From 0ce8251dec93ffe75ac888cd2b07715eee0707ee Mon Sep 17 00:00:00 2001 From: michalbil Date: Tue, 16 Apr 2024 02:06:06 +0200 Subject: [PATCH] fix(vmseries): Update default vmseries image and license type --- examples/multi_nic_common/README.md | 2 +- examples/multi_nic_common/example.tfvars | 2 +- examples/multi_nic_common/variables.tf | 2 +- examples/panorama_standalone/variables.tf | 2 ++ .../standalone_vmseries_with_metadata_bootstrap/README.md | 4 ++-- .../example.tfvars | 2 +- .../standalone_vmseries_with_metadata_bootstrap/variables.tf | 4 ++-- examples/vmseries_ha/README.md | 2 +- examples/vmseries_ha/example.tfvars | 2 +- examples/vmseries_ha/variables.tf | 2 +- examples/vpc_peering_common/README.md | 2 +- examples/vpc_peering_common/example.tfvars | 2 +- examples/vpc_peering_common/variables.tf | 2 +- examples/vpc_peering_common_with_network_tags/README.md | 2 +- examples/vpc_peering_common_with_network_tags/example.tfvars | 2 +- examples/vpc_peering_common_with_network_tags/variables.tf | 2 +- examples/vpc_peering_dedicated/README.md | 2 +- examples/vpc_peering_dedicated/example.tfvars | 2 +- examples/vpc_peering_dedicated/variables.tf | 2 +- modules/vmseries/README.md | 2 +- modules/vmseries/variables.tf | 4 ++-- 21 files changed, 25 insertions(+), 23 deletions(-) diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md index b8ee7b5..c728168 100644 --- a/examples/multi_nic_common/README.md +++ b/examples/multi_nic_common/README.md @@ -217,7 +217,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | `{}` | no | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | `{}` | no | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/multi_nic_common/example.tfvars b/examples/multi_nic_common/example.tfvars index 690adcc..d551ddc 100644 --- a/examples/multi_nic_common/example.tfvars +++ b/examples/multi_nic_common/example.tfvars @@ -171,7 +171,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/multi_nic_common/variables.tf b/examples/multi_nic_common/variables.tf index cc93431..140215d 100644 --- a/examples/multi_nic_common/variables.tf +++ b/examples/multi_nic_common/variables.tf @@ -184,7 +184,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/panorama_standalone/variables.tf b/examples/panorama_standalone/variables.tf index be0ac3a..c02f6c5 100644 --- a/examples/panorama_standalone/variables.tf +++ b/examples/panorama_standalone/variables.tf @@ -4,11 +4,13 @@ variable "project" { type = string default = null } + variable "region" { description = "The region into which to deploy the infrastructure in to" type = string default = "us-central1" } + variable "name_prefix" { description = "A string to prefix resource namings" type = string diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/README.md b/examples/standalone_vmseries_with_metadata_bootstrap/README.md index 865f9c8..0aa3452 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/README.md +++ b/examples/standalone_vmseries_with_metadata_bootstrap/README.md @@ -37,8 +37,8 @@ No resources. | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no | | [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
"vmseries-vpc" = {
vpc_name = "firewall-vpc"
create_network = true
delete_default_routes_on_create = "false"
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
"vmseries-sub" = {
name = "vmseries-subnet"
create_subnetwork = true
ip_cidr_range = "172.21.21.0/24"
region = "us-central1"
}
}
firewall_rules = {
"allow-vmseries-ingress" = {
name = "vmseries-mgmt"
source_ranges = ["1.1.1.1/32", "2.2.2.2/32"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | -| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-central1-b"
vmseries_image = "vmseries-flex-byol-1022h2"
ssh_keys = "admin:"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "vmseries-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-central1-b"
vmseries_image = "vmseries-flex-byol-1029h1"
ssh_keys = "admin:"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "vmseries-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no | ### Outputs diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars index 9619eaa..e0b93e6 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars +++ b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars @@ -32,7 +32,7 @@ vmseries = { "fw-vmseries-01" = { name = "fw-vmseries-01" zone = "us-central1-b" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" ssh_keys = "admin:" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf index 3d1fce0..3061c5c 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf @@ -62,7 +62,7 @@ variable "vmseries" { "fw-vmseries-01" = { name = "fw-vmseries-01" zone = "us-central1-b" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" ssh_keys = "admin:" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" @@ -117,7 +117,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md index cdb8a82..9e0dc47 100644 --- a/examples/vmseries_ha/README.md +++ b/examples/vmseries_ha/README.md @@ -271,7 +271,7 @@ Check the succesful inbound and outbound traffic fail-over to and from the spoke | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vmseries_ha/example.tfvars b/examples/vmseries_ha/example.tfvars index 31c7633..a083328 100644 --- a/examples/vmseries_ha/example.tfvars +++ b/examples/vmseries_ha/example.tfvars @@ -234,7 +234,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vmseries_ha/variables.tf b/examples/vmseries_ha/variables.tf index b918c55..82e7d18 100644 --- a/examples/vmseries_ha/variables.tf +++ b/examples/vmseries_ha/variables.tf @@ -182,7 +182,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md index 3a9673a..a06d6fd 100644 --- a/examples/vpc_peering_common/README.md +++ b/examples/vpc_peering_common/README.md @@ -235,7 +235,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_common/example.tfvars b/examples/vpc_peering_common/example.tfvars index 23691db..49d9257 100644 --- a/examples/vpc_peering_common/example.tfvars +++ b/examples/vpc_peering_common/example.tfvars @@ -210,7 +210,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common/variables.tf b/examples/vpc_peering_common/variables.tf index 43ae113..d1e610a 100644 --- a/examples/vpc_peering_common/variables.tf +++ b/examples/vpc_peering_common/variables.tf @@ -182,7 +182,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md index 7e9d975..4a80684 100644 --- a/examples/vpc_peering_common_with_network_tags/README.md +++ b/examples/vpc_peering_common_with_network_tags/README.md @@ -252,7 +252,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
fw-default-trust-region-1 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-1"
region = "us-east1"
tags = ["us-east1"]
},
fw-default-trust-region-2 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-2"
region = "us-west1"
tags = ["us-west1"]
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting for vmseries instances.

