Palo Alto Networks Panorama Module for Azure
A terraform module for deploying a working Panorama instance in Azure.
Usage
Accept Azure Marketplace Terms
Accept the Azure Marketplace terms for the Panorama images. In a typical situation use these commands:
az vm image terms accept --publisher paloaltonetworks --offer panorama --plan byol --subscription MySubscription
You can revoke the acceptance later with the az vm image terms cancel command.
The acceptance applies to the entirety of your Azure Subscription.
Example
module "panorama" {
source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/panorama"
panorama_name = var.panorama_name
resource_group_name = azurerm_resource_group.this.name
location = var.location
avzone = var.avzone // Optional Availability Zone number
interface = [ // Only one interface in Panorama VM is supported
{
name = "mgmt"
subnet_id = var.subnet_id
public_ip = true
public_ip_name = "panorama"
}
]
panorama_size = var.panorama_size
username = var.username
password = random_password.this.result
panorama_sku = var.panorama_sku
panorama_version = var.panorama_version
boot_diagnostic_storage_uri = module.bootstrap.storage_account.primary_blob_endpoint
tags = var.tags
}
Reference
Requirements
| Name | Version |
|---|---|
| terraform | >= 1.2, < 2.0 |
| azurerm | ~> 3.25 |
| random | ~> 3.1 |
Providers
| Name | Version |
|---|---|
| azurerm | ~> 3.25 |
Modules
No modules.
Resources
| Name | Type |
|---|---|
| azurerm_managed_disk.this | resource |
| azurerm_network_interface.this | resource |
| azurerm_public_ip.this | resource |
| azurerm_virtual_machine.panorama | resource |
| azurerm_virtual_machine_data_disk_attachment.this | resource |
| azurerm_public_ip.this | data source |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| location | Region to deploy Panorama into. | string | n/a | yes |
| enable_zones | If false, the input avzone is ignored and all created public IPs default not to use Availability Zones (the No-Zone setting). It is intended for the regions that do not yet support Availability Zones. | bool | true | no |
| avzone | The availability zone to use, for example "1", "2", "3". Ignored if enable_zones is false. Use avzone = null to disable the use of Availability Zones. | any | null | no |
| avzones | After provider version 3.x you need to specify in which availability zone(s) you want to place IP. ie: for zone-redundant with 3 availability zone in current region value will be: | list(string) | [] | no |
| name | The Panorama common name. | string | n/a | yes |
| os_disk_name | The name of OS disk. The name is auto-generated when not provided. | string | null | no |
| resource_group_name | The name of the existing resource group where to place all the resources created by this module. | string | n/a | yes |
| panorama_size | Virtual Machine size. | string | "Standard_D5_v2" | no |
| username | Initial administrative username to use for Panorama. Mind the Azure-imposed restrictions. | string | "panadmin" | no |
| password | Initial administrative password to use for Panorama. If not defined the ssh_key variable must be specified. Mind the Azure-imposed restrictions. | string | null | no |
| ssh_keys | A list of initial administrative SSH public keys that allow key-pair authentication. This is a list of strings, so each item should be the actual public key value. If you would like to load them from files instead, following method is available: password variable is also set, VM-Series will accept both authentication methods. | list(string) | [] | no |
| enable_plan | Enable usage of the Offer/Plan on Azure Marketplace. Even plan sku "byol", which means "bring your own license", still requires accepting on the Marketplace (as of 2021). Can be set to false when using a custom image. | bool | true | no |
| panorama_disk_type | Specifies the type of managed disk to create. Possible values are either Standard_LRS, StandardSSD_LRS, Premium_LRS or UltraSSD_LRS. | string | "StandardSSD_LRS" | no |
| panorama_sku | Panorama SKU. | string | "byol" | no |
| panorama_version | Panorama PAN-OS Software version. List published images with az vm image list -o table --all --publisher paloaltonetworks --offer panorama | string | "10.0.3" | no |
| panorama_publisher | Panorama Publisher. | string | "paloaltonetworks" | no |
| panorama_offer | Panorama offer. | string | "panorama" | no |
| custom_image_id | Absolute ID of your own Custom Image to be used for creating Panorama. If set, the username, password, panorama_version, panorama_publisher, panorama_offer, panorama_sku inputs are all ignored (these are used only for published images, not custom ones). The Custom Image is expected to contain PAN-OS software. | string | null | no |
| interfaces | List of the network interface specifications. NOTICE. The ORDER in which you specify the interfaces DOES MATTER. Interfaces will be attached to VM in the order you define here, therefore the first should be the management interface. Options for an interface object: - name - (required|string) Interface name.- subnet_id - (required|string) Identifier of an existing subnet to create interface in.- create_public_ip - (optional|bool) If true, create a public IP for the interface and ignore the public_ip_address_id. Default is false.- private_ip_address - (optional|string) Static private IP to asssign to the interface. If null, dynamic one is allocated.- public_ip_name - (optional|string) Name of an existing public IP to associate to the interface, used only when create_public_ip is false.- public_ip_resource_group - (optional|string) Name of a Resource Group that contains public IP resource to associate to the interface. When not specified defaults to var.resource_group_name. Used only when create_public_ip is false.Example: | list(any) | n/a | yes |
| logging_disks | A map of objects describing the additional disk configuration. The keys of the map are the names and values are { size, zone, lun }. The size value is provided in GB. The recommended size for additional (optional) disks is at least 2TB (2048 GB). Example: | map(any) | {} | no |
| boot_diagnostic_storage_uri | Existing diagnostic storage uri | string | null | no |
| tags | A map of tags to be associated with the resources created. | map(any) | {} | no |
Outputs
| Name | Description |
|---|---|
| mgmt_ip_address | Panorama management IP address. If public_ip was true, it is a public IP address, otherwise a private IP address. |
| interfaces | Map of VM-Series network interfaces. Keys are equal to var.interfaces name properties. |