Palo Alto Networks VM-Series Module for AWS
A Terraform module for deploying a VM-Series firewall in AWS cloud.
Usage
For example usage, please refer to the examples directory.
VMSeries Lifecycle policy
Changes to the user data bootstrap entries do not affect existing VM-Series EC2 instances, because user data is only read at first boot. The recommended method to replace an existing VM after such a change is `terraform taint`.
Reference
Requirements
Name | Version |
---|---|
terraform | >= 1.0.0, < 2.0.0 |
aws | ~> 5.17 |
Providers
Name | Version |
---|---|
aws | ~> 5.17 |
Modules
No modules.
Resources
Name | Type |
---|---|
aws_eip.this | resource |
aws_eip_association.this | resource |
aws_instance.this | resource |
aws_network_interface.this | resource |
aws_network_interface_attachment.this | resource |
aws_ami.this | data source |
aws_ebs_default_kms_key.current | data source |
aws_kms_alias.current_arn | data source |
Inputs
Name | Description | Type | Default | Required |
---|---|---|---|---|
bootstrap_options | VM-Series bootstrap options to provide using instance user data. The contents determine the type of bootstrap method to use. If empty (the default), the bootstrap process is not triggered at all. For more information on available methods, refer to the VM-Series documentation for the specific version. For version 10.0 the docs are available here. | string | "" | no |
ebs_encrypted | Whether to enable EBS encryption on volumes. | bool | true | no |
ebs_kms_key_alias | The alias for the customer managed KMS key to use for volume encryption. Should be prepended with the word "alias" followed by a forward slash (alias/example-key-alias). If null (the default), the default master key that protects EBS volumes will be used. | string | null | no |
eip_domain | Indicates if this EIP is for use in VPC | string | "vpc" | no |
enable_imdsv2 | Whether to enable IMDSv2 on the EC2 instance. Support for this feature has been added in VM-Series Plugin 3.0.0, which in turn requires VM-Series version 10.2.0 at minimum. | string | false | no |
enable_instance_termination_protection | Whether to enable termination protection on the EC2 instance. | bool | false | no |
iam_instance_profile | IAM instance profile. | string | null | no |
instance_type | EC2 instance type. | string | "m5.xlarge" | no |
interfaces | Map of the network interface specifications. If the "mgmt-interface-swap" bootstrap option is enabled, ensure the dataplane interface device_index is set to 0 and the firewall management interface device_index is set to 1.<br>Available options:<br>- device_index = (Required\|int) Determines the order in which interfaces are attached to the instance. The interface with index 0 is attached at boot time.<br>- subnet_id = (Required\|string) Subnet ID to create the ENI in.<br>- name = (Optional\|string) Name tag for the ENI. Defaults to the instance name suffixed by the map's key.<br>- description = (Optional\|string) A descriptive name for the ENI.<br>- create_public_ip = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.<br>- eip_allocation_id = (Optional\|string) Associate an existing EIP with the ENI.<br>- private_ips = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.<br>- public_ipv4_pool = (Optional\|string) EC2 IPv4 address pool identifier.<br>- source_dest_check = (Optional\|bool) Whether to enable source/destination checking for the ENI. Defaults to false.<br>- security_group_ids = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.<br>Example:<pre>interfaces = { mgmt = { device_index = 0, subnet_id = aws_subnet.mgmt.id, name = "mgmt", create_public_ip = true, source_dest_check = true, security_group_ids = ["sg-123456"] }, public = { device_index = 1, subnet_id = aws_subnet.public.id, name = "public", create_public_ip = true }, private = { device_index = 2, subnet_id = aws_subnet.private.id, name = "private" } }</pre> | map(any) | n/a | yes |
name | Name of the VM-Series instance. | string | null | no |
ssh_key_name | Name of AWS keypair to associate with instances. | string | n/a | yes |
tags | Map of additional tags to apply to all resources. | map(any) | {} | no |
vmseries_ami_id | Specific AMI ID to use for VM-Series instance. If null (the default), vmseries_version and vmseries_product_code vars are used to determine a public image to use. | string | null | no |
vmseries_product_code | Product code corresponding to the chosen VM-Series license type model; the default is BYOL. To check the available license type models and their codes, refer to the VM-Series documentation. | string | "6njl1pau431dv1qxipg63mvah" | no |
vmseries_version | VM-Series Firewall version to deploy. To list all available VM-Series versions, run the command provided below. Keep in mind that the product code may need to be updated; check the vmseries_product_code variable for more information.<pre>aws ec2 describe-images --region us-west-1 --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" "Name=name,Values=PA-VM-AWS*" --output json --query "Images[].Description" \| grep -o 'PA-VM-AWS-.*' \| sort</pre> | string | "10.2.0" | no |
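The following module call is an added example written for this page; it is not taken from the module's examples directory. It wires together the inputs documented in the table above with the hardening options the module exposes (EBS encryption with a customer managed key, IMDSv2, termination protection) and shows the interface layout required when the "mgmt-interface-swap" bootstrap option is enabled: the dataplane ENI at device_index 0 and the management ENI at device_index 1. The module source path, the subnet, security group, IAM instance profile and key pair references, and the KMS alias name are all assumptions that must exist in the surrounding configuration.

```hcl
# Added example (not from the module's own examples directory). Assumes the
# module is vendored at ./modules/vmseries and that the subnets, security
# groups, instance profile and EC2 key pair referenced below are defined
# elsewhere in the root module.
module "vmseries" {
  source = "./modules/vmseries" # assumed local path

  name             = "vmseries-01"
  ssh_key_name     = "vmseries-key" # assumed existing EC2 key pair
  vmseries_version = "10.2.0"
  instance_type    = "m5.xlarge"

  # Hardening options exposed by the module's inputs.
  ebs_encrypted                          = true
  ebs_kms_key_alias                      = "alias/vmseries-ebs" # assumed CMK alias; must start with "alias/"
  enable_imdsv2                          = true                 # requires VM-Series >= 10.2.0 with plugin 3.0.0
  enable_instance_termination_protection = true
  iam_instance_profile                   = aws_iam_instance_profile.vmseries.name # assumed

  # Enabling the management interface swap means the dataplane ENI must be
  # attached first (device_index 0) and the management ENI second (device_index 1).
  bootstrap_options = "mgmt-interface-swap=enable"

  interfaces = {
    public = {
      device_index       = 0 # dataplane ENI, attached at boot
      subnet_id          = aws_subnet.public.id
      name               = "public"
      create_public_ip   = true
      source_dest_check  = false # the firewall forwards traffic it does not own
      security_group_ids = [aws_security_group.public.id]
    }
    mgmt = {
      device_index       = 1 # management ENI after the swap
      subnet_id          = aws_subnet.mgmt.id
      name               = "mgmt"
      create_public_ip   = true
      source_dest_check  = true
      security_group_ids = [aws_security_group.mgmt.id]
    }
    private = {
      device_index       = 2
      subnet_id          = aws_subnet.private.id
      name               = "private"
      source_dest_check  = false
      security_group_ids = [aws_security_group.private.id]
    }
  }

  tags = {
    Environment = "prod"
    ManagedBy   = "terraform"
  }
}

# Public IPs created by the module, keyed by interface name.
output "vmseries_public_ips" {
  value = module.vmseries.public_ips
}
```

Because user data is only consumed at first boot, editing `bootstrap_options` in this call does not change the running firewall; following the lifecycle note above, run `terraform taint module.vmseries.aws_instance.this` and then `terraform apply` to recreate the instance with the new bootstrap entries (the module address `module.vmseries` is the name chosen in this example).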
Outputs
Name | Description |
---|---|
instance | n/a |
interfaces | Map of VM-Series network interfaces. The entries are aws_network_interface objects. |
public_ips | Map of public IPs created within the module. |