Viewing docs for panos 2.0.12
published on Wednesday, Jun 17, 2026 by paloaltonetworks
published on Wednesday, Jun 17, 2026 by paloaltonetworks
Viewing docs for panos 2.0.12
published on Wednesday, Jun 17, 2026 by paloaltonetworks
published on Wednesday, Jun 17, 2026 by paloaltonetworks
This resource registers a set of dynamic tags against an IP address through the PAN-OS User-ID API. It manages only the tags it declares: tags registered on the same IP by other means (other resources, the User-ID agent, scripts) are left untouched. Registration is non-destructive and idempotent.
Runtime, not configuration. Dynamic IP-to-tag registrations live in the firewall’s User-ID table, not in the candidate config, so this resource does not require a commit and is not importable. Adopt an existing registration simply by declaring it and running
pulumi up— re-registering tags that are already present is a no-op.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as panos from "@pulumi/panos";
// Register tags on an IP directly on a firewall's virtual system.
const vsys = new panos.IpTag("vsys", {
location: {
vsys: {
name: "vsys1",
},
},
ip: "10.0.0.1",
tags: [
"web",
"prod",
],
});
// Register tags directly on Panorama's own User-ID table (no target firewall).
const panorama = new panos.IpTag("panorama", {
location: {
panorama: {},
},
ip: "10.0.0.2",
tags: ["db"],
});
// Register tags on a Panorama-managed firewall, targeted by serial number.
const targetDevice = new panos.IpTag("target_device", {
location: {
targetDevice: {
serial: "0123456789",
vsys: "vsys1",
},
},
ip: "10.0.0.3",
tags: ["dmz"],
});
import pulumi
import pulumi_panos as panos
# Register tags on an IP directly on a firewall's virtual system.
vsys = panos.IpTag("vsys",
location={
"vsys": {
"name": "vsys1",
},
},
ip="10.0.0.1",
tags=[
"web",
"prod",
])
# Register tags directly on Panorama's own User-ID table (no target firewall).
panorama = panos.IpTag("panorama",
location={
"panorama": {},
},
ip="10.0.0.2",
tags=["db"])
# Register tags on a Panorama-managed firewall, targeted by serial number.
target_device = panos.IpTag("target_device",
location={
"target_device": {
"serial": "0123456789",
"vsys": "vsys1",
},
},
ip="10.0.0.3",
tags=["dmz"])
package main
import (
"github.com/pulumi/pulumi-terraform-provider/sdks/go/panos/v2/panos"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
// Register tags on an IP directly on a firewall's virtual system.
_, err := panos.NewIpTag(ctx, "vsys", &panos.IpTagArgs{
Location: &panos.IpTagLocationArgs{
Vsys: &panos.IpTagLocationVsysArgs{
Name: pulumi.String("vsys1"),
},
},
Ip: pulumi.String("10.0.0.1"),
Tags: pulumi.StringArray{
pulumi.String("web"),
pulumi.String("prod"),
},
})
if err != nil {
return err
}
// Register tags directly on Panorama's own User-ID table (no target firewall).
_, err = panos.NewIpTag(ctx, "panorama", &panos.IpTagArgs{
Location: &panos.IpTagLocationArgs{
Panorama: &panos.IpTagLocationPanoramaArgs{},
},
Ip: pulumi.String("10.0.0.2"),
Tags: pulumi.StringArray{
pulumi.String("db"),
},
})
if err != nil {
return err
}
// Register tags on a Panorama-managed firewall, targeted by serial number.
_, err = panos.NewIpTag(ctx, "target_device", &panos.IpTagArgs{
Location: &panos.IpTagLocationArgs{
TargetDevice: &panos.IpTagLocationTargetDeviceArgs{
Serial: pulumi.String("0123456789"),
Vsys: pulumi.String("vsys1"),
},
},
Ip: pulumi.String("10.0.0.3"),
Tags: pulumi.StringArray{
pulumi.String("dmz"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Panos = Pulumi.Panos;
return await Deployment.RunAsync(() =>
{
// Register tags on an IP directly on a firewall's virtual system.
