PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Add management interface, management profile #250

Open matthewhembree opened 3 years ago

matthewhembree commented 3 years ago

Is your feature request related to a problem?

There are two concerns driving this feature request:

  1. Ambiguity with the current panos_management_profile. It only applies to regular (non-management) interfaces.
  2. No current way to terraform the management profile (restrictions) for the management interface.

Those two concerns might leave a management interface unprotected. Certainly a greater concern in public cloud deployments, if no cloud security groups are applied to the interface.

Describe the solution you'd like

Possibly:

  1. Add a parameter to resource panos_general_settings: management_profile
    • A little unorthodox as PANOS doesn't use profiles for the management interface.
  2. Add a new resource panos_management_interface_settings
    • Possibly the best way, but would need to leverage clarifications in documentation to be most effective.
      • e.g. panos_management_profile "This is only for use with panos_ethernet_interfaces. Please see panos_management_interface_settings to configure the management interface."
  3. Add parameters to resource panos_general_settings.
    • This doesn't seem like the most logical place if you're familiar with the webUI/CLI.

Describe alternatives you've considered

At present this can only be configured out of band (CLI, webUI, API). In public clouds, this can be protected with a security group (e.g. resource aws_security_group).

Additional context

This is related to #237.

In public cloud deployments (at least AWS, it depends on how the PAN VM instance is provisioned), the management interface is a normal, public-facing interface. It will typically have unrestricted/unfettered ingress.

Thanks!
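
The interim workaround named in the issue (an aws_security_group in front of the management interface), sketched as an added example that is not part of the original issue or the provider's code. The variable and resource names, the sample admin CIDR, and the choice of HTTPS and SSH as the management services to allow are assumptions.

```hcl
# Added example: names, CIDR and ports are assumptions, not values from the issue.
variable "vpc_id" {
  type = string
}

variable "mgmt_eni_id" {
  description = "ENI backing the firewall's management interface (hypothetical input)"
  type        = string
}

variable "admin_cidrs" {
  description = "Networks allowed to reach the management interface"
  type        = list(string)
  default     = ["203.0.113.0/24"] # constructed sample (documentation range)
}

resource "aws_security_group" "fw_mgmt" {
  name        = "fw-mgmt-restricted"
  description = "Restrict ingress to the firewall management interface"
  vpc_id      = var.vpc_id

  # Assumed management services: web UI / API over HTTPS, CLI over SSH.
  ingress {
    description = "HTTPS (web UI / API)"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  ingress {
    description = "SSH (CLI)"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.admin_cidrs
  }

  # Terraform drops the AWS default allow-all egress rule, so declare egress
  # explicitly; tighten it to the destinations the firewall actually needs.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_network_interface_sg_attachment" "fw_mgmt" {
  security_group_id    = aws_security_group.fw_mgmt.id
  network_interface_id = var.mgmt_eni_id
}
```

Security group rules are additive, so any permissive group already attached to the management ENI has to be detached for this restriction to take effect.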