diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/alb.md b/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
index 598343315..ed7fac0ca 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
@@ -141,6 +141,7 @@ No modules.
| [security\_groups](#input\_security\_groups) | A list of security group IDs to use with a Load Balancer.
If security groups are created with a [VPC module](../vpc/README.md) you can use output from that module like this:
security\_groups = [module.vpc.security\_group\_ids["load\_balancer\_security\_group"]]
For more information on the `load_balancer_security_group` key refer to the [VPC module documentation](../vpc/README.md). | `list(string)` | n/a | yes |
| [subnets](#input\_subnets) | Map of subnets used with a Load Balancer. Each key is the availability zone name and the value is an object that has an attribute
`id` identifying AWS subnet.
Examples:
You can define the values directly:subnets = {
"us-east-1a" = { id = "snet-123007" }
"us-east-1b" = { id = "snet-123008" }
}
You can also use output from the `subnet_sets` module:subnets = { for k, v in module.subnet\_sets["untrust"].subnets : k => { id = v.id } }
| map(object({
id = string
}))
| n/a | yes |
| [tags](#input\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
+| [target\_group\_az](#input\_target\_group\_az) | Availability Zones of Target Group ('all' for target group outside of VPC) | `string` | `null` | no |
| [targets](#input\_targets) | A list of backends accepting traffic. For Application Load Balancer all targets are of type `IP`. This is because this is the only option that allows a direct routing between a Load Balancer and a specific VMSeries' network interface. The Application Load Balancer is meant to be always public, therefore the VMSeries IPs should be from the public facing subnet. An example on how to feed this variable with data:fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }
For format of `var.vmseries` check the [`vmseries` module](../vmseries/README.md). The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:{
vm01 = "1.1.1.1"
vm02 = "2.2.2.2"
...
}
| `map(string)` | n/a | yes |
| [vpc\_id](#input\_vpc\_id) | ID of the security VPC for the Load Balancer. | `string` | n/a | yes |
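Review bot: The new `target_group_az` row is under-documented: the description "('all' for target group outside of VPC)" does not say what the other accepted values are (a single AZ name such as `us-east-1a`?) or what happens when the default `null` is left in place. Suggest spelling out the accepted values and the `null` behaviour in the variable's `description` so that terraform-docs renders it here, for example "Availability Zone name of the Target Group; set to `all` for targets outside the VPC; `null` (default) leaves the AZ unset".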
@@ -149,4 +150,5 @@ No modules.
| Name | Description |
|------|-------------|
| [lb\_fqdn](#output\_lb\_fqdn) | A FQDN for the Load Balancer. |
+| [target\_group](#output\_target\_group) | n/a |
\ No newline at end of file
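Review bot: The new `target_group` output has no description (`n/a`), so the rendered table says nothing about its shape. Add a `description` to the output in `outputs.tf` stating whether it exposes the target group ARN or the whole resource object; this matters because the `asg` module in this same patch takes a plain ARN string for `target_group_arn` but a `list(object({ arn, port }))` for `ip_target_groups`, and consumers need to know which one this output feeds.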
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
index f2d045d80..a3071e747 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
@@ -76,7 +76,8 @@ No modules.
| [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(any)` | n/a | yes |
| [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| [interfaces](#input\_interfaces) | Map of the network interface specifications.
If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface `device_index` is set to 0 and the firewall management interface `device_index` is set to 1.
Available options:
- `device_index` = (Required\|int) Determines order in which interfaces are attached to the instance. Interface with `0` is attached at boot time.
- `subnet_id` = (Required\|string) Subnet ID to create the ENI in.
- `name` = (Optional\|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.
- `description` = (Optional\|string) A descriptive name for the ENI.
- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.
- `eip_allocation_id` = (Optional\|string) Associate an existing EIP to the ENI.
- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.
- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier.
- `source_dest_check` = (Optional\|bool) Whether to enable source destination checking for the ENI. Defaults to false.
- `security_group_ids` = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.
Example:interfaces = {
mgmt = {
device\_index = 0
subnet\_id = aws\_subnet.mgmt.id
name = "mgmt"
create\_public\_ip = true
source\_dest\_check = true
security\_group\_ids = ["sg-123456"]
},
public = {
device\_index = 1
subnet\_id = aws\_subnet.public.id
name = "public"
create\_public\_ip = true
},
private = {
device\_index = 2
subnet\_id = aws\_subnet.private.id
name = "private"
},
]
| `map(any)` | n/a | yes |
-| [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `10` | no |
+| [ip\_target\_groups](#input\_ip\_target\_groups) | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface | list(object({
arn = string
port = string
}))
| `[]` | no |
+| [lambda\_timeout](#input\_lambda\_timeout) | Amount of time Lambda Function has to run in seconds. | `number` | `30` | no |
| [lifecycle\_hook\_timeout](#input\_lifecycle\_hook\_timeout) | How long should we wait for lambda to finish | `number` | `300` | no |
| [max\_size](#input\_max\_size) | Maximum size of the Auto Scaling Group. | `number` | `2` | no |
| [min\_size](#input\_min\_size) | Minimum size of the Auto Scaling Group. | `number` | `1` | no |
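Review bot: Typo in the new `ip_target_groups` description: "Lamda" should be "Lambda". Two further points on the same row: `port = string` in the object type looks odd for a TCP port and is inconsistent with the other numeric inputs in this table (`number`), so either justify the string type in the description or change it; and the `lambda_timeout` default bump from `10` to `30` is a behavioural change that deserves a sentence in the description (why 30 is now needed, presumably the extra target-group registration work) and a changelog entry, even though it still sits well inside the 300-second `lifecycle_hook_timeout` shown below it.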
@@ -92,7 +93,7 @@ No modules.
| [ssh\_key\_name](#input\_ssh\_key\_name) | Name of AWS keypair to associate with instances | `string` | n/a | yes |
| [subnet\_ids](#input\_subnet\_ids) | List of subnet IDs associated with the Lambda function | `list(string)` | `[]` | no |
| [suspended\_processes](#input\_suspended\_processes) | List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh | `list(string)` | `[]` | no |
-| [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group for load balancer | `string` | `null` | no |
+| [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | `string` | `null` | no |
| [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | The AMI from which to launch the instance. Takes precedence over fw\_version and fw\_license\_type | `string` | `null` | no |
| [vmseries\_iam\_instance\_profile](#input\_vmseries\_iam\_instance\_profile) | IAM instance profile used in launch template | `string` | `""` | no |
| [vmseries\_product\_code](#input\_vmseries\_product\_code) | Product code corresponding to a chosen VM-Series license type model - by default - BYOL.
To check the available license type models and their codes, please refer to the
[VM-Series documentation](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/deploy-the-vm-series-firewall-on-aws/obtain-the-ami/get-amazon-machine-image-ids.html) | `string` | `"6njl1pau431dv1qxipg63mvah"` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
index cc50ebf00..1aa4b7d18 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
@@ -70,6 +70,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [allowed\_principals](#input\_allowed\_principals) | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. For example `["arn:aws:iam::123456789000:root"]`. | `list(string)` | `[]` | no |
| [deregistration\_delay](#input\_deregistration\_delay) | See the `aws` provider [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#deregistration_delay). | `number` | `null` | no |
+| [enable\_lb\_deletion\_protection](#input\_enable\_lb\_deletion\_protection) | Whether to enable deletion protection on the gateway loadbalancer. | `bool` | `false` | no |
| [endpoint\_service\_tags](#input\_endpoint\_service\_tags) | Map of AWS tags to apply to the created GWLB Endpoint Service. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
| [health\_check\_enabled](#input\_health\_check\_enabled) | See the `aws` provider [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#health_check). | `bool` | `null` | no |
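Review bot: Minor wording in the new `enable_lb_deletion_protection` row: "loadbalancer" should be "load balancer", and for consistency with the neighbouring `deregistration_delay` and `health_check_enabled` rows the description could link to the `aws` provider documentation for the attribute it sets. Since this is a safety setting that defaults to `false`, it is also worth one sentence noting that `terraform destroy` will refuse to remove the GWLB while it is enabled, so operators know to disable it first.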
@@ -83,6 +84,7 @@ No modules.
| [lb\_tags](#input\_lb\_tags) | Map of AWS tags to apply to the created Load Balancer object. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| [lb\_target\_group\_tags](#input\_lb\_target\_group\_tags) | Map of AWS tags to apply to the created GWLB Target Group. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
| [name](#input\_name) | Name of the created GWLB and its Target Group. Must be unique per AWS region per AWS account. | `string` | n/a | yes |
+| [stickiness\_type](#input\_stickiness\_type) | If `stickiness_type` is `null`, then attribute `enabled` is set to `false` in stickiness configuration block,
value provided in `type` is ignored and by default the Gateway Load Balancer uses 5-tuple to maintain flow stickiness to a specific target appliance.
If `stickiness_type` is not `null`, then attribute `enabled` is set to `true` in stickiness configuration block
and the stickiness `type` can be then customized by using value:
- `source_ip_dest_ip_proto` for 3-tuple (Source IP, Destination IP and Transport Protocol)
- `source_ip_dest_ip` for 2-tuple (Source IP and Destination IP) | `string` | `null` | no |
| [subnets](#input\_subnets) | Map of subnets where to create the GWLB. Each map's key is the availability zone name and each map's object has an attribute
`id` identifying AWS subnet.
Example for users of module `subnet_set`:subnets = module.subnet\_set.subnets
Example:subnets = {
"us-east-1a" = { id = "snet-123007" }
"us-east-1b" = { id = "snet-123008" }
}
| map(object({
id = string
}))
| n/a | yes |
| [target\_instances](#input\_target\_instances) | Map of instances to attach to the GWLB Target Group. | map(object({
id = string
}))
| `{}` | no |
| [unhealthy\_threshold](#input\_unhealthy\_threshold) | The number of failed health checks required before a healthy target becomes unhealthy. Minimum 2 and maximum 10. | `number` | `3` | no |
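Review bot: The new `stickiness_type` row lists exactly two accepted values (`source_ip_dest_ip_proto`, `source_ip_dest_ip`) but nothing stops a typo from reaching `apply`; suggest adding a `validation` block to the variable in `variables.tf` that accepts only `null` and those two strings, so a wrong value fails at `plan` time. Grammar nit in the description: "can be then customized" should read "can then be customized".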
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md b/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
index 1f551a52e..393890863 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
@@ -71,4 +71,5 @@ No modules.
| Name | Description |
|------|-------------|
| [lb\_fqdn](#output\_lb\_fqdn) | A FQDN for the Load Balancer. |
+| [target\_group](#output\_target\_group) | n/a |
\ No newline at end of file
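Review bot: The new `target_group` output in the NLB module is undocumented (`n/a`); add a `description` in `outputs.tf` saying what it returns (ARN string or the full target group object). The `asg` module changed in this same patch consumes target groups in two different shapes (`target_group_arn` as a string, `ip_target_groups` as objects with `arn` and `port`), so the output description should make clear which of those this value can be passed to.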
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
index faa08c277..66d9d0ea2 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
@@ -63,6 +63,7 @@ No modules.
| [create\_public\_ip](#input\_create\_public\_ip) | If true, create an Elastic IP address for Panorama. | `bool` | `false` | no |
| [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption.
If this is set to `null` the default master key that protects EBS volumes will be used | `string` | `null` | no |
| [ebs\_volumes](#input\_ebs\_volumes) | List of EBS volumes to create and attach to Panorama.
Available options:
- `name` (Optional) Name tag for the EBS volume. If not provided defaults to the value of `var.name`.
- `ebs_device_name` (Required) The EBS device name to expose to the instance (for example, /dev/sdh or xvdh).
See [Device Naming on Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names) for more information.
- `ebs_size` (Optional) The size of the EBS volume in GiBs. Defaults to 2000 GiB.
- `ebs_encrypted` (Optional) If true, the Panorama EBS volume will be encrypted.
- `force_detach` (Optional) Set to true if you want to force the volume to detach. Useful if previous attempts failed, but use this option only as a last resort, as this can result in data loss.
- `skip_destroy` (Optional) Set this to true if you do not wish to detach the volume from the instance to which it is attached at destroy time, and instead just remove the attachment from Terraform state.
This is useful when destroying an instance attached to third-party volumes.
Note: Terraform must be running with credentials which have the `GenerateDataKeyWithoutPlaintext` permission on the specified KMS key
as required by the [EBS KMS CMK volume provisioning process](https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html#ebs-cmk) to prevent a volume from being created and almost immediately deleted.
If null, the default EBS encryption KMS key in the current region is used.
Example:ebs\_volumes = [
{
name = "ebs-1"
ebs\_device\_name = "/dev/sdb"
ebs\_size = "2000"
ebs\_encrypted = true
},
{
name = "ebs-2"
ebs\_device\_name = "/dev/sdb"
ebs\_size = "2000"
ebs\_encrypted = true
},
{
name = "ebs-3"
ebs\_device\_name = "/dev/sdb"
ebs\_size = "2000"
},
]
| `list(any)` | `[]` | no |
+| [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.
Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires PAN-OS version 10.2.0 at minimum. | `string` | `false` | no |
| [global\_tags](#input\_global\_tags) | A map of tags to assign to the resources.
If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level." | `map(any)` | `{}` | no |
| [instance\_type](#input\_instance\_type) | EC2 instance type for Panorama. Default set to Palo Alto Networks recommended instance type. | `string` | `"c5.4xlarge"` | no |
| [name](#input\_name) | Name for the Panorama instance. | `string` | `"pan-panorama"` | no |
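Review bot: Type mismatch in the new `enable_imdsv2` row: a "Whether to enable" variable with default `false` should be typed `bool`, not `string`; the same `string` typing appears in the `vmseries` module's copy of this variable, so fix both together. The two copies also disagree on the prerequisite wording ("PAN-OS version 10.2.0" here versus "VM-Series version 10.2.0" in `vmseries.md`); for a Panorama instance, confirm which software requirement actually applies and use the same phrasing in both files. Finally, since IMDSv2 is a hardening setting, the description should say what the variable changes on the instance (the metadata options) and whether a `true` default is appropriate once the stated minimum version is met.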
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
index 932faa63e..64ce1f072 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
@@ -68,6 +68,7 @@ No modules.
| [ebs\_encrypted](#input\_ebs\_encrypted) | Whether to enable EBS encryption on volumes. | `bool` | `true` | no |
| [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption. Should be prepended with the word "alias" followed by a forward slash (alias/example-key-alias).
If `null` (the default), the default master key that protects EBS volumes will be used. | `string` | `null` | no |
| [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.
Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires VM-Series version 10.2.0 at minimum. | `string` | `false` | no |
+| [enable\_instance\_termination\_protection](#input\_enable\_instance\_termination\_protection) | Whether to enable termination protection on the EC2 instance. | `bool` | `false` | no |
| [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile. | `string` | `null` | no |
| [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no |
| [interfaces](#input\_interfaces) | Map of the network interface specifications.
If "mgmt-interface-swap" bootstrap option is enabled, ensure dataplane interface `device_index` is set to 0 and the firewall management interface `device_index` is set to 1.
Available options:
- `device_index` = (Required\|int) Determines order in which interfaces are attached to the instance. Interface with `0` is attached at boot time.
- `subnet_id` = (Required\|string) Subnet ID to create the ENI in.
- `name` = (Optional\|string) Name tag for the ENI. Defaults to instance name suffixed by map's key.
- `description` = (Optional\|string) A descriptive name for the ENI.
- `create_public_ip` = (Optional\|bool) Whether to create a public IP for the ENI. Defaults to false.
- `eip_allocation_id` = (Optional\|string) Associate an existing EIP to the ENI.
- `private_ips` = (Optional\|list) List of private IPs to assign to the ENI. If not set, dynamic allocation is used.
- `public_ipv4_pool` = (Optional\|string) EC2 IPv4 address pool identifier.
- `source_dest_check` = (Optional\|bool) Whether to enable source destination checking for the ENI. Defaults to false.
- `security_group_ids` = (Optional\|list) A list of Security Group IDs to assign to this interface. Defaults to null.
Example:interfaces = {
mgmt = {
device\_index = 0
subnet\_id = aws\_subnet.mgmt.id
name = "mgmt"
create\_public\_ip = true
source\_dest\_check = true
security\_group\_ids = ["sg-123456"]
},
public = {
device\_index = 1
subnet\_id = aws\_subnet.public.id
name = "public"
create\_public\_ip = true
},
private = {
device\_index = 2
subnet\_id = aws\_subnet.private.id
name = "private"
},
]
| `map(any)` | n/a | yes |
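Review bot: The new `enable_instance_termination_protection` row should tell operators about the operational consequence: while it is `true`, `terraform destroy` (and any ASG or manual termination) will fail until the flag is set back to `false` and applied, so a destroy needs two steps. One sentence in the variable `description` covers it, and linking the `aws_instance` attribute it maps to would match the style of the other rows in this table.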
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md b/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
index a70ee81b7..e89cec5de 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
@@ -100,7 +100,7 @@ No modules.
| [name](#input\_name) | Name of the VPC to create or use. | `string` | n/a | yes |
| [ntp\_servers](#input\_ntp\_servers) | Specify a list of NTP server addresses for DHCP options set, default to AWS provided | `list(string)` | `[]` | no |
| [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | Secondary CIDR block to assign to a new VPC. | `list(string)` | `[]` | no |
-| [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.
The key of each entry acts as the Security Group name.
List of available attributes of each Security Group entry:
- `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Security Group.
List of attributes available to define a Security Group rule:
- `description`: Security Group description.
- `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.
- `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress
Determines the traffic that can leave your instance, and where it can go.
Example:security\_groups = {
vmseries-mgmt = {
name = "vmseries-mgmt"
rules = {
all-outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
https-inbound-private = {
description = "Permit HTTPS for VM-Series Management"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
cidr\_blocks = ["10.0.0.0/8"]
}
https-inbound-eip = {
description = "Permit HTTPS for VM-Series Management from known public IPs"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
cidr\_blocks = ["100.100.100.100/32"]
}
ssh-inbound-eip = {
description = "Permit SSH for VM-Series Management from known public IPs"
type = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"
cidr\_blocks = ["100.100.100.100/32"]
}
}
}
}
| `any` | `{}` | no |
+| [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.
The key of each entry acts as the Security Group name.
List of available attributes of each Security Group entry:
- `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and
needs to be unique across all rules in the Security Group.
List of attributes available to define a Security Group rule:
- `description`: Security Group description.
- `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.
- `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress
Determines the traffic that can leave your instance, and where it can go.
- `prefix_list_ids`: List of Prefix List IDs
Example:security\_groups = {
vmseries-mgmt = {
name = "vmseries-mgmt"
rules = {
all-outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
https-inbound-private = {
description = "Permit HTTPS for VM-Series Management"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
cidr\_blocks = ["10.0.0.0/8"]
}
https-inbound-eip = {
description = "Permit HTTPS for VM-Series Management from known public IPs"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
cidr\_blocks = ["100.100.100.100/32"]
}
ssh-inbound-eip = {
description = "Permit SSH for VM-Series Management from known public IPs"
type = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"
cidr\_blocks = ["100.100.100.100/32"]
}
https-inbound-prefix-list = {
description = "Permit HTTPS for VM-Series Management for IPs in managed prefix list"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
prefix\_list\_ids = ["pl-1a2b3c4d5e6f7g8h9i"]
}
}
}
}
| `any` | `{}` | no |
| [use\_internet\_gateway](#input\_use\_internet\_gateway) | If an existing VPC is provided and has IG attached, set to `true` to reuse it. | `bool` | `false` | no |
| [vpc\_tags](#input\_vpc\_tags) | Optional map of arbitrary tags to apply to VPC resource. | `map` | `{}` | no |
| [vpn\_gateway\_amazon\_side\_asn](#input\_vpn\_gateway\_amazon\_side\_asn) | ASN for the Amazon side of the gateway. | `string` | `null` | no |
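Review bot: The new `prefix_list_ids` attribute line ("List of Prefix List IDs") does not say whether it can be combined with `cidr_blocks` in the same rule or is an alternative to it; the added `https-inbound-prefix-list` example only shows it used alone, so state the rule explicitly. The sample ID `pl-1a2b3c4d5e6f7g8h9i` contains `g`, `h` and `i`, which cannot appear in a real prefix list ID (the suffix is hexadecimal); use a hex-only placeholder so readers do not copy an invalid pattern. Since the whole description block is being rewritten anyway, this is also the moment to list `from_port`, `to_port` and `protocol`, which every example rule uses but the attribute list still omits, and to fix the stray capital in "For egress Determines the traffic".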
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/47d0ec0b-9080-4af2-b82b-0445e6910975.png b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/47d0ec0b-9080-4af2-b82b-0445e6910975.png
new file mode 100644
index 000000000..6575f7d9e
Binary files /dev/null and b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/47d0ec0b-9080-4af2-b82b-0445e6910975.png differ
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md
new file mode 100644
index 000000000..76d9d0610
--- /dev/null
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md
@@ -0,0 +1,215 @@
+---
+hide_title: true
+id: centralized_design_autoscale
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- aws
+pagination_next: null
+pagination_prev: null
+sidebar_label: Centralized Design Autoscale
+title: 'Reference Architecture with Terraform: VM-Series in AWS, Centralized Design
+ Model, Common NGFW Option'
+---
+
+# Reference Architecture with Terraform: VM-Series in AWS, Centralized Design Model, Common NGFW Option
+
+Palo Alto Networks produces several [validated reference architecture design and deployment documentation guides](https://www.paloaltonetworks.com/resources/reference-architectures), which describe well-architected and tested deployments. When deploying VM-Series in a public cloud, the reference architectures guide users toward the best security outcomes, whilst reducing rollout time and avoiding common integration efforts.
+The Terraform code presented here will deploy Palo Alto Networks VM-Series firewalls in AWS based on the centralized design; for a discussion of other options, please see the design guide from [the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures).
+
+## Reference Architecture Design
+
+![Simplified High Level Topology Diagram](5199b4a8-2a59-4789-9ec0-870d97133acd.png)
+
+This code implements:
+- a _centralized design_, which secures outbound, inbound, and east-west traffic flows using an AWS transit gateway (TGW). Application resources are segmented across multiple VPCs that connect in a hub-and-spoke topology, with a dedicated VPC for security services where the VM-Series are deployed
+
+## Detailed Architecture and Design
+
+### Centralized Design
+This design supports interconnecting a large number of VPCs, with a scalable solution to secure outbound, inbound, and east-west traffic flows using a transit gateway to connect the VPCs. The centralized design model offers the benefits of a highly scalable design for multiple VPCs connecting to a central hub for inbound, outbound, and VPC-to-VPC traffic control and visibility. In the Centralized design model, you segment application resources across multiple VPCs that connect in a hub-and-spoke topology. The hub of the topology, or transit gateway, is the central point of connectivity between VPCs and Prisma Access or enterprise network resources attached through a VPN or AWS Direct Connect. This model has a dedicated VPC for security services where you deploy VM-Series firewalls for traffic inspection and control. The security VPC does not contain any application resources. The security VPC centralizes resources that multiple workloads can share. The TGW ensures that all spoke-to-spoke and spoke-to-enterprise traffic transits the VM-Series.
+
+![](47d0ec0b-9080-4af2-b82b-0445e6910975.png)
+
+### Auto Scaling VM-Series
+
+Auto scaling: Public-cloud environments focus on scaling out a deployment instead of scaling up. This architectural difference stems primarily from the capability of public-cloud environments to dynamically increase or decrease the number of resources allocated to your environment. Using native AWS services like CloudWatch, auto scaling groups (ASG) and VM-Series automation features, the guide implements VM-Series that will scale in and out dynamically, as your protected workload demands fluctuate. The VM-Series firewalls are deployed in an auto scaling group, and are automatically registered to a Gateway Load Balancer. While bootstrapping the VM-Series, there are associations made automatically between VM-Series subinterfaces and the GWLB endpoints. Each VM-Series contains multiple network interfaces created by an AWS Lambda function.
+
+## Prerequisites
+
+The following steps should be followed before deploying the Terraform code presented here.
+
+1. Deploy Panorama e.g. by using [Panorama example](../../examples/panorama_standalone)
+2. Prepare device group, template, template stack in Panorama
+3. Download and install plugin `sw_fw_license` for managing licenses
+4. Configure bootstrap definition and license manager
+5. Configure [license API key](https://docs.paloaltonetworks.com/vm-series/10-1/vm-series-deployment/license-the-vm-series-firewall/install-a-license-deactivation-api-key)
+6. Configure security rules and NAT rules for outbound traffic
+7. Configure interface management profile to enable health checks from GWLB
+8. Configure network interfaces and subinterfaces, zones and virtual router in template
+
+In example VM-Series are licensed using [Panorama-Based Software Firewall License Management `sw_fw_license`](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management), from which after configuring license manager values of `panorama-server`, `auth-key`, `dgname`, `tplname` can be used in `terraform.tfvars` file. Another way to bootstrap and license VM-Series is using [VM Auth Key](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/generate-the-vm-auth-key-on-panorama). This approach requires preparing license (auth code) in file stored in S3 bucket or putting it in `authcodes` option. More information can be found in [document describing how to choose a bootstrap method](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/choose-a-bootstrap-method). Please note, that other bootstrapping methods may requires additional changes in example code (e.g. adding options `vm-auth-key`, `authcodes`) and/or creating additional resources (e.g. S3 buckets).
+
+## Usage
+
+1. Copy `example.tfvars` into `terraform.tfvars`
+2. Review `terraform.tfvars` file, especially with lines commented by ` # TODO: update here`
+3. Initialize Terraform: `terraform init`
+5. Prepare plan: `terraform plan`
+6. Deploy infrastructure: `terraform apply -auto-approve`
+7. Destroy infrastructure if needed: `terraform destroy -auto-approve`
+
+## Additional Reading
+
+### Lambda function
+
+[Lambda function](../../modules/asg/lambda.py) is used to handle correct lifecycle action:
+* instance launch or
+* instance terminate
+
+In case of creating VM-Series, there are performed below actions, which cannot be achieved in AWS launch template:
+* change setting `source_dest_check` for first network interface (data plane)
+* setup additional network interfaces (with optional possibility to attach EIP)
+
+In case of destroying VM-Series, there is performed below action:
+* clean EIP
+
+Moreover having Lambda function executed while scaling out or in gives more options for extension e.g. delicesning VM-Series just after terminating instance.
+
+### Autoscaling
+
+[AWS Auto Scaling](https://aws.amazon.com/autoscaling/) monitors VM-Series and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost. For autoscaling there are 10 metrics available from `vmseries` plugin:
+
+- `DataPlaneCPUUtilizationPct`
+- `DataPlanePacketBufferUtilization`
+- `panGPGatewayUtilizationPct`
+- `panGPGWUtilizationActiveTunnels`
+- `panSessionActive`
+- `panSessionConnectionsPerSecond`
+- `panSessionSslProxyUtilization`
+- `panSessionThroughputKbps`
+- `panSessionThroughputPps`
+- `panSessionUtilization`
+
+Using that metrics there can be configured different [scaling plans](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscalingplans_scaling_plan). Below there are some examples, which can be used. All examples are based on target tracking configuration in scaling plan. Below code is already embedded into [asg module](../../modules/asg/main.tf):
+
+```
+ scaling_instruction {
+ max_capacity = var.max_size
+ min_capacity = var.min_size
+ resource_id = format("autoScalingGroup/%s", aws_autoscaling_group.this.name)
+ scalable_dimension = "autoscaling:autoScalingGroup:DesiredCapacity"
+ service_namespace = "autoscaling"
+ target_tracking_configuration {
+ customized_scaling_metric_specification {
+ metric_name = var.scaling_metric_name
+ namespace = var.scaling_cloudwatch_namespace
+ statistic = var.scaling_statistic
+ }
+ target_value = var.scaling_target_value
+ }
+ }
+```
+
+Using metrics from ``vmseries`` plugin we can defined multiple scaling configurations e.g.:
+
+- based on number of active sessions:
+
+```
+metric_name = "panSessionActive"
+target_value = 75
+statistic = "Average"
+```
+
+- based on data plane CPU utilization and average value above 75%:
+
+```
+metric_name = "DataPlaneCPUUtilizationPct"
+target_value = 75
+statistic = "Average"
+```
+
+- based on data plane packet buffer utilization and max value above 80%
+
+```
+metric_name = "DataPlanePacketBufferUtilization"
+target_value = 80
+statistic = "Maximum"
+```
+
+## Reference
+
+### Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
+| [aws](#requirement\_aws) | ~> 4.25 |
+| [local](#requirement\_local) | ~> 2.4.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | ~> 4.25 |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [app\_lb](#module\_app\_lb) | ../../modules/nlb | n/a |
+| [gwlb](#module\_gwlb) | ../../modules/gwlb | n/a |
+| [gwlbe\_endpoint](#module\_gwlbe\_endpoint) | ../../modules/gwlb_endpoint_set | n/a |
+| [natgw\_set](#module\_natgw\_set) | ../../modules/nat_gateway_set | n/a |
+| [public\_alb](#module\_public\_alb) | ../../modules/alb | n/a |
+| [public\_nlb](#module\_public\_nlb) | ../../modules/nlb | n/a |
+| [subnet\_sets](#module\_subnet\_sets) | ../../modules/subnet_set | n/a |
+| [transit\_gateway](#module\_transit\_gateway) | ../../modules/transit_gateway | n/a |
+| [transit\_gateway\_attachment](#module\_transit\_gateway\_attachment) | ../../modules/transit_gateway_attachment | n/a |
+| [vm\_series\_asg](#module\_vm\_series\_asg) | ../../modules/asg | n/a |
+| [vpc](#module\_vpc) | ../../modules/vpc | n/a |
+| [vpc\_routes](#module\_vpc\_routes) | ../../modules/vpc_route | n/a |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [aws_ec2_transit_gateway_route.from_security_to_panorama](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_ec2_transit_gateway_route.from_spokes_to_security](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route) | resource |
+| [aws_iam_instance_profile.vm_series_iam_instance_profile](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
+| [aws_iam_role.vm_series_ec2_iam_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.vm_series_ec2_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
+| [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [global\_tags](#input\_global\_tags) | Global tags configured for all provisioned resources | `any` | n/a | yes |
+| [gwlb\_endpoints](#input\_gwlb\_endpoints) | A map defining GWLB endpoints.
Following properties are available:
- `name`: name of the GWLB endpoint
- `gwlb`: key of GWLB
- `vpc`: key of VPC
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
- `act_as_next_hop`: set to `true` if endpoint is part of an IGW route table e.g. for inbound traffic
- `to_vpc_subnets`: subnets to which traffic from IGW is routed to the GWLB endpoint
Example:gwlb\_endpoints = {
security\_gwlb\_eastwest = {
name = "eastwest-gwlb-endpoint"
gwlb = "security\_gwlb"
vpc = "security\_vpc"
vpc\_subnet = "security\_vpc-gwlbe\_eastwest"
act\_as\_next\_hop = false
to\_vpc\_subnets = null
}
}
| map(object({
name = string
gwlb = string
vpc = string
vpc\_subnet = string
act\_as\_next\_hop = bool
to\_vpc\_subnets = string
}))
| `{}` | no |
+| [gwlbs](#input\_gwlbs) | A map defining Gateway Load Balancers.
Following properties are available:
- `name`: name of the GWLB
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
Example:gwlbs = {
security\_gwlb = {
name = "security-gwlb"
vpc\_subnet = "security\_vpc-gwlb"
}
}
| map(object({
name = string
vpc\_subnet = string
}))
| `{}` | no |
+| [name\_prefix](#input\_name\_prefix) | Prefix used in names for the resources (VPCs, EC2 instances, autoscaling groups etc.) | `string` | n/a | yes |
+| [natgws](#input\_natgws) | A map defining NAT Gateways.
Following properties are available:
- `name`: name of NAT Gateway
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
Example:natgws = {
security\_nat\_gw = {
name = "natgw"
vpc\_subnet = "security\_vpc-natgw"
}
}
| map(object({
name = string
vpc\_subnet = string
}))
| `{}` | no |
+| [panorama\_attachment](#input\_panorama\_attachment) | A object defining TGW attachment and CIDR for Panorama.
Following properties are available:
- `transit_gateway_attachment_id`: ID of attachment for Panorama
- `vpc_cidr`: CIDR of the VPC, where Panorama is deployed
Example:panorama = {
transit\_gateway\_attachment\_id = "tgw-attach-123456789"
vpc\_cidr = "10.255.0.0/24"
}
| object({
transit\_gateway\_attachment\_id = string
vpc\_cidr = string
})
| `null` | no |
+| [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes |
+| [spoke\_lbs](#input\_spoke\_lbs) | A map defining Network Load Balancers deployed in spoke VPCs.
Following properties are available:
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
- `vms`: keys of spoke VMs
Example:spoke\_lbs = {
"app1-nlb" = {
vpc\_subnet = "app1\_vpc-app1\_lb"
vms = ["app1\_vm01", "app1\_vm02"]
}
}
| map(object({
vpc\_subnet = string
vms = list(string)
}))
| `{}` | no |
+| [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.
Following properties are available:
- `az`: name of the Availability Zone
- `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
- `security_group`: security group assigned to ENI used by VM
- `type`: EC2 type VM
Example:spoke\_vms = {
"app1\_vm01" = {
az = "eu-central-1a"
vpc = "app1\_vpc"
vpc\_subnet = "app1\_vpc-app1\_vm"
security\_group = "app1\_vm"
type = "t2.micro"
}
}
| map(object({
az = string
vpc = string
vpc\_subnet = string
security\_group = string
type = string
}))
| `{}` | no |
+| [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
+| [tgw](#input\_tgw) | A object defining Transit Gateway.
Following properties are available:
- `create`: set to false, if existing TGW needs to be reused
- `id`: id of existing TGW or null
- `name`: name of TGW to create or use
- `asn`: ASN number
- `route_tables`: map of route tables
- `attachments`: map of TGW attachments
Example:tgw = {
create = true
id = null
name = "tgw"
asn = "64512"
route\_tables = {
"from\_security\_vpc" = {
create = true
name = "from\_security"
}
}
attachments = {
security = {
name = "vmseries"
vpc\_subnet = "security\_vpc-tgw\_attach"
route\_table = "from\_security\_vpc"
propagate\_routes\_to = "from\_spoke\_vpc"
}
}
}
| object({
create = bool
id = string
name = string
asn = string
route\_tables = map(object({
create = bool
name = string
}))
attachments = map(object({
name = string
vpc\_subnet = string
route\_table = string
propagate\_routes\_to = string
}))
})
| `null` | no |
+| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
Following properties are available:
- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama
- `panos_version`: PAN-OS version used for VM-Series
- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series
- `vpc`: key of VPC
- `gwlb`: key of GWLB
- `interfaces`: configuration of network interfaces for VM-Series used by Lamdba while provisioning new VM-Series in autoscaling group
- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints
- `asg`: the number of Amazon EC2 instances that should be running in the group (desired, minimum, maximum)
- `scaling_plan`: scaling plan with attributes
- `enabled`: `true` if automatic dynamic scaling policy should be created
- `metric_name`: name of the metric used in dynamic scaling policy
- `target_value`: target value for the metric used in dynamic scaling policy
- `statistic`: statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum
- `cloudwatch_namespace`: name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS)
- `tags`: tags configured for dynamic scaling policy
Example:vmseries\_asgs = {
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 2
min\_size = 2
max\_size = 4
}
scaling\_plan = {
enabled = true # TODO: update here
metric\_name = "panSessionActive" # TODO: update here
target\_value = 75 # TODO: update here
statistic = "Average" # TODO: update here
cloudwatch\_namespace = "example-vmseries" # TODO: update here
tags = {
ManagedBy = "terraform"
}
}
application\_lb = null
network\_lb = null
}
}
| map(object({
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
})
scaling\_plan = object({
enabled = bool
metric\_name = string
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
application\_lb = object({
name = string
rules = any
})
network\_lb = object({
name = string
rules = any
})
}))
| `{}` | no |
+| [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.
Following properties are available:
- `name`: VPC name
- `cidr`: CIDR for VPC
- `security_groups`: map of security groups
- `subnets`: map of subnets with properties:
- `az`: availability zone
- `set`: internal identifier referenced by main.tf
- `routes`: map of routes with properties:
- `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`
- `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources
- `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint
Example:vpcs = {
example\_vpc = {
name = "example-spoke-vpc"
cidr = "10.104.0.0/16"
nacls = {
trusted\_path\_monitoring = {
name = "trusted-path-monitoring"
rules = {
allow\_inbound = {
rule\_number = 300
egress = false
protocol = "-1"
rule\_action = "allow"
cidr\_block = "0.0.0.0/0"
from\_port = null
to\_port = null
}
}
}
}
security\_groups = {
example\_vm = {
name = "example\_vm"
rules = {
all\_outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
}
}
}
subnets = {
"10.104.0.0/24" = { az = "eu-central-1a", set = "vm", nacl = null }
"10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }
}
routes = {
vm\_default = {
vpc\_subnet = "app1\_vpc-app1\_vm"
to\_cidr = "0.0.0.0/0"
next\_hop\_key = "app1"
next\_hop\_type = "transit\_gateway\_attachment"
}
}
}
}
| map(object({
name = string
cidr = string
nacls = map(object({
name = string
rules = map(object({
rule\_number = number
egress = bool
protocol = string
rule\_action = string
cidr\_block = string
from\_port = string
to\_port = string
}))
}))
security\_groups = map(object({
name = string
rules = map(object({
description = string
type = string,
from\_port = string
to\_port = string,
protocol = string
cidr\_blocks = list(string)
}))
}))
subnets = map(object({
az = string
set = string
nacl = string
}))
routes = map(object({
vpc\_subnet = string
to\_cidr = string
next\_hop\_key = string
next\_hop\_type = string
}))
}))
| `{}` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| [app\_inspected\_dns\_name](#output\_app\_inspected\_dns\_name) | FQDN of App Internal Load Balancer.
Can be used in VM-Series configuration to balance traffic between the application instances. |
+| [public\_alb\_dns\_name](#output\_public\_alb\_dns\_name) | FQDN of VM-Series External Application Load Balancer used in centralized design. |
+| [public\_nlb\_dns\_name](#output\_public\_nlb\_dns\_name) | FQDN of VM-Series External Network Load Balancer used in centralized design. |
+
\ No newline at end of file
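Review bot: the `vpcs` input description lists `name`, `cidr`, `security_groups`, `subnets` and `routes` but omits `nacls` and the per-subnet `nacl` key, both of which appear in the example (`nacls = { trusted_path_monitoring = ...`, `nacl = null`) and in the type; likewise the `vmseries_asgs` description omits `application_lb` and `network_lb`, which are in the example and type but never explained. In the same `vpcs` row the `routes` example sets `vpc_subnet = "app1_vpc-app1_vm"` and `next_hop_key = "app1"` inside a VPC keyed `example_vpc` whose subnets use `set = "vm"`, which contradicts the `VPCKEY-SUBNETKEY` rule stated two bullets earlier; make the example self-consistent (e.g. `example_vpc-vm`) or say the key comes from elsewhere. The `bootstrap_options` example carries the Panorama `auth-key` as a plain string in a `map(object(...))` input, so it will land in `terraform.tfvars` and state; add a sentence telling readers not to commit it and to feed it from a `sensitive` variable or a secrets store. The NACL and security-group examples are both permit-all (`protocol = "-1"`, `cidr_block = "0.0.0.0/0"`); since readers copy these, a narrower rule would set a better default. Typos in the new text: "delicesning" (delicensing), "Lamdba" (Lambda), "VM-Seriess" (VM-Series), and "Using that metrics there can be configured different scaling plans" reads better as "Using these metrics, different scaling plans can be configured".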
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
index 711b733db..4dc434689 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
@@ -232,7 +232,7 @@ An example invocation (assuming usage of other Palo Alto's Azure modules) with a
```hcl
module "Application Gateway" {
- source = "../modules/Application Gateway"
+ source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/appgw"
name = "Application Gateway"
resource_group_name = azurerm_resource_group.this.name
@@ -516,9 +516,9 @@ No modules.
| [vmseries\_ips](#input\_vmseries\_ips) | IP addresses of VMSeries' interfaces that will serve as backends for the Application Gateway. | `list(string)` | `[]` | no |
| [rules](#input\_rules) | A map of rules for the Application Gateway. A rule combines listener, http settings and health check configuration.
A key is an application name that is used to prefix all components inside Application Gateway that are created for this application.
Details on configuration can be found [here](#rules-property-explained). | `any` | n/a | yes |
| [ssl\_policy\_type](#input\_ssl\_policy\_type) | Type of an SSL policy. Possible values are `Predefined` or `Custom`.
If the value is `Custom` the following values are mandatory: `ssl_policy_cipher_suites` and `ssl_policy_min_protocol_version`. | `string` | `"Predefined"` | no |
-| [ssl\_policy\_name](#input\_ssl\_policy\_name) | Name of an SSL policy. Supported only for `ssl_policy_type` set to `Predefined`. Normally you can set it also for `Custom` policies but the name is discarded on Azure side causing an update to Application Gateway each time terraform code is run. Therefore this property is omitted in the code for `Custom` policies.
For the `Predefined` polcies, check the [Microsoft documentation](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview) for possible values as they tend to change over time. The default value is currently (Q1 2022) a Microsoft's default. | `string` | `"AppGwSslPolicy20150501"` | no |
-| [ssl\_policy\_min\_protocol\_version](#input\_ssl\_policy\_min\_protocol\_version) | Minimum version of the TLS protocol for SSL Policy. Required only for `ssl_policy_type` set to `Custom`.
Possible values are: `TLSv1_0`, `TLSv1_1`, `TLSv1_2` or `null` (only to be used with a `Predefined` policy). | `string` | `null` | no |
-| [ssl\_policy\_cipher\_suites](#input\_ssl\_policy\_cipher\_suites) | A list of accepted cipher suites. Required only for `ssl_policy_type` set to `Custom`.
For possible values see [documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#cipher_suites). | `list(string)` | `null` | no |
+| [ssl\_policy\_name](#input\_ssl\_policy\_name) | Name of an SSL policy. Supported only for `ssl_policy_type` set to `Predefined`. Normally you can set it also for `Custom` policies but the name is discarded on Azure side causing an update to Application Gateway each time terraform code is run. Therefore this property is omitted in the code for `Custom` policies.
For the `Predefined` polcies, check the [Microsoft documentation](https://docs.microsoft.com/en-us/azure/application-gateway/application-gateway-ssl-policy-overview) for possible values as they tend to change over time. The default value is currently (Q1 2022) a Microsoft's default. | `string` | `"AppGwSslPolicy20220101S"` | no |
+| [ssl\_policy\_min\_protocol\_version](#input\_ssl\_policy\_min\_protocol\_version) | Minimum version of the TLS protocol for SSL Policy. Required only for `ssl_policy_type` set to `Custom`.
Possible values are: `TLSv1_0`, `TLSv1_1`, `TLSv1_2` or `null` (only to be used with a `Predefined` policy). | `string` | `"TLSv1_2"` | no |
+| [ssl\_policy\_cipher\_suites](#input\_ssl\_policy\_cipher\_suites) | A list of accepted cipher suites. Required only for `ssl_policy_type` set to `Custom`.
For possible values see [documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/application_gateway#cipher_suites). | `list(string)` | [
"TLS\_ECDHE\_ECDSA\_WITH\_AES\_128\_GCM\_SHA256",
"TLS\_ECDHE\_ECDSA\_WITH\_AES\_256\_GCM\_SHA384",
"TLS\_ECDHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256",
"TLS\_ECDHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384"
]
| no |
| [ssl\_profiles](#input\_ssl\_profiles) | A map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property.
The structure of the map is as follows:{
profile\_name = {
ssl\_policy\_type = string
ssl\_policy\_min\_protocol\_version = string
ssl\_policy\_cipher\_suites = list
}
}
For possible values check the: `ssl_policy_type`, `ssl_policy_min_protocol_version` and `ssl_policy_cipher_suites` variables as SSL profile is a named SSL policy - same properties apply. The only difference is that you cannot name an SSL policy inside an SSL profile. | `map(any)` | `{}` | no |
| [tags](#input\_tags) | Azure tags to apply to the created resources. | `map(string)` | `{}` | no |
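Review bot: the `ssl_policy_name` description still says "The default value is currently (Q1 2022) a Microsoft's default", a sentence written for `AppGwSslPolicy20150501`; with the default now `AppGwSslPolicy20220101S` that sentence needs re-verifying or the dating dropped, and "polcies" should read "policies". Second, `ssl_policy_min_protocol_version` now defaults to `"TLSv1_2"` while its own text says it is "Required only for `ssl_policy_type` set to `Custom`" and that `null` is "only to be used with a `Predefined` policy", yet `ssl_policy_type` still defaults to `Predefined`; either state that the value is ignored for `Predefined` policies or reword so the defaults do not contradict the description. The new cipher-suite default (ECDHE with AES-GCM only) and the TLS 1.2 floor are good choices and worth a one-line rationale in the row.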
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/application_insights.md b/products/terraform/docs/swfw/azure/vmseries/modules/application_insights.md
index 3ec438f2a..b39af0a61 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/application_insights.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/application_insights.md
@@ -46,7 +46,7 @@ The following snippet deploys Application Insights in Workspace mode, setting th
```hcl
module "ai" {
- source = "../../modules/application_insights"
+ source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/application_insights"
name = "vmseries-ai
metrics_retention_in_days = 365
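Review bot: `name = "vmseries-ai` in this snippet has no closing quote, so the example does not parse; fix it while touching the block. The registry `source` is also unpinned; add a `version` constraint so `terraform init` does not float to the latest release.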
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
index cd3c85fdb..5a8f673f5 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
@@ -29,7 +29,7 @@ Simple example usage is shown below. For more *real life* code please check [exa
```hcl
module "bootstrap" {
- source = "../modules/bootstrap"
+ source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/bootstrap"
storage_account_name = "accountname"
resource_group_name = "rg-name"
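Review bot: the registry `source` is introduced without a `version` constraint; add one so the "simple example" resolves to a known release rather than the newest tag at init time.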
@@ -107,6 +107,11 @@ No modules.
| [storage\_share\_quota](#input\_storage\_share\_quota) | Maximum size of a File Share. | `number` | `50` | no |
| [storage\_share\_access\_tier](#input\_storage\_share\_access\_tier) | Access tier for the File Share. | `string` | `"Cool"` | no |
| [tags](#input\_tags) | A map of tags to be associated with the resources created. | `map(string)` | `{}` | no |
+| [retention\_policy\_days](#input\_retention\_policy\_days) | Log retention policy in days | `number` | `7` | no |
+| [blob\_delete\_retention\_policy\_days](#input\_blob\_delete\_retention\_policy\_days) | Specifies the number of days that the blob should be retained | `number` | `7` | no |
+| [storage\_allow\_inbound\_public\_ips](#input\_storage\_allow\_inbound\_public\_ips) | List of IP CIDR ranges (like `["23.23.23.23"]`) that are allowed to access the Storage Account.
Only public IPs are allowed - RFC1918 address space is not permitted. | `list(string)` | `[]` | no |
+| [storage\_allow\_vnet\_subnet\_ids](#input\_storage\_allow\_vnet\_subnet\_ids) | List of the allowed VNet subnet ids.
Note that this option requires network service endpoint enabled for Microsoft Storage for the specified subnets.
If you are using [vnet module](../vnet/README.md) - set `storage_private_access` to true for the specific subnet.
Example:[
module.vnet.subnet\_ids["subnet-mgmt"],
module.vnet.subnet\_ids["subnet-pub"],
module.vnet.subnet\_ids["subnet-priv"]
]
| `list(string)` | `[]` | no |
+| [storage\_acl](#input\_storage\_acl) | If `true`, storage account network rules will be activated with `Deny` as the default action. In such case, at least one of `storage_allow_inbound_public_ips` or `storage_allow_vnet_subnet_ids` must be a non-empty list. | `bool` | `true` | no |
### Outputs
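Review bot: `storage_acl` defaults to `true` and its description says at least one of `storage_allow_inbound_public_ips` or `storage_allow_vnet_subnet_ids` "must be a non-empty list", yet both default to `[]`, so a caller using only defaults violates the stated constraint. Say what actually happens in that case (a validation error, or a storage account with `Deny` that also blocks the machine running Terraform from uploading bootstrap files to the file share) and extend the README's example invocation to include the runner's public IP or a subnet ID. Minor: the `storage_allow_inbound_public_ips` row says "IP CIDR ranges" but the example `["23.23.23.23"]` is a bare address; note that both forms are accepted. `retention_policy_days` ("Log retention policy in days") should name which logs it governs.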
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
index a2c953d35..829648ede 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
@@ -30,7 +30,7 @@ To deploy this resource in it's minimum configuration following code snippet can
```terraform
module "natgw" {
- source = "../modules/natgw"
+ source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/natgw"
name = "NATGW_name"
resource_group_name = "resource_group_name"
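Review bot: the registry `source` has no `version` constraint; pin it so the minimum-configuration snippet is reproducible across releases.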
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
index a4c9f0dc8..35b5af952 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
@@ -25,7 +25,6 @@ A terraform module for deploying a working Panorama instance in Azure.
```hcl
module "panorama" {
source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/panorama"
- version = "0.1.0"
panorama_name = var.panorama_name
resource_group_name = azurerm_resource_group.this.name
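Review bot: deleting `version = "0.1.0"` removes the only pin in this example, so it now tracks the latest registry release; if `0.1.0` is stale, replace it with a current constraint (for example `version = "~> 0.x"`) rather than dropping the line.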
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
index 0e05acb60..51598fb63 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
@@ -39,7 +39,7 @@ provider "azurerm" {
```hcl
module "vmss" {
- source = "github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules//modules/vmss"
+ source = "PaloAltoNetworks/vmseries-modules/azurerm//modules/vmss"
location = "Australia Central"
name_prefix = "pan"
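Review bot: the registry `source` replaces a Git URL but carries no `version`; without a constraint the example is less reproducible than the `github.com/...` reference it replaces, so add one.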
@@ -91,7 +91,8 @@ No modules.
| [interfaces](#input\_interfaces) | List of the network interface specifications.
NOTICE. The ORDER in which you specify the interfaces DOES MATTER.
Interfaces will be attached to VM in the order you define here, therefore:
* The first should be the management interface, which does not participate in data filtering.
* The remaining ones are the dataplane interfaces.
Options for an interface object:
- `name` - (required\|string) Interface name.
- `subnet_id` - (required\|string) Identifier of an existing subnet to create interface in.
- `create_pip` - (optional\|bool) If true, create a public IP for the interface
- `lb_backend_pool_ids` - (optional\|list(string)) A list of identifiers of an existing Load Balancer backend pools to associate interface with.
- `appgw_backend_pool_ids` - (optional\|list(String)) A list of identifier of the Application Gateway backend pools to associate interface with.
- `pip_domain_name_label` - (optional\|string) The Prefix which should be used for the Domain Name Label for each Virtual Machine Instance.
Example:[
{
name = "management"
subnet\_id = azurerm\_subnet.my\_mgmt\_subnet.id
create\_pip = true
},
{
name = "private"
subnet\_id = azurerm\_subnet.my\_priv\_subnet.id
},
{
name = "public"
subnet\_id = azurerm\_subnet.my\_pub\_subnet.id
lb\_backend\_pool\_ids = [azurerm\_lb\_backend\_address\_pool.lb\_backend.id]
}
]
| `list(any)` | n/a | yes |
| [username](#input\_username) | Initial administrative username to use for VM-Series. | `string` | `"panadmin"` | no |
| [password](#input\_password) | Initial administrative password to use for VM-Series. | `string` | n/a | yes |
-| [disable\_password\_authentication](#input\_disable\_password\_authentication) | If true, disables password-based authentication on VM-Series instances. | `bool` | `false` | no |
+| [ssh\_keys](#input\_ssh\_keys) | A list of initial administrative SSH public keys that allow key-pair authentication. If not defined the `password` variable must be specified.
This is a list of strings, so each item should be the actual public key value. If you would like to load them from files instead, following method is available:[
file("/path/to/public/keys/key\_1.pub"),
file("/path/to/public/keys/key\_2.pub")
]
| `list(string)` | `[]` | no |
+| [disable\_password\_authentication](#input\_disable\_password\_authentication) | If true, disables password-based authentication on VM-Series instances. | `bool` | `true` | no |
| [encryption\_at\_host\_enabled](#input\_encryption\_at\_host\_enabled) | See the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine_scale_set#encryption_at_host_enabled). | `bool` | `null` | no |
| [overprovision](#input\_overprovision) | See the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine_scale_set). | `bool` | `false` | no |
| [platform\_fault\_domain\_count](#input\_platform\_fault\_domain\_count) | See the [provider documentation](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/linux_virtual_machine_scale_set). | `number` | `null` | no |
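Review bot: with `disable_password_authentication` now defaulting to `true` and `ssh_keys` defaulting to `[]`, an invocation that only supplies the required `password` produces a scale set whose only credential is disabled. The `ssh_keys` row says "If not defined the `password` variable must be specified", but `password` is still marked required (`n/a`, yes) regardless, so the two rows contradict each other. Document that at least one key in `ssh_keys` is mandatory under the new default, and consider making `password` optional (or `null`-able) when keys are provided. The flip to key-only authentication by default is the right direction.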
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
index 1643cd4cf..59806a405 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
@@ -163,6 +163,7 @@ terraform destroy
| Name | Version |
|------|---------|
| [random](#provider\_random) | n/a |
+| [http](#provider\_http) | n/a |
| [azurerm](#provider\_azurerm) | n/a |
| [local](#provider\_local) | n/a |
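Review bot: the new `http` provider is listed with `n/a` for version, the same as the others; the Requirements table above should carry a constraint for it so a provider upgrade cannot silently change the data source's behaviour.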
@@ -188,6 +189,7 @@ terraform destroy
| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [http_http.this](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
### Inputs
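Review bot: `http_http.this` adds an outbound HTTP call on every `terraform plan`, but the README does not say which URL it fetches or what the response body is used for; add a sentence under Resources (or in the relevant input description) naming the endpoint and the purpose, and note that the fetched value should be validated before it is used in any access rule.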
@@ -199,7 +201,7 @@ terraform destroy
| [create\_resource\_group](#input\_create\_resource\_group) | When set to `true` it will cause a Resource Group creation. Name of the newly specified RG is controlled by `resource_group_name`.
When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group. | `bool` | `true` | no |
| [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group. | `string` | n/a | yes |
| [enable\_zones](#input\_enable\_zones) | If `true`, enable zone support for resources. | `bool` | `true` | no |
-| [vnets](#input\_vnets) | A map defining VNETs.
For detailed documentation on each property refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/blob/v0.5.4/modules/vnet/README.md)
- `name` : A name of a VNET.
- `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
- `address_space` : a list of CIDRs for VNET
- `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside
- `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
- `subnets` : map of Subnets to create
- `network_security_groups` : map of Network Security Groups to create
- `route_tables` : map of Route Tables to create. | `any` | n/a | yes |
+| [vnets](#input\_vnets) | A map defining VNETs.
For detailed documentation on each property refer to [module documentation](../../modules/vnet/README.md)
- `name` : A name of a VNET.
- `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
- `address_space` : a list of CIDRs for VNET
- `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside
- `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
- `subnets` : map of Subnets to create
- `network_security_groups` : map of Network Security Groups to create
- `route_tables` : map of Route Tables to create. | `any` | n/a | yes |
| [natgws](#input\_natgws) | A map defining Nat Gateways.
Please note that a NatGW is a zonal resource, this means it's always placed in a zone (even when you do not specify one explicitly). Please refer to Microsoft documentation for notes on NatGW's zonal resiliency.
Following properties are supported:
- `name` : a name of the newly created NatGW.
- `create_natgw` : (default: `true`) create or source (when `false`) an existing NatGW. Created or sourced: the NatGW will be assigned to a subnet created by the `vnet` module.
- `resource_group_name : name of a Resource Group hosting the NatGW (newly create or the existing one).
- `zone` : Availability Zone in which the NatGW will be placed, when skipped AzureRM will pick a zone.
- `idle\_timeout` : connection IDLE timeout in minutes, for newly created resources
- `vnet\_key` : a name (key value) of a VNET defined in `var.vnets` that hosts a subnet this NatGW will be assigned to.
- `subnet\_keys` : a list of subnets (key values) the NatGW will be assigned to, defined in `var.vnets` for a VNET described by `vnet\_name`.
- `create\_pip` : (default: `true`) create a Public IP that will be attached to a NatGW
- `existing\_pip\_name` : when `create\_pip` is set to `false`, source and attach and existing Public IP to the NatGW
- `existing\_pip\_resource\_group\_name` : when `create\_pip` is set to `false`, name of the Resource Group hosting the existing Public IP
- `create\_pip\_prefix` : (default: `false`) create a Public IP Prefix that will be attached to the NatGW.
- `pip\_prefix\_length` : length of the newly created Public IP Prefix, can bet between 0 and 31 but this actually supported value depends on the Subscription.
- `existing\_pip\_prefix\_name` : when `create\_pip\_prefix` is set to `false`, source and attach and existing Public IP Prefix to the NatGW
- `existing\_pip\_prefix\_resource\_group\_name` : when `create\_pip\_prefix` is set to `false`, name of the Resource Group hosting the existing Public IP Prefix.
Example:
`natgws = {
"natgw" = {
name = "public-natgw"
vnet\_key = "transit-vnet"
subnet\_keys = ["public"]
zone = 1
}
}
| `any` | `{}` | no |
| [load\_balancers](#input\_load\_balancers) | A map containing configuration for all (private and public) Load Balancer that will be created in this deployment.
Following properties are available (for details refer to module's documentation):
- `name`: name of the Load Balancer resource.
- `network_security_group_name`: (public LB) a name of a security group, an ingress rule will be created in that NSG for each listener. **NOTE** this is the FULL NAME of the NSG (including prefixes).
- `network_security_group_rg_name`: (public LB) a name of a resource group for the security group, to be used when the NSG is hosted in a different RG than the one described in `var.resource_group_name`.
- `network_security_allow_source_ips`: (public LB) a list of IP addresses that will used in the ingress rules.
- `avzones`: (both) for regional Load Balancers, a list of supported zones (this has different meaning for public and private LBs - please refer to module's documentation for details).
- `frontend_ips`: (both) a map configuring both a listener and a load balancing rule, key is the name that will be used as an application name inside LB config as well as to create a rule in NSG (for public LBs), value is an object with the following properties:
- `create_public_ip`: (public LB) defaults to `false`, when set to `true` a Public IP will be created and associated with a listener
- `public_ip_name`: (public LB) defaults to `null`, when `create_public_ip` is set to `false` this property is used to reference an existing Public IP object in Azure
- `public_ip_resource_group`: (public LB) defaults to `null`, when using an existing Public IP created in a different Resource Group than the currently used use this property is to provide the name of that RG
- `private_ip_address`: (private LB) defaults to `null`, specify a static IP address that will be used by a listener
- `vnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a vnet's key (as defined in `vnet` variable). This will be the VNET hosting this Load Balancer
- `subnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a subnet's key (as defined in `vnet` variable) to which the LB will be attached, in case of VMSeries this should be a internal/trust subnet
- `rules` - a map configuring the actual rules load balancing rules, a key is a rule name, a value is an object with the following properties:
- `protocol`: protocol used by the rule, can be one the following: `TCP`, `UDP` or `All` when creating an HA PORTS rule
- `port`: port used by the rule, for HA PORTS rule set this to `0`
Example of a public Load Balancer:"public\_lb" = {
name = "https\_app\_lb"
network\_security\_group\_name = "untrust\_nsg"
network\_security\_allow\_source\_ips = ["1.2.3.4"]
avzones = ["1", "2", "3"]
frontend\_ips = {
"https\_app\_1" = {
create\_public\_ip = true
rules = {
"balanceHttps" = {
protocol = "Tcp"
port = 443
}
}
}
}
}
Example of a private Load Balancer with HA PORTS rule:"private\_lb" = {
name = "ha\_ports\_internal\_lb
frontend\_ips = {
"ha-ports" = {
vnet\_key = "trust\_vnet"
subnet\_key = "trust\_snet"
private\_ip\_address = "10.0.0.1"
rules = {
HA\_PORTS = {
port = 0
protocol = "All"
}
}
}
}
}
| `map` | `{}` | no |
| [vmseries\_version](#input\_vmseries\_version) | VM-Series PAN-OS version - list available with `az vm image list -o table --all --publisher paloaltonetworks`. It's also possible to specify the Pan-OS version per firewall, see `var.vmseries` variable. | `string` | n/a | yes |
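Review bot: the replaced `vnets` link drops the version pin (old target `blob/v0.5.4/modules/vnet/README.md`, new target `../../modules/vnet/README.md`), so this row now describes whichever module revision is published next to the page instead of the tagged version the property list was written against; if that is intended, state the module version somewhere on the page, otherwise keep a versioned link. Since this table is being edited anyway, the unchanged context lines around the change carry defects that should go in the same commit: in `natgws`, `` - `resource_group_name : name of a Resource Group `` is missing its closing backtick, `subnet_keys` refers to a VNET "described by `vnet_name`" where the documented property is `vnet_key`, and "can bet between 0 and 31" should read "can be between"; in `load_balancers`, the private LB example `name = "ha_ports_internal_lb` lacks its closing quote, and the public LB example uses `protocol = "Tcp"` while the `rules` text documents `TCP`, `UDP` or `All`, so pick one casing so that a copy-pasted example matches the documented values.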
@@ -208,10 +210,10 @@ terraform destroy
| [vmseries\_username](#input\_vmseries\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no |
| [vmseries\_password](#input\_vmseries\_password) | Initial administrative password to use for all systems. Set to null for an auto-generated password. | `string` | `null` | no |
| [availability\_set](#input\_availability\_set) | A map defining availability sets. Can be used to provide infrastructure high availability when zones cannot be used.
Following properties are supported:
- `name` - name of the Application Insights.
- `update_domain_count` - specifies the number of update domains that are used, defaults to 5 (Azure defaults).
- `fault_domain_count` - specifies the number of fault domains that are used, defaults to 3 (Azure defaults).
Please keep in mind that Azure defaults are not working for each region (especially the small ones, w/o any Availability Zones). Please verify how many update and fault domain are supported in a region before deploying this resource. | `any` | `{}` | no |
-| [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
Names for all AI instances are prefixed with `var.name_prefix`.
Properties supported (for details on each property see [modules documentation](../modules/application\_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
application\_insights = {
metrics\_retention\_in\_days = 365
}
| `map(string)` | `null` | no |
-| [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.
Following properties are supported (except for name, all are optional):
- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.
- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
+| [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
Names for all AI instances are prefixed with `var.name_prefix`.
Properties supported (for details on each property see [modules documentation](../../modules/application\_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
application\_insights = {
metrics\_retention\_in\_days = 365
}
| `map(string)` | `null` | no |
+| [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.
Following properties are supported (except for name, all are optional):
- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.
- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
- `storage_acl` : (defaults to `false`) enables network ACLs on the Storage Account. If this is enabled - `storage_allow_vnet_subnets` and `storage_allow_inbound_public_ips` options become available. The ACL defaults to default `Deny`.
- `storage_allow_vnet_subnets` : (defaults to `[]`) whitelist containing the allowed vnet and associated subnets that are allowed to access the Storage Account. Note that the respective subnets require `enable_storage_service_endpoint` set to `true` to work properly.
- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tries to query [https://ifconfig.me/ip](https://ifconfig.me/ip) to obtain the public IP address of the machine executing the code so that the bootstrap files can be successfully uploaded to the Storage Account.
The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
| [vmseries](#input\_vmseries) | Map of virtual machines to create to run VM-Series - inbound firewalls. Following properties are supported:
- `name` : name of the VMSeries virtual machine.
- `vm_size` : size of the VMSeries virtual machine, when specified overrides `var.vmseries_vm_size`.
- `version` : PanOS version, when specified overrides `var.vmseries_version`.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map. This value will be used during network interfaces creation.
- `add_to_appgw_backend` : bool, `false` by default, set this to `true` to add this backend to an Application Gateway.
- `avzone`: the Azure Availability Zone identifier ("1", "2", "3"). Default is "1".
- `availability_set_name` : a name of an Availability Set as declared in `availability_set` property. Specify when HA is required but cannot go for zonal deployment.
- `bootstrap_options` : string, optional bootstrap options to pass to VM-Series instances, semicolon separated values. When defined this precedence over `bootstrap_storage`
- `bootstrap_storage` : a map containing definition of the bootstrap package content. When present triggers a creation of a File Share in an existing Storage Account, following properties supported:
- `name` : a name of a key in `var.bootstrap_storage` variable defining a Storage Account
- `static_files` : a map where key is a path to a file, value is the location of the file in the bootstrap package (file share). All files in this map are copied 1:1 to the bootstrap package
- `template_bootstrap_xml` : path to the `bootstrap.xml` template. When defined it will trigger creation of the `bootstrap.xml` file and the file will be uploaded to the storage account. This is a simple `day 0` configuration file that should set up only basic networking. Specifying this property forces additional properties that are required to properly template the file. They can be defined per each VM or globally for all VMs (in this case place them in the bootstrap storage definition). The properties are listed below.
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes).
- `interfaces` : configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available:
- `name`: string that will form the NIC name
- `subnet_key` : (string) a key of a subnet as defined in `var.vnets`
- `create_pip` : (boolean) flag to create Public IP for an interface, defaults to `false`
- `public_ip_name` : (string) when `create_pip` is set to `false` a name of a Public IP resource that should be associated with this Network Interface
- `public_ip_resource_group` : (string) when associating an existing Public IP resource, name of the Resource Group the IP is placed in, defaults to the `var.resource_group_name`
- `load_balancer_key` : (string) key of a Load Balancer defined in the `var.loadbalancers` variable, defaults to `null`
- `private_ip_address` : (string) a static IP address that should be assigned to an interface, defaults to `null` (in that case DHCP is used)
Example:{
"fw01" = {
name = "firewall01"
bootstrap\_storage = {
name = "storageaccountname"
static\_files = { "files/init-cfg.txt" = "config/init-cfg.txt" }
template\_bootstrap\_xml = "templates/bootstrap\_common.tmpl"
public\_snet\_key = "public"
private\_snet\_key = "private"
}
avzone = 1
vnet\_key = "trust"
interfaces = [
{
name = "mgmt"
subnet\_key = "mgmt"
create\_pip = true
private\_ip\_address = "10.0.0.1"
},
{
name = "trust"
subnet\_key = "private"
private\_ip\_address = "10.0.1.1"
load\_balancer\_key = "private\_lb"
},
{
name = "untrust"
subnet\_key = "public"
private\_ip\_address = "10.0.2.1"
load\_balancer\_key = "public\_lb"
public\_ip\_name = "existing\_public\_ip"
}
]
}
}
| `any` | n/a | yes |
-| [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.
For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/blob/main/modules/appgw/README.md).
Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no |
+| [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.
For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](../../modules/appgw/README.md).
Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no |
### Outputs
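Review bot: the new `storage_allow_inbound_public_ips` line says the code "automatically tries to query https://ifconfig.me/ip" to learn the executing machine's public IP, but not what is done with it; the row should state that the discovered address is written into the Storage Account network rules and stays allow-listed after apply (so a CI runner or a developer laptop keeps access to the bootstrap share until the rule is removed), that behind a shared NAT egress every host using that egress address is allow-listed with it, and that the lookup is an outbound dependency on a third-party service at plan/apply time which fails in air-gapped or egress-filtered pipelines, with the supported way to supply the address explicitly instead of relying on the lookup, if one exists. In the same row, `storage_allow_vnet_subnets` requires `enable_storage_service_endpoint` on the subnets, but that property is not listed under `vnets` on this page, so point to where it is set. Wording in the re-added lines: "The ACL defaults to default `Deny`" should read "the default action is `Deny`", "whitelist" should be "allow list", and "they tak higher precedence" (re-added in the `bootstrap_storage` row) should be "take". Finally, the re-added `application_insights` row declares the type as `map(string)` while documenting `workspace_mode` as a bool and `metrics_retention_in_days` as a number; either the type column or the property descriptions need correcting.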
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
index f4e8f9b42..ba0c7d82e 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
@@ -165,6 +165,7 @@ terraform destroy
| Name | Version |
|------|---------|
| [random](#provider\_random) | n/a |
+| [http](#provider\_http) | n/a |
| [azurerm](#provider\_azurerm) | n/a |
| [local](#provider\_local) | n/a |
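Review bot: the added `http` provider row carries `n/a` in the Version column; because the provider is introduced to perform an outbound request during plan (see the `http_http.this` data source added in the Resources table), the page should show the version constraint the root module declares for `hashicorp/http`, or the configuration should gain one, so the lookup behaviour is reproducible and not tied to whatever `latest` resolves to at apply time.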
@@ -190,6 +191,7 @@ terraform destroy
| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource |
| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source |
+| [http_http.this](https://registry.terraform.io/providers/hashicorp/http/latest/docs/data-sources/http) | data source |
### Inputs
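Review bot: the added `http_http.this` data source row is the only place this page records that `terraform plan` now makes an external HTTP request, and a table row cannot carry the caveats a reader needs: which URL is called, whether the data source is evaluated unconditionally or only when the Storage Account network ACL feature is turned on (the bare `.this` name suggests a single ungated instance; if it is behind a `count` or `for_each`, say so), and that in an air-gapped or proxied pipeline the failed request aborts the plan rather than degrading gracefully. Add a sentence to the relevant input description or to the deployment steps above that covers these points.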
@@ -201,7 +203,7 @@ terraform destroy
| [create\_resource\_group](#input\_create\_resource\_group) | When set to `true` it will cause a Resource Group creation. Name of the newly specified RG is controlled by `resource_group_name`.
When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group. | `bool` | `true` | no |
| [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group. | `string` | n/a | yes |
| [enable\_zones](#input\_enable\_zones) | If `true`, enable zone support for resources. | `bool` | `true` | no |
-| [vnets](#input\_vnets) | A map defining VNETs.
For detailed documentation on each property refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/blob/v0.5.4/modules/vnet/README.md)
- `name` : A name of a VNET.
- `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
- `address_space` : a list of CIDRs for VNET
- `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside
- `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
- `subnets` : map of Subnets to create
- `network_security_groups` : map of Network Security Groups to create
- `route_tables` : map of Route Tables to create. | `any` | n/a | yes |
+| [vnets](#input\_vnets) | A map defining VNETs.
For detailed documentation on each property refer to [module documentation](../../modules/vnet/README.md)
- `name` : A name of a VNET.
- `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
- `address_space` : a list of CIDRs for VNET
- `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside
- `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
- `subnets` : map of Subnets to create
- `network_security_groups` : map of Network Security Groups to create
- `route_tables` : map of Route Tables to create. | `any` | n/a | yes |
| [natgws](#input\_natgws) | A map defining Nat Gateways.
Please note that a NatGW is a zonal resource, this means it's always placed in a zone (even when you do not specify one explicitly). Please refer to Microsoft documentation for notes on NatGW's zonal resiliency.
Following properties are supported:
- `name` : a name of the newly created NatGW.
- `create_natgw` : (default: `true`) create or source (when `false`) an existing NatGW. Created or sourced: the NatGW will be assigned to a subnet created by the `vnet` module.
- `resource_group_name : name of a Resource Group hosting the NatGW (newly create or the existing one).
- `zone` : Availability Zone in which the NatGW will be placed, when skipped AzureRM will pick a zone.
- `idle\_timeout` : connection IDLE timeout in minutes, for newly created resources
- `vnet\_key` : a name (key value) of a VNET defined in `var.vnets` that hosts a subnet this NatGW will be assigned to.
- `subnet\_keys` : a list of subnets (key values) the NatGW will be assigned to, defined in `var.vnets` for a VNET described by `vnet\_name`.
- `create\_pip` : (default: `true`) create a Public IP that will be attached to a NatGW
- `existing\_pip\_name` : when `create\_pip` is set to `false`, source and attach and existing Public IP to the NatGW
- `existing\_pip\_resource\_group\_name` : when `create\_pip` is set to `false`, name of the Resource Group hosting the existing Public IP
- `create\_pip\_prefix` : (default: `false`) create a Public IP Prefix that will be attached to the NatGW.
- `pip\_prefix\_length` : length of the newly created Public IP Prefix, can bet between 0 and 31 but this actually supported value depends on the Subscription.
- `existing\_pip\_prefix\_name` : when `create\_pip\_prefix` is set to `false`, source and attach and existing Public IP Prefix to the NatGW
- `existing\_pip\_prefix\_resource\_group\_name` : when `create\_pip\_prefix` is set to `false`, name of the Resource Group hosting the existing Public IP Prefix.
Example:
`natgws = {
"natgw" = {
name = "public-natgw"
vnet\_key = "transit-vnet"
subnet\_keys = ["public"]
zone = 1
}
}
| `any` | `{}` | no |
| [load\_balancers](#input\_load\_balancers) | A map containing configuration for all (private and public) Load Balancer that will be created in this deployment.
Following properties are available (for details refer to module's documentation):
- `name`: name of the Load Balancer resource.
- `network_security_group_name`: (public LB) a name of a security group, an ingress rule will be created in that NSG for each listener. **NOTE** this is the FULL NAME of the NSG (including prefixes).
- `network_security_group_rg_name`: (public LB) a name of a resource group for the security group, to be used when the NSG is hosted in a different RG than the one described in `var.resource_group_name`.
- `network_security_allow_source_ips`: (public LB) a list of IP addresses that will used in the ingress rules.
- `avzones`: (both) for regional Load Balancers, a list of supported zones (this has different meaning for public and private LBs - please refer to module's documentation for details).
- `frontend_ips`: (both) a map configuring both a listener and a load balancing rule, key is the name that will be used as an application name inside LB config as well as to create a rule in NSG (for public LBs), value is an object with the following properties:
- `create_public_ip`: (public LB) defaults to `false`, when set to `true` a Public IP will be created and associated with a listener
- `public_ip_name`: (public LB) defaults to `null`, when `create_public_ip` is set to `false` this property is used to reference an existing Public IP object in Azure
- `public_ip_resource_group`: (public LB) defaults to `null`, when using an existing Public IP created in a different Resource Group than the currently used use this property is to provide the name of that RG
- `private_ip_address`: (private LB) defaults to `null`, specify a static IP address that will be used by a listener
- `vnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a vnet's key (as defined in `vnet` variable). This will be the VNET hosting this Load Balancer
- `subnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a subnet's key (as defined in `vnet` variable) to which the LB will be attached, in case of VMSeries this should be a internal/trust subnet
- `rules` - a map configuring the actual rules load balancing rules, a key is a rule name, a value is an object with the following properties:
- `protocol`: protocol used by the rule, can be one the following: `TCP`, `UDP` or `All` when creating an HA PORTS rule
- `port`: port used by the rule, for HA PORTS rule set this to `0`
Example of a public Load Balancer:"public\_lb" = {
name = "https\_app\_lb"
network\_security\_group\_name = "untrust\_nsg"
network\_security\_allow\_source\_ips = ["1.2.3.4"]
avzones = ["1", "2", "3"]
frontend\_ips = {
"https\_app\_1" = {
create\_public\_ip = true
rules = {
"balanceHttps" = {
protocol = "Tcp"
port = 443
}
}
}
}
}
Example of a private Load Balancer with HA PORTS rule:"private\_lb" = {
name = "ha\_ports\_internal\_lb
frontend\_ips = {
"ha-ports" = {
vnet\_key = "trust\_vnet"
subnet\_key = "trust\_snet"
private\_ip\_address = "10.0.0.1"
rules = {
HA\_PORTS = {
port = 0
protocol = "All"
}
}
}
}
}
| `map` | `{}` | no |
| [vmseries\_version](#input\_vmseries\_version) | VM-Series PAN-OS version - list available with `az vm image list -o table --all --publisher paloaltonetworks`. It's also possible to specify the Pan-OS version per firewall, see `var.vmseries` variable. | `string` | n/a | yes |
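Review bot: the private Load Balancer example in this (unchanged) context has an unterminated string, `name = "ha\_ports\_internal\_lb` is missing its closing quote, so anyone copying the snippet gets a parse error; it should read `name = "ha\_ports\_internal\_lb"`. The same cell documents the rule protocol values as `TCP`, `UDP` or `All`, while the public LB example uses `protocol = "Tcp"`; the example and the documented values should agree on one spelling.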
@@ -210,10 +212,10 @@ terraform destroy
| [vmseries\_username](#input\_vmseries\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no |
| [vmseries\_password](#input\_vmseries\_password) | Initial administrative password to use for all systems. Set to null for an auto-generated password. | `string` | `null` | no |
| [availability\_set](#input\_availability\_set) | A map defining availability sets. Can be used to provide infrastructure high availability when zones cannot be used.
Following properties are supported:
- `name` - name of the Application Insights.
- `update_domain_count` - specifies the number of update domains that are used, defaults to 5 (Azure defaults).
- `fault_domain_count` - specifies the number of fault domains that are used, defaults to 3 (Azure defaults).
Please keep in mind that Azure defaults are not working for each region (especially the small ones, w/o any Availability Zones). Please verify how many update and fault domain are supported in a region before deploying this resource. | `any` | `{}` | no |
-| [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
Names for all AI instances are prefixed with `var.name_prefix`.
Properties supported (for details on each property see [modules documentation](../modules/application\_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
application\_insights = {
metrics\_retention\_in\_days = 365
}
| `map(string)` | `null` | no |
-| [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.
Following properties are supported (except for name, all are optional):
- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.
- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
+| [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:
* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.
Names for all AI instances are prefixed with `var.name_prefix`.
Properties supported (for details on each property see [modules documentation](../../modules/application\_insights/README.md)):
- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details
Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}
application\_insights = {
metrics\_retention\_in\_days = 365
}
| `map(string)` | `null` | no |
+| [bootstrap\_storage](#input\_bootstrap\_storage) | A map defining Azure Storage Accounts used to host file shares for bootstrapping NGFWs. This variable defines only Storage Accounts, file shares are defined per each VM. See `vmseries` variable, `bootstrap_storage` property.
Following properties are supported (except for name, all are optional):
- `name` : name of the Storage Account. Please keep in mind that storage account name has to be globally unique. This name will not be prefixed with the value of `var.name_prefix`.
- `create_storage_account` : (defaults to `true`) create or source (when `false`) an existing Storage Account.
- `resource_group_name` : (defaults to `var.resource_group_name`) name of the Resource Group hosting the Storage Account (existing or newly created). The RG has to exist.
- `storage_acl` : (defaults to `false`) enables network ACLs on the Storage Account. If this is enabled - `storage_allow_vnet_subnets` and `storage_allow_inbound_public_ips` options become available. The ACL defaults to default `Deny`.
- `storage_allow_vnet_subnets` : (defaults to `[]`) whitelist containing the allowed vnet and associated subnets that are allowed to access the Storage Account. Note that the respective subnets require `enable_storage_service_endpoint` set to `true` to work properly.
- `storage_allow_inbound_public_ips` : (defaults to `[]`) whitelist containing the allowed public IP subnets that can access the Storage Account. Note that the code automatically tried to query https://ifconfig.me/ip to obtain the public IP address of the machine executing the code so that the bootstrap files are succuessfuly uploaded to the Storage Account.
The properties below do not directly change anything in the Storage Account settings. They can be used to control common parts of the `DAY0` configuration (used only when full bootstrap is used). These properties can also be specified per firewall, but when specified here they tak higher precedence:
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes). | `any` | `{}` | no |
| [vmseries](#input\_vmseries) | Map of virtual machines to create to run VM-Series - inbound firewalls. Following properties are supported:
- `name` : name of the VMSeries virtual machine.
- `vm_size` : size of the VMSeries virtual machine, when specified overrides `var.vmseries_vm_size`.
- `version` : PanOS version, when specified overrides `var.vmseries_version`.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map. This value will be used during network interfaces creation.
- `add_to_appgw_backend` : bool, `false` by default, set this to `true` to add this backend to an Application Gateway.
- `avzone`: the Azure Availability Zone identifier ("1", "2", "3"). Default is "1".
- `availability_set_name` : a name of an Availability Set as declared in `availability_set` property. Specify when HA is required but cannot go for zonal deployment.
- `bootstrap_options` : string, optional bootstrap options to pass to VM-Series instances, semicolon separated values. When defined this precedence over `bootstrap_storage`
- `bootstrap_storage` : a map containing definition of the bootstrap package content. When present triggers a creation of a File Share in an existing Storage Account, following properties supported:
- `name` : a name of a key in `var.bootstrap_storage` variable defining a Storage Account
- `static_files` : a map where key is a path to a file, value is the location of the file in the bootstrap package (file share). All files in this map are copied 1:1 to the bootstrap package
- `template_bootstrap_xml` : path to the `bootstrap.xml` template. When defined it will trigger creation of the `bootstrap.xml` file and the file will be uploaded to the storage account. This is a simple `day 0` configuration file that should set up only basic networking. Specifying this property forces additional properties that are required to properly template the file. They can be defined per each VM or globally for all VMs (in this case place them in the bootstrap storage definition). The properties are listed below.
- `public_snet_key` : required, name of the key in `var.vnets` map defining a public subnet, required to calculate the Azure router IP for the public subnet.
- `private_snet_key` : required, name of the key in `var.vnets` map defining a private subnet, required to calculate the Azure router IP for the private subnet.
- `intranet_cidr` : optional, CIDR of the private networks required to build a general static route to resources protected by this firewall, when skipped the 1st CIDR from `vnet_name` address space will be used.
- `ai_update_interval` : if Application Insights are used this property can override the default metrics update interval (in minutes).
- `interfaces` : configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available:
- `name`: string that will form the NIC name
- `subnet_key` : (string) a key of a subnet as defined in `var.vnets`
- `create_pip` : (boolean) flag to create Public IP for an interface, defaults to `false`
- `public_ip_name` : (string) when `create_pip` is set to `false` a name of a Public IP resource that should be associated with this Network Interface
- `public_ip_resource_group` : (string) when associating an existing Public IP resource, name of the Resource Group the IP is placed in, defaults to the `var.resource_group_name`
- `load_balancer_key` : (string) key of a Load Balancer defined in the `var.loadbalancers` variable, defaults to `null`
- `private_ip_address` : (string) a static IP address that should be assigned to an interface, defaults to `null` (in that case DHCP is used)
Example:{
"fw01" = {
name = "firewall01"
bootstrap\_storage = {
name = "storageaccountname"
static\_files = { "files/init-cfg.txt" = "config/init-cfg.txt" }
template\_bootstrap\_xml = "templates/bootstrap\_common.tmpl"
public\_snet\_key = "public"
private\_snet\_key = "private"
}
avzone = 1
vnet\_key = "trust"
interfaces = [
{
name = "mgmt"
subnet\_key = "mgmt"
create\_pip = true
private\_ip\_address = "10.0.0.1"
},
{
name = "trust"
subnet\_key = "private"
private\_ip\_address = "10.0.1.1"
load\_balancer\_key = "private\_lb"
},
{
name = "untrust"
subnet\_key = "public"
private\_ip\_address = "10.0.2.1"
load\_balancer\_key = "public\_lb"
public\_ip\_name = "existing\_public\_ip"
}
]
}
}
| `any` | n/a | yes |
-| [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.
For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/blob/main/modules/appgw/README.md).
Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no |
+| [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.
For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](../../modules/appgw/README.md).
Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no |
### Outputs
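Review bot: the new `storage_allow_inbound_public_ips` bullet in the re-added `bootstrap_storage` row should state plainly that applying the module makes an outbound HTTPS request to https://ifconfig.me/ip and adds whatever address that third-party service returns to the Storage Account network ACL; that address is the egress IP of the machine running Terraform (a CI runner or a shared NAT gateway, not necessarily one operator workstation), so the doc should say whether the automatic entry can be disabled or overridden and what happens to the bootstrap upload when the query fails. The wording there also needs fixing: "the code automatically tried to query" should be "tries to query", "succuessfuly" should be "successfully", "tak higher precedence" in the same row should be "take higher precedence", and "The ACL defaults to default `Deny`" in the `storage_acl` bullet reads as a duplicated word. Separately, the re-added `application_insights` row keeps the type `map(string)` while its documented properties include a bool (`workspace_mode`) and a number (`metrics_retention_in_days`), and its own example sets `metrics\_retention\_in\_days = 365`; either the type column or the property list should change so they agree.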
diff --git a/products/terraform/docs/swfw/gcp/vmseries/modules/autoscale.md b/products/terraform/docs/swfw/gcp/vmseries/modules/autoscale.md
index a8d490421..325c26e03 100644
--- a/products/terraform/docs/swfw/gcp/vmseries/modules/autoscale.md
+++ b/products/terraform/docs/swfw/gcp/vmseries/modules/autoscale.md
@@ -32,7 +32,6 @@ title: Auto-Scaling for Palo Alto Networks VM-Series
| Name | Version |
|------|---------|
| [google](#provider\_google) | ~> 4.54 |
-| [random](#provider\_random) | n/a |
### Modules
@@ -42,46 +41,52 @@ No modules.
| Name | Type |
|------|------|
-| [google_compute_autoscaler.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler) | resource |
-| [google_compute_instance_group_manager.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group_manager) | resource |
-| [google_compute_instance_template.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template) | resource |
-| [google_pubsub_subscription.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
-| [google_pubsub_subscription_iam_member.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource |
-| [google_pubsub_topic.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
-| [random_id.autoscaler](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
-| [google_compute_default_service_account.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_default_service_account) | data source |
+| [google_compute_autoscaler.zonal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler) | resource |
+| [google_compute_instance_group_manager.zonal](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_group_manager) | resource |
+| [google_compute_instance_template.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance_template) | resource |
+| [google_compute_region_autoscaler.regional](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_autoscaler) | resource |
+| [google_compute_region_instance_group_manager.regional](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_instance_group_manager) | resource |
+| [google_pubsub_subscription.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription) | resource |
+| [google_pubsub_subscription_iam_member.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_subscription_iam_member) | resource |
+| [google_pubsub_topic.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/pubsub_topic) | resource |
+| [google_compute_default_service_account.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_default_service_account) | data source |
+| [google_compute_zones.main](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_zones) | data source |
### Inputs
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| [autoscaler\_metrics](#input\_autoscaler\_metrics) | The map with the keys being metrics identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization).
Each of the contained objects has attribute `target` which is a numerical threshold for a scale-out or a scale-in.
Each zonal group grows until it satisfies all the targets.
Additional optional attribute `type` defines the metric as either `GAUGE` (the default), `DELTA_PER_SECOND`, or `DELTA_PER_MINUTE`.
For full specification, see the `metric` inside the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `map` | {
"custom.googleapis.com/VMSeries/panSessionThroughputKbps": {
"target": 700000
},
"custom.googleapis.com/VMSeries/panSessionUtilization": {
"target": 70
}
}
| no |
-| [cooldown\_period](#input\_cooldown\_period) | How much tame does it take for a spawned PA-VM to become functional on the initialization boot | `number` | `480` | no |
-| [deployment\_name](#input\_deployment\_name) | Deployment Name that matches what is specified in Panorama GCP Plugin | `string` | n/a | yes |
-| [disk\_type](#input\_disk\_type) | n/a | `string` | `"pd-ssd"` | no |
-| [image](#input\_image) | Link to VM-Series PAN-OS image. Can be either a full self\_link, or one of the shortened forms per the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#image). | `string` | `"https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-912"` | no |
-| [machine\_type](#input\_machine\_type) | GCP instance type to use. | `string` | `"n1-standard-4"` | no |
-| [max\_replicas\_per\_zone](#input\_max\_replicas\_per\_zone) | Maximum number of VM-series instances per *each* of the zones | `number` | `1` | no |
-| [metadata](#input\_metadata) | Metadata for VM-Series firewall. Commented examples below show two examples: 1. partial bootstrap to Panorama 2. Full configuration bootstrap from Google storage bucket. | `map(string)` | `{}` | no |
-| [min\_cpu\_platform](#input\_min\_cpu\_platform) | n/a | `string` | `"Intel Broadwell"` | no |
-| [min\_replicas\_per\_zone](#input\_min\_replicas\_per\_zone) | Minimum number of VM-series instances per *each* of the zones | `number` | `1` | no |
-| [named\_ports](#input\_named\_ports) | (Optional) The list of named ports:named\_ports = [
{
name = "http"
port = "80"
},
{
name = "app42"
port = "4242"
},
]
The name identifies the backend port to receive the traffic from the global load balancers. | `list` | `[]` | no |
-| [network\_interfaces](#input\_network\_interfaces) | List of the network interface specifications.
Available options:
- `subnetwork` - (Required\|string) Self-link of a subnetwork to create interface in.
- `create_public_ip` - (Optional\|boolean) Whether to reserve public IP for the interface. Ignored if `public_ip` is provided. Defaults to 'false'. | `list(any)` | n/a | yes |
-| [pool](#input\_pool) | The self\_link of google\_compute\_target\_pool where the auto-created instances will be placed for healtchecking of External Load Balancer | `string` | `null` | no |
-| [prefix](#input\_prefix) | Prefix to various GCP resource names | `string` | n/a | yes |
-| [region](#input\_region) | The Google Cloud region for the resources. If null is provided, provider region will be used. | `string` | `null` | no |
-| [scale\_in\_control\_replicas\_fixed](#input\_scale\_in\_control\_replicas\_fixed) | Fixed number of VM instances that can be killed in each zone within the scale-in time window.
See `scale_in_control` in the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `number` | `1` | no |
-| [scale\_in\_control\_time\_window\_sec](#input\_scale\_in\_control\_time\_window\_sec) | How many seconds autoscaling should look into the past when scaling in (down).
Default 30 minutes corresponds to the default custom metrics period of 5 minutes
and also to the considerable init time of a fresh instance. | `number` | `1800` | no |
-| [scopes](#input\_scopes) | n/a | `list(string)` | [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read\_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write"
]
| no |
-| [service\_account\_email](#input\_service\_account\_email) | IAM Service Account for running firewall instance (just the email) | `string` | `null` | no |
-| [tags](#input\_tags) | n/a | `list(string)` | `[]` | no |
-| [update\_policy\_type](#input\_update\_policy\_type) | What to do when the underlying template changes (e.g. PAN-OS upgrade).
OPPORTUNISTIC is the only recommended value. Also PROACTIVE is allowed: it immediately
starts to re-create/delete instances and since this is not coordinated with
the instance group manager in other zone, it can easily lead to total outage.
It is thus feasible only in dev environments. Real environments should
perform a "Rolling Update" in GCP web interface. | `string` | `"OPPORTUNISTIC"` | no |
-| [zones](#input\_zones) | Map of zone names for the zonal IGMs | `map(string)` | `{}` | no |
+| [autoscaler\_metrics](#input\_autoscaler\_metrics) | A map with the keys being metrics identifiers (e.g. custom.googleapis.com/VMSeries/panSessionUtilization). Each of the contained objects has attribute `target` which is a numerical threshold for a scale-out or a scale-in. Each zonal group grows until it satisfies all the targets. Additional optional attribute `type` defines the metric as either `GAUGE`, `DELTA_PER_SECOND`, or `DELTA_PER_MINUTE`. For full specification, see the `metric` inside the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `map` | {
"custom.googleapis.com/VMSeries/panSessionThroughputKbps": {
"target": 700000
},
"custom.googleapis.com/VMSeries/panSessionUtilization": {
"target": 70
}
}
| no |
+| [cooldown\_period](#input\_cooldown\_period) | The number of seconds that the autoscaler should wait before it starts collecting information from a new VM-Series. This prevents the autoscaler from collecting information when the VM-Series is initializing, during which the collected usage would not be reliable. Virtual machine initialization times might vary because of numerous factors. | `number` | `480` | no |
+| [create\_pubsub\_topic](#input\_create\_pubsub\_topic) | Set to `true` to create a Pub/Sub topic and subscription. The Panorama Google Cloud Plugin can use this Pub/Sub to trigger actions when the VM-Series Instance Group descales. Actions include, removal of VM-Series from Panorama and automatic delicensing (if VM-Series BYOL licensing is used). For more information, please see [Autoscaling the VM-Series on GCP](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/autoscaling-on-google-cloud-platform). | `bool` | `true` | no |
+| [disk\_type](#input\_disk\_type) | The disk type that is attached to the instances of the VM-Series firewalls. | `string` | `"pd-ssd"` | no |
+| [image](#input\_image) | Link to VM-Series PAN-OS image. Can be either a full self\_link, or one of the shortened forms per the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance#image). | `string` | `"https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-byol-1014"` | no |
+| [machine\_type](#input\_machine\_type) | The instance type for the VM-Series firewalls. | `string` | `"n2-standard-4"` | no |
+| [max\_vmseries\_replicas](#input\_max\_vmseries\_replicas) | The maximum number of VM-Series per region/zone that the autoscaler can scale up to. The maximum number of VM-Series should not be lower than `min_vmseries_replicas`. | `number` | n/a | yes |
+| [metadata](#input\_metadata) | Metadata for VM-Series firewall. The metadata is used to perform mgmt-interface-swap and for bootstrapping the VM-Series.
Ex 1: Partial bootstrap to Panoramametadata = {
type = "dhcp-client"
op-command-modes = "mgmt-interface-swap"
vm-auth-key = "012345601234560123456"
panorama-server = "1.1.1.1"
dgname = "my-device-group"
tplname = "my-template-stack"
dhcp-send-hostname = "yes"
dhcp-send-client-id = "yes"
dhcp-accept-server-hostname = "yes"
dhcp-accept-server-domain = "yes"
}
Ex 2: Full configuration bootstrap from Google storage bucket.metadata = {
mgmt-interface-swap = "enable"
vmseries-bootstrap-gce-storagebucket = "your-bootstrap-bucket"
ssh-keys = "admin:"
}
| `map(string)` | `{}` | no |
+| [min\_cpu\_platform](#input\_min\_cpu\_platform) | The minimum CPU platform for the instance type of the VM-Series firewalls. | `string` | `"Intel Cascade Lake"` | no |
+| [min\_vmseries\_replicas](#input\_min\_vmseries\_replicas) | The minimum number of VM-Series per region/zone that the autoscaler can scale down to. This cannot be less than 0. | `number` | n/a | yes |
+| [name](#input\_name) | The name of the VM-Series deployed. This value will be used as the `base_instance_name` and will be used as a prepended prefix for other created resources. | `string` | n/a | yes |
+| [named\_ports](#input\_named\_ports) | A list of named port configurations. The name identifies the backend port to receive the traffic
from the global load balancers.named\_ports = [
{
name = "http"
port = "80"
},
{
name = "app42"
port = "4242"
},
]
| `list` | `[]` | no |
+| [network\_interfaces](#input\_network\_interfaces) | List of the network interface specifications.
Available options:
- `subnetwork` - (Required\|string) Self-link of a subnetwork to create interface in.
- `create_public_ip` - (Optional\|boolean) Whether to reserve public IP for the interface. | `list(any)` | n/a | yes |
+| [region](#input\_region) | The Google Cloud region for the resources. If null, provider region will be used. | `string` | `null` | no |
+| [regional\_mig](#input\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | n/a | yes |
+| [scale\_in\_control\_replicas\_fixed](#input\_scale\_in\_control\_replicas\_fixed) | Fixed number of VM-Series instances that can be killed within the scale-in time window. See `scale_in_control` in the [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_autoscaler). | `number` | `1` | no |
+| [scale\_in\_control\_time\_window\_sec](#input\_scale\_in\_control\_time\_window\_sec) | How far (in seconds) autoscaling should look into the past when scaling down. | `number` | `1800` | no |
+| [scopes](#input\_scopes) | A list of service scopes. Both OAuth2 URLs and gcloud short names are supported. See a complete list of scopes [here](https://cloud.google.com/sdk/gcloud/reference/alpha/compute/instances/set-scopes#--scopes). | `list(string)` | [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read\_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write"
]
| no |
+| [service\_account\_email](#input\_service\_account\_email) | IAM Service Account applied to the VM-Series instances. | `string` | `null` | no |
+| [tags](#input\_tags) | Tags to attach to the instance | `list(string)` | `[]` | no |
+| [target\_pools](#input\_target\_pools) | A list of target pool URLs to which the instance groups are added. Updating the target pools attribute does not affect existing VM-Series instances. | `list(string)` | `null` | no |
+| [update\_policy\_type](#input\_update\_policy\_type) | What to do when the underlying template changes (e.g. PAN-OS upgrade). OPPORTUNISTIC is the only recommended value. Also PROACTIVE is allowed. | `string` | `"OPPORTUNISTIC"` | no |
+| [zones](#input\_zones) | A map of the zone names for zonal managed instance groups. A managed instance group will be created for every zone entered.
Required if `regional_mig` is set to `false`. | `map(string)` | `{}` | no |
### Outputs
| Name | Description |
|------|-------------|
-| [backends](#output\_backends) | Map of instance group (IG) identifiers, suitable for use in module lb\_internal as input `backends`. |
-| [instance\_group\_manager](#output\_instance\_group\_manager) | n/a |
+| [pubsub\_subscription\_iam\_member\_etag](#output\_pubsub\_subscription\_iam\_member\_etag) | The etag of the Pub/Sub IAM Member. |
+| [pubsub\_subscription\_id](#output\_pubsub\_subscription\_id) | The resource ID of the Pub/Sub Subscription. |
+| [pubsub\_topic\_id](#output\_pubsub\_topic\_id) | The resource ID of the Pub/Sub Topic. |
+| [regional\_instance\_group\_id](#output\_regional\_instance\_group\_id) | The resource ID of the regional VM-Series managed instance group. This output should only be used when `regional_mig` is set to `true`. |
+| [zonal\_instance\_group\_ids](#output\_zonal\_instance\_group\_ids) | The resource IDs of the zonal VM-Series managed instance groups. This output should only be used when `regional_mig` is set to `false`. |
\ No newline at end of file
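Review bot: the `backends` and `instance_group_manager` outputs are removed (the two `-| [backends]` / `-| [instance_group_manager]` rows) with no migration hint, so any root module that wired `module.autoscale.backends` into `lb_internal`'s `backends` input breaks on upgrade; add one line pointing at `regional_instance_group_id` / `zonal_instance_group_ids` and saying which to use for each `regional_mig` value. Separately, `service_account_email` defaults to `null` and the table does not say which identity the firewalls then run under; if that is the project default Compute Engine service account, say so and recommend a dedicated account (the `iam_service_account` module exists for this), because the default `scopes` list already grants `devstorage.read_only` across the project. Minor: `tags` are GCP network tags (firewall-rule selectors), not labels, and `update_policy_type` should state why PROACTIVE is discouraged rather than just "Also PROACTIVE is allowed".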
diff --git a/products/terraform/docs/swfw/gcp/vmseries/modules/bootstrap.md b/products/terraform/docs/swfw/gcp/vmseries/modules/bootstrap.md
index 4022a2fd3..962897ecd 100644
--- a/products/terraform/docs/swfw/gcp/vmseries/modules/bootstrap.md
+++ b/products/terraform/docs/swfw/gcp/vmseries/modules/bootstrap.md
@@ -56,6 +56,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
+| [bootstrap\_files\_dir](#input\_bootstrap\_files\_dir) | Bootstrap file directory. If the variable has a value of `null` (default) - then it will not upload any other files other than the ones specified in the `files` variable.
More information can be found at https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-package. | `string` | `null` | no |
| [files](#input\_files) | Map of all files to copy to bucket. The keys are local paths, the values are remote paths. For example `{"dir/my.txt" = "config/init-cfg.txt"}` | `map(string)` | `{}` | no |
| [folders](#input\_folders) | List of folder paths that will be used to create dedicated boostrap package folder sets per firewall or firewall group (for example to distinguish configuration per region, per inbound/obew role, etc) within the created storage bucket.
A default value (empty list) will result in the creation of a single bootstrap package folder set in the bucket top-level directory. | `list(any)` | `[]` | no |
| [location](#input\_location) | Location in which the GCS Bucket will be deployed. Available locations can be found under https://cloud.google.com/storage/docs/locations. | `string` | n/a | yes |
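Review bot: `bootstrap_files_dir` documents only the `null` case; state what happens when it is set, i.e. that every file under that directory is uploaded to the bucket alongside the `files` entries. Since a VM-Series bootstrap package normally holds `init-cfg.txt` and `bootstrap.xml` with auth keys and admin credentials, add a sentence that the directory should stay out of version control and that bucket access should be limited to the firewall service account. The link points at the 9.1 bootstrap-package page while the rest of this change references 10.2; align them. The `boostrap` typo in the `folders` row (context line) is worth fixing while here.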
diff --git a/products/terraform/docs/swfw/gcp/vmseries/modules/lb_external.md b/products/terraform/docs/swfw/gcp/vmseries/modules/lb_external.md
index d58a010ef..db0dd546d 100644
--- a/products/terraform/docs/swfw/gcp/vmseries/modules/lb_external.md
+++ b/products/terraform/docs/swfw/gcp/vmseries/modules/lb_external.md
@@ -63,8 +63,7 @@ No modules.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [backend\_instance\_groups](#input\_backend\_instance\_groups) | List of backend instance groups | `list` | `[]` | no |
-| [connection\_persistence\_on\_unhealthy\_backends](#input\_connection\_persistence\_on\_unhealthy\_backends) | Specifies connection persistence when backends are unhealthy. If set to DEFAULT\_FOR\_PROTOCOL, the existing connections persist on unhealthy backends only for connection-oriented protocols (TCP and SCTP) and only if the Tracking Mode is PER\_CONNECTION (default tracking mode) or the Session Affinity is configured for 5-tuple. They do not persist for UDP. If set to NEVER\_PERSIST, after a backend becomes unhealthy, the existing connections on the unhealthy backend are never persisted on the unhealthy backend. They are always diverted to newly selected healthy backends (unless all backends are unhealthy). If set to ALWAYS\_PERSIST, existing connections always persist on unhealthy backends regardless of protocol and session affinity. It is generally not recommended to use this mode overriding the default. | `string` | `"DEFAULT_FOR_PROTOCOL"` | no |
-| [connection\_tracking\_mode](#input\_connection\_tracking\_mode) | There are two options: PER\_CONNECTION: The Connection Tracking is performed as per the Connection Key (default Hash Method) for the specific protocol. PER\_SESSION: The Connection Tracking is performed as per the configured Session Affinity. It matches the configured Session Affinity. | `string` | `"PER_CONNECTION"` | no |
+| [connection\_tracking\_policy](#input\_connection\_tracking\_policy) | Connection tracking policy settings, only available for backend service based rules. Following options are available:
- `mode` - (Optional\|string) `PER_CONNECTION` (default) or `PER_SESSION`
- `persistence_on_unhealthy_backends` - (Optional\|string) `DEFAULT_FOR_PROTOCOL` (default), `ALWAYS_PERSIST` or `NEVER_PERSIST`
More information about supported configurations in conjunction with `session_affinity` is available in [Backend service-based external Network Load Balancing](https://cloud.google.com/load-balancing/docs/network/networklb-backend-service#connection-tracking) documentation. | `map(any)` | `null` | no |
| [create\_health\_check](#input\_create\_health\_check) | Whether to create a health check on the target pool. | `bool` | `true` | no |
| [health\_check\_healthy\_threshold](#input\_health\_check\_healthy\_threshold) | Health check parameter, see [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_http_health_check) | `number` | `null` | no |
| [health\_check\_http\_host](#input\_health\_check\_http\_host) | Health check http request host header, with the default adjusted to localhost to be able to check the health of the PAN-OS webui. | `string` | `"localhost"` | no |
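Review bot: `connection_tracking_mode` and `connection_persistence_on_unhealthy_backends` are dropped in favour of `connection_tracking_policy` with no rename hint for existing callers; add one, e.g. `connection_tracking_policy = { mode = "PER_CONNECTION", persistence_on_unhealthy_backends = "DEFAULT_FOR_PROTOCOL" }`. The new input is `map(any)`, so a misspelt key or an unsupported `mode` value is only rejected by the API at apply time; an `object({...})` type with a `validation` block listing the accepted values would catch it at plan. The description says the policy is "only available for backend service based rules" but nothing in this table tells the reader which `rules` entries are backend-service based versus target-pool based; say how the module decides. Also, the removed row carried the warning that `ALWAYS_PERSIST` is generally not recommended; keep it, since pinning flows to a backend the health check has marked down defeats firewall failover.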
@@ -73,14 +72,13 @@ No modules.
| [health\_check\_interval\_sec](#input\_health\_check\_interval\_sec) | Health check parameter, see [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_http_health_check) | `number` | `null` | no |
| [health\_check\_timeout\_sec](#input\_health\_check\_timeout\_sec) | Health check parameter, see [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_http_health_check) | `number` | `null` | no |
| [health\_check\_unhealthy\_threshold](#input\_health\_check\_unhealthy\_threshold) | Health check parameter, see [provider doc](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_http_health_check) | `number` | `null` | no |
-| [idle\_timeout\_sec](#input\_idle\_timeout\_sec) | Specifies how long to keep a Connection Tracking entry while there is no matching traffic (in seconds). For L4 ILB the minimum(default) is 10 minutes and maximum is 16 hours. For NLB the minimum(default) is 60 seconds and the maximum is 16 hours. | `number` | `null` | no |
| [instances](#input\_instances) | List of links to the instances. Expected to be empty when using an autoscaler, as the autoscaler inserts entries to the target pool dynamically. The nic0 of each instance gets the traffic. Even when this list is shifted or re-ordered, it doesn't re-create any resources and such modifications often proceed without any noticeable downtime. | `list(string)` | `null` | no |
| [name](#input\_name) | Name of the backend\_service, target\_pool and of the associated health check. | `string` | n/a | yes |
| [network\_tier](#input\_network\_tier) | The networking tier used for configuring this address. If this field is not specified, it is assumed to be PREMIUM. Possible values are PREMIUM and STANDARD. | `string` | `"PREMIUM"` | no |
| [project](#input\_project) | The project to deploy to. If unset the default provider project is used. | `string` | `""` | no |
| [region](#input\_region) | GCP region to deploy to. If unset the default provider region is used. | `string` | `null` | no |
| [rules](#input\_rules) | Map of objects, the keys are names of the external forwarding rules, each of the objects has the following attributes:
- `port_range`: (Required) The port your service is listening on. Can be a number (80) or a range (8080-8089, or even 1-65535).
- `ip_address`: (Optional) A public IP address on which to listen, must be in the same region as the LB and must be IPv4. If empty, automatically generates a new non-ephemeral IP on a PREMIUM tier.
- `ip_protocol`: (Optional) The IP protocol for the frontend forwarding rule: TCP, UDP, ESP, ICMP, or L3\_DEFAULT. Default is TCP.
- `all_ports`: (Optional) Allows all ports to be forwarded to the Backend Service | `any` | n/a | yes |
-| [session\_affinity](#input\_session\_affinity) | How to distribute load. Options are `NONE`, `CLIENT_IP` and `CLIENT_IP_PROTO`. | `string` | `"NONE"` | no |
+| [session\_affinity](#input\_session\_affinity) | Controls distribution of new connections (or fragmented UDP packets) from clients to the backends, can influence available connection tracking configurations.
Valid values are: NONE (default), CLIENT\_IP, CLIENT\_IP\_PROTO, CLIENT\_IP\_PORT\_PROTO (only available for backend service based rules). | `string` | `"NONE"` | no |
### Outputs
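Review bot: `idle_timeout_sec` is removed (the `-| [idle_timeout_sec]` row) but, unlike the `lb_internal` change in this same diff, the external LB's `connection_tracking_policy` object lists no `idle_timeout_sec` key, so the setting is now unreachable through this module; either add it to the policy map or say explicitly that it was dropped. The removed row was also the only place documenting the 60 s minimum / 16 h maximum for NLB; carry those bounds over if the knob returns.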
diff --git a/products/terraform/docs/swfw/gcp/vmseries/modules/lb_internal.md b/products/terraform/docs/swfw/gcp/vmseries/modules/lb_internal.md
index 6ed921e0e..7080b7c69 100644
--- a/products/terraform/docs/swfw/gcp/vmseries/modules/lb_internal.md
+++ b/products/terraform/docs/swfw/gcp/vmseries/modules/lb_internal.md
@@ -32,6 +32,7 @@ title: Internally-Facing Regional TCP/UDP Load Balancer on GCP
| Name | Version |
|------|---------|
| [google](#provider\_google) | ~> 4.54 |
+| [google-beta](#provider\_google-beta) | n/a |
### Modules
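Review bot: `google-beta` is added with version `n/a` while `google` is pinned to `~> 4.54`; an unpinned beta provider can jump to a new major version with schema changes on the next `terraform init -upgrade`, so pin it to the same constraint in `required_providers` so the two providers cannot drift apart.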
@@ -41,9 +42,9 @@ No modules.
| Name | Type |
|------|------|
+| [google-beta_google_compute_region_backend_service.this](https://registry.terraform.io/providers/hashicorp/google-beta/latest/docs/resources/google_compute_region_backend_service) | resource |
| [google_compute_forwarding_rule.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_forwarding_rule) | resource |
| [google_compute_health_check.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_health_check) | resource |
-| [google_compute_region_backend_service.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_region_backend_service) | resource |
| [google_client_config.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/client_config) | data source |
### Inputs
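Review bot: moving `google_compute_region_backend_service.this` to `google-beta` is not explained; if it is needed for `connection_tracking_policy` (the new input two hunks down), say so, and note that callers now need a `google-beta` provider configuration with the same project and credentials, since `google_client_config.this` still comes from the `google` provider.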
@@ -54,6 +55,7 @@ No modules.
| [allow\_global\_access](#input\_allow\_global\_access) | (Optional) If true, clients can access ILB from all regions. By default false, only allow from the ILB's local region; useful if the ILB is a next hop of a route. | `bool` | `false` | no |
| [backends](#input\_backends) | Names of primary backend groups (IGs or IGMs). Typically use `module.vmseries.instance_group_self_links` here. | `map(string)` | n/a | yes |
| [connection\_draining\_timeout\_sec](#input\_connection\_draining\_timeout\_sec) | (Optional) Time for which instance will be drained (not accept new connections, but still work to finish started). | `number` | `null` | no |
+| [connection\_tracking\_policy](#input\_connection\_tracking\_policy) | Connection tracking policy settings. Following options are available:
- `mode` - (Optional\|string) `PER_CONNECTION` (default) or `PER_SESSION`
- `idle_timeout_sec` - (Optional\|number) Defaults to 600 seconds, can only be modified in specific conditions (see link below)
- `persistence_on_unhealthy_backends` - (Optional\|string) `DEFAULT_FOR_PROTOCOL` (default), `ALWAYS_PERSIST` or `NEVER_PERSIST`
More information about supported configurations in conjunction with `session_affinity` is available in [Internal TCP/UDP Load Balancing](https://cloud.google.com/load-balancing/docs/internal#connection-tracking) documentation. | `map(any)` | `null` | no |
| [disable\_connection\_drain\_on\_failover](#input\_disable\_connection\_drain\_on\_failover) | (Optional) On failover or failback, this field indicates whether connection drain will be honored. Setting this to true has the following effect: connections to the old active pool are not drained. Connections to the new active pool use the timeout of 10 min (currently fixed). Setting to false has the following effect: both old and new connections will have a drain timeout of 10 min. This can be set to true only if the protocol is TCP. The default is false. | `bool` | `null` | no |
| [drop\_traffic\_if\_unhealthy](#input\_drop\_traffic\_if\_unhealthy) | (Optional) Used only when no healthy VMs are detected in the primary and backup instance groups. When set to true, traffic is dropped. When set to false, new connections are sent across all VMs in the primary group. The default is false. | `bool` | `null` | no |
| [failover\_backends](#input\_failover\_backends) | (Optional) Names of failover backend groups (IGs or IGMs). Failover groups are ignored unless the primary groups do not meet collective health threshold. | `map(string)` | `{}` | no |
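Review bot: the `idle_timeout_sec` bullet says it "can only be modified in specific conditions (see link below)"; state the condition in the table instead of deferring to the link, because with a `map(any)` type a value set outside those conditions is only rejected at apply. Also say which `persistence_on_unhealthy_backends` value the HA reference example relies on: with `ALWAYS_PERSIST` existing flows stay on a firewall the health check has already marked down, which is the opposite of what an active/passive pair wants.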
@@ -65,8 +67,9 @@ No modules.
| [name](#input\_name) | Name of the load balancer (that is, both the forwarding rule and the backend service) | `string` | n/a | yes |
| [network](#input\_network) | n/a | `any` | `null` | no |
| [ports](#input\_ports) | Which port numbers are forwarded to the backends (up to 5 ports). Conflicts with all\_ports. | `list(number)` | `[]` | no |
+| [project](#input\_project) | The project to deploy to. If unset the default provider project is used. | `string` | `null` | no |
| [region](#input\_region) | Region to create ILB in. | `string` | `null` | no |
-| [session\_affinity](#input\_session\_affinity) | (Optional, TCP only) Try to direct sessions to the same backend, can be: CLIENT\_IP, CLIENT\_IP\_PORT\_PROTO, CLIENT\_IP\_PROTO, NONE (default is NONE). | `string` | `null` | no |
+| [session\_affinity](#input\_session\_affinity) | Controls distribution of new connections (or fragmented UDP packets) from clients to the backends, can influence available connection tracking configurations.
Valid values are: NONE (default), CLIENT\_IP\_NO\_DESTINATION, CLIENT\_IP, CLIENT\_IP\_PROTO, CLIENT\_IP\_PORT\_PROTO. | `string` | `null` | no |
| [subnetwork](#input\_subnetwork) | n/a | `string` | n/a | yes |
| [timeout\_sec](#input\_timeout\_sec) | (Optional) How many seconds to wait for the backend before dropping the connection. Default is 30 seconds. Valid range is [1, 86400]. | `number` | `null` | no |
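Review bot: the new `session_affinity` text says "NONE (default)" but the Default column is still `null` (`lb_external` in this same change uses `"NONE"`); either set the default to `"NONE"` or say that `null` lets the provider choose. The newly listed `CLIENT_IP_NO_DESTINATION` value deserves one line on when to use it, given that `allow_global_access` above already mentions the ILB-as-next-hop case it is documented by Google for. `project` defaults to `null` here and to `""` in `lb_external`; pick one.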
diff --git a/products/terraform/docs/swfw/gcp/vmseries/modules/vpc.md b/products/terraform/docs/swfw/gcp/vmseries/modules/vpc.md
index c6468e5ce..534afc46a 100644
--- a/products/terraform/docs/swfw/gcp/vmseries/modules/vpc.md
+++ b/products/terraform/docs/swfw/gcp/vmseries/modules/vpc.md
@@ -64,7 +64,7 @@ No modules.
|------|-------------|------|---------|:--------:|
| [allowed\_ports](#input\_allowed\_ports) | A list of ports to pass for the `networks` entries that do not have their own `allowed_ports` attribute. For example ["22", "443"]. Can also include ranges, for example ["80", "8080-8999"]. Empty list means to allow all. | `list(string)` | `[]` | no |
| [allowed\_protocol](#input\_allowed\_protocol) | A protocol (TCP or UDP) to pass for the `networks` entries that do not have their own `allowed_protocol` attribute. | `string` | `"all"` | no |
-| [networks](#input\_networks) | Map of networks, a minimal example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
}
}
An advanced example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
allowed\_sources = ["209.85.152.0/22"]
log\_metadata = "INCLUDE\_ALL\_METADATA"
mtu = 1500
}
}
Full example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
allowed\_sources = ["10.0.0.0/8", "98.98.98.0/28"]
allowed\_protocol = "UDP"
allowed\_ports = ["53", "123-125"]
log\_metadata = "EXCLUDE\_ALL\_METADATA"
delete\_default\_routes\_on\_create = true
}
"imported-from-hostproject" = {
name = "existing-core-vpc"
subnetwork\_name = "existing-subnet"
create\_network = false
create\_subnetwork = false
host\_project\_id = "my-core-project-id"
}
}
Terraform 0.12.x and 0.13.x limitation: the existing networks/subnetworks names should be static strings and not come from other `resource` objects.
It is allowed from Terraform 0.14 onwards. | `any` | n/a | yes |
+| [networks](#input\_networks) | Map of networks, a minimal example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
}
}
An advanced example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
allowed\_sources = ["209.85.152.0/22"]
log\_metadata = "INCLUDE\_ALL\_METADATA"
mtu = 1500
routing\_mode = "REGIONAL"
}
}
Full example:{
"my-vpc" = {
name = "my-vpc"
subnetwork\_name = "my-subnet"
ip\_cidr\_range = "192.168.1.0/24"
allowed\_sources = ["10.0.0.0/8", "98.98.98.0/28"]
allowed\_protocol = "UDP"
allowed\_ports = ["53", "123-125"]
log\_metadata = "EXCLUDE\_ALL\_METADATA"
routing\_mode = "GLOBAL"
delete\_default\_routes\_on\_create = true
}
"imported-from-hostproject" = {
name = "existing-core-vpc"
subnetwork\_name = "existing-subnet"
create\_network = false
create\_subnetwork = false
host\_project\_id = "my-core-project-id"
}
}
Terraform 0.12.x and 0.13.x limitation: the existing networks/subnetworks names should be static strings and not come from other `resource` objects.
It is allowed from Terraform 0.14 onwards. | `any` | n/a | yes |
| [project\_id](#input\_project\_id) | Project in which to create or look for VPCs and subnets | `string` | `null` | no |
| [region](#input\_region) | GCP region for all the created subnetworks and for all the imported subnetworks. Set to null to use a default provider's region.
To add subnetworks with another region use a separate instance of this module (and specify `create_network=false` to avoid creating a duplicate network). | `string` | `null` | no |
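Review bot: `routing_mode` is added to the advanced and full examples but never described in the attribute list; add it with its accepted values and default (the examples imply `REGIONAL` and `GLOBAL`). While in this description, note in the minimal example that, combined with the `allowed_protocol = "all"` and empty `allowed_ports` defaults two rows above, it yields a firewall rule that passes every protocol and port for the given `allowed_sources`, so a reader copying it knows what they get. The Terraform 0.12/0.13 limitation paragraph can go, since the examples elsewhere in this change require Terraform >= 1.2.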
diff --git a/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/7690846b-2aad-4045-913c-8a5cdb80b16b.png b/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/7690846b-2aad-4045-913c-8a5cdb80b16b.png
new file mode 100644
index 000000000..279cfbc58
Binary files /dev/null and b/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/7690846b-2aad-4045-913c-8a5cdb80b16b.png differ
diff --git a/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/vmseries_ha.md b/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/vmseries_ha.md
new file mode 100644
index 000000000..942526b9d
--- /dev/null
+++ b/products/terraform/docs/swfw/gcp/vmseries/reference-architectures/vmseries_ha.md
@@ -0,0 +1,298 @@
+---
+hide_title: true
+id: vmseries_ha
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- gcp
+pagination_next: null
+pagination_prev: null
+sidebar_label: Common Firewall Option with High Availability
+title: 'Reference Architecture with Terraform: VM-Series in GCP, Centralized Architecture,
+ Common NGFW Option'
+---
+
+# Reference Architecture with Terraform: VM-Series in GCP, Centralized Architecture, Common NGFW Option
+
+Palo Alto Networks produces several [validated reference architecture design and deployment documentation guides](https://www.paloaltonetworks.com/resources/reference-architectures), which describe well-architected and tested deployments. When deploying VM-Series in a public cloud, the reference architectures guide users toward the best security outcomes, whilst reducing rollout time and avoiding common integration efforts.
+The Terraform code presented here will deploy Palo Alto Networks VM-Series firewalls in GCP based on a centralized design with common VM-Series for all traffic; for a discussion of other options, please see the design guide from [the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures).
+
+## Reference Architecture Design
+
+![simple](942d7e0a-eafb-42fb-ba53-6fefedb4b69d.png)
+
+This code implements:
+- a _centralized design_, a hub-and-spoke topology with a shared VPC containing VM-Series deployed in high availability to inspect all inbound, outbound, east-west, and enterprise traffic
+- the _common option_, which routes all traffic flows onto a single set of VM-Series
+
+## Detailed Architecture and Design
+
+### Centralized Design
+
+This design uses a VPC Peering. Application functions are distributed across multiple projects that are connected in a logical hub-and-spoke topology. A security project acts as the hub, providing centralized connectivity and control for multiple application projects. You deploy all VM-Series firewalls within the security project. The spoke projects contain the workloads and necessary services to support the application deployment.
+This design model integrates multiple methods to interconnect and control your application project VPC networks with resources in the security project. VPC Peering enables the private VPC network in the security project to peer with, and share routing information to, each application project VPC network. Using Shared VPC, the security project administrators create and share VPC network resources from within the security project to the application projects. The application project administrators can select the network resources and deploy the application workloads.
+
+### Common Option with High Availabikity
+
+The common firewall option wiht High Availability leverages a single set of VM-Series firewalls that acts as a single entity. The sole set of firewalls operates as a shared resource and may present scale limitations with all traffic flowing through a single set of firewalls due to the performance degradation that occurs when traffic crosses virtual routers. This option is suitable for proof-of-concepts and smaller scale deployments because the number of firewalls is low. However, the technical integration complexity is high.
+
+![VM-Series-Common-Firewall-Option-with-HA](7690846b-2aad-4045-913c-8a5cdb80b16b.png)
+
+The scope of this code is to deploy an example of the [VM-Series Common Firewall Option](https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/gcp-architecture-guide#Design%20Model) architecture with [high availability configuration](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-in-high-availability) within a GCP project.
+
+The example makes use of VM-Series full [bootstrap process](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/bootstrap-the-vm-series-firewall-on-google) using XML templates to properly parametrize the initial Day 0 configuration.
+
+With default variable values the topology consists of :
+ - 6 VPC networks :
+ - Management VPC
+ - Untrust (outside) VPC
+ - Trust (inside/security) VPC
+ - HA2 (strictly used for High Availability) VPC
+ - Spoke-1 VPC
+ - Spoke-2 VPC
+ - 2 VM-Series firewalls
+ - 2 Linux Ubuntu VMs (inside Spoke VPCs - for testing purposes)
+ - one internal network loadbalancer (for outbound/east-west traffic)
+ - one external regional network loadbalancer (for inbound traffic)
+
+## Prerequisites
+
+The following steps should be followed before deploying the Terraform code presented here.
+
+1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/)
+2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration)
+
+## Usage
+
+1. Access Google Cloud Shell or any other environment that has access to your GCP project
+
+2. Clone the repository:
+
+```
+git clone https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules
+cd terraform-google-vmseries-modules/examples/vmseries_ha
+```
+
+3. Copy the `example.tfvars` to `terraform.tfvars`.
+
+`project`, `ssh_keys` and `allowed_sources` should be modified for successful deployment and access to the instance.
+
+There are also a few variables that have some default values but which should also be changed as per deployment requirements
+
+ - `region`
+ - `vmseries..bootstrap_options`
+ - `linux_vms..linux_disk_size`
+
+1. Apply the terraform code:
+
+```
+terraform init
+terraform apply
+```
+
+4. Check the output plan and confirm the apply.
+
+5. Check the successful application and outputs of the resulting infrastructure:
+
+```
+Apply complete! Resources: 96 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars)
+
+Outputs:
+
+lbs_internal_ips = {
+ "external-lb" = ""
+}
+lbs_internal_ips = {
+ "internal-lb" = "10.10.12.5"
+}
+linux_vm_ips = {
+ "spoke1-vm" = "192.168.1.2"
+ "spoke2-vm" = "192.168.2.2"
+}
+vmseries_private_ips = {
+ "fw-vmseries-01" = {
+ "0" = "10.10.11.2"
+ "1" = "10.10.10.2"
+ "2" = "10.10.12.2"
+ "3" = "10.10.13.2"
+ }
+ "fw-vmseries-02" = {
+ "0" = "10.10.11.3"
+ "1" = "10.10.10.3"
+ "2" = "10.10.12.3"
+ "3" = "10.10.13.3"
+ }
+}
+vmseries_public_ips = {
+ "fw-vmseries-01" = {
+ "0" = ""
+ "1" = ""
+ }
+ "fw-vmseries-02" = {
+ "0" = ""
+ "1" = ""
+ }
+}
+```
+
+
+## Post build
+
+Connect to the VM-Series instance(s) via SSH using your associated private key and check if the bootstrap process if finished successfuly and then set a password :
+ - Please allow for up to 10-15 minutes for the bootstrap process to finish
+ - The key output you should check for is "Auto-commit Successful"
+
+```
+ssh admin@x.x.x.x -i /PATH/TO/YOUR/KEY/id_rsa
+Welcome admin.
+admin@PA-VM(active)> show system bootstrap status
+
+Bootstrap Phase Status Details
+=============== ====== =======
+Media Detection Success Media detected successfully
+Media Sanity Check Success Media sanity check successful
+Parsing of Initial Config Successful
+Auto-commit Successful
+
+admin@PA-VM(active)> configure
+Entering configuration mode
+[edit]
+admin@PA-VM(active)# set mgt-config users admin password
+Enter password :
+Confirm password :
+
+[edit]
+admin@PA-VM(active)# commit
+Configuration committed successfully
+```
+
+## Check access via web UI
+
+Use a web browser to access `https://` and login with admin and your previously configured password.
+
+## Change the public Loopback public IP Address
+
+For the VM-Series that are backend instance group members of the public-facing loadbalancer - go to Network -> Interfaces -> Loopback and change the value of `1.1.1.1` with the value of object `external-lb` from the `lbs_external_ips` in Terraform outputs.
+
+In order to successfuly access the web server hosted on `spoke-1-vm` - also reconfigure the two NAT policies that contain the destination address of `1.1.1.1` with the IP address from `lbs_external_ips ` from Terraform outputs in Policies -> NAT -> `no-nat-lb-healthchecks` + `inbound-app1`
+
+## Check traffic from spoke VMs
+
+The firewalls are bootstrapped with a generic `allow any` policy just for demo purposes along with an outboud SNAT policy to allow Inernet access from spoke VMs.
+
+SSH to one of the spoke VMs using GCP IAP and gcloud command and test connectivity :
+
+
+```
+gcloud compute ssh spoke1-vm --zone=
+No zone specified. Using zone [us-east1-b] for instance: [spoke1-vm].
+External IP address was not found; defaulting to using IAP tunneling.
+WARNING:
+
+To increase the performance of the tunnel, consider installing NumPy. For instructions,
+please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth
+
+@spoke1-vm:~$ping 8.8.8.8
+@spoke1-vm:~$ping 192.168.2.2
+```
+
+## Check traffic towards the test HTTP web server
+
+From any browser access `http://`
+
+## Test fail-over
+
+Connect to the spoke VM via gcloud CLI and continously ping a destination on the internet :
+
+```
+gcloud compute ssh spoke1-vm --zone=
+No zone specified. Using zone [us-east1-b] for instance: [spoke1-vm].
+External IP address was not found; defaulting to using IAP tunneling.
+WARNING:
+
+To increase the performance of the tunnel, consider installing NumPy. For instructions,
+please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth
+
+@spoke1-vm:~$ping 8.8.8.8
+```
+
+Continously try to access the test HTTP web server - below is an example bash script that will continously try to access the web server :
+
+```
+while true; do curl -vvvv --connect-timeout 2 http:///; sleep 2; done
+```
+
+From the active VM-Series go to Device -> High Availability -> Operational Commands -> Suspend local device for high availability .
+
+Check the succesful inbound and outbound traffic fail-over to and from the spoke VM.
+
+## Reference
+
+### Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| [google](#provider\_google) | n/a |
+| [local](#provider\_local) | n/a |
+
+### Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [bootstrap](#module\_bootstrap) | ../../modules/bootstrap | n/a |
+| [iam\_service\_account](#module\_iam\_service\_account) | ../../modules/iam_service_account | n/a |
+| [lb\_external](#module\_lb\_external) | ../../modules/lb_external | n/a |
+| [lb\_internal](#module\_lb\_internal) | ../../modules/lb_internal | n/a |
+| [vmseries](#module\_vmseries) | ../../modules/vmseries | n/a |
+| [vpc](#module\_vpc) | ../../modules/vpc | n/a |
+| [vpc\_peering](#module\_vpc\_peering) | ../../modules/vpc-peering | n/a |
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [google_compute_instance.linux_vm](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_instance) | resource |
+| [google_compute_route.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_route) | resource |
+| [local_file.bootstrap_xml](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [local_file.init_cfg](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource |
+| [google_compute_image.my_image](https://registry.terraform.io/providers/hashicorp/google/latest/docs/data-sources/compute_image) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bootstrap\_buckets](#input\_bootstrap\_buckets) | A map containing each bootstrap bucket setting.
Example of variable deployment:bootstrap\_buckets = {
vmseries-bootstrap-bucket-01 = {
bucket\_name\_prefix = "bucket-01-"
location = "us"
service\_account\_key = "sa-vmseries-01"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/bootstrap#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+| [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.
Example of variable deployment :lbs\_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip\_protocol = "L3\_DEFAULT"
}
}
http\_health\_check\_port = "80"
http\_health\_check\_request\_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_external#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.
Example of variable deployment :lbs\_internal = {
"internal-lb" = {
name = "internal-lb"
health\_check\_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip\_address = "10.10.12.5"
subnetwork = "fw-trust-sub"
network = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/lb_internal#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+| [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.
Example of varaible deployment:linux\_vms = {
spoke1-vm = {
linux\_machine\_type = "n2-standard-4"
zone = "us-east1-b"
linux\_disk\_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private\_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read\_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service\_account\_key = "sa-linux-01"
}
}
| `any` | `{}` | no |
+| [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no |
+| [networks](#input\_networks) | A map containing each network setting.
Example of variable deployment :networks = {
"mgmt-network" = {
create\_network = true
create\_subnetwork = true
name = "fw-mgmt-vpc"
subnetwork\_name = "fw-mgmt-sub"
ip\_cidr\_range = "10.10.10.0/28"
allowed\_sources = ["1.1.1.1/32"]
delete\_default\_routes\_on\_create = false
allowed\_protocol = "all"
allowed\_ports = []
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc#input_networks)
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
+| [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
+| [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no |
+| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination\_range = "0.0.0.0/0"
network = "fw-trust-vpc"
lb\_internal\_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service\_accounts = {
"sa-vmseries-01" = {
service\_account\_id = "sa-vmseries-01"
display\_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine\_type = "n2-standard-4"
min\_cpu\_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service\_account\_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read\_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap\_bucket\_key = "vmseries-bootstrap-bucket-01"
bootstrap\_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap\_template\_map = {
trust\_gcp\_router\_ip = "10.10.12.1"
untrust\_gcp\_router\_ip = "10.10.11.1"
private\_network\_cidr = "192.168.0.0/16"
untrust\_loopback\_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust\_loopback\_ip = "10.10.12.5/32"
}
named\_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network\_interfaces = [
{
subnetwork = "fw-untrust-sub"
private\_ip = "10.10.11.2"
create\_public\_ip = true
},
{
subnetwork = "fw-mgmt-sub"
private\_ip = "10.10.10.2"
create\_public\_ip = true
},
{
subnetwork = "fw-trust-sub"
private\_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries\_common = {
ssh\_keys = "admin:AAAABBBB..."
vmseries\_image = "vmseries-flex-byol-1022h2"
machine\_type = "n2-standard-4"
min\_cpu\_platform = "Intel Cascade Lake"
service\_account\_key = "sa-vmseries-01"
bootstrap\_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc\_peerings = {
"trust-to-spoke1" = {
local\_network = "fw-trust-vpc"
peer\_network = "spoke1-vpc"
local\_export\_custom\_routes = true
local\_import\_custom\_routes = true
local\_export\_subnet\_routes\_with\_public\_ip = true
local\_import\_subnet\_routes\_with\_public\_ip = true
peer\_export\_custom\_routes = true
peer\_import\_custom\_routes = true
peer\_export\_subnet\_routes\_with\_public\_ip = true
peer\_import\_subnet\_routes\_with\_public\_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-vmseries-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| [lbs\_external\_ips](#output\_lbs\_external\_ips) | Public IP addresses of external network loadbalancers. |
+| [lbs\_internal\_ips](#output\_lbs\_internal\_ips) | Private IP addresses of internal network loadbalancers. |
+| [linux\_vm\_ips](#output\_linux\_vm\_ips) | Private IP addresses of Linux VMs. |
+| [vmseries\_private\_ips](#output\_vmseries\_private\_ips) | Private IP addresses of the vmseries instances. |
+| [vmseries\_public\_ips](#output\_vmseries\_public\_ips) | Public IP addresses of the vmseries instances. |
+
\ No newline at end of file
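Review bot: the three placeholders in the test procedure are empty in this hunk, so the steps cannot be followed as written: `From any browser access \`http://\``, `gcloud compute ssh spoke1-vm --zone=` and `curl -vvvv --connect-timeout 2 http:///`. This looks like `<...>` tokens being swallowed by the Markdown/MDX renderer; spell the targets out in a form that survives rendering (for example `http://EXTERNAL_LB_IP/` and `--zone=ZONE`) and point the reader at the `lbs_external_ips` output for the address, since the `untrust_loopback_ip` comment already says it has to be filled in after deployment. Two smaller points in the Inputs table: the `vmseries` example gives the `fw-mgmt-sub` interface `create_public_ip = true`, while the only thing gating that public management address is the `allowed_sources = ["1.1.1.1/32"]` placeholder in the `networks` example, so add a sentence telling readers to replace it with their own source range (or to leave the management interface without a public IP and reach it over IAP, as the spoke VM is reached); and `roles/viewer` on the VM-Series service account is project-wide read access, so either document why the firewall needs it on top of `roles/compute.networkViewer` and the logging/monitoring roles, or drop it. Style: "continously" (twice), "succesful", "varaible" and "vmserie" are misspelled, "next-hop type of internal load-balance rule" should read "next hop of type internal load balancer forwarding rule", the `google` and `local` providers show `n/a` for version so pinning them in `required_providers` would make the Reference section useful, and the file is missing its trailing newline.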