "gke_stack" {
 71 |   name        = "gke-stack"
 72 |   description = "GKE template stack"
 73 |   templates   = ["K8S-Network-Setup"]
 74 | }
 75 | 
 76 | resource "panos_panorama_template_stack" "k8s_stack" {
 77 |   name        = "k8s-stack"
 78 |   description = "K8s template stack"
 79 |   templates   = ["K8S-Network-Setup"]
 80 | }
 81 | 
 82 | resource "panos_panorama_template_stack" "openshift_stack" {
 83 |   name        = "openshift-stack"
 84 |   description = "OpenShift template stack"
 85 |   templates   = ["K8S-Network-Setup"]
 86 | }
 87 | 
 88 | 
 89 | // Log forwarding profile
 90 | resource "panos_panorama_log_forwarding_profile" "cnseries_logs" {
 91 |   name             = "cnseries-logging"
 92 |   device_group     = "shared"
 93 |   description      = "CN-Series log forwarding profile"
 94 |   enhanced_logging = true
 95 | 
 96 |   match_list {
 97 |     name             = "traffic_logs_panorama"
 98 |     log_type         = "traffic"
 99 |     send_to_panorama = true
100 |   }
101 | 
102 |   match_list {
103 |     name             = "threat_logs_panorama"
104 |     log_type         = "threat"
105 |     send_to_panorama = true
106 |   }
107 | 
108 |   match_list {
109 |     name             = "wildfire_logs_panorama"
110 |     log_type         = "wildfire"
111 |     send_to_panorama = true
112 |   }
113 | 
114 |   match_list {
115 |     name             = "url_logs_panorama"
116 |     log_type         = "url"
117 |     send_to_panorama = true
118 |   }
119 | 
120 |   match_list {
121 |     name             = "data_logs_panorama"
122 |     log_type         = "data"
123 |     send_to_panorama = true
124 |   }
125 | 
126 |   match_list {
127 |     name             = "gtp_logs_panorama"
128 |     log_type         = "gtp"
129 |     send_to_panorama = true
130 |   }
131 | 
132 |   match_list {
133 |     name             = "tunnel_logs_panorama"
134 |     log_type         = "tunnel"
135 |     send_to_panorama = true
136 |   }
137 | 
138 |   match_list {
139 |     name             = "auth_logs_panorama"
140 |     log_type         = "auth"
141 |     send_to_panorama = true
142 |   }
143 | 
144 |   match_list {
145 |     name             = "sctp_logs_panorama"
146 |     log_type         = "sctp"
147 |     send_to_panorama = true
148 |   }
149 | }
150 | 
151 | // Service objects
152 | resource "panos_panorama_service_object" "redis_6379" {
153 |   name             = "redis-6379"
154 |   protocol         = "tcp"
155 |   description      = "Redis on tcp/6379"
156 |   destination_port = "6379"
157 | }
158 | 
159 | // Dynamic Address Groups
160 | 
161 | // AKS DAGs
162 | resource "panos_panorama_address_group" "kube_dns_svc" {
163 |   name          = "kube-dns-svc"
164 |   description   = "kube-dns service"
165 |   device_group  = panos_panorama_device_group.aks_dg.name
166 |   dynamic_match = "k8s.cl_aks-cluster.ns_kube-system.svc_kube-dns"
167 | }
168 | 
169 | resource "panos_panorama_address_group" "redis_backend" {
170 |   name          = "redis-backend"
171 |   description   = "redis backend"
172 |   device_group  = panos_panorama_device_group.aks_dg.name
173 |   dynamic_match = "k8s.cl_aks-cluster.ns_sample-app.tier.backend"
174 | }
175 | 
176 | resource "panos_panorama_address_group" "redis_master_svc" {
177 |   name          = "redis-master-svc"
178 |   description   = "redis master service"
179 |   device_group  = panos_panorama_device_group.aks_dg.name
180 |   dynamic_match = "k8s.cl_aks-cluster.ns_sample-app.svc_redis-master"
181 | }
182 | 
183 | resource "panos_panorama_address_group" "redis_slave_svc" {
184 |   name          = "redis-slave-svc"
185 |   description   = "redis slave service"
186 |   device_group  = panos_panorama_device_group.aks_dg.name
187 |   dynamic_match = "k8s.cl_aks-cluster.ns_sample-app.svc_redis-slave"
188 | }
189 | 
190 | resource "panos_panorama_address_group" "web_frontend" {
191 |   name          = "web-frontend"
192 |   description   = "web frontend"
193 |   device_group  = panos_panorama_device_group.aks_dg.name
194 |   dynamic_match = "k8s.cl_aks-cluster.ns_sample-app.svc_frontend"
