diff --git a/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md b/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
index 21157f042..7c02ca0d0 100644
--- a/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
+++ b/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
@@ -103,8 +103,6 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
| [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
-| [aws_ebs_default_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
-| [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
### Inputs
@@ -113,7 +111,7 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
|------|-------------|------|---------|:--------:|
| [global\_tags](#input\_global\_tags) | Global tags configured for all provisioned resources | `map(any)` | `{}` | no |
| [name\_prefix](#input\_name\_prefix) | Prefix used in names for the resources (VPCs, EC2 instances, autoscaling groups etc.) | `string` | `""` | no |
-| [panoramas](#input\_panoramas) | A map defining Panorama instances
Following properties are available:
- `instances`: map of Panorama instances with attributes:
- `az`: name of the Availability Zone
- `private_ip_address`: private IP address for management interface
- `panos_version`: PAN-OS version used for Panorama
- `network`: definition of network settings in object with attributes:
- `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)
- `vpc_subnet`: key of the VPC and subnet connected by '-' character
- `security_group`: security group assigned to ENI used by Panorama
- `create_public_ip`: true, if public IP address for management should be created
- `ebs`: EBS settings defined in object with attributes:
- `volumes`: list of EBS volumes attached to each instance
- `kms_key_alias`: KMS key alias used for encrypting Panorama EBS
- `iam`: IAM settings in object with attrbiutes:
- `create_role`: enable creation of IAM role
- `role_name`: name of the role to create or use existing one
- `enable_imdsv2`: whether to enable IMDSv2 on the EC2 instance
Example:
{|
panorama\_ha\_pair = {
instances = {
"primary" = {
az = "eu-central-1a"
private\_ip\_address = "10.255.0.4"
}
"secondary" = {
az = "eu-central-1b"
private\_ip\_address = "10.255.1.4"
}
}
panos\_version = "10.2.3"
network = {
vpc = "management\_vpc"
vpc\_subnet = "management\_vpc-mgmt"
security\_group = "panorama\_mgmt"
create\_public\_ip = true
}
ebs = {
volumes = [
{
name = "ebs-1"
ebs\_device\_name = "/dev/sdb"
ebs\_size = "2000"
ebs\_encrypted = true
},
{
name = "ebs-2"
ebs\_device\_name = "/dev/sdc"
ebs\_size = "2000"
ebs\_encrypted = true
}
]
kms\_key\_alias = "aws/ebs"
}
iam = {
create\_role = true
role\_name = "panorama"
}
enable\_imdsv2 = false
}
}
map(object({| `{}` | no | +| [panoramas](#input\_panoramas) | A map defining Panorama instances
instances = map(object({
az = string
private\_ip\_address = string
}))
panos\_version = string
network = object({
vpc = string
vpc\_subnet = string
security\_group = string
create\_public\_ip = bool
})
ebs = object({
volumes = list(object({
name = string
ebs\_device\_name = string
ebs\_size = string
ebs\_encrypted = bool
}))
kms\_key\_alias = string
})
iam = object({
create\_role = bool
role\_name = string
})
enable\_imdsv2 = bool
}))
{|
panorama\_ha\_pair = {
instances = {
"primary" = {
az = "eu-central-1a"
private\_ip\_address = "10.255.0.4"
}
"secondary" = {
az = "eu-central-1b"
private\_ip\_address = "10.255.1.4"
}
}
panos\_version = "10.2.3"
network = {
vpc = "management\_vpc"
vpc\_subnet = "management\_vpc-mgmt"
security\_group = "panorama\_mgmt"
create\_public\_ip = true
}
ebs = {
volumes = [
{
name = "ebs-1"
ebs\_device\_name = "/dev/sdb"
ebs\_size = "2000"
ebs\_encrypted = true
},
{
name = "ebs-2"
ebs\_device\_name = "/dev/sdc"
ebs\_size = "2000"
ebs\_encrypted = true
}
]
kms\_key\_alias = "aws/ebs"
}
iam = {
create\_role = true
role\_name = "panorama"
}
enable\_imdsv2 = false
}
}
map(object({| `{}` | no | | [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes | | [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes | | [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.
