diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md
index 2164287..5b4144c 100644
--- a/examples/multi_nic_common/README.md
+++ b/examples/multi_nic_common/README.md
@@ -217,7 +217,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | `{}` | no |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries settings.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | `{}` | no |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/multi_nic_common/main.tf b/examples/multi_nic_common/main.tf
index 8066de6..d1b29d5 100644
--- a/examples/multi_nic_common/main.tf
+++ b/examples/multi_nic_common/main.tf
@@ -119,7 +119,7 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
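Review bot: Dropping the hard-coded `"Intel Cascade Lake"` fallback leaves the `min_cpu_platform` `try()` with no expression that cannot fail, so a deployment that sets the platform in neither `var.vmseries` nor `var.vmseries_common` now errors at plan time instead of receiving a default, whereas the neighbouring `tags` and `scopes` lines keep an explicit fallback. The `ssh_keys`, `vmseries_image` and `machine_type` lines above follow the same two-expression pattern, so this may be deliberate; if the intent is to defer to the vmseries module's own default, `min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, null)` keeps the setting optional, and if the intent is to make it mandatory, the `vmseries_common` description should say so. The same change is made in examples/vmseries_ha/main.tf, examples/vpc_peering_common/main.tf and examples/vpc_peering_common_dual_stack/main.tf. The enclosing `module "vmseries"` block starts and ends outside the hunk.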
@@ -128,11 +128,13 @@ module "vmseries" {
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
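Review bot: The reordered inner `merge()` now lets per-instance `bootstrap_options` override the common ones, but the outer `try()`'s first branch still merges only the bucket entry with `var.vmseries_common.bootstrap_options`, so whenever `bootstrap_bucket_key` resolves and the common map is set, `each.value.bootstrap_options` (for example the `panorama-server` and `dns-*` entries in the README example) is never consulted and the precedence the new description promises does not hold. Unless the bootstrap module receives the per-instance options through another path not visible here, the first branch should fold them in as well: `merge({ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" }, try(var.vmseries_common.bootstrap_options, {}), try(each.value.bootstrap_options, {}))`. Since these options carry settings such as the Panorama server and DNS servers, silently dropping the per-instance values changes what a firewall is configured to trust at first boot, so a test that sets both maps with a bucket key would catch it. The same expression appears in examples/vmseries_ha/main.tf, examples/vpc_peering_common/main.tf and examples/vpc_peering_common_dual_stack/main.tf. The `module "vmseries"` block continues outside the hunk.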
@@ -142,7 +144,8 @@ module "vmseries" {
private_ip = v.private_ip
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/multi_nic_common/variables.tf b/examples/multi_nic_common/variables.tf
index 140215d..2ca592b 100644
--- a/examples/multi_nic_common/variables.tf
+++ b/examples/multi_nic_common/variables.tf
@@ -4,19 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
-
+# Service Account
variable "service_accounts" {
description = <<-EOF
A map containing each service account setting.
@@ -46,7 +47,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -73,7 +74,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -173,11 +174,11 @@ variable "routes" {
default = {}
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
- A map containing common vmseries setting.
+ A map containing common vmseries settings.
Example of variable deployment :
@@ -195,11 +196,12 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
type = any
default = {}
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting.
@@ -277,7 +279,7 @@ variable "vmseries" {
default = {}
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -304,6 +306,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -333,7 +336,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md
index 9971342..da03150 100644
--- a/examples/vmseries_ha/README.md
+++ b/examples/vmseries_ha/README.md
@@ -271,7 +271,7 @@ Check the succesful inbound and outbound traffic fail-over to and from the spoke
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/vmseries_ha/main.tf b/examples/vmseries_ha/main.tf
index 771f296..8ae3997 100644
--- a/examples/vmseries_ha/main.tf
+++ b/examples/vmseries_ha/main.tf
@@ -123,7 +123,7 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
@@ -132,11 +132,13 @@ module "vmseries" {
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
@@ -146,7 +148,8 @@ module "vmseries" {
private_ip = v.private_ip
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/vmseries_ha/variables.tf b/examples/vmseries_ha/variables.tf
index 82e7d18..90daeea 100644
--- a/examples/vmseries_ha/variables.tf
+++ b/examples/vmseries_ha/variables.tf
@@ -4,18 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -73,7 +75,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -171,7 +173,7 @@ variable "routes" {
default = {}
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
@@ -193,9 +195,10 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting.
@@ -271,7 +274,7 @@ variable "vmseries" {
EOF
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -298,6 +301,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -327,7 +331,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md
index ac20070..b9ef04f 100644
--- a/examples/vpc_peering_common/README.md
+++ b/examples/vpc_peering_common/README.md
@@ -235,7 +235,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/vpc_peering_common/main.tf b/examples/vpc_peering_common/main.tf
index 548d4e3..4ece60c 100644
--- a/examples/vpc_peering_common/main.tf
+++ b/examples/vpc_peering_common/main.tf
@@ -117,20 +117,21 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
create_instance_group = true
-
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
@@ -140,7 +141,8 @@ module "vmseries" {
private_ip = v.private_ip
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/vpc_peering_common/variables.tf b/examples/vpc_peering_common/variables.tf
index d1e610a..4f7d849 100644
--- a/examples/vpc_peering_common/variables.tf
+++ b/examples/vpc_peering_common/variables.tf
@@ -4,18 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -73,7 +75,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -171,7 +173,7 @@ variable "routes" {
default = {}
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
@@ -193,9 +195,10 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting.
@@ -271,7 +274,7 @@ variable "vmseries" {
EOF
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -298,6 +301,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -327,7 +331,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_common_dual_stack/README.md b/examples/vpc_peering_common_dual_stack/README.md
index 59d86fa..6f01375 100644
--- a/examples/vpc_peering_common_dual_stack/README.md
+++ b/examples/vpc_peering_common_dual_stack/README.md
@@ -301,7 +301,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/vpc_peering_common_dual_stack/main.tf b/examples/vpc_peering_common_dual_stack/main.tf
index a38c24e..1e6b357 100644
--- a/examples/vpc_peering_common_dual_stack/main.tf
+++ b/examples/vpc_peering_common_dual_stack/main.tf
@@ -175,7 +175,7 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
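Review bot: Dropping the `"Intel Cascade Lake"` fallback leaves `try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)` with no terminal argument, so a deployment that sets `min_cpu_platform` in neither `vmseries` nor `vmseries_common` now fails at plan time with a `try` error instead of deferring to the vmseries module's own default. If deferring is the intent, `min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, null)` does that, since a `null` module argument is treated as unset; if the attribute is meant to be mandatory, the `vmseries_common` variable description should say so, because the README example is currently the only place the key appears. The same change is made in the matching hunks of examples/vpc_peering_common_with_network_tags/main.tf and examples/vpc_peering_dedicated/main.tf, and more broadly in examples/vpc_peering_common_with_autoscale/main.tf where the common variable is optional. The enclosing `module "vmseries"` block starts and ends outside the hunk.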
@@ -184,11 +184,13 @@ module "vmseries" {
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
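Review bot: The first `merge` of the rewritten `bootstrap_options` still references `var.vmseries_common.bootstrap_options` unguarded, so when an instance has a `bootstrap_bucket_key` but `vmseries_common` carries no `bootstrap_options`, the outer `try` silently falls through to the second branch and the `vmseries-bootstrap-gce-storagebucket` entry disappears — the firewall then boots without its Day-0 bucket reference and the plan gives no hint why. Guarding it as `try(var.vmseries_common.bootstrap_options, {})` inside the first merge, as the second branch already does, keeps "no bucket configured" and "no common options" apart. The first branch also never includes `each.value.bootstrap_options`, so per-instance options are ignored whenever a bucket is used, which contradicts the precedence rule the README now states (instance values win over common ones); if those options are meant to flow through `module.bootstrap` instead, a one-line comment above the expression saying so would prevent the next reader from treating this as a bug. The identical expression is introduced in the matching hunk of examples/vpc_peering_common_with_network_tags/main.tf. The enclosing `module "vmseries"` block starts and ends outside the hunk.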
@@ -201,7 +203,8 @@ module "vmseries" {
public_ip = try(v.public_ip, null)
create_public_ipv6 = try(v.create_public_ipv6, false)
public_ipv6 = try(v.public_ipv6, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/vpc_peering_common_dual_stack/variables.tf b/examples/vpc_peering_common_dual_stack/variables.tf
index fdf7869..5f8cb29 100644
--- a/examples/vpc_peering_common_dual_stack/variables.tf
+++ b/examples/vpc_peering_common_dual_stack/variables.tf
@@ -4,10 +4,12 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
+
}
variable "name_prefix" {
description = "A string to prefix resource namings."
@@ -15,7 +17,7 @@ variable "name_prefix" {
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -73,7 +75,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -206,7 +208,7 @@ variable "policy_routes_trust_vpc_network_key" {
type = string
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
@@ -228,9 +230,10 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting.
@@ -306,7 +309,7 @@ variable "vmseries" {
EOF
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -333,6 +336,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -362,7 +366,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_common_with_autoscale/README.md b/examples/vpc_peering_common_with_autoscale/README.md
index 9885f98..ad307ba 100644
--- a/examples/vpc_peering_common_with_autoscale/README.md
+++ b/examples/vpc_peering_common_with_autoscale/README.md
@@ -190,7 +190,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [autoscale](#input\_autoscale) | A map containing each vmseries autoscale setting.
Zonal or regional managed instance group type is controolled from the `autoscale_regional_mig` variable for all autoscale instances.
Example of variable deployment :autoscale = {
fw-autoscale-common = {
name = "fw-autoscale-common"
zones = {
zone1 = "us-east4-b"
zone2 = "us-east4-c"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
service_account_key = "sa-vmseries-01"
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
autoscaler_metrics = {
"custom.googleapis.com/VMSeries/panSessionUtilization" = {
target = 70
}
"custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
target = 700000
}
}
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
dhcp-send-client-id = "yes"
dhcp-accept-server-hostname = "yes"
dhcp-accept-server-domain = "yes"
mgmt-interface-swap = "enable"
panorama-server = "1.1.1.1"
ssh-keys = "admin:" # Replace this value with client data
}
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
}
]
}
}
| `any` | `{}` | no |
-| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Bootstrap options can be moved between vmseries autoscale individual instances variable (`autoscale`) and this common vmseries autoscale variable (`autoscale_common`).
Example of variable deployment :autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
+| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
Example of variable deployment :autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
| [autoscale\_regional\_mig](#input\_autoscale\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | `true` | no |
| [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.
Example of variable deployment :lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_external#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.
Note : private IP reservation is not by default within the example as it may overlap with autoscale IP allocation.
Example of variable deployment :lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
diff --git a/examples/vpc_peering_common_with_autoscale/example.tfvars b/examples/vpc_peering_common_with_autoscale/example.tfvars
index 2573804..c2d0799 100644
--- a/examples/vpc_peering_common_with_autoscale/example.tfvars
+++ b/examples/vpc_peering_common_with_autoscale/example.tfvars
@@ -213,9 +213,19 @@ autoscale_common = {
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
- tags = ["vmseries-autoscale"]
- update_policy_type = "OPPORTUNISTIC"
- cooldown_period = 480
+ tags = ["vmseries-autoscale"]
+ update_policy_type = "OPPORTUNISTIC"
+ cooldown_period = 480
+ scale_in_control_time_window_sec = 1800
+ scale_in_control_replicas_fixed = 1
+ autoscaler_metrics = {
+ "custom.googleapis.com/VMSeries/panSessionUtilization" = {
+ target = 70
+ }
+ "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
+ target = 700000
+ }
+ }
}
autoscale = {
@@ -239,14 +249,6 @@ autoscale = {
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
- autoscaler_metrics = {
- "custom.googleapis.com/VMSeries/panSessionUtilization" = {
- target = 70
- }
- "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
- target = 700000
- }
- }
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
diff --git a/examples/vpc_peering_common_with_autoscale/main.tf b/examples/vpc_peering_common_with_autoscale/main.tf
index 78a48ae..728bccc 100644
--- a/examples/vpc_peering_common_with_autoscale/main.tf
+++ b/examples/vpc_peering_common_with_autoscale/main.tf
@@ -68,42 +68,36 @@ module "autoscale" {
name = "${var.name_prefix}${each.value.name}"
region = var.region
project_id = var.project
+ image = "projects/paloaltonetworksgcp-public/global/images/${try(each.value.image, var.autoscale_common.image)}"
regional_mig = try(var.autoscale_regional_mig, true)
zones = try(each.value.zones, {})
- image = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/${try(each.value.image, var.autoscale_common.image)}"
+ service_account_email = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.autoscale_common.service_account_key].email)
named_ports = try(each.value.named_ports, var.autoscale_common.named_ports)
machine_type = try(each.value.machine_type, var.autoscale_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.autoscale_common.min_cpu_platform, "Intel Cascade Lake")
- disk_type = try(each.value.disk_type, var.autoscale_common.disk_type, "pd-ssd")
- service_account_email = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.autoscale_common.service_account_key].email)
+ min_cpu_platform = try(each.value.min_cpu_platform, var.autoscale_common.min_cpu_platform)
+ disk_type = try(each.value.disk_type, var.autoscale_common.disk_type)
scopes = try(each.value.scopes, var.autoscale_common.scopes, [])
tags = try(each.value.tags, var.autoscale_common.tags, [])
- update_policy_type = try(each.value.update_policy_type, var.autoscale_common.update_policy_type, "OPPORTUNISTIC")
+ update_policy_type = try(each.value.update_policy_type, var.autoscale_common.update_policy_type)
min_vmseries_replicas = try(each.value.min_vmseries_replicas, var.autoscale_common.min_vmseries_replicas)
max_vmseries_replicas = try(each.value.max_vmseries_replicas, var.autoscale_common.max_vmseries_replicas)
- cooldown_period = try(each.value.cooldown_period, var.autoscale_common.cooldown_period, 480)
- scale_in_control_time_window_sec = try(each.value.scale_in_control_time_window_sec, var.autoscale_common.scale_in_control_time_window_sec, 1800)
- scale_in_control_replicas_fixed = try(each.value.scale_in_control_replicas_fixed, var.autoscale_common.scale_in_control_replicas_fixed, 1)
+ cooldown_period = try(each.value.cooldown_period, var.autoscale_common.cooldown_period)
+ scale_in_control_time_window_sec = try(each.value.scale_in_control_time_window_sec, var.autoscale_common.scale_in_control_time_window_sec)
+ scale_in_control_replicas_fixed = try(each.value.scale_in_control_replicas_fixed, var.autoscale_common.scale_in_control_replicas_fixed)
create_pubsub_topic = try(each.value.create_pubsub_topic, var.autoscale_common.create_pubsub_topic)
- autoscaler_metrics = try(each.value.autoscaler_metrics, var.autoscale_common.autoscaler_metrics,
- {
- "custom.googleapis.com/VMSeries/panSessionUtilization" = {
- target = 70
- }
- "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
- target = 700000
- }
- })
+ autoscaler_metrics = try(each.value.autoscaler_metrics, var.autoscale_common.autoscaler_metrics)
network_interfaces = [for v in each.value.network_interfaces :
{
subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
+
metadata = merge(
- try(each.value.bootstrap_options, {}),
- try(var.autoscale_common.bootstrap_options, {})
+ try(var.autoscale_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
)
}
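Review bot: The moved `service_account_email` line falls back to `var.autoscale_common.service_account_key` not only when an instance sets no `service_account_key` but also when it sets one that does not exist in `module.iam_service_account` — a misspelled per-instance key is swallowed by `try` and the instance group silently runs under the common service account rather than failing the plan, which undercuts any per-group least-privilege split. A comment such as `# NOTE: a service_account_key not present in module.iam_service_account silently falls back to the common service account` would at least make the behaviour visible, and an explicit `lookup` on `each.value` with no fallback would make it an error. Separately, seven attributes here (`min_cpu_platform`, `disk_type`, `update_policy_type`, `cooldown_period`, `scale_in_control_time_window_sec`, `scale_in_control_replicas_fixed`, `autoscaler_metrics`) lose their literal fallback while `autoscale_common` stays documented as optional with default `{}`, so omitting any of them from both `autoscale` and `autoscale_common` now fails at plan time with only example.tfvars hinting at the new requirement; either append `null` so the autoscale module default applies or name the required keys in the `autoscale_common` description. The enclosing `module "autoscale"` block starts before the hunk.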
diff --git a/examples/vpc_peering_common_with_autoscale/variables.tf b/examples/vpc_peering_common_with_autoscale/variables.tf
index faccd9b..6ed14d5 100644
--- a/examples/vpc_peering_common_with_autoscale/variables.tf
+++ b/examples/vpc_peering_common_with_autoscale/variables.tf
@@ -4,18 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -146,7 +148,7 @@ variable "routes" {
default = {}
}
-#Autoscale
+# Autoscale
variable "autoscale_regional_mig" {
description = <<-EOF
Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
@@ -155,10 +157,11 @@ variable "autoscale_regional_mig" {
type = bool
default = true
}
+
variable "autoscale_common" {
description = <<-EOF
A map containing common vmseries autoscale setting.
- Bootstrap options can be moved between vmseries autoscale individual instances variable (`autoscale`) and this common vmseries autoscale variable (`autoscale_common`).
+ Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
Example of variable deployment :
@@ -259,7 +262,7 @@ variable "autoscale" {
default = {}
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -286,6 +289,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -315,7 +319,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md
index e4f81f1..810832b 100644
--- a/examples/vpc_peering_common_with_network_tags/README.md
+++ b/examples/vpc_peering_common_with_network_tags/README.md
@@ -252,7 +252,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
fw-default-trust-region-1 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-1"
region = "us-east1"
tags = ["us-east1"]
},
fw-default-trust-region-2 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-2"
region = "us-west1"
tags = ["us-west1"]
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting for vmseries instances.
Example of variable deployment :vmseries = {
fw-vmseries-01 = {
name = "fw-vmseries-01"
region = "us-east1"
zone = "us-east1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (Region-1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub-region-1"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub-region-1"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub-region-1"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/vpc_peering_common_with_network_tags/main.tf b/examples/vpc_peering_common_with_network_tags/main.tf
index abf0553..6c9cdcd 100644
--- a/examples/vpc_peering_common_with_network_tags/main.tf
+++ b/examples/vpc_peering_common_with_network_tags/main.tf
@@ -118,7 +118,7 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
@@ -127,11 +127,13 @@ module "vmseries" {
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
@@ -141,7 +143,8 @@ module "vmseries" {
private_ip = v.private_ip
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/vpc_peering_common_with_network_tags/variables.tf b/examples/vpc_peering_common_with_network_tags/variables.tf
index 12bb06c..229314f 100644
--- a/examples/vpc_peering_common_with_network_tags/variables.tf
+++ b/examples/vpc_peering_common_with_network_tags/variables.tf
@@ -4,13 +4,14 @@ variable "project" {
type = string
default = null
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -41,7 +42,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -68,7 +69,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -177,7 +178,7 @@ variable "routes" {
default = {}
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
@@ -199,9 +200,10 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting for vmseries instances.
@@ -275,7 +277,7 @@ variable "vmseries" {
EOF
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -334,7 +336,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md
index 0e1ebfb..149a677 100644
--- a/examples/vpc_peering_dedicated/README.md
+++ b/examples/vpc_peering_dedicated/README.md
@@ -249,7 +249,7 @@ The GCP Global HTTP LB acts as a proxy and sends traffic to the VM-Series `Untru
| [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.
Example of variable deployment :routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.
Example of variable deployment :service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.
Example of variable deployment :vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)
The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.
Example of variable deployment :vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
| [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.
Example of variable deployment :vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"
local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true
peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
### Outputs
diff --git a/examples/vpc_peering_dedicated/main.tf b/examples/vpc_peering_dedicated/main.tf
index 318a65e..4a686ab 100644
--- a/examples/vpc_peering_dedicated/main.tf
+++ b/examples/vpc_peering_dedicated/main.tf
@@ -117,7 +117,7 @@ module "vmseries" {
ssh_keys = try(each.value.ssh_keys, var.vmseries_common.ssh_keys)
vmseries_image = try(each.value.vmseries_image, var.vmseries_common.vmseries_image)
machine_type = try(each.value.machine_type, var.vmseries_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform, "Intel Cascade Lake")
+ min_cpu_platform = try(each.value.min_cpu_platform, var.vmseries_common.min_cpu_platform)
tags = try(each.value.tags, var.vmseries_common.tags, [])
service_account = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.vmseries_common.service_account_key].email)
scopes = try(each.value.scopes, var.vmseries_common.scopes, [])
@@ -126,11 +126,13 @@ module "vmseries" {
bootstrap_options = try(
merge(
{ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" },
- var.vmseries_common.bootstrap_options),
+ var.vmseries_common.bootstrap_options
+ ),
merge(
- try(each.value.bootstrap_options, {}),
- try(var.vmseries_common.bootstrap_options, {})
- ))
+ try(var.vmseries_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
+ )
+ )
named_ports = try(each.value.named_ports, [])
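Review bot: The first `try()` branch (the `merge` carrying `vmseries-bootstrap-gce-storagebucket`) still layers only `var.vmseries_common.bootstrap_options` on top of the bucket entry, so whenever `bootstrap_bucket_key` is set the per-instance `each.value.bootstrap_options` is never consulted — the opposite of the precedence this commit documents ("one from the latter will take precedence"). It also appears that a `vmseries_common` without `bootstrap_options` makes that whole branch fail, falling through to the second `merge`, which has no bucket reference, so the bucket-based Day-0 bootstrap would be silently lost. Suggest making the first branch `merge({ vmseries-bootstrap-gce-storagebucket = "${module.bootstrap[each.value.bootstrap_bucket_key].bucket_name}/${each.key}/" }, try(var.vmseries_common.bootstrap_options, {}), try(each.value.bootstrap_options, {}))` so both maps are optional and the instance map wins. The enclosing `module "vmseries"` block starts and ends outside the hunk.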
@@ -140,7 +142,8 @@ module "vmseries" {
private_ip = v.private_ip
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
}
data "google_compute_image" "my_image" {
diff --git a/examples/vpc_peering_dedicated/variables.tf b/examples/vpc_peering_dedicated/variables.tf
index 3c41758..d8992cc 100644
--- a/examples/vpc_peering_dedicated/variables.tf
+++ b/examples/vpc_peering_dedicated/variables.tf
@@ -4,18 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#Bootstrap bucket
+# Bootstrap bucket
variable "bootstrap_buckets" {
description = <<-EOF
@@ -73,7 +75,7 @@ variable "bootstrap_buckets" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -171,7 +173,7 @@ variable "routes" {
default = {}
}
-#vmseries
+# VM-Series
variable "vmseries_common" {
description = <<-EOF
@@ -193,9 +195,10 @@ variable "vmseries_common" {
}
```
- Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`).
+ Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
EOF
}
+
variable "vmseries" {
description = <<-EOF
A map containing each individual vmseries setting.
@@ -271,7 +274,7 @@ variable "vmseries" {
EOF
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -298,6 +301,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_global_http" {
description = <<-EOF
A map containing each Global HTTP loadbalancer setting.
@@ -324,7 +328,7 @@ variable "lbs_global_http" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF
diff --git a/examples/vpc_peering_dedicated_with_autoscale/README.md b/examples/vpc_peering_dedicated_with_autoscale/README.md
index fa8ca03..0e6e595 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/README.md
+++ b/examples/vpc_peering_dedicated_with_autoscale/README.md
@@ -194,7 +194,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| [autoscale](#input\_autoscale) | A map containing each vmseries autoscale setting.
Zonal or regional managed instance group type is controolled from the `autoscale_regional_mig` variable for all autoscale instances.
Example of variable deployment :autoscale = {
fw-autoscale-common = {
name = "fw-autoscale-common"
zones = {
zone1 = "us-east4-b"
zone2 = "us-east4-c"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
service_account_key = "sa-vmseries-01"
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
autoscaler_metrics = {
"custom.googleapis.com/VMSeries/panSessionUtilization" = {
target = 70
}
"custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
target = 700000
}
}
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
dhcp-send-client-id = "yes"
dhcp-accept-server-hostname = "yes"
dhcp-accept-server-domain = "yes"
mgmt-interface-swap = "enable"
panorama-server = "1.1.1.1"
ssh-keys = "admin:" # Replace this value with client data
}
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
}
]
}
}
| `any` | `{}` | no |
-| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Bootstrap options can be moved between vmseries autoscale individual instances variable (`autoscale`) and this common vmseries autoscale variable (`autoscale_common`).
Example of variable deployment :autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
+| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
Example of variable deployment :autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
| [autoscale\_regional\_mig](#input\_autoscale\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | `true` | no |
| [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.
Example of variable deployment :lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_external#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
| [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.
Note : private IP reservation is not by default within the example as it may overlap with autoscale IP allocation.
Example of variable deployment :lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
diff --git a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
index 17708c0..c77900a 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
+++ b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
@@ -213,9 +213,19 @@ autoscale_common = {
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
- tags = ["vmseries-autoscale"]
- update_policy_type = "OPPORTUNISTIC"
- cooldown_period = 480
+ tags = ["vmseries-autoscale"]
+ update_policy_type = "OPPORTUNISTIC"
+ cooldown_period = 480
+ scale_in_control_time_window_sec = 1800
+ scale_in_control_replicas_fixed = 1
+ autoscaler_metrics = {
+ "custom.googleapis.com/VMSeries/panSessionUtilization" = {
+ target = 70
+ }
+ "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
+ target = 700000
+ }
+ }
}
autoscale = {
@@ -239,14 +249,6 @@ autoscale = {
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
- autoscaler_metrics = {
- "custom.googleapis.com/VMSeries/panSessionUtilization" = {
- target = 70
- }
- "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
- target = 700000
- }
- }
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
@@ -296,10 +298,7 @@ autoscale = {
create_pubsub_topic = true
autoscaler_metrics = {
"custom.googleapis.com/VMSeries/panSessionUtilization" = {
- target = 70
- }
- "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
- target = 700000
+ target = 65
}
}
bootstrap_options = {
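Review bot: Dropping `panSessionThroughputKbps` from this group's `autoscaler_metrics` changes its scaling policy, not only the utilization target: in main.tf the value is chosen with `try(each.value.autoscaler_metrics, var.autoscale_common.autoscaler_metrics)`, so a per-group map replaces the common one wholesale rather than merging with it. If the intent is only to lower the utilization target to 65 while keeping the throughput metric defined in `autoscale_common`, the throughput entry has to be repeated here. If the wholesale override is intended, a comment such as `# Replaces autoscale_common.autoscaler_metrics entirely (try(), not merge()); throughput metric intentionally dropped` above the map would stop the next reader from treating it as a partial override. The enclosing `autoscale` map continues outside the hunk.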
diff --git a/examples/vpc_peering_dedicated_with_autoscale/main.tf b/examples/vpc_peering_dedicated_with_autoscale/main.tf
index 78a48ae..728bccc 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/main.tf
+++ b/examples/vpc_peering_dedicated_with_autoscale/main.tf
@@ -68,42 +68,36 @@ module "autoscale" {
name = "${var.name_prefix}${each.value.name}"
region = var.region
project_id = var.project
+ image = "projects/paloaltonetworksgcp-public/global/images/${try(each.value.image, var.autoscale_common.image)}"
regional_mig = try(var.autoscale_regional_mig, true)
zones = try(each.value.zones, {})
- image = "https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/${try(each.value.image, var.autoscale_common.image)}"
+ service_account_email = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.autoscale_common.service_account_key].email)
named_ports = try(each.value.named_ports, var.autoscale_common.named_ports)
machine_type = try(each.value.machine_type, var.autoscale_common.machine_type)
- min_cpu_platform = try(each.value.min_cpu_platform, var.autoscale_common.min_cpu_platform, "Intel Cascade Lake")
- disk_type = try(each.value.disk_type, var.autoscale_common.disk_type, "pd-ssd")
- service_account_email = try(module.iam_service_account[each.value.service_account_key].email, module.iam_service_account[var.autoscale_common.service_account_key].email)
+ min_cpu_platform = try(each.value.min_cpu_platform, var.autoscale_common.min_cpu_platform)
+ disk_type = try(each.value.disk_type, var.autoscale_common.disk_type)
scopes = try(each.value.scopes, var.autoscale_common.scopes, [])
tags = try(each.value.tags, var.autoscale_common.tags, [])
- update_policy_type = try(each.value.update_policy_type, var.autoscale_common.update_policy_type, "OPPORTUNISTIC")
+ update_policy_type = try(each.value.update_policy_type, var.autoscale_common.update_policy_type)
min_vmseries_replicas = try(each.value.min_vmseries_replicas, var.autoscale_common.min_vmseries_replicas)
max_vmseries_replicas = try(each.value.max_vmseries_replicas, var.autoscale_common.max_vmseries_replicas)
- cooldown_period = try(each.value.cooldown_period, var.autoscale_common.cooldown_period, 480)
- scale_in_control_time_window_sec = try(each.value.scale_in_control_time_window_sec, var.autoscale_common.scale_in_control_time_window_sec, 1800)
- scale_in_control_replicas_fixed = try(each.value.scale_in_control_replicas_fixed, var.autoscale_common.scale_in_control_replicas_fixed, 1)
+ cooldown_period = try(each.value.cooldown_period, var.autoscale_common.cooldown_period)
+ scale_in_control_time_window_sec = try(each.value.scale_in_control_time_window_sec, var.autoscale_common.scale_in_control_time_window_sec)
+ scale_in_control_replicas_fixed = try(each.value.scale_in_control_replicas_fixed, var.autoscale_common.scale_in_control_replicas_fixed)
create_pubsub_topic = try(each.value.create_pubsub_topic, var.autoscale_common.create_pubsub_topic)
- autoscaler_metrics = try(each.value.autoscaler_metrics, var.autoscale_common.autoscaler_metrics,
- {
- "custom.googleapis.com/VMSeries/panSessionUtilization" = {
- target = 70
- }
- "custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
- target = 700000
- }
- })
+ autoscaler_metrics = try(each.value.autoscaler_metrics, var.autoscale_common.autoscaler_metrics)
network_interfaces = [for v in each.value.network_interfaces :
{
subnetwork = module.vpc[v.vpc_network_key].subnetworks[v.subnetwork_key].self_link
create_public_ip = try(v.create_public_ip, false)
public_ip = try(v.public_ip, null)
- }]
+ }
+ ]
+
metadata = merge(
- try(each.value.bootstrap_options, {}),
- try(var.autoscale_common.bootstrap_options, {})
+ try(var.autoscale_common.bootstrap_options, {}),
+ try(each.value.bootstrap_options, {})
)
}
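Review bot: Removing the literal fallbacks from `min_cpu_platform`, `disk_type`, `update_policy_type`, `cooldown_period`, `scale_in_control_*` and `autoscaler_metrics` turns each of them into a hard requirement, because `try()` raises a plan-time error when every expression fails, so a deployment that sets none of them in either `autoscale` or `autoscale_common` no longer falls through to the module's own default. The updated README example for `autoscale_common` (visible above) still omits `scale_in_control_time_window_sec` and `scale_in_control_replicas_fixed`, so a user following it would hit that error. Either state in the variable descriptions which keys must appear in one of the two maps, or append `null` as a final fallback (e.g. `cooldown_period = try(each.value.cooldown_period, var.autoscale_common.cooldown_period, null)`) so the module default applies. Separately, the reordered `metadata = merge(...)` now lets a per-group `bootstrap_options` shadow common entries such as `ssh-keys` and `panorama-server`; that matches the documented precedence, but since these land in instance metadata a short comment stating that per-group values win would help reviewers audit overrides. The `module "autoscale"` block starts before the hunk.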
diff --git a/examples/vpc_peering_dedicated_with_autoscale/variables.tf b/examples/vpc_peering_dedicated_with_autoscale/variables.tf
index faccd9b..6ed14d5 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/variables.tf
+++ b/examples/vpc_peering_dedicated_with_autoscale/variables.tf
@@ -4,18 +4,20 @@ variable "project" {
type = string
default = null
}
+
variable "region" {
description = "The region into which to deploy the infrastructure in to."
type = string
default = "us-central1"
}
+
variable "name_prefix" {
description = "A string to prefix resource namings."
type = string
default = "example-"
}
-#Service Account
+# Service Account
variable "service_accounts" {
description = <<-EOF
@@ -46,7 +48,7 @@ variable "service_accounts" {
default = {}
}
-#VPC
+# VPC
variable "networks" {
description = <<-EOF
@@ -146,7 +148,7 @@ variable "routes" {
default = {}
}
-#Autoscale
+# Autoscale
variable "autoscale_regional_mig" {
description = <<-EOF
Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
@@ -155,10 +157,11 @@ variable "autoscale_regional_mig" {
type = bool
default = true
}
+
variable "autoscale_common" {
description = <<-EOF
A map containing common vmseries autoscale setting.
- Bootstrap options can be moved between vmseries autoscale individual instances variable (`autoscale`) and this common vmseries autoscale variable (`autoscale_common`).
+ Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.
Example of variable deployment :
@@ -259,7 +262,7 @@ variable "autoscale" {
default = {}
}
-#Load Balancers
+# Load Balancers
variable "lbs_internal" {
description = <<-EOF
@@ -286,6 +289,7 @@ variable "lbs_internal" {
type = map(any)
default = {}
}
+
variable "lbs_external" {
description = <<-EOF
A map containing each external loadbalancer setting.
@@ -315,7 +319,7 @@ variable "lbs_external" {
default = {}
}
-#Spoke VPCs Linux VMs
+# Spoke VPCs Linux VMs
variable "linux_vms" {
description = <<-EOF