Example of variable deployment :
vmseries = {
fw-vmseries-01 = {
name = "fw-vmseries-01"
region = "us-east1"
zone = "us-east1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (Region-1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub-region-1"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub-region-1"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub-region-1"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_common_with_network_tags/example.tfvars b/examples/vpc_peering_common_with_network_tags/example.tfvars index 9b1481e..4b95726 100644 --- a/examples/vpc_peering_common_with_network_tags/example.tfvars +++ b/examples/vpc_peering_common_with_network_tags/example.tfvars @@ -205,7 +205,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common_with_network_tags/variables.tf b/examples/vpc_peering_common_with_network_tags/variables.tf index 44b35ab..12bb06c 100644 --- a/examples/vpc_peering_common_with_network_tags/variables.tf +++ b/examples/vpc_peering_common_with_network_tags/variables.tf @@ -188,7 +188,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAABBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md index 6fd3453..1753903 100644 --- a/examples/vpc_peering_dedicated/README.md +++ b/examples/vpc_peering_dedicated/README.md @@ -249,7 +249,7 @@ The GCP Global HTTP LB acts as a proxy and sends traffic to the VM-Series `Untru | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1022h2"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_dedicated/example.tfvars b/examples/vpc_peering_dedicated/example.tfvars index aab1113..00e4d89 100644 --- a/examples/vpc_peering_dedicated/example.tfvars +++ b/examples/vpc_peering_dedicated/example.tfvars @@ -210,7 +210,7 @@ routes = { # VM-Series vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_dedicated/variables.tf b/examples/vpc_peering_dedicated/variables.tf index 56156fc..3c41758 100644 --- a/examples/vpc_peering_dedicated/variables.tf +++ b/examples/vpc_peering_dedicated/variables.tf @@ -182,7 +182,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAABBB..." - vmseries_image = "vmseries-flex-byol-1022h2" + vmseries_image = "vmseries-flex-byol-1029h1" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md index 9a0c627..30e160b 100644 --- a/modules/vmseries/README.md +++ b/modules/vmseries/README.md @@ -63,7 +63,7 @@ No modules. | [service\_account](#input\_service\_account) | IAM Service Account for running firewall instance (just the email) | `string` | `null` | no | | [ssh\_keys](#input\_ssh\_keys) | Public keys to allow SSH access for, separated by newlines. | `string` | `null` | no | | [tags](#input\_tags) | GCP instance tags. | `list(string)` | `[]` | no | -| [vmseries\_image](#input\_vmseries\_image) | The image name from which to boot an instance, including a license type (bindle/flex) and version.
To get a list of available official images, please run the following command:
`gcloud compute images list --filter="family ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images` | `string` | `"vmseries-flex-byol-10112"` | no | +| [vmseries\_image](#input\_vmseries\_image) | The image name from which to boot an instance, including a license type (bundle/flex) and version.
To get a list of available official images, please run the following command:
`gcloud compute images list --filter="family ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images` | `string` | `"vmseries-flex-byol-1029h1"` | no | | [zone](#input\_zone) | Zone to deploy instance in. | `string` | n/a | yes | ### Outputs diff --git a/modules/vmseries/variables.tf b/modules/vmseries/variables.tf index dfc63fe..104f466 100644 --- a/modules/vmseries/variables.tf +++ b/modules/vmseries/variables.tf @@ -114,11 +114,11 @@ variable "scopes" { variable "vmseries_image" { description = <