PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Add support for additional host headers to allow secure public access to Palo APIs #273

Closed biggles007 closed 2 years ago

biggles007 commented 3 years ago

Is your feature request related to a problem?

Automating deployments in a cloud environment using Terraform requires direct connectivity to Panorama/Palo Firewalls. Currently there are two options to allow deployment.

  1. Add Public IPs to the devices and enable management access.
  2. Place agents on the network to allow direct communications.

Describe the solution you'd like

If we were able to add additional header values to the provider API calls, we could use native reverse proxies/API gateways to provide secure access to the Pano/Palo API without requiring additional local agents/Public IPs. By providing an authentication token in a specific header value, the API calls can be passed through to the Pano/Palo API.

provider "panos" {
  additional_headers = {
    my-api-gateway-header-key = "API-GW-TOKEN"
  }
}

Where my-api-gateway-header-key is the name to be added to the header and API-GW-TOKEN would be the associated value. The keys/values under additional_headers should be completely customisable.

Additional context

Having a solution as above would allow for fewer IaaS resources having to be deployed purely to allow the management of the Panorama/Palo instances. Resources must be left running for long periods of time to allow pipelines to run, when they aren't required that often. Turning off the pipeline agents is an option but would delay operations whilst they start each time.

It would also help resolve issues of organisations who won't allow management of devices using Public IPs.

Example API gateways/reverse proxies:

shinmog commented 3 years ago

This will be coming in the next minor release of the provider (1.9.0).
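
The request in this issue pairs a client that sends an extra header on every API call with a gateway that forwards only calls carrying the expected token. An added Go example of both halves follows; it is not the provider's code or any gateway product's code. `headerTransport`, `gateway`, `probe` and the `gateway.example` URL are hypothetical, and the header name and token are the sample values from the request.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

const hdr, token = "my-api-gateway-header-key", "API-GW-TOKEN" // sample values from the request

// headerTransport (client side, hypothetical name) adds fixed headers to every API call.
type headerTransport struct {
	base    http.RoundTripper
	headers map[string]string
}
func (t headerTransport) RoundTrip(r *http.Request) (*http.Response, error) {
	r = r.Clone(r.Context()) // a RoundTripper must not modify the caller's request
	for k, v := range t.headers {
		r.Header.Set(k, v)
	}
	return t.base.RoundTrip(r)
}

// gateway (proxy side, hypothetical) runs in-process and forwards only with a valid token.
type gateway struct{ next http.Handler }
func (g gateway) RoundTrip(r *http.Request) (*http.Response, error) {
	rec := httptest.NewRecorder()
	got, want := sha256.Sum256([]byte(r.Header.Get(hdr))), sha256.Sum256([]byte(token))
	if subtle.ConstantTimeCompare(got[:], want[:]) == 1 { // fixed-length digests, constant time
		r.Header.Del(hdr) // keep the gateway token away from the firewall API
		g.next.ServeHTTP(rec, r)
	} else {
		http.Error(rec, "forbidden", http.StatusForbidden)
	}
	return rec.Result(), nil
}

// probe sends one call through the gateway and returns the HTTP status.
func probe(headers map[string]string) int {
	backend := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(hdr) != "" {
			w.WriteHeader(http.StatusInternalServerError) // token reached the backend
		}
	})
	req := httptest.NewRequest("GET", "http://gateway.example/api/", nil) // constructed URL
	resp, _ := headerTransport{gateway{backend}, headers}.RoundTrip(req)
	return resp.StatusCode
}
func main() { println(probe(map[string]string{hdr: token}), probe(nil)) }
```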