PaloAltoNetworks / terraform-aws-vmseries-modules

Terraform Reusable Modules for VM-Series on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws
MIT License

Add the possibility to ignore ami change on VMSeries & Panorama #384

Closed David7660 closed 1 year ago

David7660 commented 1 year ago

Is your feature request related to a problem?

I don't have a problem yet, but what happens if I deploy Panorama or VMSeries with version 10.2.3 through my Terraform code and I do the software upgrade to 10.2.5 directly on the appliance?

Will I have a change in my Terraform plan? Or is there any way to upgrade Panorama & VMSeries through Terraform?

Describe the solution you'd like

Maybe we could have the possibility to have the lifecycle meta-argument in the Panorama and VMSeries module to ignore ami changes.

resource "aws_instance" "example" {
  # ...
  lifecycle {
    ignore_changes = [
      # Ignore changes to ami, e.g. because the appliance was updated from the Web-UI
      ami,
    ]
  }
}

Describe alternatives you've considered.

No response

Additional context

No response

sebastianczech commented 1 year ago

@David7660 regarding upgrade, you have 2 options:

  1. Download software and install it via web UI or PAN-OS CLI. In that case the AMI used for the EC2 instance is not changed: if initially you used the AMI for PAN-OS 10.2.3, then after upgrading PAN-OS via web UI to version 10.2.4, the AMI used for your EC2 instance will still be the same.
  2. Change the panos_version attribute in the map for vmseries, e.g. in the combined design: https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/blob/8d486b82086a0e06e5de3b19fd7eaa7b6225546a/examples/combined_design/example.tfvars#L502 and execute terraform apply. Then the existing VM-Series instance will be replaced, because a different AMI is going to be used, e.g.:

  # module.vmseries["vmseries-01"].aws_instance.this must be replaced
-/+ resource "aws_instance" "this" {
      ~ ami                                  = "ami-03b20ccd91df50319" -> "ami-044f760211cc3afa8" # forces replacement

What is more important, in the second option the new firewall will be bootstrapped, which needs to be licensed too, so if your target is only to upgrade PAN-OS and still have Panorama or VM-Series configured as it is, then I recommend option 1. If you prefer to have a new, fresh Panorama or VM-Series on the new PAN-OS version, then I recommend option 2.

To summarise - in that case I don't think the code below is needed in the Panorama or VM-Series module:

resource "aws_instance" "example" {
  # ...
  lifecycle {
    ignore_changes = [
      # Ignore changes to ami, e.g. because the appliance was updated from the Web-UI
      ami,
    ]
  }
}

when you are upgrading PAN-OS via web UI or PAN-OS CLI, because the AMI is not being changed.

When you change the PAN-OS version directly in the code, then we cannot ignore the AMI change - we need to destroy and create a new Panorama or VM-Series in the specified version.

Is the explanation sufficient? Can we close the issue?
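Added example (not part of this thread or of the module): a pre-apply check that reads the output of `terraform show -json <planfile>` and lists aws_instance resources the plan would destroy and recreate because of an AMI change, so an unintended panos_version bump (which also re-bootstraps and re-licenses the firewall, as noted above) is caught before apply. The sample plan JSON is constructed from the plan excerpt in the comment; the plan file name is an assumption.

```python
"""Pre-apply gate: flag VM-Series / Panorama instances that a Terraform plan
would replace because the AMI changed. Input is the JSON produced by
`terraform show -json tfplan` (file name assumed)."""
import json

# Constructed sample plan JSON, modelled on the replacement shown in the issue.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": 'module.vmseries["vmseries-01"].aws_instance.this',
            "type": "aws_instance",
            "change": {
                "actions": ["delete", "create"],
                "before": {"ami": "ami-03b20ccd91df50319"},
                "after": {"ami": "ami-044f760211cc3afa8"},
                "replace_paths": [["ami"]],
            },
        },
        {   # in-place tag update: must NOT be reported
            "address": "module.panorama.aws_instance.this",
            "type": "aws_instance",
            "change": {"actions": ["update"],
                       "before": {"ami": "ami-0aaa", "tags": {}},
                       "after": {"ami": "ami-0aaa", "tags": {"env": "prod"}},
                       "replace_paths": []},
        },
    ],
})


def ami_forced_replacements(plan_json: str) -> list[dict]:
    """Return aws_instance resources whose replacement is forced by an AMI change."""
    plan = json.loads(plan_json)
    hits = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = set(change.get("actions", []))
        # A replace shows up as both delete and create actions on one resource.
        if rc.get("type") != "aws_instance" or not {"delete", "create"} <= actions:
            continue
        # replace_paths names the attribute(s) that forced the replacement.
        if ["ami"] not in change.get("replace_paths", []):
            continue
        hits.append({"address": rc["address"],
                     "old_ami": (change.get("before") or {}).get("ami"),
                     "new_ami": (change.get("after") or {}).get("ami")})
    return hits


if __name__ == "__main__":
    for h in ami_forced_replacements(SAMPLE_PLAN):
        print(f"{h['address']}: {h['old_ami']} -> {h['new_ami']} (forces replacement)")
```

Wire it into CI so the job fails when the list is non-empty unless the replacement was explicitly intended.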

David7660 commented 1 year ago

Hello @sebastianczech, thank you for all this information. I thought updating via the GUI would change the AMI, but in fact that doesn't make sense. So yes, I think this is the best option for my use case. But if I want to upgrade from 10.2 to 11.0, do I have to change the AMI? If I remember correctly, on AWS Marketplace there is another AMI for 11.0. Other than that, it completely answers my question :) Thank you very much for your feedback.

sebastianczech commented 1 year ago

Hi @David7660, if you want to upgrade from 10.2 to 11.0, then the rules are still the same.

Yes, there is 11.0 in AWS Marketplace, but you have 2 options to upgrade to 11.0:

If it completely answers your question, can I close that issue without changing anything in our public Terraform modules?

David7660 commented 1 year ago

Ok @sebastianczech thank you very much.

I confirm that you can close the issue :) thank you very much