instances = map(object({
az = string
private\_ip\_address = string
}))
panos\_version = string
network = object({
vpc = string
vpc\_subnet = string
security\_group = string
create\_public\_ip = bool
})
ebs = object({
volumes = list(object({
name = string
ebs\_device\_name = string
ebs\_size = string
}))
encrypted = bool
kms\_key\_alias = string
})
iam = object({
create\_role = bool
role\_name = string
})
enable\_imdsv2 = bool
}))
{|
security\_vpc = {
name = "security-vpc"
cidr = "10.100.0.0/16"
security\_groups = {
panorama\_mgmt = {
name = "panorama\_mgmt"
rules = {
all\_outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
https = {
description = "Permit HTTPS"
type = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"
cidr\_blocks = ["130.41.247.0/24"]
}
ssh = {
description = "Permit SSH"
type = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"
cidr\_blocks = ["130.41.247.0/24"]
}
}
}
}
subnets = {
"10.100.0.0/24" = { az = "eu-central-1a", set = "mgmt" }
"10.100.64.0/24" = { az = "eu-central-1b", set = "mgmt" }
}
routes = {
mgmt\_default = {
vpc\_subnet = "security\_vpc-mgmt"
to\_cidr = "0.0.0.0/0"
next\_hop\_key = "security\_vpc"
next\_hop\_type = "internet\_gateway"
}
}
}
}
map(object({| `{}` | no | diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md index 6b88de227..f60ac0ade 100644 --- a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md +++ b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md @@ -85,17 +85,21 @@ No modules. | [bootstrap\_options](#input\_bootstrap\_options) | Bootstrap options to put into userdata | `any` | `{}` | no | | [delete\_timeout](#input\_delete\_timeout) | Timeout needed to correctly drain autoscaling group while deleting ASG.
name = string
cidr = string
security\_groups = any
subnets = map(object({
az = string
set = string
}))
routes = map(object({
vpc\_subnet = string
to\_cidr = string
next\_hop\_key = string
next\_hop\_type = string
}))
}))
{"username":"ACCOUNT","password":"PASSWORD","panorama1":"IP\_ADDRESS1","panorama2":"IP\_ADDRESS2","license\_manager":"LICENSE\_MANAGER\_NAME"}"| `any` | `null` | no | +| [delicense\_ssm\_param\_name](#input\_delicense\_ssm\_param\_name) | Secure string in Parameter Store with value in below format:
{"username":"ACCOUNT","password":"PASSWORD","panorama1":"IP\_ADDRESS1","panorama2":"IP\_ADDRESS2","license\_manager":"LICENSE\_MANAGER\_NAME"}"the format can either be the plain name in case you store it without hierarchy or with a "/" in case you store in in a hierarchy | `any` | `null` | no | | [desired\_capacity](#input\_desired\_capacity) | Number of Amazon EC2 instances that should be running in the group. | `number` | `2` | no | | [ebs\_kms\_id](#input\_ebs\_kms\_id) | Alias for AWS KMS used for EBS encryption in VM-Series | `string` | `"alias/aws/ebs"` | no | | [fw\_license\_type](#input\_fw\_license\_type) | Select License type (byol/payg1/payg2) | `string` | `"byol"` | no | | [global\_tags](#input\_global\_tags) | Map of AWS tags to apply to all the created resources. | `map(any)` | n/a | yes | +| [health\_check](#input\_health\_check) | Controls how health checking is done. |
object({|
grace\_period = number
type = string
})
{| no | +| [include\_deprecated\_ami](#input\_include\_deprecated\_ami) | In certain scenarios, customers may deploy a VM-Series instance through the marketplace,
"grace\_period": 300,
"type": "EC2"
}
object({| `null` | no | | [instance\_type](#input\_instance\_type) | EC2 instance type. | `string` | `"m5.xlarge"` | no | | [interfaces](#input\_interfaces) | Map of the network interface specifications.