195 | }
196 | 
197 | // EKS DAGs
198 | 
199 | // GKE DAGs
200 | 
201 | // K8s DAGs
202 | 
203 | // OpenShift DAGs
204 | 
205 | 
206 | // Security rules
207 | resource "panos_panorama_security_rule_group" "guestbook_rules" {
208 |   # for_each     = toset(var.device_groups)
209 |   # device_group = each.value
210 |   # rulebase     = "pre-rulebase"
211 |   device_group = "aks-dg"
212 | 
213 |   rule {
214 |     name                  = "Allow DNS service"
215 |     description           = "Allow access to the kube-dns service"
216 |     source_zones          = ["any"]
217 |     source_addresses      = ["any"]
218 |     source_users          = ["any"]
219 |     hip_profiles          = ["any"]
220 |     destination_zones     = ["any"]
221 |     destination_addresses = [panos_panorama_address_group.kube_dns_svc.name]
222 |     applications          = ["dns"]
223 |     services              = ["application-default"]
224 |     categories            = ["any"]
225 |     action                = "allow"
226 |     log_setting           = panos_panorama_log_forwarding_profile.cnseries_logs.name
227 |   }
228 | 
229 |   rule {
230 |     name                  = "Allow web frontend"
231 |     description           = "Allow access to the web frontend"
232 |     source_zones          = ["any"]
233 |     source_addresses      = ["any"]
234 |     source_users          = ["any"]
235 |     hip_profiles          = ["any"]
236 |     destination_zones     = ["any"]
237 |     destination_addresses = [panos_panorama_address_group.web_frontend.name]
238 |     applications          = ["web-browsing"]
239 |     services              = ["application-default"]
240 |     categories            = ["any"]
241 |     action                = "allow"
242 |     log_setting           = panos_panorama_log_forwarding_profile.cnseries_logs.name
243 |   }
244 | 
245 |   rule {
246 |     name                  = "Allow redis backend"
247 |     description           = "Allow access to the redis backend"
248 |     source_zones          = ["any"]
249 |     source_addresses      = [panos_panorama_address_group.web_frontend.name]
250 |     source_users          = ["any"]
251 |     hip_profiles          = ["any"]
252 |     destination_zones     = ["any"]
253 |     destination_addresses = [panos_panorama_address_group.redis_backend.name]
254 |     applications          = ["redis"]
255 |     services              = ["application-default"]
256 |     categories            = ["any"]
257 |     action                = "allow"
258 |     log_setting           = panos_panorama_log_forwarding_profile.cnseries_logs.name
259 |   }
260 | 
261 |   rule {
262 |     name                  = "Allow redis sync"
263 |     description           = "Allow redis slaves to sync with the redis master"
264 |     source_zones          = ["any"]
265 |     source_addresses      = [panos_panorama_address_group.redis_slave_svc.name]
266 |     source_users          = ["any"]
267 |     hip_profiles          = ["any"]
268 |     destination_zones     = ["any"]
269 |     destination_addresses = [panos_panorama_address_group.redis_master_svc.name]
270 |     applications          = ["any"]
271 |     services              = [panos_panorama_service_object.redis_6379.name]
272 |     categories            = ["any"]
273 |     action                = "allow"
274 |     log_setting           = panos_panorama_log_forwarding_profile.cnseries_logs.name
275 |   }
276 | }
277 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 |                                  Apache License
  2 |                            Version 2.0, January 2004
  3 |                         http://www.apache.org/licenses/
  4 | 
  5 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  6 | 
  7 |    1. Definitions.
  8 | 
  9 |       "License" shall mean the terms and conditions for use, reproduction,
 10 |       and distribution as defined by Sections 1 through 9 of this document.
 11 | 
 12 |       "Licensor" shall mean the copyright owner or entity authorized by
 13 |       the copyright owner that is granting the License.