var vsys = new Panos.IpTag("vsys", new()
{
Location = new Panos.Inputs.IpTagLocationArgs
{
Vsys = new Panos.Inputs.IpTagLocationVsysArgs
{
Name = "vsys1",
},
},
Ip = "10.0.0.1",
Tags = new[]
{
"web",
"prod",
},
});
// Register tags directly on Panorama's own User-ID table (no target firewall).
var panorama = new Panos.IpTag("panorama", new()
{
Location = new Panos.Inputs.IpTagLocationArgs
{
Panorama = null,
},
Ip = "10.0.0.2",
Tags = new[]
{
"db",
},
});
// Register tags on a Panorama-managed firewall, targeted by serial number.
var targetDevice = new Panos.IpTag("target_device", new()
{
Location = new Panos.Inputs.IpTagLocationArgs
{
TargetDevice = new Panos.Inputs.IpTagLocationTargetDeviceArgs
{
Serial = "0123456789",
Vsys = "vsys1",
},
},
Ip = "10.0.0.3",
Tags = new[]
{
"dmz",
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.panos.IpTag;
import com.pulumi.panos.IpTagArgs;
import com.pulumi.panos.inputs.IpTagLocationArgs;
import com.pulumi.panos.inputs.IpTagLocationVsysArgs;
import com.pulumi.panos.inputs.IpTagLocationPanoramaArgs;
import com.pulumi.panos.inputs.IpTagLocationTargetDeviceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
// Register tags on an IP directly on a firewall's virtual system.
var vsys = new IpTag("vsys", IpTagArgs.builder()
.location(IpTagLocationArgs.builder()
.vsys(IpTagLocationVsysArgs.builder()
.name("vsys1")
.build())
.build())
.ip("10.0.0.1")
.tags(
"web",
"prod")
.build());
// Register tags directly on Panorama's own User-ID table (no target firewall).
var panorama = new IpTag("panorama", IpTagArgs.builder()
.location(IpTagLocationArgs.builder()
.panorama(IpTagLocationPanoramaArgs.builder()
.build())
.build())
.ip("10.0.0.2")
.tags("db")
.build());
// Register tags on a Panorama-managed firewall, targeted by serial number.
var targetDevice = new IpTag("targetDevice", IpTagArgs.builder()
.location(IpTagLocationArgs.builder()
.targetDevice(IpTagLocationTargetDeviceArgs.builder()
.serial("0123456789")
.vsys("vsys1")
.build())
.build())
.ip("10.0.0.3")
.tags("dmz")
.build());
}
}
resources:
# Register tags on an IP directly on a firewall's virtual system.
vsys:
type: panos:IpTag
properties:
location:
vsys:
name: vsys1
ip: 10.0.0.1
tags:
- web
- prod
# Register tags directly on Panorama's own User-ID table (no target firewall).
panorama:
type: panos:IpTag
properties:
location:
panorama: {}
ip: 10.0.0.2
tags:
- db
# Register tags on a Panorama-managed firewall, targeted by serial number.
targetDevice:
type: panos:IpTag
name: target_device
properties:
location:
targetDevice:
serial: '0123456789'
vsys: vsys1
ip: 10.0.0.3
tags:
- dmz
Example coming soon!
Drift Reconciliation
On every read the provider intersects the tags it manages with the tags actually present on the firewall, and stores only that intersection in state. Tags it does not manage are ignored entirely.
For example, if this resource manages {web, prod} but the firewall reports
{web, db} for the IP:
webis kept — it is managed and present.proddrifted away (someone unregistered it) — it is dropped from state and re-registered on the nextpulumi up.dbis unmanaged — it is ignored, never added to state, and never removed.
If none of the managed tags remain on the IP, the resource is removed from state.
Limitations
Overlapping ownership. The firewall has no reference counting for registered tags. If two
panos.IpTagresources (or two configurations) register the same tag on the same IP, deleting either one unregisters that shared tag, affecting the other. Avoid declaring the same IP+tag pair from more than one place.
Create IpTag Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new IpTag(name: string, args: IpTagArgs, opts?: CustomResourceOptions);@overload
def IpTag(resource_name: str,
args: IpTagArgs,
opts: Optional[ResourceOptions] = None)
@overload
def IpTag(resource_name: str,
opts: Optional[ResourceOptions] = None,
ip: Optional[str] = None,
location: Optional[IpTagLocationArgs] = None,
tags: Optional[Sequence[str]] = None)func NewIpTag(ctx *Context, name string, args IpTagArgs, opts ...ResourceOption) (*IpTag, error)public IpTag(string name, IpTagArgs args, CustomResourceOptions? opts = null)type: panos:IpTag
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
resource "panos_iptag" "name" {
# resource properties
}Parameters
- name string
- The unique name of the resource.