strategy = string
preferences = object({
checkpoint\_delay = number
checkpoint\_percentages = list(number)
instance\_warmup = number
min\_healthy\_percentage = number
skip\_matching = bool
auto\_rollback = bool
scale\_in\_protected\_instances = string
standby\_instances = string
})
triggers = list(string)
})
interfaces = {| `map(any)` | n/a | yes | | [ip\_target\_groups](#input\_ip\_target\_groups) | Target groups (type IP) for load balancers, which are used by Lamda to register VM-Series IP of untrust interface |
mgmt = {
device\_index = 0
subnet\_id = aws\_subnet.mgmt.id
name = "mgmt"
create\_public\_ip = true
source\_dest\_check = true
security\_group\_ids = ["sg-123456"]
},
public = {
device\_index = 1
subnet\_id = aws\_subnet.public.id
name = "public"
create\_public\_ip = true
},
private = {
device\_index = 2
subnet\_id = aws\_subnet.private.id
name = "private"
},
]
list(object({| `[]` | no | | [lambda\_execute\_pip\_install\_once](#input\_lambda\_execute\_pip\_install\_once) | Flag used in local-exec command installing Python packages required by Lambda.
arn = string
port = string
}))
[| no | | [target\_group\_arn](#input\_target\_group\_arn) | ARN of target group (type instance) for load balancer, which is used by ASG to register VM-Series instance | `string` | `null` | no | | [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | The AMI from which to launch the instance. Takes precedence over fw\_version and fw\_license\_type | `string` | `null` | no | | [vmseries\_iam\_instance\_profile](#input\_vmseries\_iam\_instance\_profile) | IAM instance profile used in launch template | `string` | `""` | no | | [vmseries\_product\_code](#input\_vmseries\_product\_code) | Product code corresponding to a chosen VM-Series license type model - by default - BYOL.
"instance",
"volume",
"network-interface"
]
act\_as\_next\_hop\_for = {In this example, traffic from IGW destined to the ALB is instead routed to the GWLBE (for inspection by an appliance). |
from\_igw\_to\_alb = {
route\_table\_id = module.my\_vpc.internet\_gateway\_route\_table.id
to\_subnets = module.my\_alb\_subnet\_set.subnets
}
map(object({| `{}` | no | | [custom\_names](#input\_custom\_names) | Optional map of readable names of the VPC Endpoints, used to override the default naming generated from the input `name`. Each key is the Availability Zone identifier, for example `us-east-1b`. Each value is used as VPC Endpoint's standard AWS tag `Name`, for example "my-gwlbe-in-us-east-1b". | `map(string)` | `{}` | no | +| [delay](#input\_delay) | If Service Account name belongs to different AWS account It might delay endpoint status changes. It leads to routing issue. The variable should be applied for CloudNGFW. Number of seconds. | `number` | `0` | no | | [gwlb\_service\_name](#input\_gwlb\_service\_name) | The name of the VPC Endpoint Service to connect to, which may reside in a different VPC. Usually an output `module.gwlb.endpoint_service.service_name`. Example: "com.amazonaws.vpce.eu-west-3.vpce-svc-0df5336455053eb2b". | `string` | n/a | yes | | [gwlb\_service\_type](#input\_gwlb\_service\_type) | The type of the Endpoint to create for `gwlb_service_name`. | `string` | `"GatewayLoadBalancer"` | no | | [name](#input\_name) | Name of the VPC Endpoint Set, for example: "my-gwlbe-". Each individual endpoint is named by appending an AZ letter, such as "my-set-a" and "my-set-b". These names can be overriden using `custom_names`. | `string` | `"gwlbe-"` | no | diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md index 758d66640..7ab1397d0 100644 --- a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md +++ b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md @@ -73,6 +73,7 @@ No modules. | [eip\_domain](#input\_eip\_domain) | Indicates if this EIP is for use in VPC | `string` | `"vpc"` | no | | [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.
