Skip to main content

Palo Alto Networks Panorama Module for AWS

A Terraform module for deploying Panorama in AWS cloud.

Panorama deployed on AWS is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log Collector, and Management Only), and shares the same processes and functionality as the M-Series hardware appliances. For more information on Panorama modes, see Panorama Models.

GitHub Logo Terraform Logo

Usage

For usage, check the "examples" folder in the root of the repository.

Reference

Requirements

NameVersion
terraform>= 1.0.0, < 2.0.0
aws~> 5.17

Providers

NameVersion
aws~> 5.17

Modules

No modules.

Resources

NameType
aws_ebs_volume.thisresource
aws_eip.thisresource
aws_instance.thisresource
aws_volume_attachment.thisresource
aws_ami.thisdata source
aws_ebs_default_kms_key.currentdata source
aws_kms_alias.current_arndata source

Inputs

NameDescriptionTypeDefaultRequired
availability_zoneAvailability zone in which Panorama will be deployed.stringn/ayes
create_public_ipIf true, create an Elastic IP address for Panorama.boolfalseno
ebs_encryptedWhether to enable EBS encryption on root volume.booltrueno
ebs_kms_key_aliasThe alias for the customer managed KMS key to use for volume encryption.
If this is set to null the default master key that protects EBS volumes will be used
stringnullno
ebs_volumesList of EBS volumes to create and attach to Panorama.
Available options:
- name (Optional) Name tag for the EBS volume. If not provided defaults to the value of var.name.
- ebs_device_name (Required) The EBS device name to expose to the instance (for example, /dev/sdh or xvdh).
See Device Naming on Linux Instances for more information.
- ebs_size (Optional) The size of the EBS volume in GiBs. Defaults to 2000 GiB.
- force_detach (Optional) Set to true if you want to force the volume to detach. Useful if previous attempts failed, but use this option only as a last resort, as this can result in data loss.
- skip_destroy (Optional) Set this to true if you do not wish to detach the volume from the instance to which it is attached at destroy time, and instead just remove the attachment from Terraform state.
This is useful when destroying an instance attached to third-party volumes.

Note: Terraform must be running with credentials which have the GenerateDataKeyWithoutPlaintext permission on the specified KMS key
as required by the EBS KMS CMK volume provisioning process to prevent a volume from being created and almost immediately deleted.
If null, the default EBS encryption KMS key in the current region is used.

Example:ebs_volumes = [
{
name = "ebs-1"
ebs_device_name = "/dev/sdb"
ebs_size = "2000"
},
{
name = "ebs-2"
ebs_device_name = "/dev/sdb"
ebs_size = "2000"
},
{
name = "ebs-3"
ebs_device_name = "/dev/sdb"
ebs_size = "2000"
},
]
list(any)[]no
eip_domainIndicates if this EIP is for use in VPCstring"vpc"no
enable_imdsv2Whether to enable IMDSv2 on the EC2 instance.
Support for this feature has been added in VM-Series Plugin 3.0.0, which in turn requires PAN-OS version 10.2.0 at minimum.
stringfalseno
global_tagsA map of tags to assign to the resources.
If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level."
map(any){}no
instance_typeEC2 instance type for Panorama. Default set to Palo Alto Networks recommended instance type.string"c5.4xlarge"no
nameName for the Panorama instance.string"pan-panorama"no
panorama_ami_idSpecific AMI ID to use for Panorama instance.
If null (the default), panorama_version and product_code vars are used to determine a public image to use.
stringnullno
panorama_iam_roleIAM Role attached to Panorama instance contained curated IAM Policy.stringn/ayes
panorama_versionPanorama PAN-OS Software version. List published images with:aws ec2 describe-images \
--filters "Name=product-code,Values=eclz7j04vu9lf8ont8ta3n17o" "Name=name,Values=Panorama-AWS*" \
--output json --query "Images[].Description" | grep -o 'Panorama-AWS-.*' | tr -d '",'
string"10.1.5"no
private_ip_addressIf provided, associates a private IP address to the Panorama instance.stringnullno
product_codeProduct code for Panorama BYOL license.string"eclz7j04vu9lf8ont8ta3n17o"no
ssh_key_nameAWS EC2 key pair name.stringn/ayes
subnet_idVPC Subnet ID to launch Panorama in.stringn/ayes
vpc_security_group_idsA list of security group IDs to associate Panorama with.list(any)[]no

Outputs

NameDescription
mgmt_ip_private_addressPanorama private IP address.
mgmt_ip_public_addressPanorama management IP address. If create_public_ip is set to true, it will output the public IP address otherwise it will show the 'no public IP assigned to Panorama' message.