# Palo Alto Networks VM-Series Module on AWS
This Terraform module deploys Palo Alto Networks VM-Series to the Amazon Web Services (AWS) Cloud.
## Usage
For example usage, refer to the [Examples](https://github.com/aws-ia/terraform-aws-paloalto-vmseries/tree/main/examples) directory in this repository.
### Basic Example
Figure 1 shows an example configuration you can deploy using this module. For more details, refer to the [basic deployment example](https://github.com/aws-ia/terraform-aws-paloalto-vmseries/tree/main/examples/basic) in this repository.
Figure 1. Example configuration of Palo Alto Networks VM-Series on AWS
## Requirements
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 0.14.0 |
| [aws](#requirement\_aws) | ~> 3.74 |
## Providers
| Name | Version |
|------|---------|
| [aws](#provider\_aws) | ~> 3.74 |
## Modules
No modules.
## Resources
| Name | Type |
|------|------|
| [aws_eip.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip) | resource |
| [aws_eip_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eip_association) | resource |
| [aws_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
| [aws_network_interface.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface) | resource |
| [aws_network_interface_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/network_interface_attachment) | resource |
| [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
| [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
| [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
## Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | Alias of the customer managed KMS key to use for volume encryption. If set to `null`, the default AWS managed key that protects EBS volumes is used. | `string` | n/a | yes |
| [interfaces](#input\_interfaces) | Map of network interface specifications. If the "mgmt-interface-swap" bootstrap option is enabled, make sure the dataplane interface has `device_index` set to `0` and the firewall management interface has `device_index` set to `1`.<br>Available options:<br>- `device_index` = (Required\|int) Determines the order in which interfaces are attached to the instance. The interface with index `0` is attached at boot time.<br>- `subnet_id` = (Required\|string) ID of the subnet to create the ENI in.<br>- `name` = (Optional\|string) Name tag for the ENI. Defaults to the instance name suffixed by the map key.<br>- `description` = (Optional\|string) A descriptive name for the ENI.<br>- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to `false`.<br>- `eip_allocation_id` = (Optional\|string) Associate an existing EIP with the ENI.<br>- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.<br>- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier.<br>- `source_dest_check` = (Optional\|bool) Whether to enable source/destination checking on the ENI. Defaults to `false`.<br>- `security_group_ids` = (Optional\|list) List of security group IDs to assign to this interface. Defaults to `null`.<br>See the example below this table. | `map(any)` | n/a | yes |
| [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the AWS key pair to associate with the instance. | `string` | n/a | yes |
| [bootstrap\_options](#input\_bootstrap\_options) | VM-Series bootstrap options, passed to the instance as user data. The contents determine which bootstrap method is used. If empty (the default), the bootstrap process is not triggered at all. For the available methods, refer to the VM-Series documentation for your version; the 10.0 documentation is available [here](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/bootstrap-the-vm-series-firewall.html). | `string` | `""` | no |
| [ebs\_encrypted](#input\_ebs\_encrypted) | Whether to enable EBS encryption on volumes. | `bool` | `true` | no |
| [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance. VM-Series version 10.2.0 or higher is required to install VM-Series Plugin 3.0.0, the release that introduces support for the enhanced Instance Metadata Service (IMDSv2) for securing instances on AWS. See the [VM-Series Plugin 3.0.0 release notes](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e). | `string` | `true` | no |
| [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile. | `string` | `null` | no |
| [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| [name](#input\_name) | Name of the VM-Series instance. | `string` | `null` | no |
| [tags](#input\_tags) | Map of additional tags to apply to all resources. | `map(any)` | `{}` | no |
| [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | Specific AMI ID to use for the VM-Series instance. If `null` (the default), the `vmseries_version` and `vmseries_product_code` variables are used to select a public image. | `string` | `null` | no |
| [vmseries\_product\_code](#input\_vmseries\_product\_code) | Product code corresponding to the chosen VM-Series license model; the default is BYOL. To check the available license models and their codes, refer to the [VM-Series documentation](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/deploy-the-vm-series-firewall-on-aws/obtain-the-ami/get-amazon-machine-image-ids.html). | `string` | `"6njl1pau431dv1qxipg63mvah"` | no |
| [vmseries\_version](#input\_vmseries\_version) | VM-Series firewall version to deploy. To list all available VM-Series versions, run the command below this table. Note that the `product-code` filter value may need to be updated; check the `vmseries_product_code` variable for details. | `string` | `"10.2.0"` | no |

Example value for the `interfaces` input (the map is closed with `}`; every entry is a nested map keyed by the interface name):

```hcl
interfaces = {
  mgmt = {
    device_index       = 0
    subnet_id          = aws_subnet.mgmt.id
    name               = "mgmt"
    create_public_ip   = true
    source_dest_check  = true
    security_group_ids = ["sg-123456"]
  },
  public = {
    device_index     = 1
    subnet_id        = aws_subnet.public.id
    name             = "public"
    create_public_ip = true
  },
  private = {
    device_index = 2
    subnet_id    = aws_subnet.private.id
    name         = "private"
  },
}
```

Command to list the available VM-Series versions for the BYOL product code (adjust `--region` and the `product-code` filter to match your deployment):

```shell
aws ec2 describe-images --region us-west-1 \
  --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" "Name=name,Values=PA-VM-AWS*" \
  --output json --query "Images[].Description" | grep -o 'PA-VM-AWS-.*' | sort
```
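The following root-module configuration is an added example, not code from this repository or from Palo Alto Networks. It shows the inputs above combined into a hardened deployment: a management security group restricted to an administrative CIDR, volume encryption with a customer managed KMS key, IMDSv2 enabled on a PAN-OS 10.2.0 image, and the interface ordering the `interfaces` description requires when the "mgmt-interface-swap" bootstrap option is on. The `aws_vpc.this` and `aws_subnet.*` resources, the `admin_cidr` variable, the `alias/vmseries-ebs` KMS alias, the `vmseries-admin` key pair, the module `source` address and the user-data keys `type=dhcp-client` / `mgmt-interface-swap=enable` (taken from the VM-Series bootstrap documentation linked above) are assumptions; check them against your own configuration and PAN-OS version.

```hcl
# Added example (not part of the module): a hardened VM-Series deployment using
# the inputs documented in this README. Resources, variables and the module
# source address marked "assumed" must exist in, or be adapted to, your root module.

variable "admin_cidr" {
  description = "CIDR range allowed to reach the firewall management interface (assumed)."
  type        = string
}

# Management plane is reachable only from the admin range, never from 0.0.0.0/0.
resource "aws_security_group" "mgmt" {
  name   = "vmseries-mgmt"
  vpc_id = aws_vpc.this.id # assumed VPC resource

  ingress {
    description = "PAN-OS web UI and XML API from the admin range only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  ingress {
    description = "SSH to the management CLI from the admin range only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

module "vmseries" {
  source = "github.com/aws-ia/terraform-aws-paloalto-vmseries" # assumed source address

  name         = "vmseries-01"
  ssh_key_name = "vmseries-admin" # assumed existing EC2 key pair

  # Encrypt volumes with a customer managed key (alias assumed to exist)
  # instead of the account's default EBS key.
  ebs_encrypted     = true
  ebs_kms_key_alias = "alias/vmseries-ebs"

  # IMDSv2 needs PAN-OS 10.2.0+ with VM-Series Plugin 3.0.0, per the enable_imdsv2 note.
  enable_imdsv2    = true
  vmseries_version = "10.2.0"

  # Management interface swap is enabled in user data (keys assumed from the
  # VM-Series bootstrap docs), so the dataplane interface takes device_index 0
  # and the management interface takes device_index 1.
  bootstrap_options = <<-EOT
    type=dhcp-client
    mgmt-interface-swap=enable
  EOT

  interfaces = {
    public = {
      device_index      = 0
      subnet_id         = aws_subnet.public.id # assumed subnet
      name              = "public"
      create_public_ip  = true
      source_dest_check = false # dataplane forwards traffic it did not originate
    }
    mgmt = {
      device_index       = 1
      subnet_id          = aws_subnet.mgmt.id # assumed subnet
      name               = "mgmt"
      create_public_ip   = true
      source_dest_check  = true
      security_group_ids = [aws_security_group.mgmt.id]
    }
    private = {
      device_index      = 2
      subnet_id         = aws_subnet.private.id # assumed subnet
      name              = "private"
      source_dest_check = false
    }
  }

  tags = {
    Environment = "prod"
  }
}

# Expose the management address from the module's public_ips output
# (assumed to be keyed by the interfaces map key).
output "vmseries_mgmt_public_ip" {
  value = module.vmseries.public_ips["mgmt"]
}
```

Two design points worth noting: `source_dest_check` is left `false` on the dataplane interfaces because a firewall forwards packets whose source and destination are not its own, while the management interface keeps it `true` since it only terminates administrative sessions; and the security group is attached only to the management ENI, so dataplane interfaces fall back to whatever the module assigns when `security_group_ids` is unset, which you should review against the default group in your VPC.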
## Outputs
| Name | Description |
|------|-------------|
| [instance](#output\_instance) | Map of VM-Series `aws_instance` objects. |
| [interfaces](#output\_interfaces) | Map of VM-Series network interfaces. The entries are `aws_network_interface` objects. |
| [public\_ips](#output\_public\_ips) | Map of public IPs created within the module. |