route\_table\_id = string
to\_subnets = map(object({
cidr\_block = string
}))
}))
subnets = module.subnet\_set.subnetsExample:
subnets = {|
"us-east-1a" = { id = "snet-123007" }
"us-east-1b" = { id = "snet-123008" }
}
map(object({| n/a | yes | | [tags](#input\_tags) | AWS tags to assign to all the created objects. | `map(string)` | `{}` | no | -| [transit\_gateway\_route\_table](#input\_transit\_gateway\_route\_table) | TGW's route table which should receive the traffic coming from the `subnet_set` (also called an association). An object with at least two attributes:
id = string
}))
transit\_gateway\_route\_table = {|
id = "tgw-rtb-1234"
transit\_gateway\_id = "tgw-1234"
}
object({| n/a | yes | +| [transit\_gateway\_route\_table](#input\_transit\_gateway\_route\_table) | TGW's route table which should receive the traffic coming from the `subnet_set` (also called an association). An object with at least two attributes:
id = string
transit\_gateway\_id = string
})
transit\_gateway\_route\_table = {|
id = "tgw-rtb-1234"
transit\_gateway\_id = "tgw-1234"
}
object({|
id = string
transit\_gateway\_id = string
})
{| no | | [vpc\_id](#input\_vpc\_id) | AWS identifier of a VPC containing the Attachment. | `string` | n/a | yes | ### Outputs diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md index 1cc1ff046..5062e1612 100644 --- a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md +++ b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md @@ -75,6 +75,7 @@ No modules. | [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.
"id": null,
"transit\_gateway\_id": null
}
interfaces = {| `map(any)` | n/a | yes | | [name](#input\_name) | Name of the VM-Series instance. | `string` | `null` | no | @@ -82,7 +83,7 @@ No modules. | [tags](#input\_tags) | Map of additional tags to apply to all resources. | `map(any)` | `{}` | no | | [vmseries\_ami\_id](#input\_vmseries\_ami\_id) | Specific AMI ID to use for VM-Series instance.
mgmt = {
device\_index = 0
subnet\_id = aws\_subnet.mgmt.id
name = "mgmt"
create\_public\_ip = true
source\_dest\_check = true
security\_group\_ids = ["sg-123456"]
},
public = {
device\_index = 1
subnet\_id = aws\_subnet.public.id
name = "public"
create\_public\_ip = true
},
private = {
device\_index = 2
subnet\_id = aws\_subnet.private.id
name = "private"
},
]
aws ec2 describe-images --region us-west-1 --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" "Name=name,Values=PA-VM-AWS*" --output json --query "Images[].Description" \| grep -o 'PA-VM-AWS-.*' \| sort| `string` | `"10.2.0"` | no | +| [vmseries\_version](#input\_vmseries\_version) | VM-Series Firewall version to deploy.
aws ec2 describe-images --region us-west-1 --filters "Name=product-code,Values=6njl1pau431dv1qxipg63mvah" "Name=name,Values=PA-VM-AWS*" --output json --query "Images[].Description" \| grep -o 'PA-VM-AWS-.*' \| sort| `string` | `"10.2.9-h1"` | no | ### Outputs diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md index ce32d0eda..88b3f9d75 100644 --- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md +++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md @@ -213,7 +213,7 @@ statistic = "Maximum" | [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.
spoke\_vms = {|
"app1\_vm01" = {
az = "eu-central-1a"
vpc = "app1\_vpc"
vpc\_subnet = "app1\_vpc-app1\_vm"
security\_group = "app1\_vm"
type = "t2.micro"
}
}
map(object({| `{}` | no | | [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes | | [tgw](#input\_tgw) | A object defining Transit Gateway.
