Skip to main content

Palo Alto Networks VM-Series Module for AWS

A Terraform module for deploying a VM-Series firewall in AWS cloud.

GitHub Logo Terraform Logo

Usage

For example usage, please refer to the examples directory.

VMSeries Lifecycle policy

The changes in user data bootstrap entries will not affect the existing VM-Series EC2 instances. The recommended method to replace existing VM is to use terraform taint.

Reference

Requirements

NameVersion
terraform>= 1.0.0, < 2.0.0
aws~> 5.17

Providers

NameVersion
aws~> 5.17

Modules

No modules.

Resources

NameType
aws_eip.thisresource
aws_eip_association.thisresource
aws_instance.thisresource
aws_network_interface.thisresource
aws_network_interface_attachment.thisresource
aws_ami.thisdata source
aws_ebs_default_kms_key.currentdata source
aws_kms_alias.current_arndata source

Inputs

NameDescriptionTypeDefaultRequired
bootstrap_optionsVM-Series bootstrap options to provide using instance user data. Contents determine type of bootstap method to use.
If empty (the default), bootstrap process is not triggered at all.
For more information on available methods, please refer to VM-Series documentation for specific version.
For 10.0 docs are available here.		string""no
ebs_encryptedWhether to enable EBS encryption on volumes.booltrueno
ebs_kms_key_aliasThe alias for the customer managed KMS key to use for volume encryption. Should be prepended with the word "alias" followed by a forward slash (alias/example-key-alias).
If null (the default), the default master key that protects EBS volumes will be used.		stringnullno
eip_domainIndicates if this EIP is for use in VPCstring"vpc"no
enable_imdsv2Whether to enable IMDSv2 on the EC2 instance.
Support for this feature has been added in VM-Series Plugin 3.0.0, which in turn requires VM-Series version 10.2.0 at minimum.		stringfalseno
enable_instance_termination_protectionWhether to enable termination protection on the EC2 instance.boolfalseno
iam_instance_profileIAM instance profile.stringnullno
instance_typeEC2 instance type.string"m5.xlarge"no
interfacesMap of the network interface specifications.
If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface device_index is set to 0 and the firewall management interface device_index is set to 1.
Available options:
- device_index = (Required|int) Determines order in which interfaces are attached to the instance. Interface with 0 is attached at boot time.
- subnet_id = (Required|string) Subnet ID to create the ENI in.
- name = (Optional|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.
- description = (Optional|string) A descriptive name for the ENI.
- create_public_ip = (Optional|bool) Whether to create a public IP for the ENI. Defaults to false.
- eip_allocation_id = (Optional|string) Associate an existing EIP to the ENI.
- private_ips = (Optional|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.
- public_ipv4_pool = (Optional|string) EC2 IPv4 address pool identifier.
- source_dest_check = (Optional|bool) Whether to enable source destination checking for the ENI. Defaults to false.
- security_group_ids = (Optional|list) A list of Security Group IDs to assign to this interface. Defaults to null.

Example:
interfaces = {
  mgmt = {
    device_index       = 0
    subnet_id          = aws_subnet.mgmt.id
    name               = "mgmt"
    create_public_ip   = true
    source_dest_check  = true
    security_group_ids = ["sg-123456"]
  },
  public = {
    device_index     = 1
    subnet_id        = aws_subnet.public.id
    name             = "public"
    create_public_ip = true
  },
  private = {
    device_index = 2
    subnet_id    = aws_subnet.private.id
    name         = "private"
  },
]
map(any)n/ayes
nameName of the VM-Series instance.stringnullno
ssh_key_nameName of AWS keypair to associate with instances.stringn/ayes
tagsMap of additional tags to apply to all resources.map(any){}no
vmseries_ami_idSpecific AMI ID to use for VM-Series instance.
If null (the default), vmseries_version and vmseries_product_code vars are used to determine a public image to use.		stringnullno
vmseries_product_codeProduct code corresponding to a chosen VM-Series license type model - by default - BYOL.
To check the available license type models and their codes, please refer to the
VM-Series documentation		string"6njl1pau431dv1qxipg63mvah"no
vmseries_versionVM-Series Firewall version to deploy.
To list all available VM-Series versions, run the command provided below.
Please have in mind that the product-code may need to be updated - check the vmseries_product_code variable for more information.
aws ec2 describe-images --region us-west-1 --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" "Name=name,Values=PA-VM-AWS" --output json --query "Images[].Description" | grep -o 'PA-VM-AWS-.' | sort
string"10.2.0"no

Outputs

NameDescription
instancen/a
interfacesMap of VM-Series network interfaces. The entries are aws_network_interface objects.
public_ipsMap of public IPs created within the module.