 14 | 
 15 |       "Legal Entity" shall mean the union of the acting entity and all
 16 |       other entities that control, are controlled by, or are under common
 17 |       control with that entity. For the purposes of this definition,
 18 |       "control" means (i) the power, direct or indirect, to cause the
 19 |       direction or management of such entity, whether by contract or
 20 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 21 |       outstanding shares, or (iii) beneficial ownership of such entity.
 22 | 
 23 |       "You" (or "Your") shall mean an individual or Legal Entity
 24 |       exercising permissions granted by this License.
 25 | 
 26 |       "Source" form shall mean the preferred form for making modifications,
 27 |       including but not limited to software source code, documentation
 28 |       source, and configuration files.
 29 | 
 30 |       "Object" form shall mean any form resulting from mechanical
 31 |       transformation or translation of a Source form, including but
 32 |       not limited to compiled object code, generated documentation,
 33 |       and conversions to other media types.
 34 | 
 35 |       "Work" shall mean the work of authorship, whether in Source or
 36 |       Object form, made available under the License, as indicated by a
 37 |       copyright notice that is included in or attached to the work
 38 |       (an example is provided in the Appendix below).
 39 | 
 40 |       "Derivative Works" shall mean any work, whether in Source or Object
 41 |       form, that is based on (or derived from) the Work and for which the
 42 |       editorial revisions, annotations, elaborations, or other modifications
 43 |       represent, as a whole, an original work of authorship. For the purposes
 44 |       of this License, Derivative Works shall not include works that remain
 45 |       separable from, or merely link (or bind by name) to the interfaces of,
 46 |       the Work and Derivative Works thereof.
 47 | 
 48 |       "Contribution" shall mean any work of authorship, including
 49 |       the original version of the Work and any modifications or additions
 50 |       to that Work or Derivative Works thereof, that is intentionally
 51 |       submitted to Licensor for inclusion in the Work by the copyright owner
 52 |       or by an individual or Legal Entity authorized to submit on behalf of
 53 |       the copyright owner. For the purposes of this definition, "submitted"
 54 |       means any form of electronic, verbal, or written communication sent
 55 |       to the Licensor or its representatives, including but not limited to
 56 |       communication on electronic mailing lists, source code control systems,
 57 |       and issue tracking systems that are managed by, or on behalf of, the
 58 |       Licensor for the purpose of discussing and improving the Work, but
 59 |       excluding communication that is conspicuously marked or otherwise
 60 |       designated in writing by the copyright owner as "Not a Contribution."
 61 | 
 62 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 63 |       on behalf of whom a Contribution has been received by Licensor and
 64 |       subsequently incorporated within the Work.
 65 | 
 66 |    2. Grant of Copyright License. Subject to the terms and conditions of
 67 |       this License, each Contributor hereby grants to You a perpetual,
 68 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 69 |       copyright license to reproduce, prepare Derivative Works of,
 70 |       publicly display, publicly perform, sublicense, and distribute the
 71 |       Work and such Derivative Works in Source or Object form.
 72 | 
 73 |    3. Grant of Patent License. Subject to the terms and conditions of
 74 |       this License, each Contributor hereby grants to You a perpetual,
 75 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 76 |       (except as stated in this section) patent license to make, have made,
 77 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 78 |       where such license applies only to those patent claims licensable
 79 |       by such Contributor that are necessarily infringed by their
 80 |       Contribution(s) alone or by combination of their Contribution(s)
 81 |       with the Work to which such Contribution(s) was submitted. If You
 82 |       institute patent litigation against any entity (including a
 83 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 84 |       or a Contribution incorporated within the Work constitutes direct
 85 |       or contributory patent infringement, then any patent licenses
 86 |       granted to You under this License for that Work shall terminate
 87 |       as of the date such litigation is filed.