az = string
vpc = string
vpc\_subnet = string
security\_group = string
type = string
}))
tgw = {|
create = true
id = null
name = "tgw"
asn = "64512"
route\_tables = {
"from\_security\_vpc" = {
create = true
name = "from\_security"
}
}
attachments = {
security = {
name = "vmseries"
vpc\_subnet = "security\_vpc-tgw\_attach"
route\_table = "from\_security\_vpc"
propagate\_routes\_to = "from\_spoke\_vpc"
}
}
}
object({| `null` | no | -| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
create = bool
id = string
name = string
asn = string
route\_tables = map(object({
create = bool
name = string
}))
attachments = map(object({
name = string
vpc\_subnet = string
route\_table = string
propagate\_routes\_to = string
}))
})
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true # TODO: update here
metric\_name = "panSessionActive" # TODO: update here
target\_value = 75 # TODO: update here
statistic = "Average" # TODO: update here
cloudwatch\_namespace = "example-vmseries" # TODO: update here
tags = {
ManagedBy = "terraform"
}
}
application\_lb = null
network\_lb = null
}
}
map(object({| `{}` | no | +| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
application\_lb = object({
name = string
rules = any
})
network\_lb = object({
name = string
rules = any
})
}))
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true
metric\_name = "panSessionActive"
estimated\_instance\_warmup = 900
target\_value = 75
statistic = "Average"
cloudwatch\_namespace = "asg-vmseries"
tags = {
ManagedBy = "terraform"
}
}
launch\_template\_version = "1"
instance\_refresh = {
strategy = "Rolling"
preferences = {
checkpoint\_delay = 3600
checkpoint\_percentages = [50, 100]
instance\_warmup = 1200
min\_healthy\_percentage = 50
skip\_matching = false
auto\_rollback = false
scale\_in\_protected\_instances = "Ignore"
standby\_instances = "Ignore"
}
triggers = []
}
application\_lb = null
network\_lb = null
}
}
map(object({| `{}` | no | | [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
estimated\_instance\_warmup = number
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
launch\_template\_version = string
instance\_refresh = object({
strategy = string
preferences = object({
checkpoint\_delay = number
checkpoint\_percentages = list(number)
instance\_warmup = number
min\_healthy\_percentage = number
skip\_matching = bool
auto\_rollback = bool
scale\_in\_protected\_instances = string
standby\_instances = string
})
triggers = list(string)
})
application\_lb = object({
name = string
rules = any
})
network\_lb = object({
name = string
rules = any
})
}))
vpcs = {|
example\_vpc = {
name = "example-spoke-vpc"
cidr = "10.104.0.0/16"
nacls = {
trusted\_path\_monitoring = {
name = "trusted-path-monitoring"
rules = {
allow\_inbound = {
rule\_number = 300
egress = false
protocol = "-1"
rule\_action = "allow"
cidr\_block = "0.0.0.0/0"
from\_port = null
to\_port = null
}
}
}
}
security\_groups = {
example\_vm = {
name = "example\_vm"
rules = {
all\_outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
}
}
}
subnets = {
"10.104.0.0/24" = { az = "eu-central-1a", set = "vm", nacl = null }
"10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }
}
routes = {
vm\_default = {
vpc\_subnet = "app1\_vpc-app1\_vm"
to\_cidr = "0.0.0.0/0"
next\_hop\_key = "app1"
next\_hop\_type = "transit\_gateway\_attachment"
}
}
}
}
map(object({| `{}` | no | ### Outputs diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md index 66fd7ae6a..867aa462f 100644 --- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md +++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md @@ -285,7 +285,7 @@ statistic = "Maximum" | [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.
