diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index e2aa32c..3949ab4 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,4 +1,5 @@
---
+# spell-checker:disable
repos:
- repo: https://github.com/adrienverge/yamllint
rev: v1.24.2
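Review bot: every `rev` in this file, including the two tags bumped below, pins a hook to a git tag rather than a commit, and tags are mutable. Since these hooks execute on every developer's machine at commit time, pin each `rev` to the full commit SHA the tag resolves to (`pre-commit autoupdate --freeze` records it with a `# frozen: vX.Y.Z` comment) so a re-pushed tag cannot silently change what runs.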
@@ -8,7 +9,7 @@ repos:
types: [file, yaml]
entry: yamllint
- repo: https://github.com/antonbabenko/pre-commit-terraform
- rev: v1.32.0
+ rev: v1.39.0
hooks:
- id: terraform_fmt
- id: terraform_docs
@@ -27,6 +28,6 @@ repos:
- id: sort-simple-yaml
- id: trailing-whitespace
- repo: https://github.com/thoughtworks/talisman
- rev: v1.6.0
+ rev: v1.9.0
hooks:
- id: talisman-commit
diff --git a/.talismanrc b/.talismanrc
index 7b1f528..0f45687 100644
--- a/.talismanrc
+++ b/.talismanrc
@@ -14,14 +14,22 @@ fileignoreconfig:
- filename: .github/workflows/pre-commit.yml
checksum: 71fea73f97b2882cc899f729b9e9c2b79cd5a199aecdb9a28794e64d4fda859e
- filename: modules/big-ip/instance/README.md
- checksum: 7cc374e7edb7f98530d6f9818820a1549ae20d8c6a9d33bd84e5d16ebc5fb0a0
+ checksum: 4cf9f2888b4c18070c0a1423b50a30f86c3a29f7108f42eaa0f92c95dfde9498
- filename: modules/big-ip/ha/README.md
- checksum: 7395be8cbccffa49105fed677227f125ca0631d9bdc17f9f93084ae6eb5b9a37
+ checksum: 0fa3ce279f0cad506a0b69ea3ba515a9ef5971674ddde4f0a2f7889339a4c762
- filename: modules/big-ip/cfe/README.md
- checksum: ef06939edac22a49742f6d126f0ce4592ec03cb548224d2ad78bd8a6aaba4b0c
+ checksum: 6fed9e58db1fe307d1a72ff26be5c4736f055fe7dee02b3c99a8f6688bc39713
- filename: modules/big-ip/cfe/main.tf
checksum: a3ec435e68eb52f7f43b5694bc6a1d238c86e11d5aab6c92c61459a4daa2199d
- filename: modules/big-ip/cfe/templates/cfe.json
checksum: cc3d6ca42066a846a7585bebdc0490c41e1cb996367018ca7461b82725548053
- filename: modules/big-ip/cfe/files/cloudFailoverExtension.sh
checksum: 0db34f831d6bb25db19ed2b206c3499766cc4d713e7fe8c611970c556a024251
+- filename: modules/big-ip/README.md
+ checksum: 97024310b64f9e6f08a303ccde837a3815fc5f21099a04be10bdc6036f170d05
+- filename: modules/big-ip/metadata/README.md
+ checksum: 2d33509e132ab8b4754c811892d9d1a6349334ccd87f3cafc9497027f1ec9e70
+- filename: modules/big-ip/cfe/examples/single-project-2nic/main.tf
+ checksum: 290742ecf62a5959de43ff2d1d10b3281a6de1d2631d46fbfda809dac91ad635
+- filename: modules/big-ip/cfe/examples/single-project-3nic/main.tf
+ checksum: bb0c52a41e7f5a002d3676f9f90404cf549a02490a7f69b9cac64bc9cff89cd1
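Review bot: the four new `fileignoreconfig` entries (the two READMEs and the two example `main.tf` files) whitelist whatever talisman flagged in those files, but the change does not say what was flagged. For the example `main.tf` files the likely trigger is naming such as `admin_password_secret_manager_key` rather than an embedded credential; please confirm that in the PR description, since a checksum entry silences every detector for that file content. Note also that the README checksums will need recomputing every time `terraform_docs` regenerates a table; if the detector is known, an `ignore_detectors` entry for that path is less churn than a checksum.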
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 71f2f92..d9b576b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,11 +1,11 @@
# How to contribute
-We welcome contributions to this repo, but we do have a few guidelines for
+Contributions are welcome to this repo, but we do have a few guidelines for
contributors.
## Open an issue and pull request for changes
-All submissions, including those from project memebers, are required to go through
+All submissions, including those from project members, are required to go through
review. We use GitHub Pull Requests for this workflow, which should be linked with
an issue for tracking purposes.
See [GitHub](https://help.github.com/articles/about-pull-requests/) for more details.
diff --git a/README.md b/README.md
index f7bfb58..d043fc6 100644
--- a/README.md
+++ b/README.md
@@ -1,25 +1,49 @@
# Unofficial F5 Terraform modules for GCP
+
+
This repo contains unofficial and unsupported1 Terraform modules to
deploy F5 solutions on Google Cloud Platform, using a modular approach that can
be composed into a solution that is consistent for each variant of a product.
+
> NOTE: The modules **do not** include setup and configuration of supporting
-> resources, such as firewall rules or service accounts.
+> resources, such as ingress firewall rules or service accounts. Where required,
+> the examples will include the bare-minimum setup to show demonstrate usage.
+> Some modules will include links to other public GitHub repositories that
+> demonstrate specific use-cases.
+
+## Rationale
+
+The intent is allow for integration of BIG-IP, NGINX+, and other F5 products
+with GCP infrastructure that is managed using Google's
+[Cloud Foundation Toolkit](https://cloud.google.com/foundation-toolkit)
+Terraform modules or an equivalent. These are not fully-baked solutions, but can
+be integrated to build a reusable deployment pipeline.
+
+For example, the modules do not include ingress firewall rule resources as core
+module components. This is because some organizations may mandate use of service
+account based rules, where others prefer tag based, or a combination of both where
+interfaces are attached to peered VPCs. The exception to this is the firewall
+module to support ConfigSync for HA and CFE clusters; since the BIG-IPs will be
+deployed to the same VPC networks, it is reasonably safe to assume a service
+account based rule will be universally applicable.
## BIG-IP
-The BIG-IP modules build on each other to have a similar API (Terraform input
-variables), promoting consistency and reuse.
+The [BIG-IP](modules/big-ip) modules build on each other to have a similar AP
+(implemented as Terraform input variables), promoting consistency and reuse. For
+more information about these open the README files in each module.
1. [x] [Standalone](modules/big-ip/instance/) BIG-IP instances
* [x] Support 1-8 network interfaces
* [x] Opinionated startup scripts
- * [x] Specify default gateway for
+ * [x] Override default gateway when needed; e.g. for bootstrapping in a restricted
+ VPC where data-plane does not have egress.
* [x] [AS3](https://clouddocs.f5.com/products/extensions/f5-appsvcs-extension/latest/) support
* [x] [DO](https://clouddocs.f5.com/products/extensions/f5-declarative-onboarding/latest/) support
-2. [x] [HA](modules/big-ip/ha/) BIG-IP instances
- * [ ] [CFE](https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/) Cloud Failover Extension support
+2. [x] [HA](modules/big-ip/ha/) BIG-IP clustered instances
+ * [x] [CFE](modules/big-ip/cfe/) [Cloud Failover Extension](https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/) support
3. [ ] Autoscaling
4. [ ] WAF
5. [ ] GKE integration with [CIS](https://www.f5.com/products/automation-and-orchestration/container-ingress-services)
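Review bot: three wording slips in this hunk: "to have a similar AP" should read "similar API" (the I was lost in the rewrite), "The intent is allow for integration" needs "is to allow", and "to show demonstrate usage" should keep only one of the two verbs. Otherwise the rationale paragraph is a useful addition: it makes explicit that ingress rules are the consumer's responsibility, with the ConfigSync firewall module as the only exception.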
@@ -34,5 +58,7 @@ TBD
---
+
1This repo will be maintained on a best-effort basis, but is not a
substitute for F5 support.
+
diff --git a/foundations/README.md b/foundations/README.md
index 1d2ffda..d855da4 100644
--- a/foundations/README.md
+++ b/foundations/README.md
@@ -1,4 +1,4 @@
# Foundations
-This module is used to setup multiple networks for testing the F5 modules. It is
-not needed for consumers of the modules.
+This module is used to setup multiple networks for testing the published modules.
+It is not needed for consumers of the modules.
diff --git a/modules/big-ip/README.md b/modules/big-ip/README.md
new file mode 100644
index 0000000..7dd8ec7
--- /dev/null
+++ b/modules/big-ip/README.md
@@ -0,0 +1,43 @@
+# BIG-IP modules
+
+
+These modules support deploying BIG-IP v13, v14, and v15 instances to Google Cloud
+in an opinionated manner. By themselves they do not implement a full stack or
+solution, and additional setup will be needed for firewall rules, service account
+creation and role assignments.
+
+## Dependencies
+
+The BIG-IP modules all have a common set of requirements.
+
+1. Terraform 0.12
+
+ A future version of these modules will target Terraform 0.13 once the majority
+ of module consumers request it.
+
+2. Google Cloud [Secret Manager](https://cloud.google.com/secret-manager)
+
+ There are many good options for run-time secret injection but this module is
+ supporting Google's Secret Manager only at this time.
+
+3. APIs to enable
+
+ * Compute Engine `compute.googleapis.com`
+ * Secret Manager `secretmanager.googleapis.com`
+ * Storage (required for CFE) `storage-api.googleapis.com`
+
+## Run-time setup
+
+The BIG-IP modules in this repo support [cloud-init](https://cloudinit.readthedocs.io/en/latest/)
+and [metadata-startup-script](https://cloud.google.com/compute/docs/startupscript)
+boot options, defaulting to the metadata startup-script for compatibility with
+BIG-IP versions 13.x, 14.x, and 15.x. Set the `use_cloud_init` input variable to
+`true`.
+
+Fundamentally both approaches launch the same shell scripts; the difference is
+that `cloud-init` script installs a systemd service unit with dependencies to
+prevent early execution, and automatically disables the service unit after
+success. The simple metadata startup-script will execute on every boot.
+
+For more information on how run-time configuration is applied to each BIG-IP
+instance, see the [configuration details](metadata#configuration) section in [metadata module](metadata).
diff --git a/modules/big-ip/cfe/README.md b/modules/big-ip/cfe/README.md
index e9eb8b7..13ec947 100644
--- a/modules/big-ip/cfe/README.md
+++ b/modules/big-ip/cfe/README.md
@@ -1,9 +1,13 @@
# BIG-IP instance module
-This module encapsulates the creation of BIG-IP HA cluster.
+This module encapsulates the creation of BIG-IP HA cluster with [Cloud Failover
+Extension](https://clouddocs.f5.com/products/extensions/f5-cloud-failover/latest/)
+to manage run-time update of GCP routing on failover event.
*Note:* This module is unsupported and not an official F5 product.
+
+
## Requirements
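Review bot: the heading still says "BIG-IP instance module" although this is the CFE module, and "to manage run-time update of GCP routing on failover event" is ungrammatical; suggest "encapsulates the creation of a BIG-IP HA cluster with Cloud Failover Extension, which updates GCP routes and alias IP ranges when failover occurs", which also matches the `*_vip_cidrs` inputs documented below.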
@@ -20,7 +24,7 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retreived from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
+| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retrieved from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
| allow\_phone\_home | Allow the BIG-IP VMs to send high-level device use information to help F5
optimize development resources. If set to false the information is not sent. | `bool` | `true` | no |
| allow\_usage\_analytics | Allow the BIG-IP VMs to send anonymous statistics to F5 to help us determine how
to improve our solutions (default). If set to false no statistics will be sent. | `bool` | `true` | no |
| as3\_payloads | An optional, but recommended, list of AS3 JSON files that can be used to setup
the BIG-IP instances. If left empty (default), the module will use a simple
no-op AS3 declaration. | `list(string)` | `[]` | no |
@@ -33,7 +37,7 @@ No provider.
| description | An optional description that will be applied to the instances. Default value is
an empty string, which will be replaced by a generated description at run-time. | `string` | `""` | no |
| disk\_size\_gb | Use this flag to set the boot volume size in GB. If left at the default value
the boot disk will have the same size as specified in 'bigip\_image'. | `number` | `null` | no |
| disk\_type | The boot disk type to use with instances; can be 'pd-ssd' (default), or
'pd-standard'.
\*Note:\* Choosing 'pd-standard' will reduce operating cost, but at the expense of
network performance. | `string` | `"pd-ssd"` | no |
-| dns\_servers | An optonal list of DNS servers for BIG-IP instances to use, if explicit DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` |
[
"169.254.169.254"
]
| no |
+| dns\_servers | An optional list of DNS servers for BIG-IP instances to use, if explicit DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| do\_payloads | The Declarative Onboarding contents to apply to the instances. This
module has migrated to use of Declarative Onboarding for module activation,
licensing, NTP, DNS, and other
basic configurations. Sample payloads are in the examples folder.
Note: if left empty, the module will use a simple JSON that sets NTP and DNS,
and enables LTM module, and configures a sync-group with active-standby failover
among the instances. | `list(string)` | `[]` | no |
| enable\_os\_login | Set to true to enable OS Login on the VMs. Default value is false as BIG-IP does
not support in OS Login mode currently.
NOTE: this value will override an 'enable-oslogin' key in `metadata` map. | `bool` | `false` | no |
| enable\_serial\_console | Set to true to enable serial port console on the VMs. Default value is false. | `bool` | `false` | no |
@@ -44,28 +48,28 @@ No provider.
| image | The self-link URI for a BIG-IP image to use as a base for the VM cluster. This
can be an official F5 image from GCP Marketplace, or a customised image. | `string` | n/a | yes |
| install\_cloud\_libs | An optional list of cloud library URLs that will be downloaded and installed on
the BIG-IP VM during initial boot. The contents of each download will be compared
to the verifyHash file, and failure will cause the boot scripts to fail. Default
list will install F5 Cloud Libraries (w/GCE extension), AS3, Declarative
Onboarding, and Cloud Failover extensions. | `list(string)` | [
"https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs/v4.22.0/f5-cloud-libs.tar.gz",
"https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs-gce/v2.6.0/f5-cloud-libs-gce.tar.gz",
"https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.22.1/f5-appsvcs-3.22.1-1.noarch.rpm",
"https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.15.0/f5-declarative-onboarding-1.15.0-3.noarch.rpm",
"https://github.com/F5Networks/f5-cloud-failover-extension/releases/download/v1.5.0/f5-cloud-failover-1.5.0-0.noarch.rpm"
]
| no |
| instance\_name\_template | A format string that will be used when naming instance, that should include a
format token for including ordinal number. E.g. 'bigip-%d', such that %d will
be replaced with the ordinal of each instance. Default value is 'bigip-%d'. | `string` | `"bigip-%d"` | no |
-| internal\_subnetwork\_network\_ips | Alist of lists of IP addresses to assign to BIG-IP instances on their internal
interfaces. Required if the instances have 3+ networks defined.
E.g. to assign addresses to two internal networks:-
internal\_subnetwork\_network\_ips = [
# Will be assigned to first instance
[
"10.0.0.4", # first internal nic
"10.0.1.4", # second internal nic
],
# Will be assigned to second instance
[
"10.0.0.5",
"10.0.1.5",
],
...
] | `list(list(string))` | `[]` | no |
+| internal\_subnetwork\_network\_ips | A list of lists of IP addresses to assign to BIG-IP instances on their internal
interfaces. Required if the instances have 3+ networks defined.
E.g. to assign addresses to two internal networks:-
internal\_subnetwork\_network\_ips = [
# Will be assigned to first instance
[
"10.0.0.4", # first internal nic
"10.0.1.4", # second internal nic
],
# Will be assigned to second instance
[
"10.0.0.5",
"10.0.1.5",
],
...
] | `list(list(string))` | `[]` | no |
| internal\_subnetwork\_tier | The network tier to set for internal subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the internal interface is
permitted to have a public IP address (see `provision_internal_public_ip`) | `string` | `"PREMIUM"` | no |
| internal\_subnetwork\_vip\_cidrs | An optional list of CIDRs to assign to *active* BIG-IP instance as VIPs on its
internal interface. E.g. to assign two CIDR blocks as VIPs:-
internal\_subnetwork\_vip\_cidrs = [
"10.1.0.0/16",
"10.2.0.0/24",
] | `list(string)` | `[]` | no |
-| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffoc on NICs eth[2-8]. | `list(string)` | `[]` | no |
+| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffic on NICs eth[2-8]. | `list(string)` | `[]` | no |
| labels | An optional map of *labels* to add to the instance template. | `map(string)` | `{}` | no |
| license\_type | A BIG-IP license type to use with the BIG-IP instance. Must be one of "byol" or
"payg", with "byol" as the default. If set to "payg", the image must be a PAYG
image from F5's official project or the instance will fail to onboard correctly. | `string` | `"byol"` | no |
-| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VPCUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
+| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VCPUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
| management\_subnetwork | An optional fully-qualified self-link of the subnet that will be used for
management access (2+ NIC deployment). | `string` | `null` | no |
| management\_subnetwork\_network\_ips | A list of IP addresses to assign to BIG-IP instances on their management
interface. Required if there are 2+ NICs defined for instances. | `list(string)` | `[]` | no |
| management\_subnetwork\_tier | The network tier to set for management subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the management interface is
permitted to have a public IP address (see `provision_management_public_ip`) | `string` | `"PREMIUM"` | no |
| management\_subnetwork\_vip\_cidrs | An optional list of CIDRs to assign to *active* BIG-IP instance as VIPs on its
management interface. E.g. to assign two CIDR blocks as VIPs:-
management\_subnetwork\_vip\_cidrs = [
"10.1.0.0/16",
"10.2.0.0/24",
] | `list(string)` | `[]` | no |
| metadata | An optional map of metadata values that will be applied to the instances. | `map(string)` | `{}` | no |
-| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
microarchitecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
-| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioing-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
-| ntp\_servers | An optonal list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
micro-architecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
+| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioning-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
+| ntp\_servers | An optional list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| num\_instances | The number of BIG-IP instances to provision in CFE HA cluster. Default value is 2. | `number` | `2` | no |
-| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetimne of 24 hours. Default
value is false. | `string` | `false` | no |
+| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetime of 24 hours. Default
value is false. | `string` | `false` | no |
| project\_id | The GCP project identifier where the cluster will be created. | `string` | n/a | yes |
-| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the extenral interface. | `bool` | `true` | no |
+| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the external interface. | `bool` | `true` | no |
| provision\_internal\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the internal interfaces of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the internal interfaces. | `bool` | `false` | no |
| provision\_management\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the management interface of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the management interface. | `bool` | `false` | no |
-| search\_domains | An optonal list of DNS search domains for BIG-IP instances to use, if explicit
DO files are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
+| search\_domains | An optional list of DNS search domains for BIG-IP instances to use, if explicit
DO files are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
| service\_account | The service account that will be used for the BIG-IP VMs. | `string` | n/a | yes |
| ssh\_keys | An optional set of SSH public keys, concatenated into a single string. The keys
will be added to instance metadata. Default is an empty string.
See also `enable_os_login`. | `string` | `""` | no |
| tags | An optional list of *network tags* to add to the instance template. | `list(string)` | `[]` | no |
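Review bot: `preemptible` is typed `string` with a default of `false` while every other flag in this table is `bool`; a consumer passing `"false"` gets a non-empty string that is truthy in a conditional, so change the type to `bool`. The `modules` description says "See `do_payload`" but the input is named `do_payloads`. Separately, `provision_external_public_ip` defaults to `true`, so a consumer who omits it gets a public address on the data-plane interface of both instances, while the README explicitly leaves ingress firewall rules to the consumer; consider defaulting this to `false` or calling the combination out in the description. The `install_cloud_libs` behaviour of comparing each download to the verifyHash file and failing the boot otherwise is the right default and should stay.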
@@ -79,7 +83,7 @@ No provider.
|------|-------------|
| external\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the external
NIC. |
| external\_public\_ips | A list of the public IP addresses assigned to instances on the external NIC. |
-| external\_vips | A list of IP CIDRs asssigned to the active instance on its external NIC. |
+| external\_vips | A list of IP CIDRs assigned to the active instance on its external NIC. |
| instance\_addresses | A map of instance name to assigned IP addresses and alias CIDRs. |
| internal\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the internal
NICs, if present. |
| internal\_public\_ips | A list of the public IP addresses assigned to instances on the internal NICs,
if present. |
@@ -88,3 +92,4 @@ No provider.
| self\_links | A list of self-links of the BIG-IP instances. |
+
diff --git a/modules/big-ip/cfe/examples/single-project-2nic/main.tf b/modules/big-ip/cfe/examples/single-project-2nic/main.tf
new file mode 100644
index 0000000..d2b3452
--- /dev/null
+++ b/modules/big-ip/cfe/examples/single-project-2nic/main.tf
@@ -0,0 +1,96 @@
+# Example Terraform to create a three-NIC instance of BIG-IP using default
+# compute service account, and a Marketplace PAYG image.
+#
+# Note: values to be updated by implementor are shown as [ITEM], where ITEM should
+# be changed to the correct resource name/identifier.
+
+# Only supported on Terraform 0.12
+terraform {
+ required_version = "~> 0.12"
+}
+
+# Create a custom CFE role for BIG-IP service account
+module "cfe_role" {
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/cfe/role?ref=v1.1.0"
+ source = "../../role/"
+ target_type = "project"
+ target_id = var.project_id
+ members = [format("serviceAccount:%s", var.service_account)]
+}
+
+# Reserve IPs on external subnet for BIG-IP nic0s
+resource "google_compute_address" "ext" {
+ count = var.num_instances
+ project = var.project_id
+ name = format("bigip-ext-%d", count.index)
+ subnetwork = var.external_subnet
+ address_type = "INTERNAL"
+ region = replace(var.zone, "/-[a-z]$/", "")
+}
+
+# Reserve VIP on external subnet for BIG-IP
+resource "google_compute_address" "vip" {
+ project = var.project_id
+ name = "bigip-ext-vip"
+ subnetwork = var.external_subnet
+ address_type = "INTERNAL"
+ region = replace(var.zone, "/-[a-z]$/", "")
+}
+
+# Reserve IPs on management subnet for BIG-IP nic1s
+resource "google_compute_address" "mgt" {
+ count = var.num_instances
+ project = var.project_id
+ name = format("bigip-mgt-%d", count.index)
+ subnetwork = var.management_subnet
+ address_type = "INTERNAL"
+ region = replace(var.zone, "/-[a-z]$/", "")
+}
+
+# Random name for CFE bucket
+resource "random_id" "bucket" {
+ byte_length = 8
+}
+
+# Create CFE bucket - use a random value as part of the name so that new bucket
+# can be created with same prefix without waiting.
+module "cfe_bucket" {
+ source = "terraform-google-modules/cloud-storage/google"
+ version = "1.6.0"
+ project_id = var.project_id
+ prefix = "bigip-cfe-example"
+ names = [random_id.bucket.hex]
+ force_destroy = {
+ "${random_id.bucket.hex}" = true
+ }
+ location = "US"
+ set_admin_roles = false
+ set_creator_roles = false
+ set_viewer_roles = true
+ viewers = [format("serviceAccount:%s", var.service_account)]
+ # Label the bucket with the CFE pair, as supplied to CFE module
+ labels = {
+ f5_cloud_failover_label = "cfe-example"
+ }
+}
+
+module "cfe" {
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/cfe?ref=v1.1.0"
+ source = "../../"
+ project_id = var.project_id
+ num_instances = var.num_instances
+ zones = [var.zone]
+ machine_type = "n1-standard-8"
+ service_account = var.service_account
+ external_subnetwork = var.external_subnet
+ external_subnetwork_network_ips = [for r in google_compute_address.ext : r.address]
+ external_subnetwork_vip_cidrs = [google_compute_address.vip.address]
+ management_subnetwork = var.management_subnet
+ management_subnetwork_network_ips = [for r in google_compute_address.mgt : r.address]
+ image = var.image
+ allow_phone_home = false
+ allow_usage_analytics = false
+ admin_password_secret_manager_key = var.admin_password_key
+ cfe_label_key = "f5_cloud_failover_label"
+ cfe_label_value = "cfe-example"
+}
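Review bot: the header comment says "three-NIC instance" but this is the single-project-2nic example and only `external_subnetwork` and `management_subnetwork` are wired, so fix the comment. `required_version = "~> 0.12"` admits 0.13.x despite the "Only supported on Terraform 0.12" comment; use `~> 0.12.0` if that is the intent. The commented-out `source` lines lack the `//` separator Terraform needs before a subdirectory in a git source, i.e. `git::https://github.com/memes/f5-google-terraform-modules//modules/big-ip/cfe/role?ref=v1.1.0`. The comment recommends the default compute service account, which carries project-wide Editor unless an org policy removes it; since the example already binds `cfe_role` to `var.service_account`, recommend a dedicated least-privilege account instead. On the bucket, only `set_viewer_roles` is granted to the service account; CFE has to write its failover state objects, so either confirm that `cfe_role` grants object create/update at project scope or add an object-writer grant on the bucket. Minor: the `replace(var.zone, "/-[a-z]$/", "")` expression is repeated three times and belongs in a local.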
diff --git a/modules/big-ip/cfe/examples/single-project-2nic/outputs.tf b/modules/big-ip/cfe/examples/single-project-2nic/outputs.tf
new file mode 100644
index 0000000..363077d
--- /dev/null
+++ b/modules/big-ip/cfe/examples/single-project-2nic/outputs.tf
@@ -0,0 +1,6 @@
+output "instance_self_links" {
+ description = <
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 0.12 |
+| google | >= 3.19 |
+
+## Providers
+
+No provider.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| bigip\_service\_account | The service account that will be used for the BIG-IP VMs; the firewall rules will
be constructed to use this for source and target filtering. | `string` | n/a | yes |
+| dataplane\_firewall\_name | The name to use for data-plane network firewall rule. Default is
'allow-bigip-configsync-data-plane'. | `string` | `"allow-bigip-configsync-data-plane"` | no |
+| dataplane\_network | The fully-qualified self-link of the subnet that will be used for data-plane
ConfigSync traffic. | `string` | n/a | yes |
+| management\_firewall\_name | The name to use for Manangement (control-plane) network firewall rule. Default is
'allow-bigip-configsync-mgt'. | `string` | `"allow-bigip-configsync-mgt"` | no |
+| management\_network | The fully-qualified self-link of the subnet that will be used for Management
(control-plane) ConfigSync traffic. | `string` | n/a | yes |
+| project\_id | The GCP project identifier where the cluster will be created. | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+
+
+
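Review bot: the outputs.tf hunk shows only `description = <` and the heredoc body is missing from this view, so it cannot be reviewed here. In the firewall README, "Manangement" should be "Management". More importantly, `dataplane_network` and `management_network` are documented as "the fully-qualified self-link of the subnet", but the variable names say network and GCE firewall rules attach to a VPC network, not a subnet; confirm what the wrapped `ha/firewall` module actually expects and align the descriptions with it.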
diff --git a/modules/big-ip/cfe/firewall/main.tf b/modules/big-ip/cfe/firewall/main.tf
new file mode 100644
index 0000000..0c11d54
--- /dev/null
+++ b/modules/big-ip/cfe/firewall/main.tf
@@ -0,0 +1,18 @@
+terraform {
+ required_version = "~> 0.12"
+ required_providers {
+ google = ">= 3.19"
+ }
+ experiments = [variable_validation]
+}
+
+# CFE requirements for firewall are the same as HA
+module "ha_firewall" {
+ source = "../../ha/firewall/"
+ project_id = var.project_id
+ bigip_service_account = var.bigip_service_account
+ management_firewall_name = var.management_firewall_name
+ management_network = var.management_network
+ dataplane_firewall_name = var.dataplane_firewall_name
+ dataplane_network = var.dataplane_network
+}
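Review bot: `experiments = [variable_validation]` is combined with `required_version = "~> 0.12"`, which admits 0.13, where variable validation is standard and the opt-in only produces a warning; tighten to `~> 0.12.0` if 0.12 is the supported target (as the README states), and drop the experiments block when the modules move to 0.13. This file declares no variables itself, which is fine because the experiment is module-wide, but it means the validation blocks in `variables.tf` are the only thing justifying the line.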
diff --git a/modules/big-ip/cfe/firewall/variables.tf b/modules/big-ip/cfe/firewall/variables.tf
new file mode 100644
index 0000000..765599f
--- /dev/null
+++ b/modules/big-ip/cfe/firewall/variables.tf
@@ -0,0 +1,68 @@
+variable "project_id" {
+ type = string
+ description = <
+
## Requirements
@@ -19,11 +21,11 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| id | An identifier to use for the new role; default is 'bigip\_cfe'. This id must
be unique at the orgnization or project level depending on value of target\_type
respectively. E.g. multiple projects can all have a 'bigip\_cfe' role defined,
but an organization level role must be uniquely named. | `string` | `"bigip_cfe"` | no |
+| id | An identifier to use for the new role; default is 'bigip\_cfe'. This id must
be unique at the organization or project level depending on value of target\_type
respectively. E.g. multiple projects can all have a 'bigip\_cfe' role defined,
but an organization level role must be uniquely named. | `string` | `"bigip_cfe"` | no |
| members | An optional list of accounts that will be assigned the custom role. Default is
an empty list. | `list(string)` | `[]` | no |
-| target\_id | Sets the target for role creation; must be either an orgnization ID (target\_type = 'org'),
or project ID (target\_type = 'project'). | `string` | n/a | yes |
+| target\_id | Sets the target for role creation; must be either an organization ID (target\_type = 'org'),
or project ID (target\_type = 'project'). | `string` | n/a | yes |
| target\_type | Determines if the CFE role is to be created for the whole organization ('org')
or at a 'project' level. Default is 'project'. | `string` | `"project"` | no |
-| title | The human-readible title to assign to the custom CFE role. Default is 'Custom BIG-IP CFE role'. | `string` | `"Custom BIG-IP CFE role"` | no |
+| title | The human-readable title to assign to the custom CFE role. Default is 'Custom BIG-IP CFE role'. | `string` | `"Custom BIG-IP CFE role"` | no |
## Outputs
@@ -32,3 +34,4 @@ No provider.
| qualified\_role\_id | The qualified role-id for the custom CFE role. |
+
diff --git a/modules/big-ip/cfe/role/variables.tf b/modules/big-ip/cfe/role/variables.tf
index 236d4e6..f71ca2a 100644
--- a/modules/big-ip/cfe/role/variables.tf
+++ b/modules/big-ip/cfe/role/variables.tf
@@ -14,7 +14,7 @@ EOD
variable "target_id" {
type = string
description = <
+
## Requirements
@@ -20,7 +22,7 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retreived from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
+| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retrieved from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
| allow\_phone\_home | Allow the BIG-IP VMs to send high-level device use information to help F5
optimize development resources. If set to false the information is not sent. | `bool` | `true` | no |
| allow\_usage\_analytics | Allow the BIG-IP VMs to send anonymous statistics to F5 to help us determine how
to improve our solutions (default). If set to false no statistics will be sent. | `bool` | `true` | no |
| as3\_payloads | An optional, but recommended, list of AS3 JSON files that can be used to setup
the BIG-IP instances. If left empty (default), the module will use a simple
no-op AS3 declaration. | `list(string)` | `[]` | no |
@@ -31,7 +33,7 @@ No provider.
| description | An optional description that will be applied to the instances. Default value is
an empty string, which will be replaced by a generated description at run-time. | `string` | `""` | no |
| disk\_size\_gb | Use this flag to set the boot volume size in GB. If left at the default value
the boot disk will have the same size as specified in 'bigip\_image'. | `number` | `null` | no |
| disk\_type | The boot disk type to use with instances; can be 'pd-ssd' (default), or
'pd-standard'.
\*Note:\* Choosing 'pd-standard' will reduce operating cost, but at the expense of
network performance. | `string` | `"pd-ssd"` | no |
-| dns\_servers | An optonal list of DNS servers for BIG-IP instances to use, if explicit DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| dns\_servers | An optional list of DNS servers for BIG-IP instances to use, if explicit DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| do\_payloads | The Declarative Onboarding contents to apply to the instances. This
module has migrated to use of Declarative Onboarding for module activation,
licensing, NTP, DNS, and other
basic configurations. Sample payloads are in the examples folder.
Note: if left empty, the module will use a simple JSON that sets NTP and DNS,
and enables LTM module, and configures a sync-group with active-standby failover
among the instances. | `list(string)` | `[]` | no |
| enable\_os\_login | Set to true to enable OS Login on the VMs. Default value is false as BIG-IP does
not support in OS Login mode currently.
NOTE: this value will override an 'enable-oslogin' key in `metadata` map. | `bool` | `false` | no |
| enable\_serial\_console | Set to true to enable serial port console on the VMs. Default value is false. | `bool` | `false` | no |
@@ -42,28 +44,28 @@ No provider.
| image | The self-link URI for a BIG-IP image to use as a base for the VM cluster. This
can be an official F5 image from GCP Marketplace, or a customised image. | `string` | n/a | yes |
| install\_cloud\_libs | An optional list of cloud library URLs that will be downloaded and installed on
the BIG-IP VM during initial boot. The contents of each download will be compared
to the verifyHash file, and failure will cause the boot scripts to fail. Default
list is empty, and BIG-IP will be provisioned using the default libraries in
instance module. | `list(string)` | `[]` | no |
| instance\_name\_template | A format string that will be used when naming instance, that should include a
format token for including ordinal number. E.g. 'bigip-%d', such that %d will
be replaced with the ordinal of each instance. Default value is 'bigip-%d'. | `string` | `"bigip-%d"` | no |
-| internal\_subnetwork\_network\_ips | Alist of lists of IP addresses to assign to BIG-IP instances on their internal
interfaces. Required if the instances have 3+ networks defined.
E.g. to assign addresses to two internal networks:-
internal\_subnetwork\_network\_ips = [
# Will be assigned to first instance
[
"10.0.0.4", # first internal nic
"10.0.1.4", # second internal nic
],
# Will be assigned to second instance
[
"10.0.0.5",
"10.0.1.5",
],
...
] | `list(list(string))` | `[]` | no |
+| internal\_subnetwork\_network\_ips | A list of lists of IP addresses to assign to BIG-IP instances on their internal
interfaces. Required if the instances have 3+ networks defined.
E.g. to assign addresses to two internal networks:-
internal\_subnetwork\_network\_ips = [
# Will be assigned to first instance
[
"10.0.0.4", # first internal nic
"10.0.1.4", # second internal nic
],
# Will be assigned to second instance
[
"10.0.0.5",
"10.0.1.5",
],
...
] | `list(list(string))` | `[]` | no |
| internal\_subnetwork\_tier | The network tier to set for internal subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the internal interface is
permitted to have a public IP address (see `provision_internal_public_ip`) | `string` | `"PREMIUM"` | no |
| internal\_subnetwork\_vip\_cidrs | An optional list of CIDRs to assign to *active* BIG-IP instance as VIPs on its
internal interface. E.g. to assign two CIDR blocks as VIPs:-
internal\_subnetwork\_vip\_cidrs = [
"10.1.0.0/16",
"10.2.0.0/24",
] | `list(string)` | `[]` | no |
-| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffoc on NICs eth[2-8]. | `list(string)` | `[]` | no |
+| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffic on NICs eth[2-8]. | `list(string)` | `[]` | no |
| labels | An optional map of *labels* to add to the instance template. | `map(string)` | `{}` | no |
| license\_type | A BIG-IP license type to use with the BIG-IP instance. Must be one of "byol" or
"payg", with "byol" as the default. If set to "payg", the image must be a PAYG
image from F5's official project or the instance will fail to onboard correctly. | `string` | `"byol"` | no |
-| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VPCUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
+| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VCPUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
| management\_subnetwork | An optional fully-qualified self-link of the subnet that will be used for
management access (2+ NIC deployment). | `string` | `null` | no |
| management\_subnetwork\_network\_ips | A list of IP addresses to assign to BIG-IP instances on their management
interface. Required if there are 2+ NICs defined for instances. | `list(string)` | `[]` | no |
| management\_subnetwork\_tier | The network tier to set for management subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the management interface is
permitted to have a public IP address (see `provision_management_public_ip`) | `string` | `"PREMIUM"` | no |
| management\_subnetwork\_vip\_cidrs | An optional list of CIDRs to assign to *active* BIG-IP instance as VIPs on its
management interface. E.g. to assign two CIDR blocks as VIPs:-
management\_subnetwork\_vip\_cidrs = [
"10.1.0.0/16",
"10.2.0.0/24",
] | `list(string)` | `[]` | no |
| metadata | An optional map of metadata values that will be applied to the instances. | `map(string)` | `{}` | no |
-| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
microarchitecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
-| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioing-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
-| ntp\_servers | An optonal list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
micro-architecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
+| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioning-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
+| ntp\_servers | An optional list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| num\_instances | The number of BIG-IP instances to provision in HA cluster. Default value is 2. | `number` | `2` | no |
-| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetimne of 24 hours. Default
value is false. | `string` | `false` | no |
+| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetime of 24 hours. Default
value is false. | `string` | `false` | no |
| project\_id | The GCP project identifier where the cluster will be created. | `string` | n/a | yes |
-| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the extenral interface. | `bool` | `true` | no |
+| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the external interface. | `bool` | `true` | no |
| provision\_internal\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the internal interfaces of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the internal interfaces. | `bool` | `false` | no |
| provision\_management\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the management interface of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the management interface. | `bool` | `false` | no |
-| search\_domains | An optonal list of DNS search domains for BIG-IP instances to use, if explicit
DO files are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
+| search\_domains | An optional list of DNS search domains for BIG-IP instances to use, if explicit
DO files are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
| service\_account | The service account that will be used for the BIG-IP VMs. | `string` | n/a | yes |
| ssh\_keys | An optional set of SSH public keys, concatenated into a single string. The keys
will be added to instance metadata. Default is an empty string.
See also `enable_os_login`. | `string` | `""` | no |
| tags | An optional list of *network tags* to add to the instance template. | `list(string)` | `[]` | no |
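Review bot: the regenerated `modules` row in this hunk still says "See `do_payload`." although the input in this same table is named `do_payloads`; the sibling module README in this change spells the cross-reference `do_payloads`. Since this README is generated, correct the reference in the variable's description in `variables.tf` so the next `terraform_docs` run does not reintroduce it.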
@@ -77,7 +79,7 @@ No provider.
|------|-------------|
| external\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the external
NIC. |
| external\_public\_ips | A list of the public IP addresses assigned to instances on the external NIC. |
-| external\_vips | A list of IP CIDRs asssigned to the active instance on its external NIC. |
+| external\_vips | A list of IP CIDRs assigned to the active instance on its external NIC. |
| instance\_addresses | A map of instance name to assigned IP addresses and alias CIDRs. |
| internal\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the internal
NICs, if present. |
| internal\_public\_ips | A list of the public IP addresses assigned to instances on the internal NICs,
if present. |
@@ -86,3 +88,4 @@ No provider.
| self\_links | A list of self-links of the BIG-IP instances. |
+
diff --git a/modules/big-ip/ha/examples/single-project-2nic/main.tf b/modules/big-ip/ha/examples/single-project-2nic/main.tf
index 0e4db34..e31cba5 100644
--- a/modules/big-ip/ha/examples/single-project-2nic/main.tf
+++ b/modules/big-ip/ha/examples/single-project-2nic/main.tf
@@ -30,7 +30,7 @@ resource "google_compute_address" "mgt" {
}
module "ha" {
- #source = "https://github.com/memes/f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0"
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0"
source = "../../"
project_id = var.project_id
num_instances = var.num_instances
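Review bot: the updated commented-out `source` still lacks the `//` separator Terraform uses to mark a subdirectory inside a git source, so `git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0` would be read as a repository path rather than the `modules/big-ip/ha` directory of the repository. Suggest `git::https://github.com/memes/f5-google-terraform-modules//modules/big-ip/ha?ref=v1.0.0` so the example is usable as written once uncommented.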
diff --git a/modules/big-ip/ha/examples/single-project-3nic/main.tf b/modules/big-ip/ha/examples/single-project-3nic/main.tf
index e2e8b4b..0539b78 100644
--- a/modules/big-ip/ha/examples/single-project-3nic/main.tf
+++ b/modules/big-ip/ha/examples/single-project-3nic/main.tf
@@ -40,7 +40,7 @@ resource "google_compute_address" "int" {
}
module "ha" {
- #source = "https://github.com/memes/f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0"
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0"
source = "../../"
project_id = var.project_id
num_instances = var.num_instances
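Review bot: same `//` issue as the 2nic example: the commented `git::https://...f5-google-terraform-modules/modules/big-ip/ha?ref=v1.0.0` needs `//` before `modules/big-ip/ha` for Terraform to select the subdirectory of the repository.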
diff --git a/modules/big-ip/ha/firewall/README.md b/modules/big-ip/ha/firewall/README.md
new file mode 100644
index 0000000..1d07303
--- /dev/null
+++ b/modules/big-ip/ha/firewall/README.md
@@ -0,0 +1,39 @@
+# HA ConfigSync firewall sub-module
+
+This Terraform module is a helper to create a pair of firewall rules that allow
+BIG-IP to BIG-IP instance ConfigSync traffic on data-plane and control-plane
+networks.
+
+
+
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| terraform | ~> 0.12 |
+| google | >= 3.19 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| google | >= 3.19 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| bigip\_service\_account | The service account that will be used for the BIG-IP VMs; the firewall rules will
be constructed to use this for source and target filtering. | `string` | n/a | yes |
+| dataplane\_firewall\_name | The name to use for data-plane network firewall rule. Default is
'allow-bigip-configsync-data-plane'. | `string` | `"allow-bigip-configsync-data-plane"` | no |
+| dataplane\_network | The fully-qualified self-link of the subnet that will be used for data-plane
ConfigSync traffic. | `string` | n/a | yes |
+| management\_firewall\_name | The name to use for Manangement (control-plane) network firewall rule. Default is
'allow-bigip-configsync-mgt'. | `string` | `"allow-bigip-configsync-mgt"` | no |
+| management\_network | The fully-qualified self-link of the subnet that will be used for Management
(control-plane) ConfigSync traffic. | `string` | n/a | yes |
+| project\_id | The GCP project identifier where the cluster will be created. | `string` | n/a | yes |
+
+## Outputs
+
+No output.
+
+
+
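Review bot: "Manangement" in the `management_firewall_name` description is a typo in this new file (the `management_network` row below spells it correctly); as this README is produced by `terraform_docs`, fix it in the new sub-module's `variables.tf` rather than here. The runs of empty lines before `## Requirements` and after `No output.` could also be trimmed.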
diff --git a/modules/big-ip/ha/firewall/main.tf b/modules/big-ip/ha/firewall/main.tf
new file mode 100644
index 0000000..bc826c7
--- /dev/null
+++ b/modules/big-ip/ha/firewall/main.tf
@@ -0,0 +1,52 @@
+terraform {
+ required_version = "~> 0.12"
+ required_providers {
+ google = ">= 3.19"
+ }
+ experiments = [variable_validation]
+}
+
+# Create a pair of service account limited firewall rules that support ConfigSync
+# between BIG-IP instances
+
+# Allow BIG-IP instances to connect on management network
+resource "google_compute_firewall" "mgt_sync" {
+ project = var.project_id
+ name = var.management_firewall_name
+ network = var.management_network
+ description = "ConfigSync for management network"
+ direction = "INGRESS"
+ source_service_accounts = [var.bigip_service_account]
+ target_service_accounts = [var.bigip_service_account]
+ allow {
+ protocol = "tcp"
+ ports = [
+ 443,
+ ]
+ }
+}
+
+# Allow BIG-IP instances to connect and sync on data-plane network
+resource "google_compute_firewall" "data_sync" {
+ project = var.project_id
+ name = var.dataplane_firewall_name
+ network = var.dataplane_network
+ description = "ConfigSync for data-plane network"
+ direction = "INGRESS"
+ source_service_accounts = [var.bigip_service_account]
+ target_service_accounts = [var.bigip_service_account]
+ allow {
+ protocol = "tcp"
+ ports = [
+ 443,
+ 4353,
+ "6123-6128",
+ ]
+ }
+ allow {
+ protocol = "udp"
+ ports = [
+ 1026,
+ ]
+ }
+}
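Review bot: `required_version = "~> 0.12"` admits any 0.12.x release, but `experiments = [variable_validation]` on the following line is only recognised from Terraform 0.12.20 onwards, so `terraform init` on an earlier 0.12 release fails on this block; either pin `required_version = ">= 0.12.20, < 0.13"` or drop the experiment if no `validation` blocks accompany it. Separately, the `ports` lists mix bare numbers (`443`, `4353`, `1026`) with the quoted range `"6123-6128"`; the attribute is a list of strings, so quoting every entry (`"443"`) keeps both rules consistent. Since these rules deliberately open ConfigSync ports between the BIG-IP service accounts, consider adding `log_config` to both resources so that traffic matching them is visible in firewall logs.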
diff --git a/modules/big-ip/ha/firewall/variables.tf b/modules/big-ip/ha/firewall/variables.tf
new file mode 100644
index 0000000..765599f
--- /dev/null
+++ b/modules/big-ip/ha/firewall/variables.tf
@@ -0,0 +1,68 @@
+variable "project_id" {
+ type = string
+ description = <
+
## Requirements
@@ -23,7 +25,7 @@ Google managed group.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retreived from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
+| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retrieved from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
| allow\_phone\_home | Allow the BIG-IP VMs to send high-level device use information to help F5
optimize development resources. If set to false the information is not sent. | `bool` | `true` | no |
| allow\_usage\_analytics | Allow the BIG-IP VMs to send anonymous statistics to F5 to help us determine how
to improve our solutions (default). If set to false no statistics will be sent. | `bool` | `true` | no |
| as3\_payloads | An optional, but recommended, list of AS3 JSON files that can be used to setup
the BIG-IP instances. If left empty (default), the module will use a simple
no-op AS3 declaration. | `list(string)` | `[]` | no |
@@ -34,7 +36,7 @@ Google managed group.
| description | An optional description that will be applied to the instances. Default value is
an empty string, which will be replaced by a generated description at run-time. | `string` | `""` | no |
| disk\_size\_gb | Use this flag to set the boot volume size in GB. If left at the default value
the boot disk will have the same size as specified in 'bigip\_image'. | `number` | `null` | no |
| disk\_type | The boot disk type to use with instances; can be 'pd-ssd' (default), or
'pd-standard'.
\*Note:\* Choosing 'pd-standard' will reduce operating cost, but at the expense of
network performance. | `string` | `"pd-ssd"` | no |
-| dns\_servers | An optonal list of DNS servers for BIG-IP instances to use if custom DO payloads
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| dns\_servers | An optional list of DNS servers for BIG-IP instances to use if custom DO payloads
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| do\_payloads | The Declarative Onboarding contents to apply to the instances. Required. This
module has migrated to use of Declarative Onboarding for module activation,
licensing, NTP, DNS, and other basic configurations. Sample payloads are in the
examples folder.
Note: if left empty, the module will use a simple JSON that sets NTP and DNS,
and enables LTM. | `list(string)` | `[]` | no |
| enable\_os\_login | Set to true to enable OS Login on the VMs. Default value is false as BIG-IP does
not support in OS Login mode currently.
NOTE: this value will override an 'enable-oslogin' key in `metadata` map. | `bool` | `false` | no |
| enable\_serial\_console | Set to true to enable serial port console on the VMs. Default value is false. | `bool` | `false` | no |
@@ -48,25 +50,25 @@ Google managed group.
| internal\_subnetwork\_network\_ips | An optional list of lists of IP addresses to assign to BIG-IP instances on their
internal interface. The list may be empty, or contain empty strings, to
selectively applies addresses to instances. E.g. to assign addresses to two
internal networks:-
internal\_subnetwork\_network\_ips = [
# Will be assigned to first instance
[
"10.0.0.4", # first internal nic
"10.0.1.4", # second internal nic
],
# Will be assigned to second instance
[
...
],
...
] | `list(list(string))` | `[]` | no |
| internal\_subnetwork\_tier | The network tier to set for internal subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the internal interface is
permitted to have a public IP address (see `provision_internal_public_ip`) | `string` | `"PREMIUM"` | no |
| internal\_subnetwork\_vip\_cidrs | An optional list of CIDR lists to assign to BIG-IP instances as VIPs on their
internal interface. E.g. to assign two CIDR blocks as VIPs on the first
instance, and a single IP address as a VIP on the second instance:-
internal\_subnetwork\_vip\_cidrs = [
# Will be assigned to first instance
[
"10.1.0.0/16", # first internal nic
"10.2.0.0/24", # second internal nic
],
# Will be assigned to second instance
[
"192.168.0.1/32", # first internal nic
]
] | `list(list(string))` | `[]` | no |
-| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffoc on NICs eth[2-8]. | `list(string)` | `[]` | no |
+| internal\_subnetworks | An optional list of fully-qualified subnet self-links that will be assigned as
internal traffic on NICs eth[2-8]. | `list(string)` | `[]` | no |
| labels | An optional map of *labels* to add to the instance template. | `map(string)` | `{}` | no |
| license\_type | A BIG-IP license type to use with the BIG-IP instance. Must be one of "byol" or
"payg", with "byol" as the default. If set to "payg", the image must be a PAYG
image from F5's official project or the instance will fail to onboard correctly. | `string` | `"byol"` | no |
-| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VPCUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
+| machine\_type | The machine type to use for BIG-IP VMs; this may be a standard GCE machine type,
or a customised VM ('custom-VCPUS-MEM\_IN\_MB'). Default value is 'n1-standard-4'.
\*Note:\* machine\_type is highly-correlated with network bandwidth and performance;
an N2 or N2D machine type will give better performance but has limited availability. | `string` | `"n1-standard-4"` | no |
| management\_subnetwork | An optional fully-qualified self-link of the subnet that will be used for
management access (2+ NIC deployment). | `string` | `null` | no |
| management\_subnetwork\_network\_ips | An optional list of IP addresses to assign to BIG-IP instances on their
management interface. The list may be empty, or contain empty strings, to
selectively applies addresses to instances. | `list(string)` | `[]` | no |
| management\_subnetwork\_tier | The network tier to set for management subnetwork; must be one of 'PREMIUM'
(default) or 'STANDARD'. This setting only applies if the management interface is
permitted to have a public IP address (see `provision_management_public_ip`) | `string` | `"PREMIUM"` | no |
| management\_subnetwork\_vip\_cidrs | An optional list of CIDR lists to assign to BIG-IP instances as VIPs on their
management interface. E.g. to assign two CIDR blocks as VIPs on the first
instance, and a single IP address as an alias on the second instance:-
external\_subnetwork\_vip\_cidrs = [
[
"10.1.0.0/16",
"10.2.0.0/24",
],
[
"192.168.0.1/32",
]
] | `list(list(string))` | `[]` | no |
| metadata | An optional map of metadata values that will be applied to the instances. | `map(string)` | `{}` | no |
-| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
microarchitecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
+| min\_cpu\_platform | An optional constraint used when scheduling the BIG-IP VMs; this value prevents
the VMs from being scheduled on hardware that doesn't meet the minimum CPU
micro-architecture. Default value is 'Intel Skylake'. | `string` | `"Intel Skylake"` | no |
| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioning-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payloads`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
-| ntp\_servers | An optonal list of NTP servers for BIG-IP instances to use if custom DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| ntp\_servers | An optional list of NTP servers for BIG-IP instances to use if custom DO files
are not provided. The default is ["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| num\_instances | The number of standalone BIG-IP instances to provision. Default value is 1. | `number` | `1` | no |
-| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetimne of 24 hours. Default
value is false. | `string` | `false` | no |
+| preemptible | If set to true, the BIG-IP instances will be deployed on preemptible VMs, which
could be terminated at any time, and have a maximum lifetime of 24 hours. Default
value is false. | `string` | `false` | no |
| project\_id | The GCP project identifier where the cluster will be created. | `string` | n/a | yes |
-| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the extenral interface. | `bool` | `true` | no |
+| provision\_external\_public\_ip | If this flag is set to true (default), a publicly routable IP address WILL be
assigned to the external interface of instances. If set to false, the BIG-IP
instances will NOT have a public IP address assigned to the external interface. | `bool` | `true` | no |
| provision\_internal\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the internal interfaces of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the internal interfaces. | `bool` | `false` | no |
| provision\_management\_public\_ip | If this flag is set to true, a publicly routable IP address WILL be assigned to
the management interface of instances. If set to false (default), the BIG-IP
instances will NOT have a public IP address assigned to the management interface. | `bool` | `false` | no |
-| search\_domains | An optonal list of DNS search domains for BIG-IP instances to use if custom DO
payloads are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
+| search\_domains | An optional list of DNS search domains for BIG-IP instances to use if custom DO
payloads are not provided. If left empty (default), search domains will be added
for "google.internal" and the zone/project specific domain assigned to instances. | `list(string)` | `[]` | no |
| service\_account | The service account that will be used for the BIG-IP VMs. | `string` | n/a | yes |
| ssh\_keys | An optional set of SSH public keys, concatenated into a single string. The keys
will be added to instance metadata. Default is an empty string.
See also `enable_os_login`. | `string` | `""` | no |
| tags | An optional list of *network tags* to add to the instance template. | `list(string)` | `[]` | no |
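Review bot: while this hunk only fixes spelling, the unchanged `management_subnetwork_vip_cidrs` example a few rows up still opens with `external_subnetwork_vip_cidrs = [`, so the sample shows the wrong variable being set; worth correcting in that variable's description while the README is being regenerated.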
@@ -80,7 +82,7 @@ Google managed group.
|------|-------------|
| external\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the external
NIC. |
| external\_public\_ips | A list of the public IP addresses assigned to instances on the external NIC. |
-| external\_vips | A list of IP CIDRs asssigned to instances on the external NIC, which usually
corresponds to the VIPs defined on each instance. |
+| external\_vips | A list of IP CIDRs assigned to instances on the external NIC, which usually
corresponds to the VIPs defined on each instance. |
| instance\_addresses | A map of instance name to assigned IP addresses and alias CIDRs. |
| internal\_addresses | A list of the IP addresses and alias CIDRs assigned to instances on the internal
NICs, if present. |
| internal\_public\_ips | A list of the public IP addresses assigned to instances on the internal NICs,
if present. |
@@ -89,3 +91,4 @@ Google managed group.
| self\_links | A list of self-links of the BIG-IP instances. |
+
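Review bot: the only change in this hunk is a blank line appended after the `self_links` row, i.e. a second trailing newline at the end of the file. If the table generator does not itself emit that blank line, drop it, because end-of-file and trailing-whitespace checks will keep removing it and the file will churn on every run.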
diff --git a/modules/big-ip/instance/examples/single-project-1nic/main.tf b/modules/big-ip/instance/examples/single-project-1nic/main.tf
index cc29bdb..8155733 100644
--- a/modules/big-ip/instance/examples/single-project-1nic/main.tf
+++ b/modules/big-ip/instance/examples/single-project-1nic/main.tf
@@ -7,7 +7,7 @@ terraform {
}
module "instance" {
- #source = "https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
source = "../../"
project_id = var.project_id
zones = [var.zone]
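Review bot: the commented-out `source` hint on the `+` line is still not a resolvable Terraform source. With the `git::` getter the repository URL and the module subdirectory must be separated by `//`, so it should read `git::https://github.com/memes/f5-google-terraform-modules//modules/big-ip/instance?ref=v1.0.0`; as written Terraform would try to clone `.../modules/big-ip/instance` as if it were the repository. Since this line is what users will copy when they switch from the local `../../` path, it is worth getting right even though it is commented out.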
diff --git a/modules/big-ip/instance/examples/single-project-2nic/main.tf b/modules/big-ip/instance/examples/single-project-2nic/main.tf
index f4fb0c9..e13518e 100644
--- a/modules/big-ip/instance/examples/single-project-2nic/main.tf
+++ b/modules/big-ip/instance/examples/single-project-2nic/main.tf
@@ -10,7 +10,7 @@ terraform {
}
module "instance" {
- #source = "https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
source = "../../"
project_id = var.project_id
zones = [var.zone]
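Review bot: the `git::` source hint on the `+` line is missing the `//` that Terraform requires between the repository and the module subdirectory; it should be `git::https://github.com/memes/f5-google-terraform-modules//modules/big-ip/instance?ref=v1.0.0`, otherwise Terraform treats the whole path as the repository to clone.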
diff --git a/modules/big-ip/instance/examples/single-project-3nic/main.tf b/modules/big-ip/instance/examples/single-project-3nic/main.tf
index e902b8f..fd2a140 100644
--- a/modules/big-ip/instance/examples/single-project-3nic/main.tf
+++ b/modules/big-ip/instance/examples/single-project-3nic/main.tf
@@ -10,7 +10,7 @@ terraform {
}
module "instance" {
- #source = "https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
+ #source = "git::https://github.com/memes/f5-google-terraform-modules/modules/big-ip/instance?ref=v1.0.0"
source = "../../"
project_id = var.project_id
zones = [var.zone]
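Review bot: same problem as the other example files in this change: the `git::` source hint needs `//` before `modules/big-ip/instance` (`git::https://github.com/memes/f5-google-terraform-modules//modules/big-ip/instance?ref=v1.0.0`), or Terraform will attempt to clone the subdirectory path as a repository.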
diff --git a/modules/big-ip/instance/outputs.tf b/modules/big-ip/instance/outputs.tf
index a2ed448..d451e2c 100644
--- a/modules/big-ip/instance/outputs.tf
+++ b/modules/big-ip/instance/outputs.tf
@@ -16,7 +16,7 @@ EOD
output "external_vips" {
value = flatten([for vm in google_compute_instance.bigip : [for alias in vm.network_interface[0].alias_ip_range : alias.ip_cidr_range]])
description = <
+
## Requirements
@@ -32,26 +25,26 @@ No provider.
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
-| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retreived from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
+| admin\_password\_secret\_manager\_key | The Secret Manager key for BIG-IP admin password; during initialisation, the
BIG-IP admin account's password will be changed to the value retrieved from GCP
Secret Manager using this key.
NOTE: if the secret does not exist, is misidentified, or if the VM cannot read
the secret value associated with this key, then the BIG-IP onboarding will fail
to complete, and onboarding will require manual intervention. | `string` | n/a | yes |
| allow\_phone\_home | Allow the BIG-IP VMs to send high-level device use information to help F5
optimize development resources. If set to false the information is not sent. | `bool` | `true` | no |
| allow\_usage\_analytics | Allow the BIG-IP VMs to send anonymous statistics to F5 to help us determine how
to improve our solutions (default). If set to false no statistics will be sent. | `bool` | `true` | no |
| as3\_payloads | An optional, but recommended, list of AS3 JSON declarations that can be used to
setup the BIG-IP instances. If left empty (default), a no-op AS3 declaration
will be generated for each instance.
The l | `list(string)` | `[]` | no |
| custom\_script | An optional, custom shell script that will be executed during BIG-IP
initialisation, after BIG-IP networking is auto-configured, admin password is set from Secret
Manager (if possible), etc. Declarative Onboarding offers a better approach,
where suitable (see `do_payload`).
NOTE: this value should contain the script contents, not a file path. | `string` | `""` | no |
| default\_gateway | Set this to the value to use as the default gateway for BIG-IP instances. This
could be an IP address, a shell command, or environment variable to use at
run-time. Set to blank to delete the default gateway without an explicit
replacement.
Default value is '$EXT\_GATEWAY' which will match the run-time upstream gateway
for nic0.
NOTE: this string will be inserted into the boot script as-is. | `string` | `"$EXT_GATEWAY"` | no |
-| dns\_servers | An optonal list of DNS servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| dns\_servers | An optional list of DNS servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
| do\_payloads | An optional, but recommended, list of Declarative Onboarding JSON that can be used to
setup the BIG-IP instance. If left blank (default), a minimal Declarative
Onboarding will be generated and used. | `list(string)` | `[]` | no |
| enable\_os\_login | Set to true to enable OS Login on the VMs. Default value is false. If disabled
you must ensure that SSH keys are set explicitly for this instance (see
`ssh_keys` or set in project metadata. | `bool` | `false` | no |
| enable\_serial\_console | Set to true to enable serial port console on the VMs. Default value is false. | `bool` | `false` | no |
-| hostnames | An optional list of hostname declarations to set per-instance hostname in
generated DO file. Default is an empty stlistring, which will exclude hostname
from the generated DO file. | `list(string)` | `[]` | no |
+| hostnames | An optional list of hostname declarations to set per-instance hostname in
generated DO file. Default is an empty list, which will exclude hostname
from the generated DO file. | `list(string)` | `[]` | no |
| image | The self-link URI for a BIG-IP image to use as a base for the VM cluster. This
can be an official F5 image from GCP Marketplace, or a customised image. | `string` | n/a | yes |
| install\_cloud\_libs | An optional list of cloud library URLs that will be downloaded and installed on
the BIG-IP VM during initial boot. The contents of each download will be compared
to the verifyHash file, and failure will cause the boot scripts to fail. Default
list will install F5 Cloud Libraries (w/GCE extension), AS3, and Declarative
Onboarding extensions. | `list(string)` | [
"https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs/v4.22.0/f5-cloud-libs.tar.gz",
"https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs-gce/v2.6.0/f5-cloud-libs-gce.tar.gz",
"https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.22.1/f5-appsvcs-3.22.1-1.noarch.rpm",
"https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.15.0/f5-declarative-onboarding-1.15.0-3.noarch.rpm"
]
| no |
| license\_type | A BIG-IP license type to use with the BIG-IP instance. Must be one of "byol" or
"payg", with "byol" as the default. If set to "payg", the image must be a PAYG
image from F5's official project or the instance will fail to onboard correctly. | `string` | `"byol"` | no |
| metadata | An optional map of initial metadata values that will be the base of generated
metadata. | `map(string)` | `{}` | no |
-| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioing-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
-| ntp\_servers | An optonal list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
-| num\_instances | The number of BIG-IP metatdata sets to provision. Default value is 1. | `number` | `1` | no |
+| modules | A map of BIG-IP module = provisioning-level pairs to enable, where the module
name is key, and the provisioning-level is the value. This value is used with the
default Declaration Onboarding template; a better option for full control is to
explicitly declare the modules to be provisioned as part of a custom JSON file.
See `do_payload`.
E.g. the default is
modules = {
ltm = "nominal"
}
To provision ASM and LTM, the value might be:-
modules = {
ltm = "nominal"
asm = "nominal"
} | `map(string)` | {
"ltm": "nominal"
}
| no |
+| ntp\_servers | An optional list of NTP servers for BIG-IP instances to use. The default is
["169.254.169.254"] to use GCE metadata server. | `list(string)` | [
"169.254.169.254"
]
| no |
+| num\_instances | The number of BIG-IP metadata sets to provision. Default value is 1. | `number` | `1` | no |
| region | An optional region attribute to include in usage analytics. Default value is an
empty string. | `string` | `""` | no |
-| search\_domains | An optonal list of DNS search domains for BIG-IP instances to use. The default
is ["google.internal"]. | `list(string)` | [
"google.internal"
]
| no |
+| search\_domains | An optional list of DNS search domains for BIG-IP instances to use. The default
is ["google.internal"]. | `list(string)` | [
"google.internal"
]
| no |
| ssh\_keys | An optional set of SSH public keys, concatenated into a single string. The keys
will be added to instance metadata. Default is an empty string.
See also `enable_os_login`. | `string` | `""` | no |
| timezone | The Olson timezone string from /usr/share/zoneinfo for BIG-IP instances. The
default is 'UTC'. See the TZ column here
(https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) for legal values.
For example, 'US/Eastern'. | `string` | `"UTC"` | no |
| use\_cloud\_init | If this value is set to true, cloud-init will be used as the initial
configuration approach; false (default) will fall-back to a standard shell
script for boot-time configuration.
Note: the BIG-IP version must support Cloud Init on GCP for this to function
correctly. E.g. v15.1+. | `bool` | `false` | no |
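Review bot: three description defects survive the typo pass in this table and should be fixed where the descriptions originate (the variable definitions, if this table is generated from them) so the fix is not overwritten: the `as3_payloads` description is truncated mid-sentence ("The l |"); the `custom_script` and `modules` descriptions tell readers to see `do_payload`, but the variable listed in this same table is `do_payloads`; and the `enable_os_login` description opens a parenthesis at "(see `ssh_keys`" that is never closed.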
@@ -63,3 +56,4 @@ No provider.
| metadata | The list of metadata maps to apply to instances. |
+
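Review bot: as with the instance README, this hunk only adds a blank line after the `metadata` output row, producing a doubled newline at end of file. Unless the generator emits it, remove it so end-of-file checks do not keep reverting the change.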
diff --git a/modules/big-ip/metadata/TROUBLESHOOTING.md b/modules/big-ip/metadata/TROUBLESHOOTING.md
new file mode 100644
index 0000000..06239a9
--- /dev/null
+++ b/modules/big-ip/metadata/TROUBLESHOOTING.md
@@ -0,0 +1,171 @@
+# Troubleshooting BIG-IP setup
+
+
+
+## Boot steps
+
+1. Swap control-plane and data-plane NICs and reboot
+
+ This is only for VMs with 2 or more VPCs attached; 1 NIC instances will not
+ reboot
+
+2. Configure base networking
+
+ Add a self-ip and required routes to each interface known at boot; this
+ script will not configure VIPs or floating IPs
+
+3. Set admin password from Secret Manager
+
+4. Install supporting cloud libraries
+
+ By default, these will be pulled from official F5 sources, but alternate URLs
+ can be supplied to override these locations.
+
+5. Apply DO declaration
+
+6. Apply AS3 declaration
+
+7. Execute custom setup script
+
+ By default, this script is a no-operation starting point for end-user
+ customisations that cannot be handled by DO or AS3 declarations. The exception
+ is that the CFE module uses a custom script to apply CFE configuration.
+
+8. Reset management gateway configuration
+
+ Only for 2 or more NIC instances; `cloud-init` option will install a dedicated
+ systemd service unit to just perform this step on subsequent boots, whereas
+ the default metadata startup-script will execute on every boot.
+
+## Debugging the boot process
+
+
+|Boot option|Logging mechanism|
+|-----------|-----------------|
+|metadata startup-script|`/var/log/cloud/google/startup-script.log`|
+|`cloud-init`|Unit journal file
`journalctl -u f5-gce-initial-setup.service`
`journalctl -u f5-gce-management-route.service`|
+
+
+In addition to the log files above, the boot scripts will write progress to the
+serial console as well. This way you can determine where a script failed even if
+you cannot login to the instance via SSH or serial console. Serial console output
+can be seen in the web GUI:-
+
+![gui-serial-console](images/serial-console.png)
+
+Or via `gcloud` command line (replace PROJECT, ZONE, VM_NAME appropriately):-
+
+
+```shell
+gcloud compute instances get-serial-port-output --project PROJECT --zone ZONE VM_NAME 2>/dev/null | grep '/config/cloud/gce'
+```
+
+```shell
+2020-09-10T11:12:25.005-0700: /config/cloud/gce/initialSetup.sh: Info: Initialisation starting
+2020-09-10T11:12:25.019-0700: /config/cloud/gce/initialSetup.sh: Info: Generating /config/cloud/gce/network.config
+2020-09-10T11:12:25.165-0700: /config/cloud/gce/initialSetup.sh: Info: Waiting for mcpd to be ready
+2020-09-10T11:13:14.218-0700: /config/cloud/gce/multiNicMgmtSwap.sh: Rebooting for multi-nic management interface swap
+2020-09-10T11:13:56.772-0700: /config/cloud/gce/initialSetup.sh: Info: Initialisation starting
+2020-09-10T11:13:56.776-0700: /config/cloud/gce/initialSetup.sh: Info: Generating /config/cloud/gce/network.config
+2020-09-10T11:13:56.786-0700: /config/cloud/gce/initialSetup.sh: Info: Waiting for mcpd to be ready
+2020-09-10T11:14:24.846-0700: /config/cloud/gce/multiNicMgmtSwap.sh: Nothing to do
+2020-09-10T11:14:24.852-0700: /config/cloud/gce/initialNetworking.sh: Info: Waiting for mcpd to be ready
+2020-09-10T11:14:25.244-0700: /config/cloud/gce/initialNetworking.sh: Info: Resetting management settings
+2020-09-10T11:14:26.985-0700: /config/cloud/gce/initialNetworking.sh: Info: Resetting all routes
+2020-09-10T11:14:27.428-0700: /config/cloud/gce/initialNetworking.sh: Info: Resetting all self addresses
+2020-09-10T11:14:27.814-0700: /config/cloud/gce/initialNetworking.sh: Info: Resetting all vlans
+2020-09-10T11:14:28.205-0700: /config/cloud/gce/initialNetworking.sh: Info: Configuring management interface
+2020-09-10T11:14:31.489-0700: /config/cloud/gce/initialNetworking.sh: Info: Configuring external interface
+2020-09-10T11:14:33.713-0700: /config/cloud/gce/initialNetworking.sh: Info: Configuring internal interface
+2020-09-10T11:14:35.762-0700: /config/cloud/gce/initialNetworking.sh: Info: Setting default gateway to 172.16.0.1
+2020-09-10T11:14:36.374-0700: /config/cloud/gce/initialNetworking.sh: Info: Removing DHCP provided ntp servers from management
+2020-09-10T11:14:37.308-0700: /config/cloud/gce/initialNetworking.sh: Info: Adding GCP Metadata service as DNS resolver
+2020-09-10T11:14:38.503-0700: /config/cloud/gce/initialNetworking.sh: Info: Saving config
+2020-09-10T11:14:42.461-0700: /config/cloud/gce/initialNetworking.sh: Info: Initial networking configuration is complete
+2020-09-10T11:14:45.486-0700: /config/cloud/gce/initialSetup.sh: Info: Curl failed with exit code 7; sleeping before retry
+2020-09-10T11:14:55.860-0700: /config/cloud/gce/initialSetup.sh: Info: Changing admin password
+2020-09-10T11:14:56.522-0700: /config/cloud/gce/initialSetup.sh: Info: Admin password has been changed
+2020-09-10T11:14:56.612-0700: /config/cloud/gce/installCloudLibs.sh: Info: waiting for mcpd
+2020-09-10T11:14:57.527-0700: /config/cloud/gce/installCloudLibs.sh: Info: Getting admin password
+2020-09-10T11:14:57.813-0700: /config/cloud/gce/installCloudLibs.sh: Info: loading verifyHash script
+2020-09-10T11:14:58.435-0700: /config/cloud/gce/installCloudLibs.sh: Info: loaded verifyHash
+2020-09-10T11:14:58.441-0700: /config/cloud/gce/installCloudLibs.sh: Info: Downloading https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs/v4.22.0/f5-cloud-libs.tar.gz to /var/tmp/f5-cloud-libs.tar.gz
+2020-09-10T11:14:58.931-0700: /config/cloud/gce/installCloudLibs.sh: Info: Verifying f5-cloud-libs.tar.gz
+2020-09-10T11:14:59.750-0700: /config/cloud/gce/installCloudLibs.sh: Info: verified /var/tmp/f5-cloud-libs.tar.gz
+2020-09-10T11:14:59.753-0700: /config/cloud/gce/installCloudLibs.sh: Info: Expanding /var/tmp/f5-cloud-libs.tar.gz
+2020-09-10T11:14:59.801-0700: /config/cloud/gce/installCloudLibs.sh: Info: Downloading https://cdn.f5.com/product/cloudsolutions/f5-cloud-libs-gce/v2.6.0/f5-cloud-libs-gce.tar.gz to /var/tmp/f5-cloud-libs-gce.tar.gz
+2020-09-10T11:15:00.234-0700: /config/cloud/gce/installCloudLibs.sh: Info: Verifying f5-cloud-libs-gce.tar.gz
+2020-09-10T11:15:01.109-0700: /config/cloud/gce/installCloudLibs.sh: Info: verified /var/tmp/f5-cloud-libs-gce.tar.gz
+2020-09-10T11:15:01.112-0700: /config/cloud/gce/installCloudLibs.sh: Info: Expanding /var/tmp/f5-cloud-libs-gce.tar.gz
+2020-09-10T11:15:01.372-0700: /config/cloud/gce/installCloudLibs.sh: Info: Downloading https://github.com/F5Networks/f5-appsvcs-extension/releases/download/v3.22.1/f5-appsvcs-3.22.1-1.noarch.rpm to /var/tmp/f5-appsvcs-3.22.1-1.noarch.rpm
+2020-09-10T11:15:03.083-0700: /config/cloud/gce/installCloudLibs.sh: Info: Don't have a verification hash for f5-appsvcs-3.22.1-1.noarch.rpm
+2020-09-10T11:15:03.086-0700: /config/cloud/gce/installCloudLibs.sh: Info: Installing /var/tmp/f5-appsvcs-3.22.1-1.noarch.rpm
+2020-09-10T11:15:03.374-0700: /config/cloud/gce/installCloudLibs.sh: Info: Downloading https://github.com/F5Networks/f5-declarative-onboarding/releases/download/v1.15.0/f5-declarative-onboarding-1.15.0-3.noarch.rpm to /var/tmp/f5-declarative-onboarding-1.15.0-3.noarch.rpm
+2020-09-10T11:15:04.591-0700: /config/cloud/gce/installCloudLibs.sh: Info: Don't have a verification hash for f5-declarative-onboarding-1.15.0-3.noarch.rpm
+2020-09-10T11:15:04.595-0700: /config/cloud/gce/installCloudLibs.sh: Info: Installing /var/tmp/f5-declarative-onboarding-1.15.0-3.noarch.rpm
+2020-09-10T11:15:04.739-0700: /config/cloud/gce/installCloudLibs.sh: Info: Downloading https://github.com/F5Networks/f5-cloud-failover-extension/releases/download/v1.5.0/f5-cloud-failover-1.5.0-0.noarch.rpm to /var/tmp/f5-cloud-failover-1.5.0-0.noarch.rpm
+2020-09-10T11:15:06.563-0700: /config/cloud/gce/installCloudLibs.sh: Info: Don't have a verification hash for f5-cloud-failover-1.5.0-0.noarch.rpm
+2020-09-10T11:15:06.565-0700: /config/cloud/gce/installCloudLibs.sh: Info: Installing /var/tmp/f5-cloud-failover-1.5.0-0.noarch.rpm
+2020-09-10T11:15:06.912-0700: /config/cloud/gce/installCloudLibs.sh: Info: Package f5-appsvcs-3.22.1-1.noarch is installed
+2020-09-10T11:15:07.074-0700: /config/cloud/gce/installCloudLibs.sh: Info: Package f5-declarative-onboarding-1.15.0-3.noarch is installed
+2020-09-10T11:15:07.244-0700: /config/cloud/gce/installCloudLibs.sh: Info: Package null has status STARTED
+2020-09-10T11:15:07.246-0700: /config/cloud/gce/installCloudLibs.sh: Info: Sleeping before reexamining installation tasks
+2020-09-10T11:15:12.555-0700: /config/cloud/gce/installCloudLibs.sh: Info: Package f5-cloud-failover-1.5.0-0.noarch is installed
+2020-09-10T11:15:12.559-0700: /config/cloud/gce/installCloudLibs.sh: Info: Deleting '/var/tmp/f5-cloud-libs.tar.gz'
+2020-09-10T11:15:12.562-0700: /config/cloud/gce/installCloudLibs.sh: Info: Deleting '/var/tmp/f5-cloud-libs-gce.tar.gz'
+2020-09-10T11:15:12.565-0700: /config/cloud/gce/installCloudLibs.sh: Info: Deleting '/var/tmp/f5-appsvcs-3.22.1-1.noarch.rpm'
+2020-09-10T11:15:12.568-0700: /config/cloud/gce/installCloudLibs.sh: Info: Deleting '/var/tmp/f5-declarative-onboarding-1.15.0-3.noarch.rpm'
+2020-09-10T11:15:12.571-0700: /config/cloud/gce/installCloudLibs.sh: Info: Deleting '/var/tmp/f5-cloud-failover-1.5.0-0.noarch.rpm'
+2020-09-10T11:15:12.574-0700: /config/cloud/gce/installCloudLibs.sh: Info: Cloud libraries are installed
+2020-09-10T11:15:13.097-0700: /config/cloud/gce/declarativeOnboarding.sh: Info: Applying Declarative Onboarding payload
+2020-09-10T11:15:13.994-0700: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T11:15:13.997-0700: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T11:15:31.061-0700: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T11:15:31.065-0700: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:15:36.252+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T18:15:36.255+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:15:41.706+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T18:15:41.709+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:15:46.899+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T18:15:46.903+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:15:52.092+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T18:15:52.095+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:16:14.225+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is in process
+2020-09-10T18:16:14.229+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Sleeping before rechecking Declarative Onboarding tasks
+2020-09-10T18:16:19.447+0000: /config/cloud/gce/declarativeOnboarding.sh: Info: Declarative Onboarding is complete
+2020-09-10T18:16:20.068+0000: /config/cloud/gce/applicationServices3.sh: Info: Applying AS3 payload
+2020-09-10T18:16:20.512+0000: /config/cloud/gce/applicationServices3.sh: Info: AS3 payload is being processed
+2020-09-10T18:16:20.515+0000: /config/cloud/gce/applicationServices3.sh: Info: Sleeping before rechecking AS3 tasks
+2020-09-10T18:16:25.706+0000: /config/cloud/gce/applicationServices3.sh: Info: AS3 payload is installed
+2020-09-10T18:16:25.711+0000: /config/cloud/gce/initialSetup.sh: Info: About to execute custom configuration script
+2020-09-10T18:16:25.721+0000: /config/cloud/gce/customConfig.sh: Info: waiting for mcpd to be ready
+2020-09-10T18:16:26.193+0000: /config/cloud/gce/customConfig.sh: Info: Disabling gui-setup
+2020-09-10T18:16:26.791+0000: /config/cloud/gce/customConfig.sh: Info: Saving system config
+2020-09-10T18:16:31.618+0000: /config/cloud/gce/customConfig.sh: Info: Custom configuration is complete
+2020-09-10T18:16:31.622+0000: /config/cloud/gce/initialSetup.sh: Info: Initialisation complete
+2020-09-10T18:16:31.632+0000: /config/cloud/gce/resetManagementRoute.sh: waiting for mcpd to be ready
+2020-09-10T18:16:32.644+0000: /config/cloud/gce/resetManagementRoute.sh: complete
+```
+
+
+### Re-executing boot scripts
+
+The boot scripts are modular and designed to be re-executable in the event of a
+configuration failure. Should a [step](#boot-steps) fail, the entire
+initialisation script can be re-executed from an elevated BASH shell; items that
+have already been completed will be skipped, and only the incomplete steps will
+be re-executed.
+
+
+```shell
+admin@(isolated-vpcs-bigip-1)(cfg-sync In Sync)(Active)(/Common)(tmos)# bash
+[admin@isolated-vpcs-bigip-1:Active:In Sync] ~ # sudo sh /config/cloud/gce/initialSetup.sh
+/config/cloud/gce/initialSetup.sh: Info: Initialisation starting
+/config/cloud/gce/initialSetup.sh: Info: Generating /config/cloud/gce/network.config
+/config/cloud/gce/initialSetup.sh: Info: Waiting for mcpd to be ready
+...
+/config/cloud/gce/initialSetup.sh: Info: Initialisation complete
+```
+
+
+### Re-executing a specific script
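Review bot: the `cloud-init` row of the logging table splits its second cell across three lines (the two `journalctl -u ...` commands), which Markdown table renderers do not accept; put the cell on one line with `<br>` between the commands. The file also ends with the "### Re-executing a specific script" heading and no body, so either add that section or hold the heading back until it exists. Two smaller points: the second fenced block under the `gcloud` command holds log output, not commands, so a `text` fence would stop it being copied as a script; and the sample log's timestamps switch from `-0700` to `+0000` partway through Declarative Onboarding, which is the `timezone` default of `UTC` taking effect and deserves one sentence so readers do not read it as a clock jump. Finally, since this document recommends the serial console as the place to read boot progress when SSH is unavailable, it should also say that serial port output is retained by the platform and is readable by anyone holding the corresponding IAM permission on the project, which is why the scripts must keep logging only status lines such as "Changing admin password" and never the value retrieved from Secret Manager.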
diff --git a/modules/big-ip/metadata/files/installCloudLibs.sh b/modules/big-ip/metadata/files/installCloudLibs.sh
index 0ba93c6..981432f 100755
--- a/modules/big-ip/metadata/files/installCloudLibs.sh
+++ b/modules/big-ip/metadata/files/installCloudLibs.sh
@@ -46,6 +46,7 @@ for url in "$@"; do
auth_token="$(get_auth_token)" || \
error "Unable to get auth token: $?"
out="/var/tmp/$(basename "${url%%?alt=media}")"
+ info "Downloading ${url} to ${out}"
curl -sfL --retry 20 -o "${out}" \
-H "Authorization: Bearer ${auth_token}" \
"${url}" || \
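Review bot: the new `info "Downloading ${url} to ${out}"` line writes the full URL to the log and the serial console. That is acceptable for the current flow because the credential travels in the `Authorization: Bearer` header rather than in the URL, but if a pre-signed or token-bearing URL is ever passed in `"$@"` it would be persisted in serial-port output, which is retained and readable through the API. Logging the already computed basename (`$(basename "${url%%?alt=media}")`) or just `${out}` instead of `${url}` keeps the message useful without that exposure.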
diff --git a/modules/big-ip/metadata/images/serial-console.png b/modules/big-ip/metadata/images/serial-console.png
new file mode 100644
index 0000000..0c01370
Binary files /dev/null and b/modules/big-ip/metadata/images/serial-console.png differ
diff --git a/modules/big-ip/metadata/variables.tf b/modules/big-ip/metadata/variables.tf
index 7ecf873..be0f0c5 100644
--- a/modules/big-ip/metadata/variables.tf
+++ b/modules/big-ip/metadata/variables.tf
@@ -52,7 +52,7 @@ variable "ntp_servers" {
type = list(string)
default = ["169.254.169.254"]
description = <