From 64a67a4981037817165ec483e40ab3241a6ff89d Mon Sep 17 00:00:00 2001
From: Sebastian Czech <sczech@paloaltonetworks.com>
Date: Tue, 6 Feb 2024 14:22:39 +0100
Subject: [PATCH] Fix EBS encrypted setting in Panorama example

---
 examples/panorama_standalone/README.md      | 2 +-
 examples/panorama_standalone/example.tfvars | 3 +--
 examples/panorama_standalone/main.tf        | 3 ++-
 examples/panorama_standalone/variables.tf   | 2 +-
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/examples/panorama_standalone/README.md b/examples/panorama_standalone/README.md
index 89ccdf5..92b4994 100644
--- a/examples/panorama_standalone/README.md
+++ b/examples/panorama_standalone/README.md
@@ -96,7 +96,7 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
 |------|-------------|------|---------|:--------:|
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Global tags configured for all provisioned resources | `map(any)` | `{}` | no |
 | <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix used in names for the resources (VPCs, EC2 instances, autoscaling groups etc.) | `string` | `""` | no |
-| <a name="input_panoramas"></a> [panoramas](#input\_panoramas) | A map defining Panorama instances<br><br>Following properties are available:<br>- `instances`: map of Panorama instances with attributes:<br>  - `az`: name of the Availability Zone<br>  - `private_ip_address`: private IP address for management interface<br>- `panos_version`: PAN-OS version used for Panorama<br>- `network`: definition of network settings in object with attributes:<br>  - `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br>  - `vpc_subnet`: key of the VPC and subnet connected by '-' character<br>  - `security_group`: security group assigned to ENI used by Panorama<br>  - `create_public_ip`: true, if public IP address for management should be created<br>- `ebs`: EBS settings defined in object with attributes:<br>  - `volumes`: list of EBS volumes attached to each instance<br>  - `kms_key_alias`: KMS key alias used for encrypting Panorama EBS<br>- `iam`: IAM settings in object with attrbiutes:<br>  - `create_role`: enable creation of IAM role<br>  - `role_name`: name of the role to create or use existing one<br>- `enable_imdsv2`: whether to enable IMDSv2 on the EC2 instance<br><br>Example:<pre>{<br>  panorama_ha_pair = {<br>    instances = {<br>      "primary" = {<br>        az                 = "eu-central-1a"<br>        private_ip_address = "10.255.0.4"<br>      }<br>      "secondary" = {<br>        az                 = "eu-central-1b"<br>        private_ip_address = "10.255.1.4"<br>      }<br>    }<br><br>    panos_version = "10.2.3"<br><br>    network = {<br>      vpc              = "management_vpc"<br>      vpc_subnet       = "management_vpc-mgmt"<br>      security_group   = "panorama_mgmt"<br>      create_public_ip = true<br>    }<br><br>    ebs = {<br>      volumes = [<br>        {<br>          name            = "ebs-1"<br>          ebs_device_name = "/dev/sdb"<br>          ebs_size        = "2000"<br>          ebs_encrypted   = true<br>        },<br>        {<br>          name            = "ebs-2"<br>          ebs_device_name = "/dev/sdc"<br>          ebs_size        = "2000"<br>          ebs_encrypted   = true<br>        }<br>      ]<br>      kms_key_alias = "aws/ebs"<br>    }<br><br>    iam = {<br>      create_role = true<br>      role_name   = "panorama"<br>    }<br><br>    enable_imdsv2 = false<br>  }<br>}</pre> | <pre>map(object({<br>    instances = map(object({<br>      az                 = string<br>      private_ip_address = string<br>    }))<br><br>    panos_version = string<br><br>    network = object({<br>      vpc              = string<br>      vpc_subnet       = string<br>      security_group   = string<br>      create_public_ip = bool<br>    })<br><br>    ebs = object({<br>      volumes = list(object({<br>        name            = string<br>        ebs_device_name = string<br>        ebs_size        = string<br>        ebs_encrypted   = bool<br>      }))<br>      kms_key_alias = string<br>    })<br><br>    iam = object({<br>      create_role = bool<br>      role_name   = string<br>    })<br><br>    enable_imdsv2 = bool<br>  }))</pre> | `{}` | no |
+| <a name="input_panoramas"></a> [panoramas](#input\_panoramas) | A map defining Panorama instances<br><br>Following properties are available:<br>- `instances`: map of Panorama instances with attributes:<br>  - `az`: name of the Availability Zone<br>  - `private_ip_address`: private IP address for management interface<br>- `panos_version`: PAN-OS version used for Panorama<br>- `network`: definition of network settings in object with attributes:<br>  - `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br>  - `vpc_subnet`: key of the VPC and subnet connected by '-' character<br>  - `security_group`: security group assigned to ENI used by Panorama<br>  - `create_public_ip`: true, if public IP address for management should be created<br>- `ebs`: EBS settings defined in object with attributes:<br>  - `volumes`: list of EBS volumes attached to each instance<br>  - `kms_key_alias`: KMS key alias used for encrypting Panorama EBS<br>- `iam`: IAM settings in object with attrbiutes:<br>  - `create_role`: enable creation of IAM role<br>  - `role_name`: name of the role to create or use existing one<br>- `enable_imdsv2`: whether to enable IMDSv2 on the EC2 instance<br><br>Example:<pre>{<br>  panorama_ha_pair = {<br>    instances = {<br>      "primary" = {<br>        az                 = "eu-central-1a"<br>        private_ip_address = "10.255.0.4"<br>      }<br>      "secondary" = {<br>        az                 = "eu-central-1b"<br>        private_ip_address = "10.255.1.4"<br>      }<br>    }<br><br>    panos_version = "10.2.3"<br><br>    network = {<br>      vpc              = "management_vpc"<br>      vpc_subnet       = "management_vpc-mgmt"<br>      security_group   = "panorama_mgmt"<br>      create_public_ip = true<br>    }<br><br>    ebs = {<br>      volumes = [<br>        {<br>          name            = "ebs-1"<br>          ebs_device_name = "/dev/sdb"<br>          ebs_size        = "2000"<br>          ebs_encrypted   = true<br>        },<br>        {<br>          name            = "ebs-2"<br>          ebs_device_name = "/dev/sdc"<br>          ebs_size        = "2000"<br>          ebs_encrypted   = true<br>        }<br>      ]<br>      kms_key_alias = "aws/ebs"<br>    }<br><br>    iam = {<br>      create_role = true<br>      role_name   = "panorama"<br>    }<br><br>    enable_imdsv2 = false<br>  }<br>}</pre> | <pre>map(object({<br>    instances = map(object({<br>      az                 = string<br>      private_ip_address = string<br>    }))<br><br>    panos_version = string<br><br>    network = object({<br>      vpc              = string<br>      vpc_subnet       = string<br>      security_group   = string<br>      create_public_ip = bool<br>    })<br><br>    ebs = object({<br>      volumes = list(object({<br>        name            = string<br>        ebs_device_name = string<br>        ebs_size        = string<br>      }))<br>      encrypted     = bool<br>      kms_key_alias = string<br>    })<br><br>    iam = object({<br>      create_role = bool<br>      role_name   = string<br>    })<br><br>    enable_imdsv2 = bool<br>  }))</pre> | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes |
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br><br>Following properties are available:<br>- `name`: VPC name<br>- `cidr`: CIDR for VPC<br>- `security_groups`: map of security groups<br>- `subnets`: map of subnets with properties:<br>   - `az`: availability zone<br>   - `set`: internal identifier referenced by main.tf<br>- `routes`: map of routes with properties:<br>   - `vpc_subnet`: built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br>   - `to_cidr`: destination IP range<br>   - `next_hop_key`: must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br>   - `next_hop_type`: internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br><br>Example:<pre>{<br>  security_vpc = {<br>    name = "security-vpc"<br>    cidr = "10.100.0.0/16"<br>    security_groups = {<br>      panorama_mgmt = {<br>        name = "panorama_mgmt"<br>        rules = {<br>          all_outbound = {<br>            description = "Permit All traffic outbound"<br>            type        = "egress", from_port = "0", to_port = "0", protocol = "-1"<br>            cidr_blocks = ["0.0.0.0/0"]<br>          }<br>          https = {<br>            description = "Permit HTTPS"<br>            type        = "ingress", from_port = "443", to_port = "443", protocol = "tcp"<br>            cidr_blocks = ["130.41.247.0/24"]<br>          }<br>          ssh = {<br>            description = "Permit SSH"<br>            type        = "ingress", from_port = "22", to_port = "22", protocol = "tcp"<br>            cidr_blocks = ["130.41.247.0/24"]<br>          }<br>        }<br>      }<br>    }<br>    subnets = {<br>      "10.100.0.0/24"  = { az = "eu-central-1a", set = "mgmt" }<br>      "10.100.64.0/24" = { az = "eu-central-1b", set = "mgmt" }<br>    }<br>    routes = {<br>      mgmt_default = {<br>        vpc_subnet    = "security_vpc-mgmt"<br>        to_cidr       = "0.0.0.0/0"<br>        next_hop_key  = "security_vpc"<br>        next_hop_type = "internet_gateway"<br>      }<br>    }<br>  }<br>}</pre> | <pre>map(object({<br>    name            = string<br>    cidr            = string<br>    security_groups = any<br>    subnets = map(object({<br>      az  = string<br>      set = string<br>    }))<br>    routes = map(object({<br>      vpc_subnet    = string<br>      to_cidr       = string<br>      next_hop_key  = string<br>      next_hop_type = string<br>    }))<br>  }))</pre> | `{}` | no |
diff --git a/examples/panorama_standalone/example.tfvars b/examples/panorama_standalone/example.tfvars
index 0ea17b1..b11ea35 100644
--- a/examples/panorama_standalone/example.tfvars
+++ b/examples/panorama_standalone/example.tfvars
@@ -86,15 +86,14 @@ panoramas = {
           name            = "ebs-1"
           ebs_device_name = "/dev/sdb"
           ebs_size        = "2000"
-          ebs_encrypted   = true
         },
         {
           name            = "ebs-2"
           ebs_device_name = "/dev/sdc"
           ebs_size        = "2000"
-          ebs_encrypted   = true
         }
       ]
+      encrypted     = true
       kms_key_alias = "aws/ebs"
     }
 
diff --git a/examples/panorama_standalone/main.tf b/examples/panorama_standalone/main.tf
index 7937cbd..2482ab1 100644
--- a/examples/panorama_standalone/main.tf
+++ b/examples/panorama_standalone/main.tf
@@ -141,7 +141,7 @@ data "aws_ebs_default_kms_key" "this" {
 }
 
 data "aws_kms_alias" "this" {
-  for_each = { for panorama in local.panorama_instances : "${panorama.group}-${panorama.instance}" => panorama if anytrue([for ebs in panorama.common.ebs.volumes : ebs.ebs_encrypted]) }
+  for_each = { for panorama in local.panorama_instances : "${panorama.group}-${panorama.instance}" => panorama if panorama.common.ebs.encrypted }
 
   name = each.value.common.ebs.kms_key_alias != null ? "alias/${each.value.common.ebs.kms_key_alias}" : data.aws_ebs_default_kms_key.this.key_arn
 }
@@ -167,6 +167,7 @@ module "panorama" {
   create_public_ip       = each.value.common.network.create_public_ip
   private_ip_address     = each.value.private_ip_address
   ebs_volumes            = each.value.common.ebs.volumes
+  ebs_encrypted          = each.value.common.ebs.encrypted
   panorama_version       = each.value.common.panos_version
   ssh_key_name           = var.ssh_key_name
   ebs_kms_key_alias      = try(data.aws_kms_alias.this[each.key].target_key_arn, null)
diff --git a/examples/panorama_standalone/variables.tf b/examples/panorama_standalone/variables.tf
index 1d0b3bb..5ad11a4 100644
--- a/examples/panorama_standalone/variables.tf
+++ b/examples/panorama_standalone/variables.tf
@@ -194,8 +194,8 @@ variable "panoramas" {
         name            = string
         ebs_device_name = string
         ebs_size        = string
-        ebs_encrypted   = bool
       }))
+      encrypted     = bool
       kms_key_alias = string
     })