 88 | 
 89 |    4. Redistribution. You may reproduce and distribute copies of the
 90 |       Work or Derivative Works thereof in any medium, with or without
 91 |       modifications, and in Source or Object form, provided that You
 92 |       meet the following conditions:
 93 | 
 94 |       (a) You must give any other recipients of the Work or
 95 |           Derivative Works a copy of this License; and
 96 | 
 97 |       (b) You must cause any modified files to carry prominent notices
 98 |           stating that You changed the files; and
 99 | 
100 |       (c) You must retain, in the Source form of any Derivative Works
101 |           that You distribute, all copyright, patent, trademark, and
102 |           attribution notices from the Source form of the Work,
103 |           excluding those notices that do not pertain to any part of
104 |           the Derivative Works; and
105 | 
106 |       (d) If the Work includes a "NOTICE" text file as part of its
107 |           distribution, then any Derivative Works that You distribute must
108 |           include a readable copy of the attribution notices contained
109 |           within such NOTICE file, excluding those notices that do not
110 |           pertain to any part of the Derivative Works, in at least one
111 |           of the following places: within a NOTICE text file distributed
112 |           as part of the Derivative Works; within the Source form or
113 |           documentation, if provided along with the Derivative Works; or,
114 |           within a display generated by the Derivative Works, if and
115 |           wherever such third-party notices normally appear. The contents
116 |           of the NOTICE file are for informational purposes only and
117 |           do not modify the License. You may add Your own attribution
118 |           notices within Derivative Works that You distribute, alongside
119 |           or as an addendum to the NOTICE text from the Work, provided
120 |           that such additional attribution notices cannot be construed
121 |           as modifying the License.
122 | 
123 |       You may add Your own copyright statement to Your modifications and
124 |       may provide additional or different license terms and conditions
125 |       for use, reproduction, or distribution of Your modifications, or
126 |       for any such Derivative Works as a whole, provided Your use,
127 |       reproduction, and distribution of the Work otherwise complies with
128 |       the conditions stated in this License.
129 | 
130 |    5. Submission of Contributions. Unless You explicitly state otherwise,
131 |       any Contribution intentionally submitted for inclusion in the Work
132 |       by You to the Licensor shall be under the terms and conditions of
133 |       this License, without any additional terms or conditions.
134 |       Notwithstanding the above, nothing herein shall supersede or modify
135 |       the terms of any separate license agreement you may have executed
136 |       with Licensor regarding such Contributions.
137 | 
138 |    6. Trademarks. This License does not grant permission to use the trade
139 |       names, trademarks, service marks, or product names of the Licensor,
140 |       except as required for reasonable and customary use in describing the
141 |       origin of the Work and reproducing the content of the NOTICE file.
142 | 
143 |    7. Disclaimer of Warranty. Unless required by applicable law or
144 |       agreed to in writing, Licensor provides the Work (and each
145 |       Contributor provides its Contributions) on an "AS IS" BASIS,
146 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
147 |       implied, including, without limitation, any warranties or conditions
148 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
149 |       PARTICULAR PURPOSE. You are solely responsible for determining the
150 |       appropriateness of using or redistributing the Work and assume any
151 |       risks associated with Your exercise of permissions under this License.
152 | 
153 |    8. Limitation of Liability. In no event and under no legal theory,
154 |       whether in tort (including negligence), contract, or otherwise,
155 |       unless required by applicable law (such as deliberate and grossly
156 |       negligent acts) or agreed to in writing, shall any Contributor be
157 |       liable to You for damages, including any direct, indirect, special,
158 |       incidental, or consequential damages of any character arising as a
159 |       result of this License or out of the use or inability to use the
160 |       Work (including but not limited to damages for loss of goodwill,
161 |       work stoppage, computer failure or malfunction, or any and all
162 |       other commercial damages or losses), even if such Contributor
163 |       has been advised of the possibility of such damages.
164 | 
165 |    9. Accepting Warranty or Additional Liability. While redistributing
166 |       the Work or Derivative Works thereof, You may choose to offer,
167 |       and charge a fee for, acceptance of support, warranty, indemnity,
168 |       or other liability obligations and/or rights consistent with this
169 |       License. However, in accepting such obligations, You may act only
170 |       on Your own behalf and on Your sole responsibility, not on behalf
171 |       of any other Contributor, and only if You agree to indemnify,
172 |       defend, and hold each Contributor harmless for any liability
173 |       incurred by, or claims asserted against, such Contributor by reason
174 |       of your accepting any such warranty or additional liability.
175 | 
176 |    END OF TERMS AND CONDITIONS
177 | 
178 |    APPENDIX: How to apply the Apache License to your work.
