This Terraform module deploys the Palo Alto Networks vm-series firewalls. Each firewall is a distinct AWS EC2 instance.
module "vmseries" {
source = "github.com/ministryofjustice/terraform-aws-panfw"
name = "fw00"
ssh_key_name = "EC2-key-pair-name"
interfaces = [
{
name = "mgmt"
subnet_id = subnet-00000000000000001
security_groups = [sg-00000000000000001]
create_public_ip = true
}
]
}| Name | Version |
|---|---|
| terraform | >=0.13, <0.15 |
| aws | >= 2.7 |
| Name | Version |
|---|---|
| aws | >= 2.7 |
No modules.
| Name | Type |
|---|---|
| aws_eip.this | resource |
| aws_eip_association.this | resource |
| aws_instance.this | resource |
| aws_network_interface.this | resource |
| aws_network_interface_attachment.this | resource |
| aws_ami.this | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| custom_ami_id | Custom AMI id to use instead of using an AMI published in the Marketplace. | string |
null |
no |
| fw_product | Type of firewall product: one of 'byol', 'bundle-1', 'bundle-2'. | string |
"byol" |
no |
| fw_product_map | Firewall product codes. | map(string) |
{ |
no |
| iam_instance_profile | Firewall instance IAM profile. | string |
null |
no |
| instance_type | EC2 instance type for firewall. | string |
"m5.xlarge" |
no |
| interfaces | List of the network interface specifications. The first should be the Management network interface, which does not participate in data filtering. The remaining ones are the dataplane interfaces. - name: (Required|string) Name tag for the ENI.- description: (Optional|string) A descriptive name for the ENI.- subnet_id: (Required|string) Subnet ID to create the ENI in.- private_ip_address: (Optional|string) Private IP to assign to the ENI. If not set, dynamic allocation is used.- eip_allocation_id: (Optional|string) Associate an existing EIP to the ENI.- create_public_ip: (Optional|bool) Whether to create a public IP for the ENI. Default false.- public_ipv4_pool: (Optional|string) EC2 IPv4 address pool identifier. - source_dest_check: (Optional|bool) Whether to enable source destination checking for the ENI. Default false.- security_groups: (Optional|list) A list of Security Group IDs to assign to this interface. Default null.Example: interfaces =[ |
any |
n/a | yes |
| name | Name of the VM-Series virtual machine. | string |
n/a | yes |
| panos_version | PAN-OS version of the firewall to deploy. | string |
"9.1.9" |
no |
| ssh_key_name | AWS EC2 key pair name. | string |
n/a | yes |
| tags | A map of tags to be associated with the resources created. | map(any) |
{} |
no |
| user_data | User data to provide when launching the instance. | string |
null |
no |
| Name | Description |
|---|---|
| interfaces | Map of VM-Series network interfaces. The keys of the map are interface names. The values of the map are aws_network_interface objects. |
| mgmt_ip_address | VM-Series management IP address. If create_public_ip is true or eip_allocation_id is used, it is a public IP address, otherwise a private IP address. |
| public_ips | Map of public IPs. The keys of the map are interface names. The values of the map are associated public IPs |