feat: Autoscale Delicense feature

[ancoleman]

Description

When utilizing Google Cloud Autoscaling (Managed Instance Groups with Autoscaler Enabled), automatically de-register a firewall with the Panorama Software License Plugin is needed. This de-registration allows the customer to reallocate licenses to their Software NGFW Credit Deployment Profile(s).

Motivation and Context

The drive to support the automatic de-registration of firewalls within Panorama, is to help minimize the operational overhead of knowing when to de-register an abandoned firewall and which firewall to de-register. This module builds all the necessary components to support the de-registration lifecycle of the firewall.

How does this work?

• Generates a Log Sink with Filter to capture the delete operation from a Managed Instance Group Autoscaler
• Log Sink destination is a pub/sub topic which is also generated by this module
• When the log event happens, it messages the topic which a subscription retrieves the message from the topic
• When the subscription retrieves the message, the trigger subscription connected to a Cloud Function is pushed to the CFN
• The CFN consumes the log event with the instance name/instance id and other relevant information.
• The CFN performs an instance details lookup to retrieve the network interfaces associated with the instance
• The CFN retrieves Panorama credentials from Google Secret Manager
• The CFN uses credentials to connect to Panorama over a VPC Connector (the VPC connector is built by the module)
• The CFN queries the Panorama Plugin to review what firewalls are associated with the plugin and matches the mgmt IP of the firewall with what the CFN queried from Google Cloud. If there is a match, a de-register operation is performed against the specific serial number of the firewall, and then a commit is performed.

Other Items Built by the Module:

• CFN service account with necessary roles
• CFN source code package
• PUB/SUB Topic and Subscriptions
• VPC Connector
• LOG Sink

How Has This Been Tested?

This was tested locally on MacOS Ventura using Terraform Version 1.3.9. Pre-commit was performed and all checks passed. An exclusion was necessary for Checkov as there is a false positive on not securing the CFN properly. However, the false positive is due to HTTP trigger not being set to SECURE_ALWAYS. HTTP Trigger is irrelevant for this CFN as it is event-driven with Pub/Sub instead. Checkov should revise their rule to enforce ONLY if http_trigger = true or if event_trigger is present to ignore.

Screenshots (if appropriate)

Types of changes

• New feature (non-breaking change which adds functionality)

Checklist

• [x] I have updated the documentation accordingly.
• [x] I have read the CONTRIBUTING document.
• [x] I have added tests to cover my changes if appropriate.
• [x] All new and existing tests passed.

[ancoleman]

not sure why the validate fails, as I most definitely have this functioning with Terraform 1.3.9

[pavelrn]

Delicensing code has been merged into autoscale example with some minor changes:

• Extra resources are created with TF
  • Storage bucket for Cloud Function code
  • Secret Manager secret
• Cloud Function upgraded to v2 (there are more regions with v2 support then with v1 support)
• Description added in example's README

[welcome-to-palo-alto-networks[bot]]

:tada: Congrats on getting your first pull request merged! We here at Palo Alto Networks are so grateful! :heart: