

This Terraform Module creates a PAN-OS bootstrap package in an AWS S3 bucket to be used for bootstrapping Palo Alto Networks VM-Series virtual firewall instances. A bootstrap package must include an init-cfg.txt file that provides the basic configuration details to configure the VM-Series instance and register it with its Panorama management console. If this file does not exist, it will be generated by this module using the variables provided.

The bootstrap package may optionally include a PAN-OS software image, application and threat signature updates, VM-Series plug-ins, and/or license files.


Directory and file structure

The root directory of the Terraform plan calling this module should include a files directory containing a subdirectory structure similar to the one below.

├── config
├── content
├── license
├── plugins
└── software



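provider "aws" {
  region = var.bootstrap_region
}

module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  hostname           = "my-firewall"
  # FQDN or IP address of the primary and secondary Panorama servers
  panorama-server    = ""
  panorama-server2   = ""
  tplname            = "My Firewall Template" # Panorama template stack name
  dgname             = "My Firewalls"         # Panorama device group name
  # Placeholder value; the key is written into the generated init-cfg.txt
  vm-auth-key        = "supersecretauthkey"
  plugin-op-commands = "aws-gwlb-inspect:enable"
}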


  1. Define a file that calls the module and provides any required and optional variables.
  2. Define a file that declares the variables that will be utilized.
  3. (OPTIONAL) Define an file to capture and display the module return values.
  4. Create the directories files/config, files/software, files/content, files/license, and files/plugins.
  5. (OPTIONAL) Add software images, content updates, plugins, and license files to their respective subdirectories.
  6. (OPTIONAL) Define a terraform.tfvars file containing the required variables and associated values.
  7. Initialize the providers and modules with the terraform init command.
  8. Validate the plan using the terraform plan command.
  9. Apply the plan using the terraform apply command.
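The usage example above passes `vm-auth-key` as a string literal. The following added example (not the module's own code) shows one way to call the module with the key declared as a sensitive variable and with public access to the bootstrap bucket blocked. The variable names `vm_auth_key` and `panorama_server` are hypothetical, and the example assumes the module does not already manage a public access block on its bucket.

```hcl
# Added example (not the module's own code). var.vm_auth_key and
# var.panorama_server are hypothetical names chosen for this sketch.
variable "bootstrap_region" {
  type = string
}

variable "panorama_server" {
  description = "FQDN or IP address of the primary Panorama server."
  type        = string
}

variable "vm_auth_key" {
  description = "VM auth key used to register the firewall with Panorama."
  type        = string
  sensitive   = true # redacted in plan/apply output; still stored in state
}

provider "aws" {
  region = var.bootstrap_region
}

module "panos-bootstrap" {
  source = "../../modules/bootstrap"

  hostname        = "my-firewall"
  panorama-server = var.panorama_server
  tplname         = "My Firewall Template"
  dgname          = "My Firewalls"
  vm-auth-key     = var.vm_auth_key # supplied at run time, not committed
  force_destroy   = false           # keep a bucket that holds unknown objects
}

# Assumption: the module does not already manage this setting on its bucket.
# init-cfg.txt is generated from the variables above, so it carries the key.
resource "aws_s3_bucket_public_access_block" "bootstrap" {
  bucket                  = module.panos-bootstrap.bucket_id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "bootstrap_bucket_name" {
  value = module.panos-bootstrap.bucket_name
}
```

Supply the key through the `TF_VAR_vm_auth_key` environment variable or a `terraform.tfvars` file that is excluded from version control. The `sensitive` flag only hides the value in CLI output, so the state file and the bucket contents still need access controls.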



Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0.0, < 2.0.0 |
| aws | ~> 5.17 |
| random | ~> 3.3.2 |


Providers

| Name | Version |
|------|---------|
| aws | ~> 5.17 |
| random | ~> 3.3.2 |


No modules.


Resources

| Name | Type |
|------|------|
| aws_iam_role.this | data source |
| aws_partition.this | data source |
| aws_s3_bucket.this | data source |


Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bootstrap_directories | List of subdirectories to be created inside the bucket (whether or not they exist locally inside the source_root_directory). A hardcoded pan-os requirement. | list(string) | | |
| bucket_name | Name of a bucket to reuse or create (depending on create_bucket value). In the latter case, if empty, the name will be auto-generated. | string | "" | no |
| create_bucket | If true, a new bucket will be created. When false, the name of an existing bucket to use has to be provided in the bucket_name variable. | bool | true | no |
| create_iam_role_policy | If true, a new IAM role with policy will be created. When false, the name of an existing IAM role to use has to be provided in the iam_role_name variable. | bool | true | no |
| dgname | The Panorama device group name. | string | "" | no |
| dhcp_accept_server_domain | The DHCP server determines a value of yes or no. If yes, the firewall accepts its DNS server from the DHCP server. | string | "yes" | no |
| dhcp_accept_server_hostname | The DHCP server determines a value of yes or no. If yes, the firewall accepts its hostname from the DHCP server. | string | "yes" | no |
| dhcp_send_client_id | The DHCP server determines a value of yes or no. If yes, the firewall sends its client ID to the DHCP server. | string | "yes" | no |
| dhcp_send_hostname | The DHCP server determines a value of yes or no. If yes, the firewall sends its hostname to the DHCP server. | string | "yes" | no |
| dns-primary | The IP address of the primary DNS server. | string | "" | no |
| dns-secondary | The IP address of the secondary DNS server. | string | "" | no |
| force_destroy | Set to false to prevent Terraform from destroying a bucket with unknown objects or locked objects. | bool | true | no |
| global_tags | Map of arbitrary tags to apply to all | | {} | no |
| hostname | The hostname of the VM-Series instance. | string | "" | no |
| iam_instance_profile_name | Name of the instance profile to create. If empty, the name will be auto-generated. | string | "" | no |
| iam_role_name | Name of an IAM role to reuse or create (depending on create_iam_role_policy value). | string | null | no |
| op-command-modes | Set jumbo-frame and/or mgmt-interface-swap. | string | "" | no |
| panorama-server | The FQDN or IP address of the primary Panorama server. | string | "" | no |
| panorama-server2 | The FQDN or IP address of the secondary Panorama server. | string | "" | no |
| plugin-op-commands | Set plugin-op-commands. | string | "" | no |
| prefix | The prefix to use for bucket name, IAM role name, and IAM role policy name. A dash "-" is allowed as the last character. | string | "bootstrap-" | no |
| source_root_directory | The source directory to become the bucket's root directory. If empty, the files subdirectory of the Terraform configuration root directory is used. | string | "" | no |
| tplname | The Panorama template stack name. | string | "" | no |
| vm-auth-key | Virtual machine authentication key. | string | "" | no |


Outputs

| Name | Description |
|------|-------------|
| bucket_domain_name | Global domain name of the bucket. |
| bucket_id | AWS identifier of the bucket. |
| bucket_name | Name of the bucket. |
| bucket_regional_domain_name | Regional domain name of the bucket. |
| iam_role_arn | ARN of created or used IAM role. |
| iam_role_name | Name of created or used IAM role. |
| instance_profile_name | Name of created IAM instance profile. |