179 | 
180 |       To apply the Apache License to your work, attach the following
181 |       boilerplate notice, with the fields enclosed by brackets "[]"
182 |       replaced with your own identifying information. (Don't include
183 |       the brackets!)  The text should be enclosed in the appropriate
184 |       comment syntax for the file format. We also recommend that a
185 |       file or class name and description of purpose be included on the
186 |       same "printed page" as the copyright notice for easier
187 |       identification within third-party archives.
188 | 
189 |    Copyright [yyyy] [name of copyright owner]
190 | 
191 |    Licensed under the Apache License, Version 2.0 (the "License");
192 |    you may not use this file except in compliance with the License.
193 |    You may obtain a copy of the License at
194 | 
195 |        http://www.apache.org/licenses/LICENSE-2.0
196 | 
197 |    Unless required by applicable law or agreed to in writing, software
198 |    distributed under the License is distributed on an "AS IS" BASIS,
199 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
200 |    See the License for the specific language governing permissions and
201 |    limitations under the License.
202 | 


--------------------------------------------------------------------------------
/eks/cluster.tf:
--------------------------------------------------------------------------------
  1 | ############################################################################################
  2 | # Copyright 2020 Palo Alto Networks.
  3 | #
  4 | # Licensed under the Apache License, Version 2.0 (the "License");
  5 | # you may not use this file except in compliance with the License.
  6 | # You may obtain a copy of the License at
  7 | #
  8 | #   http://www.apache.org/licenses/LICENSE-2.0
  9 | #
 10 | # Unless required by applicable law or agreed to in writing, software
 11 | # distributed under the License is distributed on an "AS IS" BASIS,
 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 13 | # See the License for the specific language governing permissions and
 14 | # limitations under the License.
 15 | ############################################################################################
 16 | 
 17 | 
 18 | // Random ID
 19 | resource "random_pet" "prefix" {}
 20 | 
 21 | // Get the availability zones
 22 | data "aws_availability_zones" "available" {}
 23 | 
 24 | 
 25 | // Cluster IAM roles and policies
 26 | resource "aws_iam_role" "ServiceRole" {
 27 |   name = "${random_pet.prefix.id}-ServiceRole"
 28 | 
 29 |   assume_role_policy = <<POLICY
 30 | {
 31 |   "Version": "2012-10-17",
 32 |   "Statement": [
 33 |     {
 34 |       "Effect": "Allow",
 35 |       "Principal": {
 36 |         "Service": "eks.amazonaws.com"
 37 |       },
 38 |       "Action": "sts:AssumeRole"
 39 |     }
 40 |   ]
 41 | }
 42 | POLICY
 43 | }
 44 | 
 45 | resource "aws_iam_role_policy_attachment" "AmazonEKSClusterPolicy" {
 46 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
 47 |   role       = aws_iam_role.ServiceRole.name
 48 | }
 49 | 
 50 | resource "aws_iam_role_policy_attachment" "AmazonEKSServicePolicy" {
 51 |   policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
 52 |   role       = aws_iam_role.ServiceRole.name
 53 | }
 54 | 
 55 | resource "aws_iam_role_policy" "PolicyNLB" {
 56 |   name   = "${random_pet.prefix.id}-PolicyNLB"
 57 |   role   = aws_iam_role.ServiceRole.name
 58 |   policy = <<EOF
 59 | {
 60 |     "Version": "2012-10-17",
 61 |     "Statement": [
 62 |         {
 63 |             "Action": [
 64 |                 "elasticloadbalancing:*",
 65 |                 "ec2:CreateSecurityGroup",
