This is the official Terraform Provider for the Palo Alto Networks Cortex Cloud platform.
terraform {
required_providers {
cortexcloud = {
source = "paloaltonetworks/cortexcloud"
version = "1.0.7"
}
}
}
# Configure the Cortex Cloud provider
provider "cortexcloud" {
api_url = "https://api-cortexcloud.xdr.us.paloaltonetworks.com"
api_key = "your-api-key-here"
api_key_id = 100
api_key_type = "advanced" # Possible values are "standard" or "advanced". Defaults to "advanced".
}Before you begin using the provider, you will need to create an API key in your Cortex Cloud tenant. This can be done by opening the console in your web browser and navigating to Settings > Configurations, selecting API Keys under the Integrations section, and clicking the New Key button in the top-right corner.
You will also need to retrieve your API URL by clicking the Copy API URL button on the same page, next to the New Key button. If you cannot access this page, you can derive your API URL by taking your tenant's FQDN and prepending api- to it (i.e. https://api-{fqdn}).
Note
It is recommended that you create a dedicated API key for use with the Cortex Cloud Terraform provider so that you may easily track any changes to your configurations made via Terraform.
Note
While not a hard requirement, we recommend using an Advanced API Key for added security. Additional information on API key types can be found in the official documentation as well as the schema breakdown below.
Ensure that the provider's api_key_type value matches the type of API key being provided ("standard" for a standard key or "advanced" for an advanced key).
There are multiple ways to specify the provider configuration values. The supported methods are listed below, in the order in which they are applied:
- Parameters in the provider block
- Environment variables
- Configuration file (in JSON format)
Credentials can be provided through the cortexcloud provider block:
provider "cortexcloud" {
# Required
api_url = "https://api-cortexcloud.xdr.us.paloaltonetworks.com"
api_key = "your-api-key-here"
api_key_id = 100
# Optional
api_key_type = "advanced"
sdk_log_level = "info"
request_timeout = 60
request_max_retries = 3
request_max_retry_delay = 60
crash_stack_dir = "/var/tmp"
}Credentials can be provided by using the CORTEXCLOUD_API_URL, CORTEXCLOUD_API_KEY, CORTEXCLOUD_API_KEY_ID environment variables.
If you are using an Advanced API key, you will also need to set the api_key_type attribute using the CORTEXCLOUD_API_KEY_TYPE environment variable.
Example:
provider "cortexcloud" {}export CORTEXCLOUD_API_URL="https://api-cortexcloud.xdr.us.paloaltonetworks.com"
export CORTEXCLOUD_API_KEY="your-api-key-here"
export CORTEXCLOUD_API_KEY_ID=100
export CORTEXCLOUD_API_KEY_TYPE="advanced"Credentials can be provided by creating a JSON file with the following structure and configuring the provider's config_file attribute with the full or relative filepath:
provider "cortexcloud" {
config_file = "./cortexcloud_config.json"
}{
"api_url": "https://api-cortexcloud.xdr.us.paloaltonetworks.com",
"api_key": "your-api-key-here",
"api_key_id": 100,
"api_key_type": "advanced",
"sdk_log_level": "info",
"request_timeout": 60,
"request_max_retries": 3,
"request_max_retry_delay": 60,
"crash_stack_dir": "/var/tmp"
}- Updated provider documentation and schema reference for all resources and data sources
- Fixed version reference in provider usage example
- Enriched User-Agent header with Terraform provider and CLI version information
- Added auto-pagination for compliance and AppSec data sources
- Added input validation for various resource attributes
- Updated Azure cloud integration template documentation with onboarding instructions
- Improved resource examples across multiple domains
- Fixed compliance data sources not honoring practitioner-configured pagination controls
- Removed Cortex API credentials from debug log messages
- New Resource:
cortexcloud_appsec_rule - New Resource:
cortexcloud_appsec_policy - New Resource:
cortexcloud_cloudsec_rule - New Resource:
cortexcloud_cloudsec_policy - New Resource:
cortexcloud_compliance_assessment_profile - New Resource:
cortexcloud_compliance_control - New Resource:
cortexcloud_compliance_standard - New Resource:
cortexcloud_cwp_policy - New Resource:
cortexcloud_notification_forwarding_config_agent_audit_logs - New Resource:
cortexcloud_notification_forwarding_config_mgmt_audit_logs - New Resource:
cortexcloud_notification_forwarding_config_cases - New Resource:
cortexcloud_notification_forwarding_config_issues - New Resource:
cortexcloud_vulnerability_policy - New Data Source:
cortexcloud_appsec_rule - New Data Source:
cortexcloud_appsec_rules - New Data Source:
cortexcloud_appsec_rule_labels - New Data Source:
cortexcloud_appsec_policy - New Data Source:
cortexcloud_appsec_policies - New Data Source:
cortexcloud_cloudsec_policy - New Data Source:
cortexcloud_cloudsec_rule - New Data Source:
cortexcloud_cloudsec_rules - New Data Source:
cortexcloud_compliance_assessment_profile - New Data Source:
cortexcloud_compliance_control - New Data Source:
cortexcloud_compliance_controls - New Data Source:
cortexcloud_compliance_standard - New Data Source:
cortexcloud_compliance_standards - New Data Source:
cortexcloud_cwp_policy - New Data Source:
cortexcloud_cwp_policies - New Data Source:
cortexcloud_vulnerability_policy - New Data Source:
cortexcloud_vulnerability_policies
- Addressed missing attribute descriptions in various resource and data sources across all domains
- Added validation check against the
api_key_typeattribute in the provider configuration block.
- Fixed
cortexcloud_user_groupresource not accounting for users with effective membership via SSO/JIT authentication against one or more of the configured SAML groups. Theusersattribute now reflects only users that have been directly added to the group in the Terraform resource. See resource documentation page for more information. - Changed attribute types for the
cortexcloud_user_groupresource'sidp_groups,nested_groupsandusersattributes from List to Set to preserve ordering from the upstream API response. - Fixed
outpost_idnot being honored on create or update for thecortexcloud_cloud_integration_template_aws,cortexcloud_cloud_integration_template_azure, andcortexcloud_cloud_integration_template_gcpresources. The configured outpost (or the platform-managed outpost used when thescan_modeattribute is set to"MANAGED") is now correctly applied and refreshed on read. - Fixed an incorrect attribute description on the
collectorfield of thecortexcloud_cloud_integration_instancedata source, which previously mirrored thecloud_providerdescription.
- The provider's
fqdnconfiguration attribute and theCORTEXCLOUD_FQDNenvironment variable have been removed. Useapi_url(orCORTEXCLOUD_API_URL) instead.
- Updated documentation for outpost resources and data sources with additional details and improved clarity.
- Correct reference to unreleased version in usage example in README
- Updated examples for asset group resource with working implementation and an additional example for static scope filters.
- Various minor updates to project documentation.
- Fixed sprawling attribute schema in asset group resource documentation and added patch step to prevent overwriting in future doc updates.
- Initial GA release