PaloAltoNetworks / terraform-provider-panos

Terraform Panos provider
https://www.terraform.io/docs/providers/panos/
Mozilla Public License 2.0

Update the Terraform provider to use Palo Alto's RESTAPI instead of XMLAPI #379

Open joaopsys opened 1 year ago

joaopsys commented 1 year ago

Is your feature request related to a problem?

The current terraform provider uses Palo Alto's XMLAPI, which has several limitations when it comes to access controls in the firewalls and Panorama.

In order to automate any kind of small task towards Panorama, we find ourselves creating a service account that has far too many permissions - e.g. if we are building Terraform code that only updates firewall rules in a single device group, the service account used in Panorama will have access to update all device groups.

We try to follow the zero-trust approach and it is quite hard to do so if we need to grant full configuration/commit rights to a service account that only needs to do very specific / isolated tasks in the firewalls/Panorama.

Describe the solution you'd like

A terraform provider that uses Palo Alto's RESTAPI where we can define granular RBAC permissions in the firewalls and get some extra control over what our automation can/can't do.

Describe alternatives you've considered

We have considered using a third party proxy / application gateway that only allows certain types of API calls to Panorama.

Additional context

In larger organizations, the teams developing automation, the teams managing the firewalls and the security teams are usually different, and sometimes even working in different departments.

It's quite hard to get any kind of simple automation approved if, in order to do so, we need to request a full access / pretty much admin account in Panorama - with access to several hundreds of firewalls and all templates / device groups.
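The "proxy / application gateway that only allows certain types of API calls" alternative from the issue, as an added example that is not part of this provider or of the issue author's setup: a default-deny allow-list check that a gateway in front of Panorama would apply to each XML API request before forwarding it. The request shape (`/api/?type=config&action=set&xpath=...&element=...`) and the device-group xpath layout under `/config/devices/entry[@name='localhost.localdomain']/device-group/` are real PAN-OS conventions; the Panorama hostname, the device-group names and the policy itself are constructed for the example.

```python
"""Allow-list gateway check for PAN-OS XML API requests.

Added example, not provider code: a policy that lets a scoped automation
account touch only one Panorama device group. Hostnames, device-group
names and the policy values are constructed; the XML API request shape and
the device-group xpath layout are real PAN-OS conventions.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Panorama stores each device group's configuration under this xpath.
DG_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/device-group/entry[@name='{dg}']"
)

# XPath features that could escape the scoped subtree when matched by string
# prefix: the parent step, descendant search, union, and explicit axes such
# as parent:: or ancestor::. A production gateway should parse the XPath
# properly; this string check is the minimum that makes prefix matching safe.
ESCAPE_TOKENS = ("..", "//", "|", "::")


@dataclass
class Policy:
    """What a scoped automation account may do through the gateway."""
    device_groups: set
    # Only configuration calls; no type=commit or type=op by default.
    types: set = field(default_factory=lambda: {"config"})
    actions: set = field(default_factory=lambda: {"get", "show", "set", "edit", "delete"})


def xpath_in_scope(xpath: str, policy: Policy) -> bool:
    """True only if xpath is one of the policy's device groups or strictly below it."""
    if not xpath or any(tok in xpath for tok in ESCAPE_TOKENS):
        return False
    for dg in policy.device_groups:
        root = DG_XPATH.format(dg=dg)
        if xpath == root or xpath.startswith(root + "/"):
            return True
    return False


def check_request(url: str, policy: Policy):
    """Return (allowed, reason) for one XML API request URL.

    Default deny: anything not explicitly matched (commits, op commands,
    other device groups, templates, shared objects) is refused.
    """
    parts = urlsplit(url)
    if parts.path != "/api/":
        return False, "not an XML API request"
    query = parse_qs(parts.query, keep_blank_values=True)
    # A parameter sent twice is ambiguous to the upstream parser; refuse it
    # rather than guess which copy Panorama will honour.
    dupes = [k for k, v in query.items() if len(v) != 1]
    if dupes:
        return False, f"repeated parameter(s): {', '.join(sorted(dupes))}"
    params = {k: v[0] for k, v in query.items()}
    if params.get("type") not in policy.types:
        return False, f"type {params.get('type')!r} not allowed"
    if params.get("action") not in policy.actions:
        return False, f"action {params.get('action')!r} not allowed"
    if not xpath_in_scope(params.get("xpath", ""), policy):
        return False, "xpath outside the scoped device group(s)"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests against a constructed Panorama hostname.
    policy = Policy(device_groups={"branch-dg"})
    base = "https://panorama.example.net/api/?"
    dg = DG_XPATH.format(dg="branch-dg")
    other = DG_XPATH.format(dg="hq-dg")
    samples = [
        base + "type=config&action=set&xpath=" + dg + "/pre-rulebase/security/rules"
        "&element=<entry%20name='allow-dns'/>",
        base + "type=config&action=set&xpath=" + other + "/pre-rulebase/security/rules",
        base + "type=config&action=set&xpath=" + dg + "/../entry[@name='hq-dg']",
        base + "type=commit&cmd=<commit></commit>",
    ]
    for url in samples:
        print(check_request(url, policy))
```

In this design the gateway, not the Terraform runner, holds the real Panorama API key, so the automation account never has a credential that works outside the proxy. The check scopes configuration reads and writes to the device-group subtree; it does not give the caller a scoped commit, which is exactly the gap the issue is asking the provider and the REST API to close.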

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!