 66 |                 "ec2:Describe*"
 67 |             ],
 68 |             "Effect": "Allow",
 69 |             "Resource": "*"
 70 |         }
 71 |     ]
 72 | }
 73 | EOF
 74 | }
 75 | 
 76 | resource "aws_iam_role_policy" "PolicyCloudWatchMetrics" {
 77 |   name   = "${random_pet.prefix.id}-PolicyCloudWatchMetrics"
 78 |   role   = aws_iam_role.ServiceRole.name
 79 |   policy = <<EOF
 80 | {
 81 |     "Version": "2012-10-17",
 82 |     "Statement": [
 83 |         {
 84 |             "Action": [
 85 |                 "cloudwatch:PutMetricData"
 86 |             ],
 87 |             "Effect": "Allow",
 88 |             "Resource": "*"
 89 |         }
 90 |     ]
 91 | }
 92 | EOF
 93 | }
 94 | 
 95 | 
 96 | // VPC build
 97 | resource "aws_vpc" "cluster_vpc" {
 98 |   cidr_block           = "192.168.0.0/16"
 99 |   enable_dns_hostnames = true
100 | 
101 |   tags = {
102 |     Name = "${random_pet.prefix.id}-VPC"
103 |   }
104 |   lifecycle {
105 |     ignore_changes = [
106 |       tags
107 |     ]
108 |   }
109 | }
110 | 
111 | // Public and private subnets
112 | resource "aws_subnet" "public_subnet_a" {
113 |   vpc_id                  = aws_vpc.cluster_vpc.id
114 |   cidr_block              = "192.168.0.0/19"
115 |   availability_zone       = data.aws_availability_zones.available.names[0]
116 |   map_public_ip_on_launch = true
117 |   tags = {
118 |     Name                     = "${random_pet.prefix.id}-PublicSubnetA",
119 |     "kubernetes.io/role/elb" = "1"
120 |   }
121 |   lifecycle {
122 |     ignore_changes = [
123 |       tags
124 |     ]
125 |   }
126 | }
127 | 
128 | resource "aws_subnet" "public_subnet_b" {
129 |   vpc_id                  = aws_vpc.cluster_vpc.id
130 |   cidr_block              = "192.168.32.0/19"
131 |   availability_zone       = data.aws_availability_zones.available.names[1]
132 |   map_public_ip_on_launch = true
133 |   tags = {
134 |     Name                     = "${random_pet.prefix.id}-PublicSubnetB",
135 |     "kubernetes.io/role/elb" = "1"
136 |   }
137 |   lifecycle {
138 |     ignore_changes = [
139 |       tags
140 |     ]
141 |   }
142 | }
143 | 
144 | resource "aws_subnet" "public_subnet_c" {
145 |   vpc_id                  = aws_vpc.cluster_vpc.id
146 |   cidr_block              = "192.168.64.0/19"
147 |   availability_zone       = data.aws_availability_zones.available.names[2]
148 |   map_public_ip_on_launch = true
149 |   tags = {
150 |     Name                     = "${random_pet.prefix.id}-PublicSubnetC",
151 |     "kubernetes.io/role/elb" = "1"
152 |   }
153 |   lifecycle {
154 |     ignore_changes = [
155 |       tags
156 |     ]
157 |   }
158 | }
159 | 
160 | resource "aws_subnet" "private_subnet_a" {
161 |   vpc_id                  = aws_vpc.cluster_vpc.id
162 |   cidr_block              = "192.168.96.0/19"
163 |   availability_zone       = data.aws_availability_zones.available.names[0]
164 |   map_public_ip_on_launch = false
165 |   tags = {
166 |     Name                              = "${random_pet.prefix.id}-PrivateSubnetA",
167 |     "kubernetes.io/role/internal-elb" = "1"
168 |   }
169 |   lifecycle {
170 |     ignore_changes = [
171 |       tags
172 |     ]
173 |   }
174 | }
175 | 
176 | resource "aws_subnet" "private_subnet_b" {
177 |   vpc_id                  = aws_vpc.cluster_vpc.id
178 |   cidr_block              = "192.168.128.0/19"
179 |   availability_zone       = data.aws_availability_zones.available.names[1]
180 |   map_public_ip_on_launch = false
181 |   tags = {
182 |     Name                              = "${random_pet.prefix.id}-PrivateSubnetB",
183 |     "kubernetes.io/role/internal-elb" = "1"
184 |   }
185 |   lifecycle {
186 |     ignore_changes = [
187 |       tags
