Is your feature request related to a problem?
There are two concerns driving this feature request:
1. Ambiguity with the current panos_management_profile. It only applies to regular (non-management) interfaces.
2. No current way to terraform the management profile (restrictions) for the management interface.
Those two concerns might leave a management interface unprotected. Certainly a greater concern in public cloud deployments, if no cloud security groups are applied to the interface.
Describe the solution you'd like
Possibly:
1. Add a parameter to resource panos_general_settings: management_profile
   - A little unorthodox as PANOS doesn't use profiles for the management interface.
2. Add a new resource panos_management_interface_settings
   - Possibly the best way, but would need to leverage clarifications in documentation to be most effective.
   - e.g. panos_management_profile "This is only for use with panos_ethernet_interfaces. Please see panos_management_interface_settings to configure the management interface."
3. Add parameters to resource panos_general_settings.
   - This doesn't seem like the most logical place if you're familiar with the webUI/CLI.
Describe alternatives you've considered
At present this can only be configured out of band (CLI, webUI, API). In public clouds, this can be protected with a security group (e.g. resource aws_security_group).
Additional context
This is related to #237.
In public cloud deployments (at least AWS, it depends on how the PAN VM instance is provisioned), the management interface is a normal, public-facing interface. It will typically have unrestricted/unfettered ingress.
Thanks!
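
The security-group alternative mentioned in the issue, sketched as an added example (not part of the original issue and not code from the panos provider). The resource names, input variables and the admin CIDR (an RFC 5737 documentation range) are assumptions; it restricts the firewall's management ENI to HTTPS and SSH from known admin networks and rejects an open-to-the-world source at plan time.

```hcl
# Added example: every name and value below is hypothetical.
variable "vpc_id" { type = string }
variable "mgmt_subnet_id" { type = string }

variable "admin_cidrs" {
  description = "Networks allowed to reach the firewall management interface"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed sample (RFC 5737 range)

  # Fail the plan if someone widens management access to the whole internet.
  validation {
    condition     = alltrue([for c in var.admin_cidrs : !contains(["0.0.0.0/0", "::/0"], c)])
    error_message = "Management ingress must not be open to 0.0.0.0/0 or ::/0."
  }
}

resource "aws_security_group" "fw_mgmt" {
  name_prefix = "fw-mgmt-"
  description = "Restrict PAN-OS management interface to admin networks"
  vpc_id      = var.vpc_id

  ingress {
    description = "Management web UI / API (HTTPS)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  ingress {
    description = "Management CLI (SSH)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  # No egress block is declared: Terraform removes the AWS default
  # allow-all egress rule, so add only the outbound rules you need.
}

# ENI used as the firewall's management interface, bound to the group above.
resource "aws_network_interface" "fw_mgmt" {
  subnet_id       = var.mgmt_subnet_id
  security_groups = [aws_security_group.fw_mgmt.id]
  description     = "PAN-OS management interface"
}
```

This only filters traffic at the cloud layer; the management interface's own permitted-IP and service restrictions still have to be set out of band, which is the gap the issue describes.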