PaloAltoNetworks / terraform-provider-cloudngfwaws

The Terraform provider for the Palo Alto Networks AWS cloud NGFW
Mozilla Public License 2.0

Questions regarding NGFW #3

Closed ShreyasNBS closed 2 years ago

ShreyasNBS commented 2 years ago

Hi,

First of all thank you for this provider.

I have a few questions: @shinmog @btorresgil @migara

In the NGFW resource, I do not see an option to specify log settings. Is this meant to be done via the UI for now? I understand that I will need an IAM role with Trust Account ID (Palo AWS Account that handles the firewall interaction), but that will merely grant firewall rights to push the logs to intended destination (for example, CloudWatch). https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints/configure-logging-for-the-cloud-ngfw-on-aws.

Secondly, is there a way to programmatically add an AWS Account to the NGFW? I forgot to download the CFT (CloudFormation Stack) when I set up my account, but I was able to go into the CFTs in the AWS Console later and download the stack. At the bottom of the stack, there seems to be a message that is placed onto an SNS topic that informs Palo about the various ARNs for cross-account IAM roles. Can this be terraformed?

Thirdly, from what I can see, when I supply the log settings in CloudFormation (CloudWatch, Kinesis Firehose), from what I gather, those logging endpoints are only designated, but not actually created. Does this mean I will have to create a CloudWatch Namespace/LogGroup and Kinesis Firehose before I can start using the Firewall?

That's a question too many, but it would clarify a lot of things :)

Thanks, Shreyas

welcome-to-palo-alto-networks[bot] commented 2 years ago

:tada: Thanks for opening your first issue here! Welcome to the community!

shinmog commented 2 years ago

For the first question, yeah, it does seem like there should be a log settings resource. I'll see if I can add this in. When I do, I'll close out this GitHub issue.

As for the second question, for programmatically adding AWS accounts, I think that it was decided that this should be a manual process.

For the third question, I actually don't know if the logging endpoint needs to exist before you can configure it as the logging endpoint.

shinmog commented 2 years ago

Ok, added log profile support. Closing this issue out.

shinmog commented 2 years ago

@ShreyasNBS

Make sure you update cloud-ngfw-aws-go as well, there are changes there that you'll need.

ShreyasNBS commented 2 years ago

Thanks @shinmog.

shinmog commented 2 years ago

@ShreyasNBS

Just making sure you saw it: I have (and will likely continue to make) more changes that will break compatibility with any currently deployed resources. I've done it a few times now.

Just make sure you terraform destroy before you update either this repo or the SDK repo, then you can terraform apply again. This provider should be considered beta, it will be stable once it's officially released and available from the Terraform registry.