188 |     ]
189 |   }
190 | }
191 | 
192 | resource "aws_subnet" "private_subnet_c" {
193 |   vpc_id                  = aws_vpc.cluster_vpc.id
194 |   cidr_block              = "192.168.160.0/19"
195 |   availability_zone       = data.aws_availability_zones.available.names[2]
196 |   map_public_ip_on_launch = false
197 |   tags = {
198 |     Name                              = "${random_pet.prefix.id}-PrivateSubnetC",
199 |     "kubernetes.io/role/internal-elb" = "1"
200 |   }
201 |   lifecycle {
202 |     ignore_changes = [
203 |       tags
204 |     ]
205 |   }
206 | }
207 | 
208 | // Route tables and subnet associations
209 | resource "aws_route_table" "private_route_table_a" {
210 |   vpc_id = aws_vpc.cluster_vpc.id
211 |   route {
212 |     cidr_block     = "0.0.0.0/0"
213 |     nat_gateway_id = aws_nat_gateway.ngw.id
214 |   }
215 |   tags = {
216 |     Name = "${random_pet.prefix.id}-PrivateRouteTableA"
217 |   }
218 | }
219 | 
220 | resource "aws_route_table" "private_route_table_b" {
221 |   vpc_id = aws_vpc.cluster_vpc.id
222 |   route {
223 |     cidr_block     = "0.0.0.0/0"
224 |     nat_gateway_id = aws_nat_gateway.ngw.id
225 |   }
226 |   tags = {
227 |     Name = "${random_pet.prefix.id}-PrivateRouteTableB"
228 |   }
229 | }
230 | 
231 | resource "aws_route_table" "private_route_table_c" {
232 |   vpc_id = aws_vpc.cluster_vpc.id
233 |   route {
234 |     cidr_block     = "0.0.0.0/0"
235 |     nat_gateway_id = aws_nat_gateway.ngw.id
236 |   }
237 |   tags = {
238 |     Name = "${random_pet.prefix.id}-PrivateRouteTableC"
239 |   }
240 | }
241 | 
242 | resource "aws_route_table" "public_route_table" {
243 |   vpc_id = aws_vpc.cluster_vpc.id
244 |   route {
245 |     cidr_block = "0.0.0.0/0"
246 |     gateway_id = aws_internet_gateway.igw.id
247 |   }
248 |   tags = {
249 |     Name = "${random_pet.prefix.id}-PublicRouteTable"
250 |   }
251 | }
252 | 
253 | resource "aws_route_table_association" "private_table_assoc_a" {
254 |   subnet_id      = aws_subnet.private_subnet_a.id
255 |   route_table_id = aws_route_table.private_route_table_a.id
256 | }
257 | 
258 | resource "aws_route_table_association" "private_table_assoc_b" {
259 |   subnet_id      = aws_subnet.private_subnet_b.id
260 |   route_table_id = aws_route_table.private_route_table_b.id
261 | }
262 | 
263 | resource "aws_route_table_association" "private_table_assoc_c" {
264 |   subnet_id      = aws_subnet.private_subnet_c.id
265 |   route_table_id = aws_route_table.private_route_table_c.id
266 | }
267 | 
268 | resource "aws_route_table_association" "public_table_assoc_a" {
269 |   subnet_id      = aws_subnet.public_subnet_a.id
270 |   route_table_id = aws_route_table.public_route_table.id
271 | }
272 | 
273 | resource "aws_route_table_association" "public_table_assoc_b" {
274 |   subnet_id      = aws_subnet.public_subnet_b.id
275 |   route_table_id = aws_route_table.public_route_table.id
276 | }
277 | 
278 | resource "aws_route_table_association" "public_table_assoc_c" {
279 |   subnet_id      = aws_subnet.public_subnet_c.id
280 |   route_table_id = aws_route_table.public_route_table.id
281 | }
282 | 
283 | // Internet gateway
284 | resource "aws_internet_gateway" "igw" {
285 |   vpc_id = aws_vpc.cluster_vpc.id
286 |   tags = {
287 |     Name = "${random_pet.prefix.id}-IGW"
288 |   }
289 | }
290 | 
291 | // Elastic IP for the NAT gateway
292 | resource "aws_eip" "eip" {
293 |   vpc = true
294 |   tags = {
295 |     Name = "${random_pet.prefix.id}-EIP"
296 |   }
297 | }
298 | 
299 | // NAT gateway
300 | resource "aws_nat_gateway" "ngw" {
301 |   allocation_id = aws_eip.eip.id
302 |   subnet_id     = aws_subnet.public_subnet_a.id
303 |   tags = {
304 |     Name = "${random_pet.prefix.id}-NGW"
