search

PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License
14 stars 11 forks source link

[Bug Report] asg submodule only applies a single security group per eni #85

Open sgreathouse-rgare opened 1 week ago

sgreathouse-rgare commented 1 week ago

Describe the bug

https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws/latest/submodules/asg

I'm passing a list of security groups for each of the 3 interfaces for a NGFW. The Lambda function only attaches the first SG to the interfaces.

I tried passing the subnet_ids & security_group_ids arguments to the lambda in the main module call in addition to passing them in the interfaces block. That resulted in the instance only having one interface. subnet_ids & security_group_ids is not really documented, so some understanding of how they function would be helpful as well.

I also noticed that the interfaces_config environment variable passed to Lambda only receives information for the mgmnt index1 & public index 2 interfaces. Maybe a clue, maybe as-designed.

Thanks for your help.

full module call.

module "ngfw_asg" {
    source  = "../ngfw_asg"
    # global_tags = var.default_tags
    global_tags = {} # fix
    name_prefix = "${var.resource_name}-"
    region = var.aws_region
    ssh_key_name = var.ssh_key_name
    # asg_name = ""
    # delete_timeout = ""
    # delicense_enabled = true
    # delicense_ssm_param_name = ""
    # desired_capacity = ""
    # ebs_kms_id = ""
    fw_license_type = "byol" # default can omit
    # health_check =  { "grace_period": 300, "type": "EC2" } 
    include_deprecated_ami = false # default can omit
    # instance_refresh = see docs
    instance_type = "m5.xlarge"
    # ip_target_groups = see docs, for lambda
    # lambda_execute_pip_install_once = see docs
    launch_template_update_default_version = true
    launch_template_version = "$Latest"
    lifecycle_hook_timeout = 300 # default can omit
    max_size = 1
    min_size = 1
    desired_capacity = 1
    # reserved_concurrent_executions = see docs lambda
    # scaling_cloudwatch_namespace = see docs
    scaling_estimated_instance_warmup = 900 # default can omit
    scaling_metric_name = false # default can omit
    scaling_plan_enabled = false # default can omit
    scaling_statistic = "Average" # default can omit   
    scaling_tags = {}
    scaling_target_value = 70 # default can omit
    # security_group_ids = [aws_security_group.ngfw_appliance.id, aws_security_group.ngfw_egress.id] # see docs lambda
    # subnet_ids = toset(concat(local.egress_subnet_list, local.appliance_subnet_list, local.gwlb_subnet_list)) # see docs lambda
    suspended_processes = [] # see docs
    tag_specifications_targets = [ "instance", "volume", "network-interface" ] # default can omit
    target_group_arn = aws_lb_target_group.appliance.arn
    vmseries_ami_id = null # default can omit
    vmseries_iam_instance_profile = aws_iam_instance_profile.this.name
    vmseries_product_code = "6njl1pau431dv1qxipg63mvah" # default BYOL can omit
    vmseries_version = "10.2.11-h1"
    bootstrap_options = "mgmt-interface-swap=enable\ndns-primary = 169.254.169.253\ndns-secondary = 8.8.8.8\nvmseries-bootstrap-aws-s3bucket = insp-vpc-pan-ngfw-bootstrap-962207273628/\n"
    interfaces = {
        mgmt = {
            device_index       = 1
            name               = "mgmt"
            subnet_id          = local.egress_subnet_map
            create_public_ip   = true
            source_dest_check  = false
            security_group_ids = [aws_security_group.ngfw_appliance.id, aws_security_group.ngfw_egress.id]
        },
        public = {
            device_index     = 2
            name             = "public"
            subnet_id    = local.appliance_subnet_map
            create_public_ip = false
            source_dest_check  = false
            security_group_ids = [aws_security_group.ngfw_appliance.id, aws_security_group.ngfw_egress.id]
        },
        private = {
            device_index = 0
            name         = "private"
            source_dest_check  = false
            subnet_id    = local.gwlb_subnet_map
            create_public_ip   = false
            security_group_ids = [aws_security_group.ngfw_appliance.id, aws_security_group.ngfw_egress.id]
        }
    }
}

Module Version

3.0.0-rc.1

Terraform version

Terraform v1.9.7 on linux_arm64 + provider registry.terraform.io/hashicorp/archive v2.6.0 + provider registry.terraform.io/hashicorp/aws v5.70.0 + provider registry.terraform.io/hashicorp/local v2.5.2 + provider registry.terraform.io/hashicorp/null v3.2.1

Expected behavior

multiple security groups per interface

Current behavior

one security groups per interface

Anything else to add?

No response

sgreathouse-rgare commented 6 days ago

Any progress / ETA?

sgreathouse-rgare commented 5 days ago

BTW, it appears that the 2.0.15 release has the same issue

acelebanski commented 3 days ago

Hello @sgreathouse-rgare, thanks for raising the issue. There was no link between your issue and 2.0.15 release. I analysed it this week and I'm working on it. Once tested, I will create a PR, possibly in a couple of days.

sgreathouse-rgare commented 2 days ago

@acelebanski I just re-tested & 2.0.15 will not attach multiple security groups to an ENI either.