diff --git a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md b/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md
index 9a665f1d4..ed94f772f 100644
--- a/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md
+++ b/products/terraform/docs/swfw/azure/vmseries/examples/standalone_panorama.md
@@ -151,6 +151,7 @@ terraform destroy
Name | Version | Source | Description
--- | --- | --- | ---
`vnet` | - | ../../modules/vnet |
+`public_ip` | - | ../../modules/public_ip |
`panorama` | - | ../../modules/panorama |
### Resources
@@ -175,6 +176,7 @@ Name | Type | Description
[`name_prefix`](#name_prefix) | `string` | A prefix that will be added to all created resources.
[`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
[`tags`](#tags) | `map` | Map of tags to assign to the created resources.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
[`availability_sets`](#availability_sets) | `map` | A map defining availability sets.
[`panoramas`](#panoramas) | `map` | A map defining Azure Virtual Machine based on Palo Alto Networks Panorama image.
@@ -182,9 +184,9 @@ Name | Type | Description
Name | Description
--- | ---
-`username` | Initial administrative username to use for VM-Series.
-`password` | Initial administrative password to use for VM-Series.
-`panorama_mgmt_ips` |
+`username` | Initial administrative username to use for Panorama.
+`password` | Initial administrative password to use for Panorama.
+`panorama_mgmt_ips` | IP addresses for the Panorama management interface.
### Required Inputs details
@@ -215,6 +217,8 @@ For detailed documentation on each property refer to [module documentation](../.
- `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a
full resource name, including prefixes.
- `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET.
+- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by
+ default Azure DNS is used).
- `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when
set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is
disabled.
@@ -238,6 +242,7 @@ map(object({
resource_group_name = optional(string)
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
vnet_encryption = optional(string)
network_security_groups = optional(map(object({
name = string
@@ -259,7 +264,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -325,6 +330,49 @@ Map of tags to assign to the created resources.
Type: map(string)
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+ [module documentation](../../modules/public_ip#public_ip_addresses)
+ for available properties.
+- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+ [module documentation](../../modules/public_ip#public_ip_prefixes)
+ for available properties.
+
+
+Type:
+
+```hcl
+object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+```
+
+
Default value: `map[]`
[back to list](#modules-optional-inputs)
@@ -458,10 +506,11 @@ map(object({
interfaces = list(object({
name = string
subnet_key = string
- private_ip_address = optional(string)
create_public_ip = optional(bool, false)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ private_ip_address = optional(string)
}))
logging_disks = optional(map(object({
name = string
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
index bf2755500..936b0c8f7 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/appgw.md
@@ -30,7 +30,7 @@ In order to use module `appgw`, you need to deploy `azurerm_resource_group` and
Then you can use below code as an example of calling module to create Application Gateway:
```hcl
-# Create Application Gateay
+# Create Application Gateway
module "appgw" {
source = "PaloAltoNetworks/swfw-modules/azurerm//modules/appgw"
@@ -101,6 +101,13 @@ appgws = {
port = 80
}
}
+ backend_settings = {
+ minimum = {
+ name = "http-backend"
+ port = 80
+ protocol = "Http"
+ }
+ }
rewrites = {
minimum = {
name = "minimum-set"
@@ -119,9 +126,9 @@ appgws = {
minimum = {
name = "minimum-rule"
priority = 1
- backend = "minimum"
- listener = "minimum"
- rewrite = "minimum"
+ backend_key = "minimum"
+ listener_key = "minimum"
+ rewrite_key = "minimum"
}
}
}
@@ -151,13 +158,11 @@ appgws = {
capacity = {
static = 2
}
- backends = {
+ backend_settings = {
existing = {
name = "http-backend"
port = 80
protocol = "Http"
- timeout = 60
- cookie_based_affinity = "Enabled"
}
}
listeners = {
@@ -184,9 +189,9 @@ appgws = {
existing = {
name = "existing-rule"
priority = 1
- backend = "existing"
- listener = "existing"
- rewrite = "existing"
+ backend_key = "existing"
+ listener_key = "existing"
+ rewrite_key = "existing"
}
}
}
@@ -217,13 +222,11 @@ appgws = {
max = 20
}
}
- backends = {
+ backend_settings = {
http = {
name = "http-backend"
port = 80
protocol = "Http"
- timeout = 60
- cookie_based_affinity = "Enabled"
}
}
listeners = {
@@ -236,8 +239,8 @@ appgws = {
http = {
name = "http-rule"
priority = 1
- backend = "http"
- listener = "http"
+ backend_key = "http"
+ listener_key = "http"
}
}
}
@@ -272,13 +275,11 @@ appgws = {
rule_set_type = "OWASP"
rule_set_version = "3.2"
}
- backends = {
+ backend_settings = {
waf = {
name = "waf-backend"
port = 80
protocol = "Http"
- timeout = 60
- cookie_based_affinity = "Enabled"
}
}
listeners = {
@@ -305,9 +306,9 @@ appgws = {
minimum = {
name = "waf-rule"
priority = 1
- backend = "waf"
- listener = "waf"
- rewrite = "waf"
+ backend_key = "waf"
+ listener_key = "waf"
+ rewrite_key = "waf"
}
}
}
@@ -364,9 +365,9 @@ appgws = {
capacity = {
static = 2
}
- ssl_global = {
- ssl_policy_type = "Predefined"
- ssl_policy_name = "AppGwSslPolicy20170401"
+ global_ssl_policy = {
+ type = "Predefined"
+ name = "AppGwSslPolicy20170401"
}
ssl_profiles = {
profile1 = {
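Review bot: The renamed `global_ssl_policy` block still pins the predefined policy `AppGwSslPolicy20170401`, which to my knowledge still permits TLS 1.1, and the custom-policy example in the later hunk at `@@ -520,10 +521,10 @@` keeps `min_protocol_version = "TLSv1_0"` together with 3DES and CBC cipher suites. Readers copy these examples into real listeners, so the documented values should not be weaker than what a new deployment ought to accept. I would change the lines to `name = "AppGwSslPolicy20220101"` here and `min_protocol_version = "TLSv1_2"` there, with the cipher list trimmed to the ECDHE GCM suites; if the legacy values are kept on purpose, add `# legacy TLS settings shown for syntax only, do not use in production` above each block. The cipher list continues past the end of that later hunk, so the full set should be checked in the source file.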
@@ -382,7 +383,7 @@ appgws = {
protocol = "Https"
ssl_profile_name = "appgw-ssl-profile1"
ssl_certificate_path = "./files/test1.pfx"
- ssl_certificate_pass = ""
+ ssl_certificate_pass = "123abc"
host_names = ["test1.appgw.local"]
}
https2 = {
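Review bot: The certificate password is now a literal, `ssl_certificate_pass = "123abc"`, on the `https1` listener here and again on `https2` in the next hunk. An inline value in an example tends to be copied as-is, and a password set this way ends up in version control and, as with any Terraform input, in the state file. I would show it as `ssl_certificate_pass = var.ssl_certificate_pass`, with that variable declared `sensitive = true`, and add a sentence under the example that the `.pfx` password must not be committed. If `123abc` is only the password of test certificates shipped with the module, say so in a comment such as `# password of the bundled test certificate only`.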
@@ -390,20 +391,20 @@ appgws = {
port = 443
protocol = "Https"
ssl_certificate_path = "./files/test2.pfx"
- ssl_certificate_pass = ""
+ ssl_certificate_pass = "123abc"
host_names = ["test2.appgw.local"]
}
}
backend_pool = {
name = "vmseries-pool"
}
- backends = {
+ backend_settings = {
https1 = {
name = "https1-settings"
port = 481
protocol = "Https"
timeout = 60
- cookie_based_affinity = "Enabled"
+ use_cookie_based_affinity = true
hostname_from_backend = false
hostname = "test1.appgw.local"
root_certs = {
@@ -418,7 +419,7 @@ appgws = {
port = 482
protocol = "Https"
timeout = 60
- cookie_based_affinity = "Enabled"
+ use_cookie_based_affinity = true
hostname_from_backend = false
hostname = "test2.appgw.local"
root_certs = {
@@ -475,16 +476,16 @@ appgws = {
https1 = {
name = "https1-rule"
priority = 2
- backend = "https1"
- listener = "https1"
- rewrite = "https1"
+ backend_key = "https1"
+ listener_key = "https1"
+ rewrite_key = "https1"
}
https2 = {
name = "https2-rule"
priority = 3
- backend = "https2"
- listener = "https2"
- rewrite = "https2"
+ backend_key = "https2"
+ listener_key = "https2"
+ rewrite_key = "https2"
}
}
}
@@ -520,10 +521,10 @@ appgws = {
capacity = {
static = 2
}
- ssl_global = {
- ssl_policy_type = "Custom"
- ssl_policy_min_protocol_version = "TLSv1_0"
- ssl_policy_cipher_suites = ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
+ global_ssl_policy = {
+ type = "Custom"
+ min_protocol_version = "TLSv1_0"
+ cipher_suites = ["TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
@@ -605,21 +606,21 @@ appgws = {
backend_pool = {
name = "vmseries-pool"
}
- backends = {
+ backend_settings = {
http = {
name = "http-settings"
port = 80
protocol = "Http"
timeout = 60
- cookie_based_affinity = "Enabled"
- probe = "http"
+ use_cookie_based_affinity = true
+ probe_key = "http"
}
https1 = {
name = "https1-settings"
port = 481
protocol = "Https"
timeout = 60
- cookie_based_affinity = "Enabled"
+ use_cookie_based_affinity = true
hostname_from_backend = false
hostname = "test1.appgw.local"
root_certs = {
@@ -628,14 +629,14 @@ appgws = {
path = "./files/ca-cert1.pem"
}
}
- probe = "https1"
+ probe_key = "https1"
}
https2 = {
name = "https2-settings"
port = 482
protocol = "Https"
timeout = 60
- cookie_based_affinity = "Enabled"
+ use_cookie_based_affinity = true
hostname_from_backend = false
hostname = "test2.appgw.local"
root_certs = {
@@ -644,7 +645,7 @@ appgws = {
path = "./files/ca-cert2.pem"
}
}
- probe = "https2"
+ probe_key = "https2"
}
}
probes = {
@@ -726,60 +727,60 @@ appgws = {
http = {
name = "http-rule"
priority = 1
- backend = "http"
- listener = "http"
- rewrite = "http"
+ backend_key = "http"
+ listener_key = "http"
+ rewrite_key = "http"
}
https1 = {
name = "https1-rule"
priority = 2
- backend = "https1"
- listener = "https1"
- rewrite = "https1"
+ backend_key = "https1"
+ listener_key = "https1"
+ rewrite_key = "https1"
}
https2 = {
name = "https2-rule"
priority = 3
- backend = "https2"
- listener = "https2"
- rewrite = "https2"
+ backend_key = "https2"
+ listener_key = "https2"
+ rewrite_key = "https2"
}
redirect_listener = {
name = "redirect-listener-rule"
priority = 4
- listener = "redirect_listener"
- redirect = "redirect_listener"
+ listener_key = "redirect_listener"
+ redirect_key = "redirect_listener"
}
redirect_url = {
name = "redirect-url-rule"
priority = 5
- listener = "redirect_url"
- redirect = "redirect_url"
+ listener_key = "redirect_url"
+ redirect_key = "redirect_url"
}
path_based_backend = {
name = "path-based-backend-rule"
priority = 6
- listener = "path_based_backend"
- url_path_map = "path_based_backend"
+ listener_key = "path_based_backend"
+ url_path_map_key = "path_based_backend"
}
path_based_redirect_listener = {
name = "path-redirect-listener-rule"
priority = 7
- listener = "path_based_redirect_listener"
- url_path_map = "path_based_redirect_listener"
+ listener_key = "path_based_redirect_listener"
+ url_path_map_key = "path_based_redirect_listener"
}
path_based_redirect_url = {
name = "path-redirect-rul-rule"
priority = 8
- listener = "path_based_redirect_url"
- url_path_map = "path_based_redirect_url"
+ listener_key = "path_based_redirect_url"
+ url_path_map_key = "path_based_redirect_url"
}
}
redirects = {
redirect_listener = {
name = "listener-redirect"
type = "Permanent"
- target_listener = "http"
+ target_listener_key = "http"
include_path = true
include_query_string = true
}
@@ -794,35 +795,35 @@ appgws = {
url_path_maps = {
path_based_backend = {
name = "backend-map"
- backend = "http"
+ backend_key = "http"
path_rules = {
http = {
paths = ["/plaintext"]
- backend = "http"
+ backend_key = "http"
}
https = {
paths = ["/secure"]
- backend = "https1"
+ backend_key = "https1"
}
}
}
path_based_redirect_listener = {
name = "redirect-listener-map"
- backend = "http"
+ backend_key = "http"
path_rules = {
http = {
paths = ["/redirect"]
- redirect = "redirect_listener"
+ redirect_key = "redirect_listener"
}
}
}
path_based_redirect_url = {
name = "redirect-url-map"
- backend = "http"
+ backend_key = "http"
path_rules = {
http = {
paths = ["/redirect"]
- redirect = "redirect_url"
+ redirect_key = "redirect_url"
}
}
}
@@ -836,11 +837,11 @@ appgws = {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -930,19 +931,23 @@ Type: string
A map defining listener's public IP configuration.
Following properties are available:
-- `name` - (`string`, required) name of the Public IP resource.
- `create` - (`bool`, optional, defaults to `true`) controls if the Public IP resource is created or sourced.
+- `name` - (`string`, optional) name of the Public IP resource, required unless `public_ip` module and `id`
+ property are used.
- `resource_group_name` - (`string`, optional, defaults to `null`) name of the Resource Group hosting the Public IP resource,
used only for sourced resources.
+- `id` - (`string`, optional, defaults to `null`) ID of the Public IP to associate with the Listener.
+ Property is used when Public IP is not created or sourced within this module.
Type:
```hcl
object({
- name = string
create = optional(bool, true)
+ name = optional(string)
resource_group_name = optional(string)
+ id = optional(string)
})
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
index b440fd917..2924e0222 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/bootstrap.md
@@ -154,11 +154,11 @@ details refer to the [var.file_shares](#file_shares) variable documentation.
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md b/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md
index bec4c5fd8..4b0f0a7d3 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/gwlb.md
@@ -37,11 +37,12 @@ In order to use GWLB, below minimal definition of Gateway Load Balancer can be u
```hcl
gwlb = {
- name = "vmseries-gwlb"
-
- frontend_ip = {
- vnet_key = "security"
- subnet_key = "data"
+ vmseries_gwlb = {
+ name = "vmseries-gwlb"
+ frontend_ip = {
+ vnet_key = "security"
+ subnet_key = "data"
+ }
}
}
```
@@ -55,7 +56,8 @@ For more customized requirements, below extended definition of GWLB can be appli
- 2 backends are defined (external and internal)
```hcl
- gwlb2 = {
+ gwlb = {
+ vmseries_gwlb = {
name = "vmseries-gwlb2"
zones = []
@@ -73,6 +75,7 @@ For more customized requirements, below extended definition of GWLB can be appli
health_probe = {
name = "custom-name-health-probe"
port = 80
+ protocol = "Tcp"
}
backends = {
@@ -100,6 +103,7 @@ For more customized requirements, below extended definition of GWLB can be appli
}
}
}
+}
```
## Reference
@@ -107,11 +111,11 @@ For more customized requirements, below extended definition of GWLB can be appli
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md b/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md
index 6f4662424..a7a723d0a 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/loadbalancer.md
@@ -54,6 +54,7 @@ module "lbi" {
name = "private-lb"
region = "West Europe"
resource_group_name = "existing-rg"
+ backend_name = "vmseries_backend"
frontend_ips = {
ha = {
@@ -86,6 +87,7 @@ module "lbe" {
name = "public-lb"
region = "West Europe"
resource_group_name = "existing-rg"
+ backend_name = "vmseries_backend"
frontend_ips = {
web = {
@@ -96,7 +98,7 @@ module "lbe" {
http = {
name = "http"
port = 80
- protocol = "TCP"
+ protocol = "Tcp"
}
}
}
@@ -109,11 +111,11 @@ module "lbe" {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -153,8 +155,8 @@ Name | Description
--- | ---
`id` | The identifier of the Load Balancer resource.
`backend_pool_id` | The identifier of the backend pool.
-`frontend_ip_configs` | Map of IP addresses, one per each entry of `frontend_ips` input. Contains public IP address for the frontends that have it,
-private IP address otherwise.
+`frontend_ip_configs` | Map of IP prefixes/addresses, one per each entry of `frontend_ips` input. Contains public IP prefix/address for the frontends
+that have it, private IP address otherwise.
`health_probe` | The health probe object.
@@ -204,35 +206,44 @@ To ease configuration they were grouped per Load Balancer type.
Private Load Balancer:
-- `name` - (`string`, required) name of a frontend IP configuration
-- `subnet_id` - (`string`, required) an ID of an existing subnet that will host the private Load Balancer
-- `private_ip_address` - (`string`, required) the IP address of the Load Balancer
-- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below
-- `gwlb_fip_id` - (`string`, optional, defaults to `null`) an ID of a frontend IP configuration
- of a Gateway Load Balancer
+- `name` - (`string`, required) name of a frontend IP configuration.
+- `subnet_id` - (`string`, required) an ID of an existing subnet that will host the private Load Balancer.
+- `private_ip_address` - (`string`, required) the IP address of the Load Balancer.
+- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below.
+- `gwlb_fip_id` - (`string`, optional, defaults to `null`) an ID of a frontend IP configuration of a
+ Gateway Load Balancer.
Public Load Balancer:
-- `name` - (`string`, required) name of a frontend IP configuration
-- `public_ip_name` - (`string`, required) name of a public IP resource
-- `create_public_ip` - (`bool`, optional, defaults to `false`) when set to `true` a new public IP will be
+- `name` - (`string`, required) name of a frontend IP configuration.
+- `create_public_ip` - (`bool`, optional, defaults to `false`) when set to `true` a new Public IP will be
created, otherwise an existing resource will be used;
- in both cases the name of the resource is controlled by `public_ip_name` property
+ in both cases the name of the resource is controlled by `public_ip_name` property.
+- `public_ip_name` - (`string`, optional) name of a Public IP resource, required unless `public_ip` module and
+ `public_ip_id` property are used.
- `public_ip_resource_group_name` - (`string`, optional, defaults to the Load Balancer's RG) name of a Resource Group
- hosting an existing public IP resource
-- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below
-- `out_rules` - (`map`, optional, defaults to `{}`) a map defining outbound rules, see details below
+ hosting an existing Public IP resource.
+- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the Public IP Address to associate with the
+ Frontend. Property is used when Public IP is not created or sourced within this module.
+- `public_ip_address` - (`string`, optional, defaults to `null`) IP address of the Public IP to associate with the
+ Frontend. Property is used when Public IP is not created or sourced within this module.
+- `public_ip_prefix_id` - (`string`, optional, defaults to `null`) ID of the Public IP Prefix to associate with the
+ Frontend. Property is used when you need to source Public IP Prefix.
+- `public_ip_prefix_address` - (`string`, optional, defaults to `null`) IP address of the Public IP Prefix to associate
+ with the Frontend. Property is used when you need to source Public IP Prefix.
+- `in_rules` - (`map`, optional, defaults to `{}`) a map defining inbound rules, see details below.
+- `out_rules` - (`map`, optional, defaults to `{}`) a map defining outbound rules, see details below.
Below are the properties for the `in_rules` map:
-- `name` - (`string`, required) a name of an inbound rule
+- `name` - (`string`, required) a name of an inbound rule.
- `protocol` - (`string`, required) communication protocol, either 'Tcp', 'Udp' or 'All'.
- `port` - (`number`, required) communication port, this is both the front- and the backend port
- if `backend_port` is not set; value of `0` means all ports
+ if `backend_port` is not set; value of `0` means all ports.
- `backend_port` - (`number`, optional, defaults to `null`) this is the backend port to forward traffic
- to in the backend pool
+ to in the backend pool.
- `health_probe_key` - (`string`, optional, defaults to `default`) a key from the `var.health_probes` map defining
- a health probe to use with this rule
+ a health probe to use with this rule.
- `floating_ip` - (`bool`, optional, defaults to `true`) enables floating IP for this rule.
- `session_persistence` - (`string`, optional, defaults to `Default`) controls session persistance/load distribution,
three values are possible:
@@ -250,21 +261,20 @@ Setting at least one `out_rule` switches the outgoing traffic from SNAT to outbo
single backend, and you cannot mix SNAT and outbound rules traffic in rules using the same backend, setting one `out_rule`
switches the outgoing traffic route for **ALL** `in_rules`.
-- `name` - (`string`, required) a name of an outbound rule
-- `protocol` - (`string`, required) protocol used by the rule. One of `All`, `Tcp` or `Udp` is accepted
+- `name` - (`string`, required) a name of an outbound rule.
+- `protocol` - (`string`, required) protocol used by the rule. One of `All`, `Tcp` or `Udp` is accepted.
- `allocated_outbound_ports` - (`number`, optional, defaults to `null`) number of ports allocated per instance,
when skipped provider defaults will be used (`1024`),
when set to `0` port allocation will be set to default number (Azure defaults);
- maximum value is `64000`
-- `enable_tcp_reset` - (`bool`, optional, defaults to Azure defaults) ignored when `protocol` is set to `Udp`
-- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure defaults) TCP connection timeout in minutes
- (between 4 and 120)
- in case the connection is idle, ignored when `protocol` is set to `Udp`
+ maximum value is `64000`.
+- `enable_tcp_reset` - (`bool`, optional, defaults to Azure defaults) ignored when `protocol` is set to `Udp`.
+- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure defaults) TCP connection timeout in minutes (between 4
+ and 120) in case the connection is idle, ignored when `protocol` is set to `Udp`.
Examples
```hcl
-# rules for a public Load Balancer, reusing an existing public IP and doing port translation
+# rules for a public Load Balancer, reusing an existing Public IP and doing port translation
frontend_ips = {
pip_existing = {
create_public_ip = false
@@ -323,9 +333,13 @@ Type:
```hcl
map(object({
name = string
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_id = optional(string)
+ public_ip_address = optional(string)
+ public_ip_prefix_id = optional(string)
+ public_ip_prefix_address = optional(string)
subnet_id = optional(string)
private_ip_address = optional(string)
gwlb_fip_id = optional(string)
@@ -370,14 +384,14 @@ Controls zones for Load Balancer's fronted IP configurations.
For:
-- public IPs - these are zones in which the public IP resource is available.
+- public IPs - these are zones in which the Public IP resource is available.
- private IPs - these are zones to which Azure will deploy paths leading to Load Balancer frontend IPs (all frontends are
affected).
Setting this variable to explicit `null` disables a zonal deployment.
This can be helpful in regions where Availability Zones are not available.
-For public Load Balancers, since this setting controls also Availability Zones for public IPs, you need to specify all zones
+For public Load Balancers, since this setting controls also Availability Zones for Public IPs, you need to specify all zones
available in a region (typically 3): `["1","2","3"]`.
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
index 6a2ac2eba..0aaecd442 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/natgw.md
@@ -52,8 +52,8 @@ module "natgw" {
name = "NATGW_name"
resource_group_name = "resource_group_name"
location = "region_name"
- subnet_ids = { "a_subnet_name" =
-module.vnet.subnet_ids["a_subnet_name"] }
+ subnet_ids = { "subnet_name" = "/subscription/xxxx/......." }
+ idle_timeout = 120
}
```
@@ -65,11 +65,11 @@ by Azure.
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -211,9 +211,12 @@ A map defining a Public IP resource.
List of available properties:
- `create` - (`bool`, required) controls whether a Public IP is created, sourced, or not used at all.
-- `name` - (`string`, required) name of a created or sourced Public IP.
+- `name` - (`string`, optional) name of a created or sourced Public IP, required unless `public_ip` module and
+ `id` property are used.
- `resource_group_name` - (`string`, optional) name of a resource group hosting the sourced Public IP resource, ignored when
`create = true`.
+- `id` - (`string`, optional, defaults to `null`) ID of the Public IP to associate with the NAT Gateway.
+ Property is used when Public IP Address is not created or sourced within this module.
The module operates in 3 modes, depending on combination of `create` and `name` properties:
@@ -247,8 +250,9 @@ Type:
```hcl
object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
+ id = optional(string)
})
```
@@ -264,11 +268,14 @@ A map defining a Public IP Prefix resource.
List of available properties:
- `create` - (`bool`, required) controls whether a Public IP Prefix is created, sourced, or not used at all.
-- `name` - (`string`, required) name of a created or sourced Public IP Prefix.
+- `name` - (`string`, optional) name of a created or sourced Public IP Prefix, required unless `public_ip`
+ module and `id` property are used.
- `resource_group_name` - (`string`, optional) name of a resource group hosting the sourced Public IP Prefix resource, ignored
when `create = true`.
- `length` - (`number`, optional, defaults to `28`) number of bits of the Public IP Prefix, this value can be
between `0` and `31` but can be limited on subscription level (Azure default is `/28`).
+- `id` - (`string`, optional, defaults to `null`) ID of the Public IP Prefix to associate with the NAT Gateway.
+ Property is used when Public IP Prefix is not created or sourced within this module.
The module operates in 3 modes, depending on combination of `create` and `name` properties:
@@ -302,9 +309,10 @@ Type:
```hcl
object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
length = optional(number, 28)
+ id = optional(string)
})
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md b/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md
index d53a1aefb..549c2a772 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/ngfw_metrics.md
@@ -81,11 +81,11 @@ module "ngfw_metrics" {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
index e5a5f6640..4d7cf33cd 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/panorama.md
@@ -44,11 +44,11 @@ The acceptance applies to the entirety of your Azure Subscription.
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -270,10 +270,12 @@ Following configuration options are available:
- `public_ip_name` - (`string`, optional, defaults to `null`) name of the public IP to associate with the
interface. When `create_public_ip` is set to `true` this will become a name of a newly
created Public IP interface. Otherwise this is a name of an existing interfaces that will
- be sourced and attached to the interface.
+ be sourced and attached to the interface. Not used when using `public_ip` module.
- `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that
contains public IP that that will be associated with the interface. Used only when
`create_public_ip` is `false`.
+- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the
+ interface. Property is used when public IP is not created or sourced within this module.
Example:
@@ -307,6 +309,7 @@ list(object({
create_public_ip = optional(bool, false)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_id = optional(string)
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md b/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md
new file mode 100644
index 000000000..a2288c4ff
--- /dev/null
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/public_ip.md
@@ -0,0 +1,346 @@
+---
+hide_title: true
+id: public_ip
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- swfw
+- software-firewalls
+- azure
+pagination_next: null
+pagination_prev: null
+sidebar_label: Public Ip
+title: Palo Alto Networks Public IP Module for Azure
+---
+
+# Palo Alto Networks Public IP Module for Azure
+
+A Terraform module for deploying Public IP Addresses and Prefixes required for the VM-Series firewalls and other infrastructure
+components in Azure.
+
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/tree/main/modules/public_ip) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/azurerm/latest/submodules/public_ip)
+
+## Purpose
+
+All other modules that may require a Public IP Address resource support simple creation of it. This module allows more advanced
+creation of Public IP Addresses and Prefixes, including:
+- Specifying Availability Zones for Public IPs separately from the main resource
+- Specifying Domain Name Label and Idle Timeout for Public IPs
+- Allocating Public IP Addresses from an existing Public IP Prefix (e.g. Custom non-Microsoft IP Prefix)
+
+## Usage
+
+In order to use module `public_ip`, you need to deploy `azurerm_resource_group` as a prerequisite. Then you can use below code as
+an example of calling module to create Public IP Addresses and Prefixes:
+
+```hcl
+module "public_ip" {
+ source = ""PaloAltoNetworks/swfw-modules/azurerm//modules/public_ip"
+
+ region = var.region
+ public_ip_addresses = {
+ for k, v in var.public_ips.public_ip_addresses : k => merge(v, {
+ name = "${var.name_prefix}${v.name}"
+ resource_group_name = coalesce(v.resource_group_name, local.resource_group.name)
+ })
+ }
+ public_ip_prefixes = {
+ for k, v in var.public_ips.public_ip_prefixes : k => merge(v, {
+ name = "${var.name_prefix}${v.name}"
+ resource_group_name = coalesce(v.resource_group_name, local.resource_group.name)
+ })
+ }
+
+ tags = var.tags
+}
+```
+
+Below there are provided sample values for `public_ips` map:
+
+```hcl
+public_ips = {
+ public_ip_addresses = {
+ # create a new public ip address in zone 1, with domain name label "domainname" and idle timeout of 10 minutes
+ pip1 = {
+ create = true
+ name = "new-public-ip-name1"
+ resource_group_name = "pip-rg-name"
+ zones = ["1"]
+ domain_name_label = "domainname"
+ idle_timeout_in_minutes = 10
+ }
+ # create a new public ip address in all zones (default) and allocate it from an existing ip prefix
+ pip2 = {
+ create = true
+ name = "new-public-ip-name2"
+ resource_group_name = "pip-rg-name"
+ prefix_name = "public-ip-prefix-name"
+ prefix_resource_group_name = "ippre-rg-name"
+ }
+ # source an existing public ip address
+ pip3 = {
+ create = false
+ name = "existing-public-ip-name"
+ resource_group_name = "pip-rg-name"
+ }
+ }
+ public_ip_prefixes = {
+ # create a new public ip prefix in zone 1 with a prefix length of /28 (default)
+ ippre1 = {
+ create = true
+ name = "new-public-ip-prefix-name1"
+ resource_group_name = "ippre-rg-name"
+ zones = ["1"]
+ }
+ # create a new public ip prefix in all zones (default) with a prefix length of /30
+ ippre2 = {
+ create = true
+ name = "new-public-ip-prefix-name2"
+ resource_group_name = "ippre-rg-name"
+ length = 30
+ }
+ # source and existing public ip prefix
+ ippre3 = {
+ create = false
+ name = "existing-public-ip-prefix-name"
+ resource_group_name = "ippre-rg-name"
+ }
+ }
+}
+```
+
+To make defining the Public IPs easy, you can use the following variable in the _glue_ code:
+
+```hcl
+variable "public_ips" {
+ description = "A map defining Public IP Addresses and Prefixes."
+ default = {}
+ type = object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+}
+```
+
+## Reference
+
+### Requirements
+
+- `terraform`, version: >= 1.5, < 2.0
+- `azurerm`, version: ~> 4.0
+
+### Providers
+
+- `azurerm`, version: ~> 4.0
+
+
+
+### Resources
+
+- `public_ip` (managed)
+- `public_ip_prefix` (managed)
+- `public_ip` (data)
+- `public_ip_prefix` (data)
+- `public_ip_prefix` (data)
+
+### Required Inputs
+
+Name | Type | Description
+--- | --- | ---
+[`region`](#region) | `string` | The name of the Azure region to deploy the resources in.
+
+### Optional Inputs
+
+Name | Type | Description
+--- | --- | ---
+[`tags`](#tags) | `map` | The map of tags to assign to all created resources.
+[`public_ip_addresses`](#public_ip_addresses) | `map` | Map of objects describing Public IP Addresses.
+[`public_ip_prefixes`](#public_ip_prefixes) | `map` | Map of objects describing Public IP Prefixes.
+
+### Outputs
+
+Name | Description
+--- | ---
+`pip_ids` | The identifiers of the created or sourced Public IP Addresses.
+`pip_ip_addresses` | The IP values of the created or sourced Public IP Addresses.
+`ippre_ids` | The identifiers of the created or sourced Public IP Prefixes.
+`ippre_ip_prefixes` | The IP values of the created or sourced Public IP Prefixes.
+
+### Required Inputs details
+
+#### region
+
+The name of the Azure region to deploy the resources in.
+
+Type: string
+
+[back to list](#modules-required-inputs)
+
+### Optional Inputs details
+
+#### tags
+
+The map of tags to assign to all created resources.
+
+Type: map(string)
+
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ip_addresses
+
+Map of objects describing Public IP Addresses.
+
+List of available properties:
+
+- `create` - (`bool`, required) controls whether a Public IP Address is created or sourced.
+- `name` - (`string`, required) name of a created or sourced Public IP Address.
+- `resource_group_name` - (`string`, required) name of a Resource Group for created Public IP Address or hosting an
+ existing Public IP Address.
+- `zones` - (`list`, optional, defaults to ["1", "2", "3"]) list of Availability Zones in which the Public
+ IP Address is available, setting this variable to explicit `null` disables a zonal deployment.
+- `domain_name_label` - (`string`, optional, defaults to `null`) a label for the Domain Name, will be used to make up
+ the FQDN. If a domain name label is specified, an A DNS record is created for the Public IP in
+ the Microsoft Azure DNS system.
+- `idle_timeout_in_minutes` - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the Public IP
+ Address, possible values are in the range from 4 to 32.
+- `prefix_name` - (`string`, optional) the name of an existing Public IP Prefix from where Public IP Addresses
+ should be allocated.
+- `prefix_resource_group_name` - (`string`, optional, defaults to the PIP's RG) name of a Resource Group hosting an existing
+ Public IP Prefix resource.
+
+Example:
+
+```hcl
+# create two new Public IP Addresses, where the first IP is only in Availability Zone 1
+# and the second IP is in all 3 Availability Zones (default) and is allocated from a specific Public IP Prefix
+public_ip_addresses = {
+ pip1 = {
+ create = true
+ name = "new-public-ip-name1"
+ resource_group_name = "pip-rg-name"
+ zones = ["1"]
+ }
+ pip2 = {
+ create = true
+ name = "new-public-ip-name2"
+ resource_group_name = "pip-rg-name"
+ prefix_name = "public-ip-prefix-name"
+ prefix_resource_group_name = "ippre-rg-name"
+ }
+}
+
+# source an existing Public IP
+public_ip_addresses = {
+ pip1 = {
+ create = false
+ name = "existing-public-ip-name"
+ resource_group_name = "pip-rg-name"
+ }
+}
+```
+
+
+Type:
+
+```hcl
+map(object({
+ create = bool
+ name = string
+ resource_group_name = string
+ zones = optional(list(string), ["1", "2", "3"])
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ }))
+```
+
+
+Default value: `&{}`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ip_prefixes
+
+Map of objects describing Public IP Prefixes.
+
+List of available properties:
+
+- `create` - (`bool`, required) controls whether a Public IP Prefix is created or sourced.
+- `name` - (`string`, required) name of a created or sourced Public IP Prefix.
+- `resource_group_name` - (`string`, required) name of a Resource Group for created Public IP Prefix or hosting an existing
+ Public IP Prefix.
+- `zones` - (`list`, optional, defaults to ["1", "2", "3"]) list of Availability Zones in which the Public IP
+ Address is available, setting this variable to explicit `null` disables a zonal deployment.
+- `length` - (`number`, optional, defaults to `28`) number of bits of the Public IP Prefix, this value can be
+ between `0` and `31` but can be limited on subscription level (Azure default is `/28`).
+
+Example:
+
+```hcl
+# create two new Public IP Prefixes, where the first one is only in Availability Zone 1 and with default prefix length of `/28`
+# and the second one is in all 3 Availability Zones (default) and with prefix length of `/30`
+public_ip_prefixes = {
+ ippre1 = {
+ create = true
+ name = "new-public-ip-prefix-name1"
+ resource_group_name = "ippre-rg-name"
+ zones = ["1"]
+ }
+ ippre2 = {
+ create = true
+ name = "new-public-ip-prefix-name2"
+ resource_group_name = "ippre-rg-name"
+ length = 30
+ }
+}
+
+# source an existing Public IP Prefix
+public_ip_prefixes = {
+ ippre1 = {
+ create = false
+ name = "existing-public-ip-prefix-name"
+ resource_group_name = "ippre-rg-name"
+ }
+}
+```
+
+
+Type:
+
+```hcl
+map(object({
+ create = bool
+ name = string
+ resource_group_name = string
+ zones = optional(list(string), ["1", "2", "3"])
+ length = optional(number, 28)
+ }))
+```
+
+
+Default value: `&{}`
+
+[back to list](#modules-optional-inputs)
\ No newline at end of file
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md b/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md
index 51558ae32..5c738d1c0 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/virtual_network_gateway.md
@@ -37,13 +37,13 @@ module "vng" {
for_each = var.virtual_network_gateways
name = "${var.name_prefix}${each.value.name}"
- location = var.region
+ region = var.region
resource_group_name = local.resource_group.name
- network = each.value.network
- subnet_id = module.vnet[each.value.vnet_key].subnet_ids[each.value.subnet_key]
+ ip_configurations = each.value.ip_configurations
+ instance_settings = each.value.instance_settings
+ subnet_id = "/subscription/xxxx/......."
- virtual_network_gateway = each.value.virtual_network_gateway
azure_bgp_peer_addresses = each.value.azure_bgp_peer_addresses
bgp = each.value.bgp
local_network_gateways = each.value.local_network_gateways
@@ -59,7 +59,7 @@ Below there are provided sample values for `virtual_network_gateways` map:
virtual_network_gateways = {
expressroute = {
name = "expressroute"
- virtual_network_gateway = {
+ instance_settings = {
type = "ExpressRoute"
# vpn_type = "PolicyBased"
sku = "Standard"
@@ -67,20 +67,18 @@ virtual_network_gateways = {
}
vnet_key = "transit"
subnet_key = "vpn"
- network = {
- public_ip_zones = ["1"]
- ip_configurations = {
- primary = {
- create_public_ip = true
- name = "primary"
- public_ip_name = "expressroute_pip"
- }
+ ip_configurations = {
+ primary = {
+ create_public_ip = true
+ name = "primary"
+ public_ip_name = "expressroute_pip"
}
}
+
}
expressroute_policy_based = {
name = "er_policy"
- virtual_network_gateway = {
+ instance_settings = {
type = "ExpressRoute"
vpn_type = "PolicyBased"
sku = "Standard"
@@ -88,20 +86,18 @@ virtual_network_gateways = {
}
vnet_key = "er"
subnet_key = "vpn"
- network = {
- public_ip_zones = ["1"]
- ip_configurations = {
- primary = {
- create_public_ip = true
- name = "primary"
- public_ip_name = "er_policy_pip"
- }
+ ip_configurations = {
+ primary = {
+ create_public_ip = true
+ name = "primary"
+ public_ip_name = "er_policy_pip"
}
}
+
}
vpn_simple = {
name = "simple-vpn"
- virtual_network_gateway = {
+ instance_settings = {
type = "Vpn"
# vpn_type = "PolicyBased"
sku = "VpnGw1"
@@ -109,20 +105,18 @@ virtual_network_gateways = {
}
vnet_key = "er"
subnet_key = "vpn"
- network = {
- public_ip_zones = []
- ip_configurations = {
- primary = {
- create_public_ip = true
- name = "primary"
- public_ip_name = "simple_vpn_pip"
- }
+ ip_configurations = {
+ primary = {
+ create_public_ip = true
+ name = "primary"
+ public_ip_name = "simple_vpn_pip"
}
}
+
}
"vng" = {
name = "vng"
- virtual_network_gateway = {
+ instance_settings = {
type = "Vpn"
sku = "VpnGw2AZ"
generation = "Generation2"
@@ -130,21 +124,19 @@ virtual_network_gateways = {
}
vnet_key = "transit"
subnet_key = "vpn"
- network = {
- public_ip_zones = ["1", "2", "3"]
- ip_configurations = {
- primary = {
- name = "primary"
- create_public_ip = true
- public_ip_name = "vng-primary-pip"
- }
- secondary = {
- name = "secondary"
- create_public_ip = true
- public_ip_name = "vng-secondary-pip"
- }
+ ip_configurations = {
+ primary = {
+ name = "primary"
+ create_public_ip = true
+ public_ip_name = "vng-primary-pip"
+ }
+ secondary = {
+ name = "secondary"
+ create_public_ip = true
+ public_ip_name = "vng-secondary-pip"
}
}
+
azure_bgp_peer_addresses = {
one_primary = "169.254.21.2"
one_secondary = "169.254.22.2"
@@ -240,36 +232,31 @@ variable "virtual_network_gateways" {
nullable = false
type = map(object({
name = string
- virtual_network_gateway = object({
+ instance_settings = object({
type = optional(string)
vpn_type = optional(string)
sku = optional(string)
active_active = optional(bool)
generation = optional(string)
- custom_routes = optional(map(list(string)))
})
vnet_key = string
subnet_key = string
- network = object({
- public_ip_zones = optional(list(string))
- ip_configurations = object({
- primary = object({
- name = string
- create_public_ip = optional(bool)
- public_ip_name = string
- private_ip_address_allocation = optional(string)
- })
- secondary = optional(object({
- name = string
- create_public_ip = optional(bool)
- public_ip_name = string
- private_ip_address_allocation = optional(string)
- }))
+
+ ip_configurations = object({
+ primary = object({
+ name = string
+ create_public_ip = optional(bool)
+ public_ip_name = string
+ private_ip_address_allocation = optional(string)
})
- private_ip_address_enabled = optional(bool)
- default_local_network_gateway_id = optional(string)
- edge_zone = optional(string)
+ secondary = optional(object({
+ name = string
+ create_public_ip = optional(bool)
+ public_ip_name = string
+ private_ip_address_allocation = optional(string)
+ }))
})
+
azure_bgp_peer_addresses = optional(map(string))
bgp = optional(object({
enable = optional(bool, false)
@@ -339,11 +326,11 @@ variable "virtual_network_gateways" {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -503,13 +490,18 @@ A map defining the Public IPs used by the Virtual Network Gateway.
Following properties are available:
- `primary` - (`map`, required) a map defining the primary Public IP address, following properties are available:
- - `name` - (`string`, required) name of the IP config.
- - `create_public_ip` - (`bool`, optional, defaults to `true`) controls if a Public IP is created or sourced.
- - `public_ip_name` - (`string`, required) name of a Public IP resource, depending on the value of
- `create_public_ip` property this will be a name of a newly create or existing resource
- (for values of `true` and `false` accordingly).
- - `dynamic_private_ip_allocation` - (`bool`, optional, defaults to `true`) controls if the private IP address is assigned
- dynamically or statically.
+ - `name` - (`string`, required) name of the IP config.
+ - `create_public_ip` - (`bool`, optional, defaults to `true`) controls if a Public IP is created or sourced.
+ - `public_ip_name` - (`string`, optional) name of a Public IP resource, required unless `public_ip` module
+ and `public_ip_id` property are used. Depending on the value of `create_public_ip`
+ property, this will be a name of a newly created or existing resource (for values of
+ `true` and `false` accordingly).
+ - `public_ip_resource_group_name` - (`string`, optional, defaults to the Load Balancer's RG) name of a Resource Group
+ hosting an existing Public IP resource.
+ - `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the
+ interface. Property is used when public IP is not created or sourced within this module.
+ - `dynamic_private_ip_allocation` - (`bool`, optional, defaults to `true`) controls if the private IP address is assigned
+ dynamically or statically.
- `secondary` - (`map`, optional, defaults to `null`) a map defining the secondary Public IP address resource. Required only
for `type` set to `Vpn` and `active-active` set to `true`. Same properties available as for `primary` property.
@@ -522,13 +514,16 @@ object({
primary = object({
name = string
create_public_ip = optional(bool, true)
- public_ip_name = string
+ public_ip_name = optional(string)
+ public_ip_resource_group_name = optional(string)
+ public_ip_id = optional(string)
private_ip_address_allocation = optional(string, "Dynamic")
})
secondary = optional(object({
name = string
create_public_ip = optional(bool, true)
- public_ip_name = string
+ public_ip_name = optional(string)
+ public_ip_id = optional(string)
private_ip_address_allocation = optional(string, "Dynamic")
}))
})
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md
index fe895a96b..ba2283a85 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmseries.md
@@ -58,11 +58,11 @@ If your Region doesn't, use an alternative mechanism of Availability Set, which
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -70,6 +70,7 @@ If your Region doesn't, use an alternative mechanism of Availability Set, which
- `linux_virtual_machine` (managed)
- `network_interface` (managed)
+- `network_interface_application_gateway_backend_address_pool_association` (managed)
- `network_interface_backend_address_pool_association` (managed)
- `public_ip` (managed)
- `public_ip` (data)
@@ -299,14 +300,20 @@ Following configuration options are available:
- `public_ip_name` - (`string`, optional, defaults to `null`) name of the public IP to associate with the
interface. When `create_public_ip` is set to `true` this will become a name of a newly
created Public IP interface. Otherwise this is a name of an existing interfaces that will
- be sourced and attached to the interface.
+ be sourced and attached to the interface. Not used when using `public_ip` module.
- `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that
contains public IP that that will be associated with the interface. Used only when
`create_public_ip` is `false`.
+- `public_ip_id` - (`string`, optional, defaults to `null`) ID of the public IP to associate with the
+ interface. Property is used when public IP is not created or sourced within this module.
- `attach_to_lb_backend_pool` - (`bool`, optional, defaults to `false`) set to `true` if you would like to associate this
interface with a Load Balancer backend pool.
- `lb_backend_pool_id` - (`string`, optional, defaults to `null`) ID of an existing backend pool to associate the
interface with.
+- `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of an existing Application Gateway backend pool
+ to associate the interface with.
+- `attach_to_appgw_backend_pool` - (`bool`, optional, defaults to `false`) set to `true` if you would like to associate this
+ interface with an Application Gateway backend pool.
Example:
@@ -341,9 +348,12 @@ list(object({
create_public_ip = optional(bool, false)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_id = optional(string)
private_ip_address = optional(string)
lb_backend_pool_id = optional(string)
attach_to_lb_backend_pool = optional(bool, false)
+ appgw_backend_pool_id = optional(string)
+ attach_to_appgw_backend_pool = optional(bool, false)
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
index 7943a4218..f4c64ce56 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/vmss.md
@@ -88,15 +88,19 @@ module "vmss" {
resource_group_name = "hub-rg"
region = "West Europe"
+ image = {
+ version = "10.2.901"
+ publisher = "paloaltonetworks"
+ offer = "vmseries-flex"
+ sku = "byol"
+ }
+
authentication = {
username = "panadmin"
password = "c0mpl1c@t3d"
- disable_password_authentication = true
+ disable_password_authentication = false
}
- vm_image_configuration = {
- img_version = "10.2.4"
- }
- scale_set_configuration = {}
+
interfaces = [
{
name = "managmeent"
@@ -125,11 +129,11 @@ module "vmss" {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Modules
Name | Version | Source | Description
@@ -140,6 +144,7 @@ Name | Version | Source | Description
- `linux_virtual_machine_scale_set` (managed)
- `monitor_autoscale_setting` (managed)
+- `public_ip_prefix` (data)
### Required Inputs
@@ -282,15 +287,21 @@ Interfaces will be attached to VM in the order you define here, therefore:
Following configuration options are available:
-- `name` - (`string`, required) the interface name.
-- `subnet_id` - (`string`, required) ID of an existing subnet to create the interface in.
-- `create_public_ip` - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface.
-- `lb_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifiers of existing Load Balancer backend pools
- to associate the interface with.
-- `appgw_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifier of Application Gateway's backend pools
- to associate the interface with.
-- `pip_domain_name_label` - (`string`, optional, defaults to `null`) the IP Prefix which should be used for the Domain Name
- Label for each Virtual Machine Instance.
+- `name` - (`string`, required) the interface name.
+- `subnet_id` - (`string`, required) ID of an existing subnet to create the interface in.
+- `create_public_ip` - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface.
+- `pip_domain_name_label` - (`string`, optional, defaults to `null`) the Prefix which should be used for the Domain
+ Name Label for each Virtual Machine Instance.
+- `pip_idle_timeout_in_minutes` - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the Public
+ IP Address, possible values are in the range from 4 to 32.
+- `pip_prefix_name` - (`string`, optional) the name of an existing Public IP Address Prefix from where Public IP
+ Addresses should be allocated.
+- `pip_prefix_resource_group_name` - (`string`, optional, defaults to the VMSS's RG) name of a Resource Group hosting an
+ existing Public IP Prefix resource.
+- `lb_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifiers of existing Load Balancer
+ backend pools to associate the interface with.
+- `appgw_backend_pool_ids` - (`list`, optional, defaults to `[]`) a list of identifier of Application Gateway's backend
+ pools to associate the interface with.
Example:
@@ -318,12 +329,15 @@ Type:
```hcl
list(object({
- name = string
- subnet_id = string
- create_public_ip = optional(bool, false)
- lb_backend_pool_ids = optional(list(string), [])
- appgw_backend_pool_ids = optional(list(string), [])
- pip_domain_name_label = optional(string)
+ name = string
+ subnet_id = string
+ create_public_ip = optional(bool, false)
+ pip_domain_name_label = optional(string)
+ pip_idle_timeout_in_minutes = optional(number)
+ pip_prefix_name = optional(string)
+ pip_prefix_resource_group_name = optional(string)
+ lb_backend_pool_ids = optional(list(string), [])
+ appgw_backend_pool_ids = optional(list(string), [])
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md
index fb0a3d645..9e96469fd 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/vnet.md
@@ -33,6 +33,7 @@ This module is designed to work in several *modes* depending on which variables
name = "transit"
resource_group_name = "existing-rg"
address_space = ["10.0.0.0/25"]
+ region = "North Europe"
network_security_groups = {
inbound = {
name = "inbound-nsg"
@@ -56,42 +57,53 @@ This module is designed to work in several *modes* depending on which variables
name = "default-rt"
routes = {
"default" = {
- name = "default-udr"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = "5.6.7.8"
+ name = "default-udr"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_ip_address = "5.6.7.8"
}
}
}
}
subnets = {
"subnet" = {
- name = "snet"
- address_prefixes = ["10.0.0.0/28"]
- network_security_group = "inbound"
- route_table = "default"
+ name = "snet"
+ address_prefixes = ["10.0.0.0/28"]
+ network_security_group_key = "inbound"
+ route_table_key = "default"
}
}
```
-- source a VNET but create Subnets, NSGs and Route Tables. This is a similar example to the above one, NSG and Route Table are empty this time:
+- source a VNET but create Subnets, NSGs and Route Tables. This is a similar example to the above one, NSG is empty this time:
```hcl
create_virtual_network = false
name = "existing-vnet"
resource_group_name = "existing-rg"
+ region = "North Europe"
network_security_groups = {
inbound = { name = "inbound-nsg" }
}
route_tables = {
- default = { name = "default-rt" }
+ default = {
+ name = "default-rt"
+ routes = {
+ "default" = {
+ name = "default-udr"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_ip_address = "5.6.7.8"
+ }
+ }
+ }
}
subnets = {
"subnet" = {
- name = "snet"
- address_prefixes = ["10.0.0.0/28"]
- network_security_group = "inbound"
- route_table = "default"
+ name = "snet"
+ address_prefixes = ["10.0.0.0/28"]
+ network_security_group_key = "inbound"
+ route_table_key = "default"
}
}
```
@@ -102,6 +114,7 @@ This module is designed to work in several *modes* depending on which variables
create_virtual_network = false
name = "existing-vnet"
resource_group_name = "existing-rg"
+ region = "North Europe"
network_security_groups = {
inbound = {
name = "inbound-nsg"
@@ -125,10 +138,10 @@ This module is designed to work in several *modes* depending on which variables
name = "default-rt"
routes = {
"default" = {
- name = "default-udr"
- address_prefix = "0.0.0.0/0"
- next_hop_type = "VirtualAppliance"
- next_hop_in_ip_address = "5.6.7.8"
+ name = "default-udr"
+ address_prefix = "0.0.0.0/0"
+ next_hop_type = "VirtualAppliance"
+ next_hop_ip_address = "5.6.7.8"
}
}
}
@@ -136,9 +149,9 @@ This module is designed to work in several *modes* depending on which variables
create_subnets = false
subnets = {
"subnet" = {
- name = "snet"
- network_security_group = "inbound"
- route_table = "default"
+ name = "snet"
+ network_security_group_key = "inbound"
+ route_table_key = "default"
}
}
```
@@ -148,11 +161,11 @@ This module is designed to work in several *modes* depending on which variables
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
@@ -184,6 +197,7 @@ Name | Type | Description
[`tags`](#tags) | `map` | The map of tags to assign to all created resources.
[`create_virtual_network`](#create_virtual_network) | `bool` | Controls Virtual Network creation.
[`address_space`](#address_space) | `list` | The address space used by the virtual network.
+[`dns_servers`](#dns_servers) | `list` | List of IP addresses of custom DNS servers (by default Azure DNS is used).
[`vnet_encryption`](#vnet_encryption) | `string` | Enables Azure Virtual Network encryption feature (in `AllowUnencrypted` mode by default).
[`network_security_groups`](#network_security_groups) | `map` | Map of objects describing Network Security Groups.
[`route_tables`](#route_tables) | `map` | Map of objects describing a Route Tables.
@@ -259,6 +273,16 @@ The address space used by the virtual network.
You can supply more than one address space. Required only when you create a VNET.
+Type: list(string)
+
+Default value: `&{}`
+
+[back to list](#modules-optional-inputs)
+
+#### dns_servers
+
+List of IP addresses of custom DNS servers (by default Azure DNS is used).
+
Type: list(string)
Default value: `&{}`
@@ -406,7 +430,7 @@ Map of objects describing a Route Tables.
List of available properties:
- `name` - (`string`, required) name of a Route Table.
-- `disable_bgp_route_propagation` - (`bool`, optional, defaults to `false`) controls propagation of routes learned by BGP.
+- `bgp_route_propagation_enabled` - (`bool`, optional, defaults to `true`) controls propagation of routes learned by BGP.
- `routes` - (`map`, required) a map of Route Table entries (UDRs):
- `name` - (`string`, required) a name of a UDR.
- `address_prefix` - (`string`, required) the destination CIDR to which the route applies, such as `10.1.0.0/16`.
@@ -453,7 +477,7 @@ Type:
```hcl
map(object({
name = string
- disable_bgp_route_propagation = optional(bool, false)
+ bgp_route_propagation_enabled = optional(bool, true)
routes = map(object({
name = string
address_prefix = string
diff --git a/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md b/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md
index 162661161..e390d7118 100644
--- a/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md
+++ b/products/terraform/docs/swfw/azure/vmseries/modules/vnet_peering.md
@@ -47,11 +47,11 @@ remote_peer_config = {
### Requirements
- `terraform`, version: >= 1.5, < 2.0
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
### Providers
-- `azurerm`, version: ~> 3.98
+- `azurerm`, version: ~> 4.0
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
index 5f6c1bfe8..40871b57a 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries.md
@@ -209,6 +209,7 @@ Name | Version | Source | Description
--- | --- | --- | ---
`vnet` | - | ../../modules/vnet |
`vnet_peering` | - | ../../modules/vnet_peering |
+`public_ip` | - | ../../modules/public_ip |
`natgw` | - | ../../modules/natgw |
`load_balancer` | - | ../../modules/loadbalancer |
`appgw` | - | ../../modules/appgw |
@@ -241,6 +242,7 @@ Name | Type | Description
[`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
[`tags`](#tags) | `map` | Map of tags to assign to the created resources.
[`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
[`natgws`](#natgws) | `map` | A map defining NAT Gateways.
[`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers.
[`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment.
@@ -265,7 +267,7 @@ Name | Description
`test_vms_usernames` | Initial administrative username to use for test VMs.
`test_vms_passwords` | Initial administrative password to use for test VMs.
`test_vms_ips` | IP Addresses of the test VMs.
-`app_lb_frontend_ips` | IP Addresses of the load balancers.
+`test_lb_frontend_ips` | IP Addresses of the test load balancers.
### Required Inputs details
@@ -296,6 +298,8 @@ For detailed documentation on each property refer to [module documentation](../.
- `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a
full resource name, including prefixes.
- `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET.
+- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by
+ default Azure DNS is used).
- `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when
set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is
disabled.
@@ -319,6 +323,7 @@ map(object({
resource_group_name = optional(string)
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
vnet_encryption = optional(string)
network_security_groups = optional(map(object({
name = string
@@ -340,7 +345,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -433,6 +438,49 @@ map(object({
```
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+ [module documentation](../../modules/public_ip#public_ip_addresses)
+ for available properties.
+- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+ [module documentation](../../modules/public_ip#public_ip_prefixes)
+ for available properties.
+
+
+Type:
+
+```hcl
+object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+```
+
+
Default value: `map[]`
[back to list](#modules-optional-inputs)
@@ -491,14 +539,16 @@ map(object({
idle_timeout = optional(number, 4)
public_ip = optional(object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
}))
public_ip_prefix = optional(object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
length = optional(number)
+ key = optional(string)
}))
}))
```
@@ -577,9 +627,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -658,9 +710,10 @@ map(object({
subnet_key = string
zones = optional(list(string))
public_ip = object({
- name = string
create = optional(bool, true)
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
})
domain_name_label = optional(string)
capacity = optional(object({
@@ -1100,7 +1153,9 @@ The most basic properties are as follows:
backend pool.
- `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in `var.appgws`
variable, network interface that has this property defined will be added to the Application
- Gateway's backend pool.
+ Gateway's backend pool. Mutually exclusive with `appgw_backend_pool_id`.
+ - `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of the Application Gateway backend pool to which
+ the network interface will be added. Mutually exclusive with `application_gateway_key`.
For details on all properties refer to [module's documentation](../../modules/panorama#interfaces).
@@ -1158,9 +1213,11 @@ map(object({
create_public_ip = optional(bool, false)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
private_ip_address = optional(string)
load_balancer_key = optional(string)
application_gateway_key = optional(string)
+ appgw_backend_pool_id = optional(string)
}))
}))
```
@@ -1279,6 +1336,7 @@ map(object({
name = string
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
hub_resource_group_name = optional(string)
hub_vnet_name = string
network_security_groups = optional(map(object({
@@ -1301,7 +1359,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -1354,9 +1412,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -1401,10 +1461,13 @@ map(object({
custom_data = optional(string)
}))
bastions = map(object({
- name = string
- public_ip_name = optional(string)
- vnet_key = string
- subnet_key = string
+ name = string
+ create_public_ip = optional(bool, true)
+ public_ip_name = optional(string)
+ public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ vnet_key = string
+ subnet_key = string
}))
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md
index 4b1868470..c0a76968f 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/common_vmseries_and_autoscale.md
@@ -239,6 +239,7 @@ Name | Version | Source | Description
--- | --- | --- | ---
`vnet` | - | ../../modules/vnet |
`vnet_peering` | - | ../../modules/vnet_peering |
+`public_ip` | - | ../../modules/public_ip |
`natgw` | - | ../../modules/natgw |
`load_balancer` | - | ../../modules/loadbalancer |
`appgw` | - | ../../modules/appgw |
@@ -268,6 +269,7 @@ Name | Type | Description
[`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
[`tags`](#tags) | `map` | Map of tags to assign to the created resources.
[`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
[`natgws`](#natgws) | `map` | A map defining NAT Gateways.
[`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers.
[`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment.
@@ -282,12 +284,13 @@ Name | Description
--- | ---
`usernames` | Initial firewall administrative usernames for all deployed Scale Sets.
`passwords` | Initial firewall administrative passwords for all deployed Scale Sets.
+`natgw_public_ips` | Nat Gateways Public IP resources.
`metrics_instrumentation_keys` | The Instrumentation Key of the created instance(s) of Azure Application Insights.
`lb_frontend_ips` | IP Addresses of the load balancers.
`test_vms_usernames` | Initial administrative username to use for test VMs.
`test_vms_passwords` | Initial administrative password to use for test VMs.
`test_vms_ips` | IP Addresses of the test VMs.
-`app_lb_frontend_ips` | IP Addresses of the load balancers.
+`test_lb_frontend_ips` | IP Addresses of the test load balancers.
### Required Inputs details
@@ -318,6 +321,8 @@ For detailed documentation on each property refer to [module documentation](../.
- `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a
full resource name, including prefixes.
- `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET.
+- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by
+ default Azure DNS is used).
- `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when
set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is
disabled.
@@ -341,6 +346,7 @@ map(object({
resource_group_name = optional(string)
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
vnet_encryption = optional(string)
network_security_groups = optional(map(object({
name = string
@@ -362,7 +368,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -455,6 +461,49 @@ map(object({
```
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+ [module documentation](../../modules/public_ip#public_ip_addresses)
+ for available properties.
+- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+ [module documentation](../../modules/public_ip#public_ip_prefixes)
+ for available properties.
+
+
+Type:
+
+```hcl
+object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+```
+
+
Default value: `map[]`
[back to list](#modules-optional-inputs)
@@ -515,12 +564,14 @@ map(object({
create = bool
name = string
resource_group_name = optional(string)
+ key = optional(string)
}))
public_ip_prefix = optional(object({
create = bool
name = string
resource_group_name = optional(string)
length = optional(number)
+ key = optional(string)
}))
}))
```
@@ -599,9 +650,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -680,9 +733,10 @@ map(object({
subnet_key = string
zones = optional(list(string))
public_ip = object({
- name = string
create = optional(bool, true)
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
})
domain_name_label = optional(string)
capacity = optional(object({
@@ -948,8 +1002,8 @@ The basic Scale Set configuration properties are as follows:
- `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in the
`var.appgws`, network interface that has this property defined will be added to the Application
Gateways's backend pool.
- - `pip_domain_name_label` - (`string`, optional, defaults to `null`) prefix which should be used for the Domain Name Label
- for each VM instance.
+
+ For details on all properties refer to [module's documentation](../../modules/vmss#interfaces).
- `autoscaling_profiles` - (`list`, optional, defaults to `[]`) a list of autoscaling profiles, for details on available
properties please refer to
@@ -1002,12 +1056,15 @@ map(object({
webhooks_uris = optional(map(string), {})
}), {})
interfaces = list(object({
- name = string
- subnet_key = string
- create_public_ip = optional(bool)
- load_balancer_key = optional(string)
- application_gateway_key = optional(string)
- pip_domain_name_label = optional(string)
+ name = string
+ subnet_key = string
+ create_public_ip = optional(bool)
+ pip_domain_name_label = optional(string)
+ pip_idle_timeout_in_minutes = optional(number)
+ pip_prefix_name = optional(string)
+ pip_prefix_resource_group_name = optional(string)
+ load_balancer_key = optional(string)
+ application_gateway_key = optional(string)
}))
autoscaling_profiles = optional(list(object({
name = string
@@ -1161,6 +1218,7 @@ map(object({
name = string
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
hub_resource_group_name = optional(string)
hub_vnet_name = string
network_security_groups = optional(map(object({
@@ -1183,7 +1241,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -1236,9 +1294,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -1283,10 +1343,13 @@ map(object({
custom_data = optional(string)
}))
bastions = map(object({
- name = string
- public_ip_name = optional(string)
- vnet_key = string
- subnet_key = string
+ name = string
+ create_public_ip = optional(bool, true)
+ public_ip_name = optional(string)
+ public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ vnet_key = string
+ subnet_key = string
}))
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
index 935cb51ec..fe8cc49c1 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries.md
@@ -213,6 +213,7 @@ Name | Version | Source | Description
--- | --- | --- | ---
`vnet` | - | ../../modules/vnet |
`vnet_peering` | - | ../../modules/vnet_peering |
+`public_ip` | - | ../../modules/public_ip |
`natgw` | - | ../../modules/natgw |
`load_balancer` | - | ../../modules/loadbalancer |
`appgw` | - | ../../modules/appgw |
@@ -245,6 +246,7 @@ Name | Type | Description
[`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
[`tags`](#tags) | `map` | Map of tags to assign to the created resources.
[`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
[`natgws`](#natgws) | `map` | A map defining NAT Gateways.
[`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers.
[`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment.
@@ -269,7 +271,7 @@ Name | Description
`test_vms_usernames` | Initial administrative username to use for test VMs.
`test_vms_passwords` | Initial administrative password to use for test VMs.
`test_vms_ips` | IP Addresses of the test VMs.
-`app_lb_frontend_ips` | IP Addresses of the load balancers.
+`test_lb_frontend_ips` | IP Addresses of the test load balancers.
### Required Inputs details
@@ -292,7 +294,7 @@ Type: string
#### vnets
A map defining VNETs.
-
+
For detailed documentation on each property refer to [module documentation](../../modules/vnet)
- `create_virtual_network` - (`bool`, optional, defaults to `true`) when set to `true` will create a VNET, `false` will source
@@ -300,6 +302,8 @@ For detailed documentation on each property refer to [module documentation](../.
- `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a
full resource name, including prefixes.
- `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET.
+- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by
+ default Azure DNS is used).
- `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when
set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is
disabled.
@@ -323,6 +327,7 @@ map(object({
resource_group_name = optional(string)
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
vnet_encryption = optional(string)
network_security_groups = optional(map(object({
name = string
@@ -344,7 +349,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -378,7 +383,7 @@ Example:
```
name_prefix = "test-"
```
-
+
**Note!** \
This prefix is not applied to existing resources. If you plan to reuse i.e. a VNET please specify it's full name,
even if it is also prefixed with the same value as the one in this property.
@@ -394,7 +399,7 @@ Default value: ``
When set to `true` it will cause a Resource Group creation.
Name of the newly specified RG is controlled by `resource_group_name`.
-
+
When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group.
@@ -437,18 +442,61 @@ map(object({
```
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+ [module documentation](../../modules/public_ip#public_ip_addresses)
+ for available properties.
+- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+ [module documentation](../../modules/public_ip#public_ip_prefixes)
+ for available properties.
+
+
+Type:
+
+```hcl
+object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+```
+
+
Default value: `map[]`
[back to list](#modules-optional-inputs)
#### natgws
-A map defining NAT Gateways.
+A map defining NAT Gateways.
Please note that a NAT Gateway is a zonal resource, this means it's always placed in a zone (even when you do not specify one
explicitly). Please refer to Microsoft documentation for notes on NAT Gateway's zonal resiliency.
For detailed documentation on each property refer to [module documentation](../../modules/natgw).
-
+
Following properties are supported:
- `name` - (`string`, required) a name of a NAT Gateway. In case `create_natgw = false` this should be a full
resource name, including prefixes.
@@ -495,14 +543,16 @@ map(object({
idle_timeout = optional(number, 4)
public_ip = optional(object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
}))
public_ip_prefix = optional(object({
create = bool
- name = string
+ name = optional(string)
resource_group_name = optional(string)
length = optional(number)
+ key = optional(string)
}))
}))
```
@@ -534,8 +584,8 @@ Following properties are available:
- `nsg_auto_rules_settings` - (`map`, optional, defaults to `null`) a map defining a location of an existing NSG rule that will
be populated with `Allow` rules for each load balancing rule (`in_rules`), please refer to
[module documentation](../../modules/loadbalancer#nsg_auto_rules_settings) for
- available properties.
-
+ available properties.
+
Please note that in this example two additional properties are available:
- `nsg_vnet_key` - (`string`, optional, mutually exclusive with `nsg_name`) a key pointing to a VNET definition in the
@@ -581,9 +631,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -620,7 +672,7 @@ For detailed documentation on how to configure this resource, for available prop
refer to [module documentation](../../modules/appgw).
**Note!** \
-The `rules` property is meant to bind together `backend_setting`, `redirect` or `url_path_map` (all 3 are mutually exclusive).
+The `rules` property is meant to bind together `backend_setting`, `redirect` or `url_path_map` (all 3 are mutually exclusive).
It represents the Rules section of an Application Gateway in Azure Portal.
Below you can find a brief list of most important properties:
@@ -642,11 +694,11 @@ Below you can find a brief list of most important properties:
settings, see [module's documentation](../../modules/appgw#backend_settings) for details.
- `probes` - (`map`, optional, defaults to module default) defines backend probes used check health of backends, see
[module's documentation](../../modules/appgw#probes) for details.
-- `rewrites` - (`map`, optional, defaults to module default) defines rewrite rules, see
+- `rewrites` - (`map`, optional, defaults to module default) defines rewrite rules, see
[module's documentation](../../modules/appgw#rewrites) for details.
-- `redirects` - (`map`, optional, mutually exclusive with `backend_settings` and `url_path_maps`) static redirects
+- `redirects` - (`map`, optional, mutually exclusive with `backend_settings` and `url_path_maps`) static redirects
definition, see [module's documentation](../../modules/appgw#redirects) for details.
-- `url_path_maps` - (`map`, optional, mutually exclusive with `backend_settings` and `redirects`) URL path maps definition,
+- `url_path_maps` - (`map`, optional, mutually exclusive with `backend_settings` and `redirects`) URL path maps definition,
see [module's documentation](../../modules/appgw#url_path_maps) for details.
- `rules` - (`map`, required) Application Gateway Rules definition, bind together a `listener` with either
`backend_setting`, `redirect` or `url_path_map`, see
@@ -662,9 +714,10 @@ map(object({
subnet_key = string
zones = optional(list(string))
public_ip = object({
- name = string
create = optional(bool, true)
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
})
domain_name_label = optional(string)
capacity = optional(object({
@@ -794,7 +847,7 @@ Following properties are supported:
- `name` - (`string`, required) name of the Application Insights.
- `update_domain_count` - (`number`, optional, defaults to Azure default) specifies the number of update domains that are used.
- `fault_domain_count` - (`number`, optional, defaults to Azure default) specifies the number of fault domains that are used.
-
+
**Note!** \
Please keep in mind that Azure defaults are not working for every region (especially the small ones, without any Availability
Zones). Please verify how many update and fault domain are supported in a region before deploying this resource.
@@ -875,7 +928,7 @@ You can create or re-use an existing Storage Account and/or File Share. For deta
will host (created) a Storage Account. When skipped the code will fall back to
`var.resource_group_name`.
- `storage_account` - (`map`, optional, defaults to `{}`) a map controlling basic Storage Account configuration.
-
+
The property you should pay attention to is:
- `create` - (`bool`, optional, defaults to module default) controls if the Storage Account specified in the `name` property
@@ -884,8 +937,8 @@ You can create or re-use an existing Storage Account and/or File Share. For deta
For detailed documentation see [module's documentation](../../modules/bootstrap#storage_account).
- `storage_network_security` - (`map`, optional, defaults to `{}`) a map defining network security settings for a **new**
- storage account.
-
+ storage account.
+
The properties you should pay attention to are:
- `allowed_subnet_keys` - (`list`, optional, defaults to `[]`) a list of keys pointing to Subnet definitions in the
@@ -895,9 +948,9 @@ You can create or re-use an existing Storage Account and/or File Share. For deta
Subnets described in `allowed_subnet_keys`.
For detailed documentation see [module's documentation](../../modules/bootstrap#storage_network_security).
-
+
- `file_shares_configuration` - (`map`, optional, defaults to `{}`) a map defining common File Share setting.
-
+
The properties you should pay attention to are:
- `create_file_shares` - (`bool`, optional, defaults to module default) controls if the File Shares defined in the
@@ -1104,7 +1157,9 @@ The most basic properties are as follows:
backend pool.
- `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in `var.appgws`
variable, network interface that has this property defined will be added to the Application
- Gateway's backend pool.
+ Gateway's backend pool. Mutually exclusive with `appgw_backend_pool_id`.
+ - `appgw_backend_pool_id` - (`string`, optional, defaults to `null`) ID of the Application Gateway backend pool to which
+ the network interface will be added. Mutually exclusive with `application_gateway_key`.
For details on all properties refer to [module's documentation](../../modules/panorama#interfaces).
@@ -1162,9 +1217,11 @@ map(object({
create_public_ip = optional(bool, false)
public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
private_ip_address = optional(string)
load_balancer_key = optional(string)
application_gateway_key = optional(string)
+ appgw_backend_pool_id = optional(string)
}))
}))
```
@@ -1283,6 +1340,7 @@ map(object({
name = string
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
hub_resource_group_name = optional(string)
hub_vnet_name = string
network_security_groups = optional(map(object({
@@ -1305,7 +1363,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -1358,9 +1416,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -1405,10 +1465,13 @@ map(object({
custom_data = optional(string)
}))
bastions = map(object({
- name = string
- public_ip_name = optional(string)
- vnet_key = string
- subnet_key = string
+ name = string
+ create_public_ip = optional(bool, true)
+ public_ip_name = optional(string)
+ public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ vnet_key = string
+ subnet_key = string
}))
}))
```
diff --git a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md
index 89d2ebe97..11c320b51 100644
--- a/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md
+++ b/products/terraform/docs/swfw/azure/vmseries/reference-architectures/dedicated_vmseries_and_autoscale.md
@@ -233,6 +233,7 @@ Name | Version | Source | Description
--- | --- | --- | ---
`vnet` | - | ../../modules/vnet |
`vnet_peering` | - | ../../modules/vnet_peering |
+`public_ip` | - | ../../modules/public_ip |
`natgw` | - | ../../modules/natgw |
`load_balancer` | - | ../../modules/loadbalancer |
`appgw` | - | ../../modules/appgw |
@@ -262,6 +263,7 @@ Name | Type | Description
[`create_resource_group`](#create_resource_group) | `bool` | When set to `true` it will cause a Resource Group creation.
[`tags`](#tags) | `map` | Map of tags to assign to the created resources.
[`vnet_peerings`](#vnet_peerings) | `map` | A map defining VNET peerings.
+[`public_ips`](#public_ips) | `object` | A map defining Public IP Addresses and Prefixes.
[`natgws`](#natgws) | `map` | A map defining NAT Gateways.
[`load_balancers`](#load_balancers) | `map` | A map containing configuration for all (both private and public) Load Balancers.
[`appgws`](#appgws) | `map` | A map defining all Application Gateways in the current deployment.
@@ -276,12 +278,13 @@ Name | Description
--- | ---
`usernames` | Initial firewall administrative usernames for all deployed Scale Sets.
`passwords` | Initial firewall administrative passwords for all deployed Scale Sets.
+`natgw_public_ips` | Nat Gateways Public IP resources.
`metrics_instrumentation_keys` | The Instrumentation Key of the created instance(s) of Azure Application Insights.
`lb_frontend_ips` | IP Addresses of the load balancers.
`test_vms_usernames` | Initial administrative username to use for test VMs.
`test_vms_passwords` | Initial administrative password to use for test VMs.
`test_vms_ips` | IP Addresses of the test VMs.
-`app_lb_frontend_ips` | IP Addresses of the load balancers.
+`test_lb_frontend_ips` | IP Addresses of the test load balancers.
### Required Inputs details
@@ -312,6 +315,8 @@ For detailed documentation on each property refer to [module documentation](../.
- `name` - (`string`, required) a name of a VNET. In case `create_virtual_network = false` this should be a
full resource name, including prefixes.
- `address_space` - (`list`, required when `create_virtual_network = false`) a list of CIDRs for a newly created VNET.
+- `dns_servers` - (`list`, optional, defaults to module defaults) a list of IP addresses of custom DNS servers (by
+ default Azure DNS is used).
- `vnet_encryption` - (`string`, optional, defaults to module default) enables Azure Virtual Network Encryption when
set, only possible value at the moment is `AllowUnencrypted`. When set to `null`, the feature is
disabled.
@@ -335,6 +340,7 @@ map(object({
resource_group_name = optional(string)
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
vnet_encryption = optional(string)
network_security_groups = optional(map(object({
name = string
@@ -356,7 +362,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -449,6 +455,49 @@ map(object({
```
+Default value: `map[]`
+
+[back to list](#modules-optional-inputs)
+
+#### public_ips
+
+A map defining Public IP Addresses and Prefixes.
+
+Following properties are available:
+
+- `public_ip_addresses` - (`map`, optional) map of objects describing Public IP Addresses, please refer to
+ [module documentation](../../modules/public_ip#public_ip_addresses)
+ for available properties.
+- `public_ip_prefixes` - (`map`, optional) map of objects describing Public IP Prefixes, please refer to
+ [module documentation](../../modules/public_ip#public_ip_prefixes)
+ for available properties.
+
+
+Type:
+
+```hcl
+object({
+ public_ip_addresses = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ domain_name_label = optional(string)
+ idle_timeout_in_minutes = optional(number)
+ prefix_name = optional(string)
+ prefix_resource_group_name = optional(string)
+ })), {})
+ public_ip_prefixes = optional(map(object({
+ create = bool
+ name = string
+ resource_group_name = optional(string)
+ zones = optional(list(string))
+ length = optional(number)
+ })), {})
+ })
+```
+
+
Default value: `map[]`
[back to list](#modules-optional-inputs)
@@ -509,12 +558,14 @@ map(object({
create = bool
name = string
resource_group_name = optional(string)
+ key = optional(string)
}))
public_ip_prefix = optional(object({
create = bool
name = string
resource_group_name = optional(string)
length = optional(number)
+ key = optional(string)
}))
}))
```
@@ -593,9 +644,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -674,9 +727,10 @@ map(object({
subnet_key = string
zones = optional(list(string))
public_ip = object({
- name = string
create = optional(bool, true)
+ name = optional(string)
resource_group_name = optional(string)
+ key = optional(string)
})
domain_name_label = optional(string)
capacity = optional(object({
@@ -942,8 +996,8 @@ The basic Scale Set configuration properties are as follows:
- `application_gateway_key` - (`string`, optional, defaults to `null`) key of an Application Gateway defined in the
`var.appgws`, network interface that has this property defined will be added to the Application
Gateways's backend pool.
- - `pip_domain_name_label` - (`string`, optional, defaults to `null`) prefix which should be used for the Domain Name Label
- for each VM instance.
+
+ For details on all properties refer to [module's documentation](../../modules/vmss#interfaces).
- `autoscaling_profiles` - (`list`, optional, defaults to `[]`) a list of autoscaling profiles, for details on available
properties please refer to
@@ -996,12 +1050,15 @@ map(object({
webhooks_uris = optional(map(string), {})
}), {})
interfaces = list(object({
- name = string
- subnet_key = string
- create_public_ip = optional(bool)
- load_balancer_key = optional(string)
- application_gateway_key = optional(string)
- pip_domain_name_label = optional(string)
+ name = string
+ subnet_key = string
+ create_public_ip = optional(bool)
+ pip_domain_name_label = optional(string)
+ pip_idle_timeout_in_minutes = optional(number)
+ pip_prefix_name = optional(string)
+ pip_prefix_resource_group_name = optional(string)
+ load_balancer_key = optional(string)
+ application_gateway_key = optional(string)
}))
autoscaling_profiles = optional(list(object({
name = string
@@ -1155,6 +1212,7 @@ map(object({
name = string
create_virtual_network = optional(bool, true)
address_space = optional(list(string))
+ dns_servers = optional(list(string))
hub_resource_group_name = optional(string)
hub_vnet_name = string
network_security_groups = optional(map(object({
@@ -1177,7 +1235,7 @@ map(object({
})), {})
route_tables = optional(map(object({
name = string
- disable_bgp_route_propagation = optional(bool)
+ bgp_route_propagation_enabled = optional(bool)
routes = map(object({
name = string
address_prefix = string
@@ -1230,9 +1288,11 @@ map(object({
frontend_ips = optional(map(object({
name = string
subnet_key = optional(string)
- public_ip_name = optional(string)
create_public_ip = optional(bool, false)
+ public_ip_name = optional(string)
public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ public_ip_prefix_key = optional(string)
private_ip_address = optional(string)
gwlb_key = optional(string)
in_rules = optional(map(object({
@@ -1277,10 +1337,13 @@ map(object({
custom_data = optional(string)
}))
bastions = map(object({
- name = string
- public_ip_name = optional(string)
- vnet_key = string
- subnet_key = string
+ name = string
+ create_public_ip = optional(bool, true)
+ public_ip_name = optional(string)
+ public_ip_resource_group_name = optional(string)
+ public_ip_key = optional(string)
+ vnet_key = string
+ subnet_key = string
}))
}))
```