305 |   }
306 | }
307 | 
308 | // Security groups and rules
309 | resource "aws_security_group" "ControlPlaneSecurityGroup" {
310 |   name        = "${random_pet.prefix.id}-cluster-ControlPlaneSecurityGroup"
311 |   description = "Communication between the control plane and worker nodegroups"
312 |   vpc_id      = aws_vpc.cluster_vpc.id
313 |   tags = {
314 |     Name = "${random_pet.prefix.id}-ControlPlaneSecurityGroup"
315 |   }
316 | }
317 | 
318 | resource "aws_security_group" "ClusterSharedNodeSecurityGroup" {
319 |   name        = "${random_pet.prefix.id}-cluster-ClusterSharedNodeSecurityGroup"
320 |   description = "Communication between all nodes in the cluster"
321 |   vpc_id      = aws_vpc.cluster_vpc.id
322 |   tags = {
323 |     Name = "${random_pet.prefix.id}-ClusterSharedNodeSecurityGroup"
324 |   }
325 | }
326 | 
327 | resource "aws_security_group_rule" "IngressDefaultClusterToNodeSG" {
328 |   type                     = "ingress"
329 |   description              = "Allow managed and unmanaged nodes to communicate with each other (all ports)"
330 |   security_group_id        = aws_security_group.ClusterSharedNodeSecurityGroup.id
331 |   source_security_group_id = aws_eks_cluster.ControlPlane.vpc_config[0].cluster_security_group_id
332 |   from_port                = 0
333 |   to_port                  = 65535
334 |   protocol                 = "-1"
335 | }
336 | 
337 | resource "aws_security_group_rule" "IngressInterNodeGroupSG" {
338 |   type                     = "ingress"
339 |   description              = "Allow nodes to communicate with each other (all ports)"
340 |   security_group_id        = aws_security_group.ClusterSharedNodeSecurityGroup.id
341 |   source_security_group_id = aws_security_group.ClusterSharedNodeSecurityGroup.id
342 |   from_port                = 0
343 |   to_port                  = 65535
344 |   protocol                 = "-1"
345 | }
346 | 
347 | resource "aws_security_group_rule" "IngressNodeToDefaultClusterSG" {
348 |   type                     = "ingress"
349 |   description              = "Allow unmanaged nodes to communicate with control plane (all ports)"
350 |   security_group_id        = aws_eks_cluster.ControlPlane.vpc_config[0].cluster_security_group_id
351 |   source_security_group_id = aws_security_group.ClusterSharedNodeSecurityGroup.id
352 |   from_port                = 0
353 |   to_port                  = 65535
354 |   protocol                 = "-1"
355 | }
356 | 
357 | resource "aws_security_group_rule" "EgressClusterSharedNodeAllowAll" {
358 |   type              = "egress"
359 |   security_group_id = aws_security_group.ClusterSharedNodeSecurityGroup.id
360 |   cidr_blocks       = ["0.0.0.0/0"]
361 |   from_port         = 0
362 |   to_port           = 0
363 |   protocol          = "-1"
364 | }
365 | 
366 | // Cluster
367 | resource "aws_eks_cluster" "ControlPlane" {
368 |   name     = "${random_pet.prefix.id}-K8s"
369 |   role_arn = aws_iam_role.ServiceRole.arn
370 |   version  = var.k8s_version
371 | 
372 |   vpc_config {
373 |     security_group_ids = [aws_security_group.ControlPlaneSecurityGroup.id]
374 |     subnet_ids = [
375 |       aws_subnet.private_subnet_a.id,
376 |       aws_subnet.private_subnet_b.id,
377 |       aws_subnet.private_subnet_c.id,
378 |       aws_subnet.public_subnet_a.id,
379 |       aws_subnet.public_subnet_b.id,
380 |       aws_subnet.public_subnet_c.id
381 |     ]
382 |   }
383 |   depends_on = [
384 |     aws_iam_role_policy_attachment.AmazonEKSClusterPolicy,
385 |     aws_iam_role_policy_attachment.AmazonEKSServicePolicy
386 |   ]
387 | }
388 | 
389 | 


--------------------------------------------------------------------------------