name = string
cidr = string
nacls = map(object({
name = string
rules = map(object({
rule\_number = number
egress = bool
protocol = string
rule\_action = string
cidr\_block = string
from\_port = string
to\_port = string
}))
}))
security\_groups = any
subnets = map(object({
az = string
set = string
nacl = string
}))
routes = map(object({
vpc\_subnet = string
to\_cidr = string
next\_hop\_key = string
next\_hop\_type = string
}))
}))
spoke\_vms = {|
"app1\_vm01" = {
az = "eu-central-1a"
vpc = "app1\_vpc"
vpc\_subnet = "app1\_vpc-app1\_vm"
security\_group = "app1\_vm"
type = "t2.micro"
}
}
map(object({| `{}` | no | | [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes | | [tgw](#input\_tgw) | A object defining Transit Gateway.
az = string
vpc = string
vpc\_subnet = string
security\_group = string
type = string
}))
tgw = {|
create = true
id = null
name = "tgw"
asn = "64512"
route\_tables = {
"from\_security\_vpc" = {
create = true
name = "from\_security"
}
}
attachments = {
security = {
name = "vmseries"
vpc\_subnet = "security\_vpc-tgw\_attach"
route\_table = "from\_security\_vpc"
propagate\_routes\_to = "from\_spoke\_vpc"
}
}
}
object({| `null` | no | -| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
create = bool
id = string
name = string
asn = string
route\_tables = map(object({
create = bool
name = string
}))
attachments = map(object({
name = string
vpc\_subnet = string
route\_table = string
propagate\_routes\_to = string
}))
})
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true # TODO: update here
metric\_name = "panSessionActive" # TODO: update here
target\_value = 75 # TODO: update here
statistic = "Average" # TODO: update here
cloudwatch\_namespace = "example-vmseries" # TODO: update here
tags = {
ManagedBy = "terraform"
}
}
delicense = {
enabled = true
ssm\_param\_name = "example\_param\_store\_delicense" # TODO: update here
}
}
}
map(object({| `{}` | no | +| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
delicense = object({
enabled = bool
ssm\_param\_name = string
})
}))
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true
metric\_name = "panSessionActive"
estimated\_instance\_warmup = 900
target\_value = 75
statistic = "Average"
cloudwatch\_namespace = "asg-vmseries"
tags = {
ManagedBy = "terraform"
}
}
launch\_template\_version = "1"
instance\_refresh = {
strategy = "Rolling"
preferences = {
checkpoint\_delay = 3600
checkpoint\_percentages = [50, 100]
instance\_warmup = 1200
min\_healthy\_percentage = 50
skip\_matching = false
auto\_rollback = false
scale\_in\_protected\_instances = "Ignore"
standby\_instances = "Ignore"
}
triggers = []
}
delicense = {
enabled = true
ssm\_param\_name = "example\_param\_store\_delicense" # TODO: update here
}
}
}
map(object({| `{}` | no |
| [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
estimated\_instance\_warmup = number
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
launch\_template\_version = string
instance\_refresh = object({
strategy = string
preferences = object({
checkpoint\_delay = number
checkpoint\_percentages = list(number)
instance\_warmup = number
min\_healthy\_percentage = number
skip\_matching = bool
auto\_rollback = bool
scale\_in\_protected\_instances = string
standby\_instances = string
})
triggers = list(string)
})
delicense = object({
enabled = bool
ssm\_param\_name = string
})
}))
vpcs = {|
example\_vpc = {
name = "example-spoke-vpc"
cidr = "10.104.0.0/16"
nacls = {
trusted\_path\_monitoring = {
name = "trusted-path-monitoring"
rules = {
allow\_inbound = {
rule\_number = 300
egress = false
protocol = "-1"
rule\_action = "allow"
cidr\_block = "0.0.0.0/0"
from\_port = null
to\_port = null
}
}
}
}
security\_groups = {
example\_vm = {
name = "example\_vm"
rules = {
all\_outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
}
}
}
subnets = {
"10.104.0.0/24" = { az = "eu-central-1a", set = "vm", nacl = null }
"10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }
}
routes = {
vm\_default = {
vpc\_subnet = "app1\_vpc-app1\_vm"
to\_cidr = "0.0.0.0/0"
next\_hop\_key = "app1"
next\_hop\_type = "transit\_gateway\_attachment"
}
}
}
}
map(object({| `{}` | no |
### Outputs
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
index e09ba298c..267e8af41 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
@@ -239,7 +239,7 @@ statistic = "Maximum"
| [spoke\_nlbs](#input\_spoke\_nlbs) | A map defining Network Load Balancers deployed in spoke VPCs.