- args IpTagArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args IpTagArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args IpTagArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args IpTagArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args IpTagArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ipTagResource = new Panos.IpTag("ipTagResource", new()
{
Ip = "string",
Location = new Panos.Inputs.IpTagLocationArgs
{
Panorama = null,
TargetDevice = new Panos.Inputs.IpTagLocationTargetDeviceArgs
{
Serial = "string",
Vsys = "string",
},
Vsys = new Panos.Inputs.IpTagLocationVsysArgs
{
Name = "string",
NgfwDevice = "string",
},
},
Tags = new[]
{
"string",
},
});
example, err := panos.NewIpTag(ctx, "ipTagResource", &panos.IpTagArgs{
Ip: pulumi.String("string"),
Location: &panos.IpTagLocationArgs{
Panorama: &panos.IpTagLocationPanoramaArgs{},
TargetDevice: &panos.IpTagLocationTargetDeviceArgs{
Serial: pulumi.String("string"),
Vsys: pulumi.String("string"),
},
Vsys: &panos.IpTagLocationVsysArgs{
Name: pulumi.String("string"),
NgfwDevice: pulumi.String("string"),
},
},
Tags: pulumi.StringArray{
pulumi.String("string"),
},
})
resource "panos_iptag" "ipTagResource" {
ip = "string"
location = {
panorama = {}
target_device = {
serial = "string"
vsys = "string"
}
vsys = {
name = "string"
ngfw_device = "string"
}
}
tags = ["string"]
}
var ipTagResource = new IpTag("ipTagResource", IpTagArgs.builder()
.ip("string")
.location(IpTagLocationArgs.builder()
.panorama(IpTagLocationPanoramaArgs.builder()
.build())
.targetDevice(IpTagLocationTargetDeviceArgs.builder()
.serial("string")
.vsys("string")
.build())
.vsys(IpTagLocationVsysArgs.builder()
.name("string")
.ngfwDevice("string")
.build())
.build())
.tags("string")
.build());
ip_tag_resource = panos.IpTag("ipTagResource",
ip="string",
location={
"panorama": {},
"target_device": {
"serial": "string",
"vsys": "string",
},
"vsys": {
"name": "string",
"ngfw_device": "string",
},
},
tags=["string"])
const ipTagResource = new panos.IpTag("ipTagResource", {
ip: "string",
location: {
panorama: {},
targetDevice: {
serial: "string",
vsys: "string",
},
vsys: {
name: "string",
ngfwDevice: "string",
},
},
tags: ["string"],
});
type: panos:IpTag
properties:
ip: string
location:
panorama: {}
targetDevice:
serial: string
vsys: string
vsys:
name: string
ngfwDevice: string
tags:
- string
IpTag Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The IpTag resource accepts the following input properties:
- Ip string
- The IP address to register tags against.
- Location
Ip
Tag Location - The location of this object.
- List<string>
- The set of tags to register against the IP address.
- Ip string
- The IP address to register tags against.
- Location
Ip
Tag Location Args - The location of this object.
- []string
- The set of tags to register against the IP address.
- ip String
- The IP address to register tags against.
- location
Ip
Tag Location - The location of this object.
- List<String>
- The set of tags to register against the IP address.
- ip string
- The IP address to register tags against.
- location
Ip
Tag Location - The location of this object.
- string[]
- The set of tags to register against the IP address.
- ip str
- The IP address to register tags against.
- location
Ip
Tag Location Args - The location of this object.
- Sequence[str]
- The set of tags to register against the IP address.
- ip String
- The IP address to register tags against.
- location Property Map
- The location of this object.
- List<String>
- The set of tags to register against the IP address.
