Closed David7660 closed 1 year ago
@David7660 regarding upgrade, you have 2 options:

- panos_version attribute in map for vmseries, e.g. in combined design: https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/blob/8d486b82086a0e06e5de3b19fd7eaa7b6225546a/examples/combined_design/example.tfvars#L502, and execute terraform apply; then the existing VM-Series instance will be replaced, because a different AMI is going to be used, e.g.:

    # module.vmseries["vmseries-01"].aws_instance.this must be replaced
    -/+ resource "aws_instance" "this" {
          ~ ami = "ami-03b20ccd91df50319" -> "ami-044f760211cc3afa8" # forces replacement
What is more important, in the second option a new firewall will be bootstrapped, which needs to be licensed too, so if your target is only to upgrade PAN-OS and still have Panorama or VM-Series configured as it is, then I recommend option 1. If you prefer to have a new, fresh Panorama or VM-Series in the new PAN-OS version, then I recommend option 2.

To summarise: in that case I don't think the code below is needed in the Panorama or VM-Series module:
    resource "aws_instance" "example" {
      # ...
      lifecycle {
        ignore_changes = [
          # Ignore changes to ami, e.g. because the appliance was updated from the Web-UI
          ami,
        ]
      }
    }
when you are upgrading PAN-OS via the web UI or the PAN-OS CLI, because the AMI is not being changed.

When you change the PAN-OS version directly in the code, then we cannot ignore the AMI change: we need to destroy and create a new Panorama or VM-Series in the specified version.

Is the explanation sufficient? Can we close the issue?
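The comment above makes the practical point that a PAN-OS version change in code shows up as an AMI change that forces replacement of the aws_instance, and that the replacement appliance comes up bootstrapped, unlicensed and without the running configuration. The following pre-apply guard is an added example, not code from this issue or from the terraform-aws-vmseries-modules project: it reads the machine-readable plan (terraform show -json on a saved plan file) and refuses to proceed when any aws_instance would be destroyed and re-created, reporting which attribute forced it. The plan fragment embedded below is constructed for the example; the two AMI IDs are the ones quoted in the plan excerpt above, and the assumption that VM-Series and Panorama are plain aws_instance resources is taken from the resource address in that excerpt.

```python
"""Refuse to apply a Terraform plan that would replace a firewall instance.

Added example (not part of the original issue or the project). Assumed workflow:
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    python replace_guard.py plan.json   # exit 1 if a replacement is planned
"""
import json
import sys
from typing import Dict, List

# Assumption: VM-Series / Panorama are plain aws_instance resources, as in the
# address module.vmseries["vmseries-01"].aws_instance.this quoted in the thread.
GUARDED_TYPES = {"aws_instance"}

# Constructed plan fragment in the `terraform show -json` shape: one instance
# replaced because its ami changed, one updated in place, one untouched.
SAMPLE_PLAN: Dict = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.vmseries["vmseries-01"].aws_instance.this',
            "type": "aws_instance",
            "change": {
                "actions": ["delete", "create"],
                "before": {"ami": "ami-03b20ccd91df50319"},
                "after": {"ami": "ami-044f760211cc3afa8"},
                "replace_paths": [["ami"]],
            },
        },
        {
            "address": 'module.vmseries["vmseries-02"].aws_instance.this',
            "type": "aws_instance",
            "change": {
                "actions": ["update"],
                "before": {"ami": "ami-03b20ccd91df50319", "tags": {}},
                "after": {"ami": "ami-03b20ccd91df50319", "tags": {"env": "prod"}},
                "replace_paths": [],
            },
        },
        {
            "address": "aws_security_group.mgmt",
            "type": "aws_security_group",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
}


def find_replacements(plan: Dict) -> List[Dict]:
    """Return one record per guarded resource the plan would destroy and re-create."""
    hits = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in GUARDED_TYPES:
            continue
        change = rc.get("change", {})
        # Terraform encodes a replacement as delete+create (in either order).
        if not {"delete", "create"} <= set(change.get("actions", [])):
            continue
        # replace_paths names the attributes that forced replacement, e.g. [["ami"]].
        forced_by = [".".join(str(p) for p in path) for path in change.get("replace_paths", [])]
        before = change.get("before") or {}
        after = change.get("after") or {}
        hits.append({
            "address": rc.get("address"),
            "forced_by": forced_by,
            "ami_before": before.get("ami"),
            "ami_after": after.get("ami"),
        })
    return hits


def guard_exit_code(plan: Dict) -> int:
    """0 when no guarded instance is replaced, 1 otherwise (print what would be lost)."""
    hits = find_replacements(plan)
    for hit in hits:
        print(
            f"REFUSING: {hit['address']} would be replaced (forced by {hit['forced_by']}); "
            f"ami {hit['ami_before']} -> {hit['ami_after']}. The new instance will be "
            "bootstrapped and needs licensing; running config is not carried over."
        )
    return 1 if hits else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sys.exit(guard_exit_code(json.load(fh)))
    sys.exit(guard_exit_code(SAMPLE_PLAN))
```

Running it without arguments exercises the embedded sample and exits 1 because vmseries-01 is replaced by the ami change, while the in-place tag update on vmseries-02 and the untouched security group are ignored. In a pipeline, wire it between plan and apply so a version bump in tfvars cannot silently destroy a licensed, configured appliance.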
Hello @sebastianczech, thank you for all this information. I thought updating via the GUI would change the AMI, but in fact it doesn't make sense. So yes, I think this is the best option for my use case. But if I want to upgrade from 10.2 to 11.0, do I have to change the AMI? If I remember correctly, on the AWS Marketplace there is another AMI for 11.0. Other than that, it completely answers my question :) Thank you very much for your feedback.
Hi @David7660, if you want to upgrade from 10.2 to 11.0, then the rules are still the same.

Yes, there is 11.0 in the AWS Marketplace, but you have 2 options to upgrade to 11.0:

- terraform.tfvars and then replace the VM-Series instance (you will get a new, fresh firewall instance)

If it completely answers your question, can I close that issue without changing anything in our public Terraform modules?
Ok @sebastianczech thank you very much.
I confirm that you can close the issue :) thank you very much
Is your feature request related to a problem?
I don't have a problem yet, but what happens if I deploy Panorama or VM-Series with version 10.2.3 through my Terraform code and I do the software upgrade to 10.2.5 directly on the appliance?
Will I have a change in my terraform plan? Or is there any way to upgrade Panorama & VM-Series through Terraform?
Describe the solution you'd like
Maybe we could have the possibility to have the lifecycle meta-argument in the Panorama and VM-Series modules to ignore AMI changes.
Describe alternatives you've considered.
No response
Additional context
No response