name = string
cidr = string
nacls = map(object({
name = string
rules = map(object({
rule\_number = number
egress = bool
protocol = string
rule\_action = string
cidr\_block = string
from\_port = string
to\_port = string
}))
}))
security\_groups = any
subnets = map(object({
az = string
set = string
nacl = string
}))
routes = map(object({
vpc\_subnet = string
to\_cidr = string
next\_hop\_key = string
next\_hop\_type = string
}))
}))
spoke\_lbs = {|
"app1-nlb" = {
vpc\_subnet = "app1\_vpc-app1\_lb"
vms = ["app1\_vm01", "app1\_vm02"]
}
}
map(object({| `{}` | no |
| [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.
vpc\_subnet = string
vms = list(string)
}))
spoke\_vms = {|
"app1\_vm01" = {
az = "eu-central-1a"
vpc = "app1\_vpc"
vpc\_subnet = "app1\_vpc-app1\_vm"
security\_group = "app1\_vm"
type = "t2.micro"
}
}
map(object({| `{}` | no |
| [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
-| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
az = string
vpc = string
vpc\_subnet = string
security\_group = string
type = string
}))
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true # TODO: update here
metric\_name = "panSessionActive" # TODO: update here
target\_value = 75 # TODO: update here
statistic = "Average" # TODO: update here
cloudwatch\_namespace = "example-vmseries" # TODO: update here
tags = {
ManagedBy = "terraform"
}
}
}
}
map(object({| `{}` | no |
+| [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
}))
vmseries\_asgs = {|
main\_asg = {
bootstrap\_options = {
mgmt-interface-swap = "enable"
plugin-op-commands = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here
panorama-server = "" # TODO: update here
auth-key = "" # TODO: update here
dgname = "" # TODO: update here
tplname = "" # TODO: update here
dhcp-send-hostname = "yes" # TODO: update here
dhcp-send-client-id = "yes" # TODO: update here
dhcp-accept-server-hostname = "yes" # TODO: update here
dhcp-accept-server-domain = "yes" # TODO: update here
}
panos\_version = "10.2.3" # TODO: update here
ebs\_kms\_id = "alias/aws/ebs" # TODO: update here
vpc = "security\_vpc"
gwlb = "security\_gwlb"
interfaces = {
private = {
device\_index = 0
security\_group = "vmseries\_private"
subnet = {
"privatea" = "eu-central-1a",
"privateb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
mgmt = {
device\_index = 1
security\_group = "vmseries\_mgmt"
subnet = {
"mgmta" = "eu-central-1a",
"mgmtb" = "eu-central-1b"
}
create\_public\_ip = true
source\_dest\_check = true
}
public = {
device\_index = 2
security\_group = "vmseries\_public"
subnet = {
"publica" = "eu-central-1a",
"publicb" = "eu-central-1b"
}
create\_public\_ip = false
source\_dest\_check = false
}
}
subinterfaces = {
inbound = {
app1 = {
gwlb\_endpoint = "app1\_inbound"
subinterface = "ethernet1/1.11"
}
app2 = {
gwlb\_endpoint = "app2\_inbound"
subinterface = "ethernet1/1.12"
}
}
outbound = {
only\_1\_outbound = {
gwlb\_endpoint = "security\_gwlb\_outbound"
subinterface = "ethernet1/1.20"
}
}
eastwest = {
only\_1\_eastwest = {
gwlb\_endpoint = "security\_gwlb\_eastwest"
subinterface = "ethernet1/1.30"
}
}
}
asg = {
desired\_cap = 0
min\_size = 0
max\_size = 4
lambda\_execute\_pip\_install\_once = true
}
scaling\_plan = {
enabled = true
metric\_name = "panSessionActive"
estimated\_instance\_warmup = 900
target\_value = 75
statistic = "Average"
cloudwatch\_namespace = "asg-vmseries"
tags = {
ManagedBy = "terraform"
}
}
launch\_template\_version = "1"
instance\_refresh = {
strategy = "Rolling"
preferences = {
checkpoint\_delay = 3600
checkpoint\_percentages = [50, 100]
instance\_warmup = 1200
min\_healthy\_percentage = 50
skip\_matching = false
auto\_rollback = false
scale\_in\_protected\_instances = "Ignore"
standby\_instances = "Ignore"
}
triggers = []
}
}
}
map(object({| `{}` | no |
| [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.
