Sync Terraform module documentation to pan.dev (#442)
1 parent f93cb14 commit a95a6b1
Showing 27 changed files with 608 additions and 71 deletions.
8 changes: 5 additions & 3 deletions products/terraform/docs/swfw/aws/vmseries/modules/alb.md
@@ -24,7 +24,7 @@ A Terraform module for deploying an Application Load Balancer in AWS cloud. This

Example usage:

* The code below is designed to be used with [`vmseries`](../vmseries/README.md), [`vpc`](../vpc/README.md) and [`subnet_set`](../subnet_set/README.md) modules. Check these modules for information on outputs used in this code.
* The code below is designed to be used with [`vmseries`](../vmseries), [`vpc`](../vpc) and [`subnet_set`](../subnet_set) modules. Check these modules for information on outputs used in this code.
* Firewalls' public facing interfaces are placed in a subnet set called *untrust*.
* There are two rules shown below:
* `defaults` rule shows a minimum setup that uses only default values
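Review bot: the rewritten bullet links the module as `../subnet_set` (singular), but the `subnets` input example later on this same page reads `module.subnet_sets["untrust"]` (plural); since this hunk is the one that rewrites the module links for pan.dev, it is the place to settle on one module name so readers who follow the link and then copy the example do not end up with a reference that does not resolve.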
@@ -138,15 +138,17 @@ No modules.
| <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection to the Load Balancer can be idle. | `number` | `60` | no |
| <a name="input_lb_name"></a> [lb\_name](#input\_lb\_name) | Name of the Load Balancer to be created. | `string` | n/a | yes |
| <a name="input_rules"></a> [rules](#input\_rules) | An object that contains the listener, listener\_rules, target group, and health check configuration. <br />It consists of maps of applications with their properties, like in the following example:<pre>rules = {<br /> "application\_name" = {<br /> protocol = "communication protocol, since this is an ALB module accepted values are `HTTP` or `HTTPS`"<br /> port = "communication port, defaults to protocol's default port"<br /><br /> certificate\_arn = "(HTTPS ONLY) this is the arn of an existing certificate, this module will not create one for you"<br /> ssl\_policy = "(HTTPS ONLY) name of an ssl policy used by the Load Balancer's listener, defaults to AWS default, for available options see [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies)"<br /><br /> health\_check\_protocol = "this can be either `HTTP` or `HTTPS`, defaults to communication protocol"<br /> health\_check\_port = "port used by the target group health check, if omitted, `traffic-port` will be used (which will be the same as communication port)"<br /> health\_check\_healthy\_threshold = "number of consecutive health checks before considering target healthy, defaults to 3"<br /> health\_check\_unhealthy\_threshold = "number of consecutive health checks before considering target unhealthy, defaults to 3"<br /> health\_check\_interval = "time between each health check, between 5 and 300 seconds, defaults to 30s"<br /> health\_check\_timeout = "health check probe timeout, defaults to AWS default value"<br /> health\_check\_matcher = "response codes expected during health check, defaults to `200`"<br /> health\_check\_path = "destination used by the health check request, defaults to `/`"<br /><br /> listener\_rules = "a map of rules for a listener created for this application, see `listener\_rules` block below for more information<br /> }<br />}</pre>The 
`application_name` key is valid only for letters, numbers and a dash (`-`) - that's an AWS limitation.<br /><br /><hr /><br />There is always one listener created per application. The listener has always a default action that responds with `503`. This should be treated as a `catch-all` rule. For the listener to send traffic to backends a listener rule has to be created. This is controlled via the `listener_rules` map. <br /><br />A key in this map is the priority of the listener rule. Priority can be between `1` and `50000` (AWS specifics). All properties under a particular key refer to either rule's condition(s) or the target group that should receive traffic if a rule is met. <br /><br />Rule conditions - at least one but not more than five of: `host_headers`, `http_headers`, `http_request_method`, `path_pattern`, `query_strings` or `source_ip` has to be set. For more information on what conditions can be set for each type refer to [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule#condition-blocks).<br /><br />Target group - keep in mind that all target group attachments are always pointing to VMSeries' public interfaces. The difference between target groups for each rule is the protocol and/or port to which the traffic is being directed. 
And these are the only properties you can configure (`target_protocol`, `protocol_version` and `target_port` respectively).<br /><br />The `listener_rules` map presents as follows:<pre>listener\_rules = {<br /> "rule\_priority" = { # string representation of a rule's priority (number from 1 - 50000)<br /> target\_port = "port on which the target is listening for requests"<br /> target\_protocol = "target protocol, can be `HTTP` or `HTTPS`"<br /> protocol\_version = "one of `HTTP1`, `HTTP/2` or `GRPC`, defaults to `HTTP1`"<br /><br /> round\_robin = "bool, if set to true (default) the `round-robin` load balancing algorithm is used, otherwise a target attachment with least outstanding requests is chosen.<br /> <br /> host\_headers = "a list of possible host headers, case insensitive, wildcards (`*`,`?`) are supported"<br /> http\_headers = "a map of key-value pairs, where key is a name of an HTTP header and value is a list of possible values, same rules apply like for `host\_headers`"<br /> http\_request\_method = "a list of possible HTTP request methods, case sensitive (upper case only), strict matching (no wildcards)"<br /> path\_pattern = "a list of path patterns (w/o query strings), case sensitive, wildcards supported"<br /> query\_strings = "a map of key-value pairs, key is a query string key pattern and value is a query string value pattern, case insensitive, wildcards supported, it is possible to match only a value pattern (the key value should be prefixed with `nokey\_`)"<br /> source\_ip = "a list of source IP CDIR notation to match"<br /> }<br />}</pre><hr /><br />EXAMPLE<pre>listener\_rules = {<br /> "1" = {<br /> target\_port = 8080<br /> target\_protocol = "HTTP"<br /> host\_headers = ["public-alb-1050443040.eu-west-1.elb.amazonaws.com"]<br /> http\_headers = {<br /> "X-Forwarded-For" = ["192.168.1.*"]<br /> }<br /> http\_request\_method = ["GET"]<br /> }<br /> "99" = {<br /> host\_headers = ["www.else.org"]<br /> target\_port = 8081<br /> 
target\_protocol = "HTTP"<br /> path\_pattern = ["/", "/login.php"]<br /> query\_strings = {<br /> "lang" = "us"<br /> "nokey\_1" = "test"<br /> }<br /> source\_ip = ["10.0.0.0/8"]<br /> }<br />}</pre> | `any` | n/a | yes |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | A list of security group IDs to use with a Load Balancer.<br /><br />If security groups are created with a [VPC module](../vpc/README.md) you can use output from that module like this:<pre>security\_groups = [module.vpc.security\_group\_ids["load\_balancer\_security\_group"]]</pre>For more information on the `load_balancer_security_group` key refer to the [VPC module documentation](../vpc/README.md). | `list(string)` | n/a | yes |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | A list of security group IDs to use with a Load Balancer.<br /><br />If security groups are created with a [VPC module](../vpc) you can use output from that module like this:<pre>security\_groups = [module.vpc.security\_group\_ids["load\_balancer\_security\_group"]]</pre>For more information on the `load_balancer_security_group` key refer to the [VPC module documentation](../vpc). | `list(string)` | n/a | yes |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnets used with a Load Balancer. Each key is the availability zone name and the value is an object that has an attribute<br />`id` identifying AWS subnet.<br /><br />Examples:<br /><br />You can define the values directly:<pre>subnets = {<br /> "us-east-1a" = { id = "snet-123007" }<br /> "us-east-1b" = { id = "snet-123008" }<br />}</pre>You can also use output from the `subnet_sets` module:<pre>subnets = { for k, v in module.subnet\_sets["untrust"].subnets : k => { id = v.id } }</pre> | <pre>map(object({<br /> id = string<br /> }))</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
| <a name="input_targets"></a> [targets](#input\_targets) | A list of backends accepting traffic. For Application Load Balancer all targets are of type `IP`. This is because this is the only option that allows a direct routing between a Load Balancer and a specific VMSeries' network interface. The Application Load Balancer is meant to be always public, therefore the VMSeries IPs should be from the public facing subnet. An example on how to feed this variable with data:<pre>fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }</pre>For format of `var.vmseries` check the [`vmseries` module](../vmseries/README.md). The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:<pre>{<br /> vm01 = "1.1.1.1"<br /> vm02 = "2.2.2.2"<br /> ...<br />}</pre> | `map(string)` | n/a | yes |
| <a name="input_target_group_az"></a> [target\_group\_az](#input\_target\_group\_az) | Availability Zones of Target Group ('all' for target group outside of VPC) | `string` | `null` | no |
| <a name="input_targets"></a> [targets](#input\_targets) | A list of backends accepting traffic. For Application Load Balancer all targets are of type `IP`. This is because this is the only option that allows a direct routing between a Load Balancer and a specific VMSeries' network interface. The Application Load Balancer is meant to be always public, therefore the VMSeries IPs should be from the public facing subnet. An example on how to feed this variable with data:<pre>fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }</pre>For format of `var.vmseries` check the [`vmseries` module](../vmseries). The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:<pre>{<br /> vm01 = "1.1.1.1"<br /> vm02 = "2.2.2.2"<br /> ...<br />}</pre> | `map(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the security VPC for the Load Balancer. | `string` | n/a | yes |

### Outputs

| Name | Description |
|------|-------------|
| <a name="output_lb_fqdn"></a> [lb\_fqdn](#output\_lb\_fqdn) | A FQDN for the Load Balancer. |
| <a name="output_target_group"></a> [target\_group](#output\_target\_group) | n/a |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
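Review bot: the new `target_group_az` row is under-documented for a `string` input whose description says "Availability Zones" in the plural and whose only documented value is `'all'`; it should state that it is passed to each target attachment, that `all` is required when the IPs in `targets` lie outside the VPC CIDR, and that the default `null` means the attachment's own zone is used, e.g. "Availability Zone for the target group attachments. Set to `all` when the target IPs are outside the VPC, otherwise leave `null`." Two smaller items in the same hunk: the `targets` row (deleted and re-added after the new row, apparently to keep the table sorted) still opens with "A list of backends" although its type is `map(string)`, and the unchanged `rules` description carries the typo "source IP CDIR notation" for CIDR.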
5 changes: 3 additions & 2 deletions products/terraform/docs/swfw/aws/vmseries/modules/asg.md
@@ -76,7 +76,8 @@ No modules.
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(any)` | n/a | yes |
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | Map of the network interface specifications.<br />If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface `device_index` is set to 0 and the firewall management interface `device_index` is set to 1.<br />Available options:<br />- `device_index` = (Required\|int) Determines order in which interfaces are attached to the instance. Interface with `0` is attached at boot time.<br />- `subnet_id` = (Required\|string) Subnet ID to create the ENI in.<br />- `name` = (Optional\|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.<br />- `description` = (Optional\|string) A descriptive name for the ENI.<br />- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.<br />- `eip_allocation_id` = (Optional\|string) Associate an existing EIP to the ENI.<br />- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.<br />- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier.<br />- `source_dest_check` = (Optional\|bool) Whether to enable source destination checking for the ENI. Defaults to false.<br />- `security_group_ids` = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.<br /><br />Example:<pre>interfaces = {<br /> mgmt = {<br /> device\_index = 0<br /> subnet\_id = aws\_subnet.mgmt.id<br /> name = "mgmt"<br /> create\_public\_ip = true<br /> source\_dest\_check = true<br /> security\_group\_ids = ["sg-123456"]<br /> },<br /> public = {<br /> device\_index = 1<br /> subnet\_id = aws\_subnet.public.id<br /> name = "public"<br /> create\_public\_ip = true<br /> },<br /> private = {<br /> device\_index = 2<br /> subnet\_id = aws\_subnet.private.id<br /> name = "private"<br /> },<br />]</pre> | `map(any)` | n/a | yes |
| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `10` | no |
| <a name="input_ip_target_groups"></a> [ip\_target\_groups](#input\_ip\_target\_groups) | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface | <pre>list(object({<br /> arn = string<br /> port = string<br /> }))</pre> | `[]` | no |
| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `30` | no |
| <a name="input_lifecycle_hook_timeout"></a> [lifecycle\_hook\_timeout](#input\_lifecycle\_hook\_timeout) | How long should we wait for lambda to finish | `number` | `300` | no |
| <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maximum size of the Auto Scaling Group. | `number` | `2` | no |
| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum size of the Auto Scaling Group. | `number` | `1` | no |
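Review bot: the `lambda_timeout` default changes from `10` to `30` in a commit described as a documentation sync, with no note explaining it; if the module's default really moved, the description should say so (and how it relates to the `300` second `lifecycle_hook_timeout`, which must stay comfortably above it), and if it did not, the table is now wrong. On the new `ip_target_groups` row: "Lamda" should be "Lambda", `port = string` is an odd type for a port when the sibling ALB page uses numeric `target_port = 8080`, and the description should say whether `ip_target_groups` may be combined with `target_group_arn` or replaces it, since both register the same firewalls with a load balancer.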
@@ -92,7 +93,7 @@ No modules.
| <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of AWS keypair to associate with instances | `string` | n/a | yes |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs associated with the Lambda function | `list(string)` | `[]` | no |
| <a name="input_suspended_processes"></a> [suspended\_processes](#input\_suspended\_processes) | List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh | `list(string)` | `[]` | no |
| <a name="input_target_group_arn"></a> [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group for load balancer | `string` | `null` | no |
| <a name="input_target_group_arn"></a> [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | `string` | `null` | no |
| <a name="input_vmseries_ami_id"></a> [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | The AMI from which to launch the instance. Takes precedence over fw\_version and fw\_license\_type | `string` | `null` | no |
| <a name="input_vmseries_iam_instance_profile"></a> [vmseries\_iam\_instance\_profile](#input\_vmseries\_iam\_instance\_profile) | IAM instance profile used in launch template | `string` | `""` | no |
| <a name="input_vmseries_product_code"></a> [vmseries\_product\_code](#input\_vmseries\_product\_code) | Product code corresponding to a chosen VM-Series license type model - by default - BYOL.<br />To check the available license type models and their codes, please refer to the<br />[VM-Series documentation](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/deploy-the-vm-series-firewall-on-aws/obtain-the-ami/get-amazon-machine-image-ids.html) | `string` | `"6njl1pau431dv1qxipg63mvah"` | no |
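Review bot: the reworded `target_group_arn` description should carry a caveat about which interface an instance-type target group reaches. An instance-type target receives traffic on the primary private IP of the instance's primary network interface (`device_index = 0` in the `interfaces` table above); with the "mgmt-interface-swap" bootstrap option that is the dataplane interface, but without the swap it is the firewall's management interface, so a load balancer would forward user traffic straight at the management plane. Suggest stating that this input is only meant for deployments with the interface swap enabled, and pointing readers to `ip_target_groups` (which targets the untrust interface IP explicitly) otherwise.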