Commit

Sync Terraform module documentation
jamesholland-uk authored Jul 19, 2023
1 parent 46cacce commit eb470b0
Showing 24 changed files with 598 additions and 61 deletions.
2 changes: 2 additions & 0 deletions products/terraform/docs/swfw/aws/vmseries/modules/alb.md
@@ -141,6 +141,7 @@ No modules.
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | A list of security group IDs to use with a Load Balancer.<br /><br />If security groups are created with a [VPC module](../vpc/README.md) you can use output from that module like this:<pre>security\_groups = [module.vpc.security\_group\_ids["load\_balancer\_security\_group"]]</pre>For more information on the `load_balancer_security_group` key refer to the [VPC module documentation](../vpc/README.md). | `list(string)` | n/a | yes |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnets used with a Load Balancer. Each key is the availability zone name and the value is an object that has an attribute<br />`id` identifying AWS subnet.<br /><br />Examples:<br /><br />You can define the values directly:<pre>subnets = {<br /> "us-east-1a" = { id = "snet-123007" }<br /> "us-east-1b" = { id = "snet-123008" }<br />}</pre>You can also use output from the `subnet_sets` module:<pre>subnets = { for k, v in module.subnet\_sets["untrust"].subnets : k => { id = v.id } }</pre> | <pre>map(object({<br /> id = string<br /> }))</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
| <a name="input_target_group_az"></a> [target\_group\_az](#input\_target\_group\_az) | Availability Zones of Target Group ('all' for target group outside of VPC) | `string` | `null` | no |
| <a name="input_targets"></a> [targets](#input\_targets) | A list of backends accepting traffic. For Application Load Balancer all targets are of type `IP`. This is because this is the only option that allows a direct routing between a Load Balancer and a specific VMSeries' network interface. The Application Load Balancer is meant to be always public, therefore the VMSeries IPs should be from the public facing subnet. An example on how to feed this variable with data:<pre>fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }</pre>For format of `var.vmseries` check the [`vmseries` module](../vmseries/README.md). The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:<pre>{<br /> vm01 = "1.1.1.1"<br /> vm02 = "2.2.2.2"<br /> ...<br />}</pre> | `map(string)` | n/a | yes |
| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | ID of the security VPC for the Load Balancer. | `string` | n/a | yes |
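Review bot: the new `target_group_az` description only explains the `'all'` sentinel; since the default is `null`, state what happens when it is left unset (no availability zone is passed to the target registration) and that a concrete zone name is the other accepted form, so callers do not guess at the format. A short "Accepted values: an AZ name, or `'all'` when the target IP is outside the VPC; `null` leaves it unset" would cover it.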

@@ -149,4 +150,5 @@ No modules.
| Name | Description |
|------|-------------|
| <a name="output_lb_fqdn"></a> [lb\_fqdn](#output\_lb\_fqdn) | A FQDN for the Load Balancer. |
| <a name="output_target_group"></a> [target\_group](#output\_target\_group) | n/a |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
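Review bot: the added `target_group` output is documented as `n/a`, which means the `output` block in the ALB module has no `description`. Add one stating exactly what is exported (the target group ARN, or the whole resource object), because the `asg` module's new `ip_target_groups` input in this same commit expects an `arn` and `port` per entry, and consumers need to know whether `module.alb.target_group` can be wired in directly.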
5 changes: 3 additions & 2 deletions products/terraform/docs/swfw/aws/vmseries/modules/asg.md
@@ -76,7 +76,8 @@ No modules.
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(any)` | n/a | yes |
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | Map of the network interface specifications.<br />If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface `device_index` is set to 0 and the firewall management interface `device_index` is set to 1.<br />Available options:<br />- `device_index` = (Required\|int) Determines order in which interfaces are attached to the instance. Interface with `0` is attached at boot time.<br />- `subnet_id` = (Required\|string) Subnet ID to create the ENI in.<br />- `name` = (Optional\|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.<br />- `description` = (Optional\|string) A descriptive name for the ENI.<br />- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.<br />- `eip_allocation_id` = (Optional\|string) Associate an existing EIP to the ENI.<br />- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.<br />- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier.<br />- `source_dest_check` = (Optional\|bool) Whether to enable source destination checking for the ENI. Defaults to false.<br />- `security_group_ids` = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.<br /><br />Example:<pre>interfaces = {<br /> mgmt = {<br /> device\_index = 0<br /> subnet\_id = aws\_subnet.mgmt.id<br /> name = "mgmt"<br /> create\_public\_ip = true<br /> source\_dest\_check = true<br /> security\_group\_ids = ["sg-123456"]<br /> },<br /> public = {<br /> device\_index = 1<br /> subnet\_id = aws\_subnet.public.id<br /> name = "public"<br /> create\_public\_ip = true<br /> },<br /> private = {<br /> device\_index = 2<br /> subnet\_id = aws\_subnet.private.id<br /> name = "private"<br /> },<br />]</pre> | `map(any)` | n/a | yes |
| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `10` | no |
| <a name="input_ip_target_groups"></a> [ip\_target\_groups](#input\_ip\_target\_groups) | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface | <pre>list(object({<br /> arn = string<br /> port = string<br /> }))</pre> | `[]` | no |
| <a name="input_lambda_timeout"></a> [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `30` | no |
| <a name="input_lifecycle_hook_timeout"></a> [lifecycle\_hook\_timeout](#input\_lifecycle\_hook\_timeout) | How long should we wait for lambda to finish | `number` | `300` | no |
| <a name="input_max_size"></a> [max\_size](#input\_max\_size) | Maximum size of the Auto Scaling Group. | `number` | `2` | no |
| <a name="input_min_size"></a> [min\_size](#input\_min\_size) | Minimum size of the Auto Scaling Group. | `number` | `1` | no |
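Review bot: three things in this hunk. `ip_target_groups` has a typo ("Lamda" for "Lambda"), and its `port` attribute is typed `string` although it carries a port number; if a string is deliberate (the Lambda passes it through), say so in the description. The `lambda_timeout` default is silently raised from `10` to `30`; the description should mention why the larger value is needed now that the function also registers IPs with target groups, and `lifecycle_hook_timeout` (`300`) should be documented as the upper bound it must stay under. Finally, the description does not say whether `ip_target_groups` can be combined with `target_group_arn` or whether the two are alternatives.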
@@ -92,7 +93,7 @@ No modules.
| <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of AWS keypair to associate with instances | `string` | n/a | yes |
| <a name="input_subnet_ids"></a> [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs associated with the Lambda function | `list(string)` | `[]` | no |
| <a name="input_suspended_processes"></a> [suspended\_processes](#input\_suspended\_processes) | List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh | `list(string)` | `[]` | no |
| <a name="input_target_group_arn"></a> [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group for load balancer | `string` | `null` | no |
| <a name="input_target_group_arn"></a> [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | `string` | `null` | no |
| <a name="input_vmseries_ami_id"></a> [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | The AMI from which to launch the instance. Takes precedence over fw\_version and fw\_license\_type | `string` | `null` | no |
| <a name="input_vmseries_iam_instance_profile"></a> [vmseries\_iam\_instance\_profile](#input\_vmseries\_iam\_instance\_profile) | IAM instance profile used in launch template | `string` | `""` | no |
| <a name="input_vmseries_product_code"></a> [vmseries\_product\_code](#input\_vmseries\_product\_code) | Product code corresponding to a chosen VM-Series license type model - by default - BYOL.<br />To check the available license type models and their codes, please refer to the<br />[VM-Series documentation](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/deploy-the-vm-series-firewall-on-aws/obtain-the-ami/get-amazon-machine-image-ids.html) | `string` | `"6njl1pau431dv1qxipg63mvah"` | no |
2 changes: 2 additions & 0 deletions products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
@@ -70,6 +70,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| <a name="input_allowed_principals"></a> [allowed\_principals](#input\_allowed\_principals) | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. For example `["arn:aws:iam::123456789000:root"]`. | `list(string)` | `[]` | no |
| <a name="input_deregistration_delay"></a> [deregistration\_delay](#input\_deregistration\_delay) | See the `aws` provider [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#deregistration_delay). | `number` | `null` | no |
| <a name="input_enable_lb_deletion_protection"></a> [enable\_lb\_deletion\_protection](#input\_enable\_lb\_deletion\_protection) | Whether to enable deletion protection on the gateway loadbalancer. | `bool` | `false` | no |
| <a name="input_endpoint_service_tags"></a> [endpoint\_service\_tags](#input\_endpoint\_service\_tags) | Map of AWS tags to apply to the created GWLB Endpoint Service. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
| <a name="input_health_check_enabled"></a> [health\_check\_enabled](#input\_health\_check\_enabled) | See the `aws` provider [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check). | `bool` | `null` | no |
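Review bot: `enable_lb_deletion_protection` defaults to `false`, so a plan that replaces or removes the GWLB will delete it, and every endpoint and route that depends on it, without any guard; the description should call that out and recommend `true` for production deployments, with the note that `terraform destroy` then has to flip it back to `false` first. Also "loadbalancer" should read "load balancer" to match the rest of the file.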
@@ -83,6 +84,7 @@ No modules.
| <a name="input_lb_tags"></a> [lb\_tags](#input\_lb\_tags) | Map of AWS tags to apply to the created Load Balancer object. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| <a name="input_lb_target_group_tags"></a> [lb\_target\_group\_tags](#input\_lb\_target\_group\_tags) | Map of AWS tags to apply to the created GWLB Target Group. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| <a name="input_name"></a> [name](#input\_name) | Name of the created GWLB and its Target Group. Must be unique per AWS region per AWS account. | `string` | n/a | yes |
| <a name="input_stickiness_type"></a> [stickiness\_type](#input\_stickiness\_type) | If `stickiness_type` is `null`, then attribute `enabled` is set to `false` in stickiness configuration block,<br />value provided in `type` is ignored and by default the Gateway Load Balancer uses 5-tuple to maintain flow stickiness to a specific target appliance.<br />If `stickiness_type` is not `null`, then attribute `enabled` is set to `true` in stickiness configuration block<br />and the stickiness `type` can be then customized by using value:<br />- `source_ip_dest_ip_proto` for 3-tuple (Source IP, Destination IP and Transport Protocol)<br />- `source_ip_dest_ip` for 2-tuple (Source IP and Destination IP)<pre></pre> | `string` | `null` | no |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnets where to create the GWLB. Each map's key is the availability zone name and each map's object has an attribute<br />`id` identifying AWS subnet.<br />Example for users of module `subnet_set`:<pre>subnets = module.subnet\_set.subnets</pre>Example:<pre>subnets = {<br /> "us-east-1a" = { id = "snet-123007" }<br /> "us-east-1b" = { id = "snet-123008" }<br />}</pre> | <pre>map(object({<br /> id = string<br /> }))</pre> | n/a | yes |
| <a name="input_target_instances"></a> [target\_instances](#input\_target\_instances) | Map of instances to attach to the GWLB Target Group. | <pre>map(object({<br /> id = string<br /> }))</pre> | `{}` | no |
| <a name="input_unhealthy_threshold"></a> [unhealthy\_threshold](#input\_unhealthy\_threshold) | The number of failed health checks required before a healthy target becomes unhealthy. Minimum 2 and maximum 10. | `number` | `3` | no |
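Review bot: the `stickiness_type` description ends in an empty `<pre></pre>`, which is terraform-docs rendering a stray trailing code fence in the variable's `description`; remove the fence from `variables.tf` and regenerate. Since the text enumerates exactly two accepted values, a `validation` block on the variable (`null`, `source_ip_dest_ip_proto`, `source_ip_dest_ip`) would turn a typo into a plan-time error instead of a provider error at apply.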
1 change: 1 addition & 0 deletions products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
@@ -71,4 +71,5 @@ No modules.
| Name | Description |
|------|-------------|
| <a name="output_lb_fqdn"></a> [lb\_fqdn](#output\_lb\_fqdn) | A FQDN for the Load Balancer. |
| <a name="output_target_group"></a> [target\_group](#output\_target\_group) | n/a |
<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
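Review bot: same point as for `alb.md`: the `target_group` output is rendered as `n/a` because the `output` block has no `description`. Add one that says what is exported (ARN or object) so it can be matched against the `arn`/`port` shape that the `asg` module's `ip_target_groups` input expects.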
@@ -63,6 +63,7 @@ No modules.
| <a name="input_create_public_ip"></a> [create\_public\_ip](#input\_create\_public\_ip) | If true, create an Elastic IP address for Panorama. | `bool` | `false` | no |
| <a name="input_ebs_kms_key_alias"></a> [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption.<br />If this is set to `null` the default master key that protects EBS volumes will be used | `string` | `null` | no |
| <a name="input_ebs_volumes"></a> [ebs\_volumes](#input\_ebs\_volumes) | List of EBS volumes to create and attach to Panorama.<br />Available options:<br />- `name` (Optional) Name tag for the EBS volume. If not provided defaults to the value of `var.name`.<br />- `ebs_device_name` (Required) The EBS device name to expose to the instance (for example, /dev/sdh or xvdh). <br />See [Device Naming on Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names) for more information.<br />- `ebs_size` (Optional) The size of the EBS volume in GiBs. Defaults to 2000 GiB.<br />- `ebs_encrypted` (Optional) If true, the Panorama EBS volume will be encrypted.<br />- `force_detach` (Optional) Set to true if you want to force the volume to detach. Useful if previous attempts failed, but use this option only as a last resort, as this can result in data loss.<br />- `skip_destroy` (Optional) Set this to true if you do not wish to detach the volume from the instance to which it is attached at destroy time, and instead just remove the attachment from Terraform state. 
<br />This is useful when destroying an instance attached to third-party volumes.<br /><br />Note: Terraform must be running with credentials which have the `GenerateDataKeyWithoutPlaintext` permission on the specified KMS key <br />as required by the [EBS KMS CMK volume provisioning process](https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html#ebs-cmk) to prevent a volume from being created and almost immediately deleted.<br />If null, the default EBS encryption KMS key in the current region is used.<br /><br />Example:<pre>ebs\_volumes = [<br /> {<br /> name = "ebs-1"<br /> ebs\_device\_name = "/dev/sdb"<br /> ebs\_size = "2000"<br /> ebs\_encrypted = true<br /> },<br /> {<br /> name = "ebs-2"<br /> ebs\_device\_name = "/dev/sdb"<br /> ebs\_size = "2000"<br /> ebs\_encrypted = true<br /> },<br /> {<br /> name = "ebs-3"<br /> ebs\_device\_name = "/dev/sdb"<br /> ebs\_size = "2000"<br /> },<br />]</pre> | `list(any)` | `[]` | no |
| <a name="input_enable_imdsv2"></a> [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.<br />Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires PAN-OS version 10.2.0 at minimum. | `string` | `false` | no |
| <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | A map of tags to assign to the resources.<br />If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level." | `map(any)` | `{}` | no |
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type for Panorama. Default set to Palo Alto Networks recommended instance type. | `string` | `"c5.4xlarge"` | no |
| <a name="input_name"></a> [name](#input\_name) | Name for the Panorama instance. | `string` | `"pan-panorama"` | no |
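Review bot: `enable_imdsv2` is typed `string` but its default is the boolean `false`, and the neighbouring `create_public_ip` is `bool`; declare it `bool` so callers cannot pass `"yes"` or `"0"` and get a silent pass-through. The description also mentions only the plugin and PAN-OS version requirement; it should state that leaving the default means IMDSv1 stays enabled on the Panorama instance, and recommend `true` wherever the version requirement is met. Unrelated but visible in context: the `global_tags` description ends with a stray `"`.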
@@ -68,6 +68,7 @@ No modules.
| <a name="input_ebs_encrypted"></a> [ebs\_encrypted](#input\_ebs\_encrypted) | Whether to enable EBS encryption on volumes. | `bool` | `true` | no |
| <a name="input_ebs_kms_key_alias"></a> [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption. Should be prepended with the word "alias" followed by a forward slash (alias/example-key-alias).<br />If `null` (the default), the default master key that protects EBS volumes will be used. | `string` | `null` | no |
| <a name="input_enable_imdsv2"></a> [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.<br />Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires VM-Series version 10.2.0 at minimum. | `string` | `false` | no |
| <a name="input_enable_instance_termination_protection"></a> [enable\_instance\_termination\_protection](#input\_enable\_instance\_termination\_protection) | Whether to enable termination protection on the EC2 instance. | `bool` | `false` | no |
| <a name="input_iam_instance_profile"></a> [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile. | `string` | `null` | no |
| <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| <a name="input_interfaces"></a> [interfaces](#input\_interfaces) | Map of the network interface specifications.<br />If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface `device_index` is set to 0 and the firewall management interface `device_index` is set to 1.<br />Available options:<br />- `device_index` = (Required\|int) Determines order in which interfaces are attached to the instance. Interface with `0` is attached at boot time.<br />- `subnet_id` = (Required\|string) Subnet ID to create the ENI in.<br />- `name` = (Optional\|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.<br />- `description` = (Optional\|string) A descriptive name for the ENI.<br />- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.<br />- `eip_allocation_id` = (Optional\|string) Associate an existing EIP to the ENI.<br />- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.<br />- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier. <br />- `source_dest_check` = (Optional\|bool) Whether to enable source destination checking for the ENI. Defaults to false.<br />- `security_group_ids` = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.<br /><br />Example:<pre>interfaces = {<br /> mgmt = {<br /> device\_index = 0<br /> subnet\_id = aws\_subnet.mgmt.id<br /> name = "mgmt"<br /> create\_public\_ip = true<br /> source\_dest\_check = true<br /> security\_group\_ids = ["sg-123456"]<br /> },<br /> public = {<br /> device\_index = 1<br /> subnet\_id = aws\_subnet.public.id<br /> name = "public"<br /> create\_public\_ip = true<br /> },<br /> private = {<br /> device\_index = 2<br /> subnet\_id = aws\_subnet.private.id<br /> name = "private"<br /> },<br />]</pre> | `map(any)` | n/a | yes |
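Review bot: `enable_instance_termination_protection` defaults to `false`; the description should say what the protection actually does (blocks termination from the API and console, including a `terraform destroy`, until the flag is cleared) and recommend `true` for production firewalls, otherwise "Whether to enable" tells the reader nothing about the trade-off. Also visible in context: `enable_imdsv2` here has the same `string`-typed boolean problem as in the Panorama module, and the `interfaces` example closes the map with `]` instead of `}`, which will not parse if copied.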