bootstrap\_options = object({
mgmt-interface-swap = string
plugin-op-commands = string
panorama-server = string
auth-key = string
dgname = string
tplname = string
dhcp-send-hostname = string
dhcp-send-client-id = string
dhcp-accept-server-hostname = string
dhcp-accept-server-domain = string
})
panos\_version = string
ebs\_kms\_id = string
vpc = string
gwlb = string
interfaces = map(object({
device\_index = number
security\_group = string
subnet = map(string)
create\_public\_ip = bool
source\_dest\_check = bool
}))
subinterfaces = map(map(object({
gwlb\_endpoint = string
subinterface = string
})))
asg = object({
desired\_cap = number
min\_size = number
max\_size = number
lambda\_execute\_pip\_install\_once = bool
})
scaling\_plan = object({
enabled = bool
metric\_name = string
estimated\_instance\_warmup = number
target\_value = number
statistic = string
cloudwatch\_namespace = string
tags = map(string)
})
launch\_template\_version = string
instance\_refresh = object({
strategy = string
preferences = object({
checkpoint\_delay = number
checkpoint\_percentages = list(number)
instance\_warmup = number
min\_healthy\_percentage = number
skip\_matching = bool
auto\_rollback = bool
scale\_in\_protected\_instances = string
standby\_instances = string
})
triggers = list(string)
})
}))
vpcs = {|
example\_vpc = {
name = "example-spoke-vpc"
cidr = "10.104.0.0/16"
nacls = {
trusted\_path\_monitoring = {
name = "trusted-path-monitoring"
rules = {
allow\_inbound = {
rule\_number = 300
egress = false
protocol = "-1"
rule\_action = "allow"
cidr\_block = "0.0.0.0/0"
from\_port = null
to\_port = null
}
}
}
}
security\_groups = {
example\_vm = {
name = "example\_vm"
rules = {
all\_outbound = {
description = "Permit All traffic outbound"
type = "egress", from\_port = "0", to\_port = "0", protocol = "-1"
cidr\_blocks = ["0.0.0.0/0"]
}
}
}
}
subnets = {
"10.104.0.0/24" = { az = "eu-central-1a", set = "vm", nacl = null }
"10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }
}
routes = {
vm\_default = {
vpc\_subnet = "app1\_vpc-app1\_vm"
to\_cidr = "0.0.0.0/0"
next\_hop\_key = "app1"
next\_hop\_type = "transit\_gateway\_attachment"
}
}
}
}
map(object({| `{}` | no |
### Outputs
name = string
cidr = string
nacls = map(object({
name = string
rules = map(object({
rule\_number = number
egress = bool
protocol = string
rule\_action = string
cidr\_block = string
from\_port = string
to\_port = string
}))
}))
security\_groups = any
subnets = map(object({
az = string
set = string
nacl = string
}))
routes = map(object({
vpc\_subnet = string
to\_cidr = string
next\_hop\_key = string
next\_hop\_type = string
}))
}))