Outputs
All input properties are implicitly available as output properties. Additionally, the IpTag resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing IpTag Resource
Get an existing IpTag resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: IpTagState, opts?: CustomResourceOptions): IpTag@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
ip: Optional[str] = None,
location: Optional[IpTagLocationArgs] = None,
tags: Optional[Sequence[str]] = None) -> IpTagfunc GetIpTag(ctx *Context, name string, id IDInput, state *IpTagState, opts ...ResourceOption) (*IpTag, error)public static IpTag Get(string name, Input<string> id, IpTagState? state, CustomResourceOptions? opts = null)public static IpTag get(String name, Output<String> id, IpTagState state, CustomResourceOptions options)resources: _: type: panos:IpTag get: id: ${id}import {
to = panos_iptag.example
id = "${id}"
}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Ip string
- The IP address to register tags against.
- Location
Ip
Tag Location - The location of this object.
- List<string>
- The set of tags to register against the IP address.
- Ip string
- The IP address to register tags against.
- Location
Ip
Tag Location Args - The location of this object.
- []string
- The set of tags to register against the IP address.
- ip String
- The IP address to register tags against.
- location
Ip
Tag Location - The location of this object.
- List<String>
- The set of tags to register against the IP address.
- ip string
- The IP address to register tags against.
- location
Ip
Tag Location - The location of this object.
- string[]
- The set of tags to register against the IP address.
- ip str
- The IP address to register tags against.
- location
Ip
Tag Location Args - The location of this object.
- Sequence[str]
- The set of tags to register against the IP address.
- ip String
- The IP address to register tags against.
- location Property Map
- The location of this object.
- List<String>
- The set of tags to register against the IP address.
Supporting Types
IpTagLocation, IpTagLocationArgs
- Panorama
Ip
Tag Location Panorama - Registered directly on Panorama's own User-ID table (no target firewall).
- Target
Device IpTag Location Target Device - A firewall managed by Panorama, targeted by serial number.
- Vsys
Ip
Tag Location Vsys - Located in a specific Virtual System on an NGFW.
- Panorama
Ip
Tag Location Panorama - Registered directly on Panorama's own User-ID table (no target firewall).
- Target
Device IpTag Location Target Device - A firewall managed by Panorama, targeted by serial number.
- Vsys
Ip
Tag Location Vsys - Located in a specific Virtual System on an NGFW.
- panorama
Ip
Tag Location Panorama - Registered directly on Panorama's own User-ID table (no target firewall).
- target
Device IpTag Location Target Device - A firewall managed by Panorama, targeted by serial number.
- vsys
Ip
Tag Location Vsys - Located in a specific Virtual System on an NGFW.
- panorama
Ip
Tag Location Panorama - Registered directly on Panorama's own User-ID table (no target firewall).
- target
Device IpTag Location Target Device - A firewall managed by Panorama, targeted by serial number.
- vsys
Ip
Tag Location Vsys - Located in a specific Virtual System on an NGFW.
- panorama
Ip
Tag Location Panorama - Registered directly on Panorama's own User-ID table (no target firewall).
- target_
device IpTag Location Target Device - A firewall managed by Panorama, targeted by serial number.
- vsys
Ip
Tag Location Vsys - Located in a specific Virtual System on an NGFW.
- panorama Property Map
- Registered directly on Panorama's own User-ID table (no target firewall).
- target
Device Property Map - A firewall managed by Panorama, targeted by serial number.
- vsys Property Map
- Located in a specific Virtual System on an NGFW.
IpTagLocationTargetDevice, IpTagLocationTargetDeviceArgs
IpTagLocationVsys, IpTagLocationVsysArgs
- Name string
- The Virtual System name.
- Ngfw
Device string - The NGFW device name.
- Name string
- The Virtual System name.
- Ngfw
Device string - The NGFW device name.
- name string
- The Virtual System name.
- ngfw_
device string - The NGFW device name.
- name String
- The Virtual System name.
- ngfw
Device String - The NGFW device name.
- name string
- The Virtual System name.
- ngfw
Device string - The NGFW device name.
- name str
- The Virtual System name.
- ngfw_
device str - The NGFW device name.
- name String
- The Virtual System name.
- ngfw
Device String - The NGFW device name.
Package Details
- Repository
- panos paloaltonetworks/terraform-provider-panos
- License
- Notes
- This Pulumi package is based on the
panosTerraform Provider.
Viewing docs for panos 2.0.12
published on Wednesday, Jun 17, 2026 by paloaltonetworks
published on Wednesday, Jun 17, 2026 by paloaltonetworks