diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md index 5b4144c..b304321 100644 --- a/examples/multi_nic_common/README.md +++ b/examples/multi_nic_common/README.md @@ -211,13 +211,13 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries settings.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | `{}` | no | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries settings.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | `{}` | no | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/multi_nic_common/example.tfvars b/examples/multi_nic_common/example.tfvars index d551ddc..e1e192b 100644 --- a/examples/multi_nic_common/example.tfvars +++ b/examples/multi_nic_common/example.tfvars @@ -57,8 +57,8 @@ networks = { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -82,7 +82,7 @@ networks = { firewall_rules = { allow-untrust-ingress = { name = "allow-untrust-vpc" - source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -171,7 +171,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/multi_nic_common/variables.tf b/examples/multi_nic_common/variables.tf index 2ca592b..90d6b16 100644 --- a/examples/multi_nic_common/variables.tf +++ b/examples/multi_nic_common/variables.tf @@ -100,8 +100,8 @@ variable "networks" { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["10.10.10.0/24"] priority = "1000" allowed_protocol = "all" allowed_ports = [] 
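Review bot: The rewritten `allow-mgmt-ingress` rule in the @@ -57 hunk of examples/multi_nic_common/example.tfvars still combines `allowed_protocol = "all"` and `allowed_ports = []` with the placeholder source `1.1.1.1/32`, which is a routable public address, so an unedited copy of the example admits every protocol from that host to whatever the rule targets, and an edited one admits everything from the operator's range rather than just the management ports. The commit already shows the tighter shape in `allow-cloudiap-ingress` (examples/panorama_standalone/example.tfvars), so `allowed_protocol = "tcp"` and `allowed_ports = [22, 443]` would keep the examples consistent with each other. The new comment could also flag the placeholder explicitly, e.g. `# Placeholder - replace with your management source range before apply.` The same pattern recurs in the @@ -22 hunk of examples/panorama_standalone/example.tfvars, the @@ -19 hunk of examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars and the @@ -57 hunk of examples/vmseries_ha/example.tfvars. The enclosing `networks` block starts and ends outside the hunk.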
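Review bot: In the @@ -82 hunk of examples/multi_nic_common/example.tfvars the `allow-untrust-ingress` rule keeps `name = "allow-untrust-vpc"` even though the commit renames the sibling rule so that its name matches its map key (`name = "allow-mgmt-ingress"`); `name = "allow-untrust-ingress"` would finish that clean-up. The replacement comment `# Add app client IP range.` also steers users to append client ranges to a rule whose `allowed_protocol = "all"` and `allowed_ports = []` are unchanged, so the retained ranges (which look like Google's health-check probe ranges; confirm) and any added client range would get unrestricted access rather than the published service ports. Consider `allowed_protocol = "tcp"` with the service ports, or a comment stating that client ranges belong in a separate port-scoped rule. The @@ -82 hunk of examples/vmseries_ha/example.tfvars has the same two issues. The enclosing `networks` block starts and ends outside the hunk.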
@@ -185,7 +185,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/panorama_standalone/README.md b/examples/panorama_standalone/README.md index 7ab1a9e..df3e8b6 100644 --- a/examples/panorama_standalone/README.md +++ b/examples/panorama_standalone/README.md @@ -62,7 +62,9 @@ panorama_public_ips = { ## Post build -Connect to the panorama instance(s) via SSH using your associated private key and set a password : +### Connect to Panorama directly via SSH + +Connect to the Panorama instance(s) via SSH using your associated private key and set a password: ``` ssh admin@x.x.x.x -i /PATH/TO/YOUR/KEY/id_rsa 
@@ -79,10 +81,48 @@ admin@Panorama# commit Configuration committed successfully ``` -## Check access via web UI +#### Check access via web UI Use a web browser to access https://x.x.x.x and login with admin and your previously configured password +### Connect to Panorama via GCP IAP + +>**Note**: This connection method is required when Panorama doesn't have a public IP address attached to the network interface and there is no IP connectivity from the management workstation to the Panorama's private IP address. + +>**Note**: First time access provisioning takes some time. Please run the following command once again if it gets stuck while connecting. + +``` +gcloud compute ssh --zone "" "admin@" --tunnel-through-iap --project "" -- -i /PATH/TO/YOUR/KEY/id_rsa + + +To increase the performance of the tunnel, consider installing NumPy. For instructions, +please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the_tcp_upload_bandwidth + +Welcome admin. +admin@Panorama> configure +Entering configuration mode +[edit] +admin@Panorama# set mgt-config users admin password +Enter password : +Confirm password : + +[edit] +admin@Panorama# commit +Configuration committed successfully +``` + +#### Check access via web UI + +Start IAP TCP forwarding: + +``` +gcloud compute start-iap-tunnel 443 --local-host-port=localhost:4443 --zone= --project +``` + +Use a web browser to access https://localhost:4443 and login with admin and your previously configured password. + +>**Note**: Because IAP TCP forwarding is using multiple source IP addresses, you might see a connection reset right after successful Panorama login. In that case, reestablish IAP TCP forwarding and try logging in again. + ## Reference ### Requirements diff --git a/examples/panorama_standalone/example.tfvars b/examples/panorama_standalone/example.tfvars index 85164ae..03817d5 100644 --- a/examples/panorama_standalone/example.tfvars +++ b/examples/panorama_standalone/example.tfvars 
@@ -22,12 +22,19 @@ networks = { } firewall_rules = { "allow-panorama-ingress" = { - name = "panorama-mgmt" - source_ranges = ["1.1.1.1/32", "2.2.2.2/32"] + name = "allow-panorama-ingress" + source_ranges = ["172.21.21.0/24", "1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] } + "allow-cloudiap-ingress" = { + name = "allow-cloudiap-ingress" + source_ranges = ["35.235.240.0/20"] # 35.235.240.0/20 corresponds to Cloud IAP. + priority = "1000" + allowed_protocol = "tcp" + allowed_ports = [22, 443] + } } } } diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/README.md b/examples/standalone_vmseries_with_metadata_bootstrap/README.md index 0aa3452..19317fb 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/README.md +++ b/examples/standalone_vmseries_with_metadata_bootstrap/README.md @@ -37,8 +37,8 @@ No resources. | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings | `string` | `""` | no | | [networks](#input\_networks) | A map containing each network setting.
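Review bot: The new `allow-cloudiap-ingress` rule in this hunk is scoped to `tcp` 22/443, but the `allow-panorama-ingress` rule directly above it, now listing `172.21.21.0/24` and `1.1.1.1/32`, stays at `allowed_protocol = "all"` with `allowed_ports = []` and the same `priority = "1000"`, so the port scoping only constrains traffic from the IAP range. The comment `# Set your own management source IP range.` leaves unclear whether `172.21.21.0/24` is itself a placeholder or a fixed subnet; a comment such as `# 172.21.21.0/24: <mgmt subnet - confirm>; 1.1.1.1/32: placeholder, replace before apply` would settle that. The IAP comment could likewise say where the range comes from, e.g. `# 35.235.240.0/20 is Google's published IAP TCP-forwarding source range.` The enclosing `networks` block starts outside the hunk.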

Example of variable deployment :
networks = {
"vmseries-vpc" = {
vpc_name = "firewall-vpc"
create_network = true
delete_default_routes_on_create = "false"
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
"vmseries-sub" = {
name = "vmseries-subnet"
create_subnetwork = true
ip_cidr_range = "172.21.21.0/24"
region = "us-central1"
}
}
firewall_rules = {
"allow-vmseries-ingress" = {
name = "vmseries-mgmt"
source_ranges = ["1.1.1.1/32", "2.2.2.2/32"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | -| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-central1-b"
vmseries_image = "vmseries-flex-byol-1029h1"
ssh_keys = "admin:"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "vmseries-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no | +| [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-central1-b"
vmseries_image = "vmseries-flex-byol-10210h9"
ssh_keys = "admin:"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "vmseries-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Bootstrap options can be moved between vmseries individual instance variable (`vmseries`) and this common vmserie variable (`vmseries_common`). | `map` | `{}` | no | ### Outputs diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars index e0b93e6..cec7500 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars +++ b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars @@ -19,7 +19,7 @@ networks = { firewall_rules = { "allow-vmseries-ingress" = { name = "vmseries-mgmt" - source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -32,7 +32,7 @@ vmseries = { "fw-vmseries-01" = { name = "fw-vmseries-01" zone = "us-central1-b" - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" ssh_keys = "admin:" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf index 3061c5c..798484c 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf +++ b/examples/standalone_vmseries_with_metadata_bootstrap/variables.tf @@ -62,7 +62,7 @@ variable "vmseries" { "fw-vmseries-01" = { name = "fw-vmseries-01" zone = "us-central1-b" - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" ssh_keys = "admin:" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" 
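Review bot: The @@ -19 hunk of examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars only rewrites the comment and leaves `name = "vmseries-mgmt"` under the key `"allow-vmseries-ingress"`, whereas the same commit renames the equivalent rules in multi_nic_common, vmseries_ha and panorama_standalone so that name and key agree; `name = "allow-vmseries-ingress"` would keep the examples uniform. The `networks` description example in this example's README (context lines of the @@ -37 hunk above) also still shows `name = "vmseries-mgmt"` with two placeholder sources, so whichever form is kept should be mirrored there. The enclosing `networks` block starts and ends outside the hunk.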
@@ -117,7 +117,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md index da03150..b34a3a4 100644 --- a/examples/vmseries_ha/README.md +++ b/examples/vmseries_ha/README.md @@ -265,13 +265,13 @@ Check the succesful inbound and outbound traffic fail-over to and from the spoke | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `any` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vmseries_ha/example.tfvars b/examples/vmseries_ha/example.tfvars index a083328..e9bcd37 100644 --- a/examples/vmseries_ha/example.tfvars +++ b/examples/vmseries_ha/example.tfvars @@ -57,8 +57,8 @@ networks = { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -82,7 +82,7 @@ networks = { firewall_rules = { allow-untrust-ingress = { name = "allow-untrust-vpc" - source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -234,7 +234,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vmseries_ha/variables.tf b/examples/vmseries_ha/variables.tf index 90daeea..0271dd7 100644 --- a/examples/vmseries_ha/variables.tf +++ b/examples/vmseries_ha/variables.tf @@ -101,8 +101,8 @@ variable "networks" { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["10.10.10.0/24"] priority = "1000" allowed_protocol = "all" allowed_ports = [] 
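Review bot: The @@ -57 hunk of examples/vmseries_ha/example.tfvars drops `10.10.10.0/24` from `allow-mgmt-ingress`, leaving `source_ranges = ["1.1.1.1/32"]`, while the description example in examples/vmseries_ha/variables.tf (@@ -101 hunk on the same line) goes the other way and keeps `["10.10.10.0/24"]` as the only source, so the deployable example and the documented one now disagree. If anything inside the management VPC relied on that range (the README's `fw-mgmt-sub` is `10.10.10.0/28`, so the /24 covered it — whether HA or bootstrap traffic needs it I cannot tell from here), the example now depends entirely on the placeholder being edited. Either keep the subnet range alongside the placeholder, or add a comment saying why intra-subnet management access was removed. The enclosing `networks` block starts and ends outside the hunk.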
@@ -184,7 +184,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md index b9ef04f..970ffdd 100644 --- a/examples/vpc_peering_common/README.md +++ b/examples/vpc_peering_common/README.md @@ -229,13 +229,13 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_common/example.tfvars b/examples/vpc_peering_common/example.tfvars index 49d9257..46909fc 100644 --- a/examples/vpc_peering_common/example.tfvars +++ b/examples/vpc_peering_common/example.tfvars @@ -57,8 +57,8 @@ networks = { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -82,7 +82,7 @@ networks = { firewall_rules = { allow-untrust-ingress = { name = "allow-untrust-vpc" - source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -210,7 +210,7 @@ routes = { vmseries_common = { ssh_keys = "admin:" - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common/variables.tf b/examples/vpc_peering_common/variables.tf index 4f7d849..7556da7 100644 --- a/examples/vpc_peering_common/variables.tf +++ b/examples/vpc_peering_common/variables.tf 
@@ -101,8 +101,8 @@ variable "networks" { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["10.10.10.0/24"] priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -184,7 +184,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common_dual_stack/README.md b/examples/vpc_peering_common_dual_stack/README.md index 6f01375..6fd7adf 100644 --- a/examples/vpc_peering_common_dual_stack/README.md +++ b/examples/vpc_peering_common_dual_stack/README.md @@ -293,7 +293,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | | [policy\_routes](#input\_policy\_routes) | A map containing Policy-Based Routes that are used to route outgoing IPv6 traffic to ILB.
Note that policy routes support ILB only as a next-hop.

Example :
routes = {
spoke1-vpc-default-ipv6 = {
name = "spoke1-vpc-default-ipv6"
destination_range = "::/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-ipv6"
}
spoke2-vpc-default-ipv6 = {
name = "spoke2-vpc-default-ipv6"
destination_range = "::/0"
vpc_network_key = "fw-spoke2-vpc"
lb_internal_key = "internal-lb-ipv6"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [policy\_routes\_trust\_vpc\_network\_key](#input\_policy\_routes\_trust\_vpc\_network\_key) | Trust VPC network\_key that is used to configure a DEFAULT\_ROUTING PBR that prevents network loops. | `string` | n/a | yes | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | @@ -301,7 +301,7 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes | -| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | +| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAAABBBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes | | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | ### Outputs diff --git a/examples/vpc_peering_common_dual_stack/example.tfvars b/examples/vpc_peering_common_dual_stack/example.tfvars index 6825e4a..32c5728 100644 --- a/examples/vpc_peering_common_dual_stack/example.tfvars +++ b/examples/vpc_peering_common_dual_stack/example.tfvars @@ -57,8 +57,8 @@ networks = { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["1.1.1.1/32"] # Modify this value as per deployment requirements. Replace 1.1.1.1/32 with your own source IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -84,14 +84,14 @@ networks = { firewall_rules = { allow-untrust-ingress-ipv4-1 = { name = "allow-untrust-vpc-ipv4-1" - source_ranges = ["0.0.0.0/0"] # Allow connections via Network Load Balancer from any source IP. Change to a more specific IPv6 range if required. + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] } allow-untrust-ingress-ipv6-1 = { name = "allow-untrust-vpc-ipv6-1" - source_ranges = ["::/0"] # Allow connections via Network Load Balancer from any source IP. Change to a more specific IPv6 range if required. + source_ranges = ["2600:1901:8001::/48"] # Add app client source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -271,7 +271,7 @@ policy_routes_trust_vpc_network_key = "fw-trust-vpc" vmseries_common = { ssh_keys = "admin:" # Modify this value as per deployment requirements - vmseries_image = "vmseries-flex-byol-1114" + vmseries_image = "vmseries-flex-byol-1114h7" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" 
diff --git a/examples/vpc_peering_common_dual_stack/variables.tf b/examples/vpc_peering_common_dual_stack/variables.tf index 5f8cb29..f2383f5 100644 --- a/examples/vpc_peering_common_dual_stack/variables.tf +++ b/examples/vpc_peering_common_dual_stack/variables.tf @@ -101,8 +101,8 @@ variable "networks" { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["10.10.10.0/24"] priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -219,7 +219,7 @@ variable "vmseries_common" { ``` vmseries_common = { ssh_keys = "admin:AAAABBBB..." - vmseries_image = "vmseries-flex-byol-1029h1" + vmseries_image = "vmseries-flex-byol-10210h9" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" diff --git a/examples/vpc_peering_common_with_autoscale/README.md b/examples/vpc_peering_common_with_autoscale/README.md index ad307ba..d93147e 100644 --- a/examples/vpc_peering_common_with_autoscale/README.md +++ b/examples/vpc_peering_common_with_autoscale/README.md @@ -190,13 +190,13 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| | [autoscale](#input\_autoscale) | A map containing each vmseries autoscale setting.
Zonal or regional managed instance group type is controolled from the `autoscale_regional_mig` variable for all autoscale instances.

Example of variable deployment :
autoscale = {
fw-autoscale-common = {
name = "fw-autoscale-common"
zones = {
zone1 = "us-east4-b"
zone2 = "us-east4-c"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
service_account_key = "sa-vmseries-01"
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
autoscaler_metrics = {
"custom.googleapis.com/VMSeries/panSessionUtilization" = {
target = 70
}
"custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
target = 700000
}
}
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
dhcp-send-client-id = "yes"
dhcp-accept-server-hostname = "yes"
dhcp-accept-server-domain = "yes"
mgmt-interface-swap = "enable"
panorama-server = "1.1.1.1"
ssh-keys = "admin:" # Replace this value with client data
}
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
}
]
}
}
| `any` | `{}` | no | -| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.

Example of variable deployment :
autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no | +| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.

Example of variable deployment :
autoscale_common = {
image = "vmseries-flex-byol-1114h7"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no | | [autoscale\_regional\_mig](#input\_autoscale\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | `true` | no | | [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.

Example of variable deployment :
lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.
Note : private IP reservation is not by default within the example as it may overlap with autoscale IP allocation.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no | | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no | -| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | +| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no | | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no | | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no | | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no | diff --git a/examples/vpc_peering_common_with_autoscale/example.tfvars b/examples/vpc_peering_common_with_autoscale/example.tfvars index c2d0799..7bbda63 100644 --- a/examples/vpc_peering_common_with_autoscale/example.tfvars +++ b/examples/vpc_peering_common_with_autoscale/example.tfvars @@ -49,8 +49,8 @@ networks = { } firewall_rules = { allow-mgmt-ingress = { - name = "allow-mgmt-vpc" - source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + name = "allow-mgmt-ingress" + source_ranges = ["1.1.1.1/32"] # Set your own management source IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -74,7 +74,7 @@ networks = { firewall_rules = { allow-untrust-ingress = { name = "allow-untrust-vpc" - source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes. + source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range. priority = "1000" allowed_protocol = "all" allowed_ports = [] @@ -202,7 +202,7 @@ routes = { autoscale_regional_mig = true autoscale_common = { - image = "vmseries-flex-byol-1110" + image = "vmseries-flex-byol-1114h7" machine_type = "n2-standard-4" min_cpu_platform = "Intel Cascade Lake" disk_type = "pd-ssd" diff --git a/examples/vpc_peering_common_with_autoscale/variables.tf b/examples/vpc_peering_common_with_autoscale/variables.tf index 6ed14d5..c3cabea 100644 --- a/examples/vpc_peering_common_with_autoscale/variables.tf +++ b/examples/vpc_peering_common_with_autoscale/variables.tf 
@@ -74,8 +74,8 @@ variable "networks" {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["10.10.10.0/24"]
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -167,7 +167,7 @@ variable "autoscale_common" {
 ```
 autoscale_common = {
- image = "vmseries-flex-byol-1110"
+ image = "vmseries-flex-byol-1114h7"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 disk_type = "pd-ssd"
diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md
index 810832b..9c18bfc 100644
--- a/examples/vpc_peering_common_with_network_tags/README.md
+++ b/examples/vpc_peering_common_with_network_tags/README.md
@@ -247,12 +247,12 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
 | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting .

Example of variable deployment :
lbs_internal = {
internal-lb-region-1 = {
name = "internal-lb"
region = "us-east1"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub-region-1"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration in region\_1 that will be placed in spoke VPC network for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
region = "us-east1"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub-region-1"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no |
 | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no |
-| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
+| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
 | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
 | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
fw-default-trust-region-1 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-1"
region = "us-east1"
tags = ["us-east1"]
},
fw-default-trust-region-2 = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-spoke1-vpc"
lb_internal_key = "internal-lb-region-2"
region = "us-west1"
tags = ["us-west1"]
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting for vmseries instances.

Example of variable deployment :
vmseries = {
fw-vmseries-01 = {
name = "fw-vmseries-01"
region = "us-east1"
zone = "us-east1-b"
tags = ["vmseries"]
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1" # Modify this value as per deployment requirements
dns-primary = "8.8.8.8" # Modify this value as per deployment requirements
dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" # This is placeholder IP - you must replace it on the vmseries config with the LB public IP address (Region-1) after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub-region-1"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub-region-1"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub-region-1"
private_ip = "10.10.12.2"
}
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
 | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 ### Outputs
diff --git a/examples/vpc_peering_common_with_network_tags/example.tfvars b/examples/vpc_peering_common_with_network_tags/example.tfvars
index 4b95726..db07e18 100644
--- a/examples/vpc_peering_common_with_network_tags/example.tfvars
+++ b/examples/vpc_peering_common_with_network_tags/example.tfvars
@@ -62,8 +62,8 @@ networks = {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["1.1.1.1/32"] # Set your own management source IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -93,7 +93,7 @@ networks = {
 firewall_rules = {
 allow-untrust-ingress = {
 name = "allow-untrust-vpc"
- source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"]
+ source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -205,7 +205,7 @@ routes = {
 vmseries_common = {
 ssh_keys = "admin:"
- vmseries_image = "vmseries-flex-byol-1029h1"
+ vmseries_image = "vmseries-flex-byol-10210h9"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
diff --git a/examples/vpc_peering_common_with_network_tags/variables.tf b/examples/vpc_peering_common_with_network_tags/variables.tf
index 229314f..52a8439 100644
--- a/examples/vpc_peering_common_with_network_tags/variables.tf
+++ b/examples/vpc_peering_common_with_network_tags/variables.tf
@@ -95,8 +95,8 @@ variable "networks" {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["10.10.10.0/24"]
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -189,7 +189,7 @@ variable "vmseries_common" {
 ```
 vmseries_common = {
 ssh_keys = "admin:AAABBB..."
- vmseries_image = "vmseries-flex-byol-1029h1"
+ vmseries_image = "vmseries-flex-byol-10210h9"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md
index 149a677..4f1f62f 100644
--- a/examples/vpc_peering_dedicated/README.md
+++ b/examples/vpc_peering_dedicated/README.md
@@ -243,13 +243,13 @@ The GCP Global HTTP LB acts as a proxy and sends traffic to the VM-Series `Untru
 | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
ip_address = "10.10.12.5"
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of variable deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
subnetwork = "spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no |
 | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no |
-| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
+| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
 | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
 | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no |
 | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [service\_accounts](#input\_service\_accounts) | A map containing each service account setting.

Example of variable deployment :
service_accounts = {
"sa-vmseries-01" = {
service_account_id = "sa-vmseries-01"
display_name = "VM-Series SA"
roles = [
"roles/compute.networkViewer",
"roles/logging.logWriter",
"roles/monitoring.metricWriter",
"roles/monitoring.viewer",
"roles/viewer"
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/iam_service_account#Inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [vmseries](#input\_vmseries) | A map containing each individual vmseries setting.

Example of variable deployment :
vmseries = {
"fw-vmseries-01" = {
name = "fw-vmseries-01"
zone = "us-east1-b"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
tags = ["vmseries"]
service_account_key = "sa-vmseries-01"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
bootstrap_bucket_key = "vmseries-bootstrap-bucket-01"
bootstrap_options = {
panorama-server = "1.1.1.1"
dns-primary = "8.8.8.8"
dns-secondary = "8.8.4.4"
}
bootstrap_template_map = {
trust_gcp_router_ip = "10.10.12.1"
untrust_gcp_router_ip = "10.10.11.1"
private_network_cidr = "192.168.0.0/16"
untrust_loopback_ip = "1.1.1.1/32" #This is placeholder IP - you must replace it on the vmseries config with the LB public IP address after the infrastructure is deployed
trust_loopback_ip = "10.10.12.5/32"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
private_ip = "10.10.11.2"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
private_ip = "10.10.10.2"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
private_ip = "10.10.12.2"
},
]
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vmseries#inputs)

The bootstrap\_template\_map contains variables that will be applied to the bootstrap template. Each firewall Day 0 bootstrap will be parametrised based on these inputs.
Multiple keys can be added and will be deployed by the code. | `any` | n/a | yes |
-| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-1029h1"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
+| [vmseries\_common](#input\_vmseries\_common) | A map containing common vmseries setting.

Example of variable deployment :
vmseries_common = {
ssh_keys = "admin:AAABBB..."
vmseries_image = "vmseries-flex-byol-10210h9"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
service_account_key = "sa-vmseries-01"
bootstrap_options = {
type = "dhcp-client"
mgmt-interface-swap = "enable"
}
}
Majority of settings can be moved between this common and individual instance (ie. `var.vmseries`) variables. If values for the same item are specified in both of them, one from the latter will take precedence. | `any` | n/a | yes |
 | [vpc\_peerings](#input\_vpc\_peerings) | A map containing each VPC peering setting.

Example of variable deployment :
vpc_peerings = {
"trust-to-spoke1" = {
local_network_key = "fw-trust-vpc"
peer_network_key = "fw-spoke1-vpc"

local_export_custom_routes = true
local_import_custom_routes = true
local_export_subnet_routes_with_public_ip = true
local_import_subnet_routes_with_public_ip = true

peer_export_custom_routes = true
peer_import_custom_routes = true
peer_export_subnet_routes_with_public_ip = true
peer_import_subnet_routes_with_public_ip = true
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc-peering#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 ### Outputs
diff --git a/examples/vpc_peering_dedicated/example.tfvars b/examples/vpc_peering_dedicated/example.tfvars
index 00e4d89..3fc4911 100644
--- a/examples/vpc_peering_dedicated/example.tfvars
+++ b/examples/vpc_peering_dedicated/example.tfvars
@@ -57,8 +57,8 @@ networks = {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["1.1.1.1/32"] # Set your own management source IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -82,7 +82,7 @@ networks = {
 firewall_rules = {
 allow-untrust-ingress = {
 name = "allow-untrust-vpc"
- source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -210,7 +210,7 @@ routes = {
 # VM-Series
 vmseries_common = {
 ssh_keys = "admin:"
- vmseries_image = "vmseries-flex-byol-1029h1"
+ vmseries_image = "vmseries-flex-byol-10210h9"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
diff --git a/examples/vpc_peering_dedicated/variables.tf b/examples/vpc_peering_dedicated/variables.tf
index d8992cc..493f94a 100644
--- a/examples/vpc_peering_dedicated/variables.tf
+++ b/examples/vpc_peering_dedicated/variables.tf
@@ -101,8 +101,8 @@ variable "networks" {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["10.10.10.0/24"]
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -184,7 +184,7 @@ variable "vmseries_common" {
 ```
 vmseries_common = {
 ssh_keys = "admin:AAABBB..."
- vmseries_image = "vmseries-flex-byol-1029h1"
+ vmseries_image = "vmseries-flex-byol-10210h9"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 service_account_key = "sa-vmseries-01"
diff --git a/examples/vpc_peering_dedicated_with_autoscale/README.md b/examples/vpc_peering_dedicated_with_autoscale/README.md
index 0e6e595..7ccbbfd 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/README.md
+++ b/examples/vpc_peering_dedicated_with_autoscale/README.md
@@ -194,13 +194,13 @@ please see https://cloud.google.com/iap/docs/using-tcp-forwarding#increasing_the
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | [autoscale](#input\_autoscale) | A map containing each vmseries autoscale setting.
Zonal or regional managed instance group type is controolled from the `autoscale_regional_mig` variable for all autoscale instances.

Example of variable deployment :
autoscale = {
fw-autoscale-common = {
name = "fw-autoscale-common"
zones = {
zone1 = "us-east4-b"
zone2 = "us-east4-c"
}
named_ports = [
{
name = "http"
port = 80
},
{
name = "https"
port = 443
}
]
service_account_key = "sa-vmseries-01"
min_vmseries_replicas = 2
max_vmseries_replicas = 4
create_pubsub_topic = true
autoscaler_metrics = {
"custom.googleapis.com/VMSeries/panSessionUtilization" = {
target = 70
}
"custom.googleapis.com/VMSeries/panSessionThroughputKbps" = {
target = 700000
}
}
bootstrap_options = {
type = "dhcp-client"
dhcp-send-hostname = "yes"
dhcp-send-client-id = "yes"
dhcp-accept-server-hostname = "yes"
dhcp-accept-server-domain = "yes"
mgmt-interface-swap = "enable"
panorama-server = "1.1.1.1"
ssh-keys = "admin:" # Replace this value with client data
}
network_interfaces = [
{
vpc_network_key = "fw-untrust-vpc"
subnetwork_key = "fw-untrust-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-mgmt-vpc"
subnetwork_key = "fw-mgmt-sub"
create_public_ip = true
},
{
vpc_network_key = "fw-trust-vpc"
subnetwork_key = "fw-trust-sub"
}
]
}
}
| `any` | `{}` | no |
-| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.

Example of variable deployment :
autoscale_common = {
image = "vmseries-flex-byol-1110"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
+| [autoscale\_common](#input\_autoscale\_common) | A map containing common vmseries autoscale setting.
Majority of settings can be moved between this common and individual autoscale setup (ie. `var.autoscale`) variables. If values for the same item are specified in both of them, one from the latter will take precedence.

Example of variable deployment :
autoscale_common = {
image = "vmseries-flex-byol-1114h7"
machine_type = "n2-standard-4"
min_cpu_platform = "Intel Cascade Lake"
disk_type = "pd-ssd"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
tags = ["vmseries-autoscale"]
update_policy_type = "OPPORTUNISTIC"
cooldown_period = 480
bootstrap_options = [
panorama_server = "1.1.1.1"
]
}
| `any` | `{}` | no |
 | [autoscale\_regional\_mig](#input\_autoscale\_regional\_mig) | Sets the managed instance group type to either a regional (if `true`) or a zonal (if `false`).
For more information please see [About regional MIGs](https://cloud.google.com/compute/docs/instance-groups/regional-migs#why_choose_regional_managed_instance_groups). | `bool` | `true` | no |
 | [lbs\_external](#input\_lbs\_external) | A map containing each external loadbalancer setting.

Example of variable deployment :
lbs_external = {
"external-lb" = {
name = "external-lb"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
rules = {
"all-ports" = {
ip_protocol = "L3_DEFAULT"
}
}
http_health_check_port = "80"
http_health_check_request_path = "/php/login.php"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_external#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [lbs\_internal](#input\_lbs\_internal) | A map containing each internal loadbalancer setting.
Note : private IP reservation is not by default within the example as it may overlap with autoscale IP allocation.

Example of variable deployment :
lbs_internal = {
"internal-lb" = {
name = "internal-lb"
health_check_port = "80"
backends = ["fw-vmseries-01", "fw-vmseries-02"]
subnetwork_key = "fw-trust-sub"
vpc_network_key = "fw-trust-vpc"
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/lb_internal#inputs)

Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
 | [linux\_vms](#input\_linux\_vms) | A map containing each Linux VM configuration that will be placed in SPOKE VPCs for testing purposes.

Example of varaible deployment:
linux_vms = {
spoke1-vm = {
linux_machine_type = "n2-standard-4"
zone = "us-east1-b"
linux_disk_size = "50" # Modify this value as per deployment requirements
vpc_network_key = "fw-spoke1-vpc"
subnetwork_key = "fw-spoke1-sub"
private_ip = "192.168.1.2"
scopes = [
"https://www.googleapis.com/auth/compute.readonly",
"https://www.googleapis.com/auth/cloud.useraccounts.readonly",
"https://www.googleapis.com/auth/devstorage.read_only",
"https://www.googleapis.com/auth/logging.write",
"https://www.googleapis.com/auth/monitoring.write",
]
service_account_key = "sa-linux-01"
}
}
| `map(any)` | `{}` | no |
 | [name\_prefix](#input\_name\_prefix) | A string to prefix resource namings. | `string` | `"example-"` | no |
-| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-vpc"
source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no |
+| [networks](#input\_networks) | A map containing each network setting.

Example of variable deployment :
networks = {
fw-mgmt-vpc = {
vpc_name = "fw-mgmt-vpc"
create_network = true
delete_default_routes_on_create = false
mtu = "1460"
routing_mode = "REGIONAL"
subnetworks = {
fw-mgmt-sub = {
name = "fw-mgmt-sub"
create_subnetwork = true
ip_cidr_range = "10.10.10.0/28"
region = "us-east1"
}
}
firewall_rules = {
allow-mgmt-ingress = {
name = "allow-mgmt-ingress"
source_ranges = ["10.10.10.0/24"]
priority = "1000"
allowed_protocol = "all"
allowed_ports = []
}
}
}
}
For a full list of available configuration items - please refer to [module documentation](https://github.com/PaloAltoNetworks/terraform-google-swfw-modules/tree/main/modules/vpc#input_networks)

Multiple keys can be added and will be deployed by the code. | `any` | `{}` | no |
 | [project](#input\_project) | The project name to deploy the infrastructure in to. | `string` | `null` | no |
 | [region](#input\_region) | The region into which to deploy the infrastructure in to. | `string` | `"us-central1"` | no |
 | [routes](#input\_routes) | A map containing each route setting. Note that you can only add routes using a next-hop type of internal load-balance rule.

Example of variable deployment :
routes = {
"default-route-trust" = {
name = "fw-default-trust"
destination_range = "0.0.0.0/0"
vpc_network_key = "fw-trust-vpc"
lb_internal_name = "internal-lb"
}
}
Multiple keys can be added and will be deployed by the code. | `map(any)` | `{}` | no |
diff --git a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
index c77900a..7456aa5 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
+++ b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars
@@ -49,8 +49,8 @@ networks = {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["1.1.1.1/32"] # Set your own management source IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -74,7 +74,7 @@ networks = {
 firewall_rules = {
 allow-untrust-ingress = {
 name = "allow-untrust-vpc"
- source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ source_ranges = ["35.191.0.0/16", "209.85.152.0/22", "209.85.204.0/22"] # Add app client IP range.
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -202,7 +202,7 @@ routes = {
 autoscale_regional_mig = true
 autoscale_common = {
- image = "vmseries-flex-byol-1110"
+ image = "vmseries-flex-byol-1114h7"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 disk_type = "pd-ssd"
diff --git a/examples/vpc_peering_dedicated_with_autoscale/variables.tf b/examples/vpc_peering_dedicated_with_autoscale/variables.tf
index 6ed14d5..c3cabea 100644
--- a/examples/vpc_peering_dedicated_with_autoscale/variables.tf
+++ b/examples/vpc_peering_dedicated_with_autoscale/variables.tf
@@ -74,8 +74,8 @@ variable "networks" {
 }
 firewall_rules = {
 allow-mgmt-ingress = {
- name = "allow-mgmt-vpc"
- source_ranges = ["10.10.10.0/24", "1.1.1.1/32"] # Replace 1.1.1.1/32 with your own souurce IP address for management purposes.
+ name = "allow-mgmt-ingress"
+ source_ranges = ["10.10.10.0/24"]
 priority = "1000"
 allowed_protocol = "all"
 allowed_ports = []
@@ -167,7 +167,7 @@ variable "autoscale_common" {
 ```
 autoscale_common = {
- image = "vmseries-flex-byol-1110"
+ image = "vmseries-flex-byol-1114h7"
 machine_type = "n2-standard-4"
 min_cpu_platform = "Intel Cascade Lake"
 disk_type = "pd-ssd"
diff --git a/modules/panorama/main.tf b/modules/panorama/main.tf
index 6b2f8d7..0ea2258 100644
--- a/modules/panorama/main.tf
+++ b/modules/panorama/main.tf
@@ -50,6 +50,7 @@ resource "google_compute_instance" "this" {
 metadata = merge({
 serial-port-enable = true
 ssh-keys = var.ssh_keys
+ enable-oslogin = false
 }, var.metadata)
 service_account {
diff --git a/modules/vmseries/README.md b/modules/vmseries/README.md
index ee2dd5c..42cb07d 100644
--- a/modules/vmseries/README.md
+++ b/modules/vmseries/README.md
@@ -65,7 +65,7 @@ No modules.
 | [service\_account](#input\_service\_account) | IAM Service Account for running firewall instance (just the email) | `string` | `null` | no |
 | [ssh\_keys](#input\_ssh\_keys) | Public keys to allow SSH access for, separated by newlines. | `string` | `null` | no |
 | [tags](#input\_tags) | GCP instance tags. | `list(string)` | `[]` | no |
-| [vmseries\_image](#input\_vmseries\_image) | The image name from which to boot an instance, including a license type (bundle/flex) and version.
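Review bot: `enable-oslogin = false` is added to the Panorama instance metadata with no comment explaining why OS Login is turned off, and it silently moves SSH access from IAM-governed OS Login to the static `ssh-keys` metadata. Because `merge()` takes `var.metadata` last, a caller can still override the key, but every deployment now opts out of a project-level `enable-oslogin = TRUE` by default; as far as I recall, projects enforcing the `compute.requireOsLogin` org policy reject an instance that sets it to false, so this is worth a line in the module README as well. Presumably the reason is that Panorama, as a PAN-OS appliance, cannot run the guest agent OS Login requires — if so, say it in place: `enable-oslogin = false # PAN-OS appliances do not support OS Login; access is via ssh-keys. Override through var.metadata if your project requires OS Login.`. The `google_compute_instance` resource continues outside the hunk.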
To get a list of available official images, please run the following command:
`gcloud compute images list --filter="family ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images` | `string` | `"vmseries-flex-byol-1029h1"` | no |
+| [vmseries\_image](#input\_vmseries\_image) | The image name from which to boot an instance, including a license type (bundle/flex) and version.
To get a list of available official images, please run the following command:
`gcloud compute images list --filter="family ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images` | `string` | `"vmseries-flex-byol-10210h9"` | no |
 | [zone](#input\_zone) | Zone to deploy instance in. | `string` | n/a | yes |
 ### Outputs
diff --git a/modules/vmseries/variables.tf b/modules/vmseries/variables.tf
index cd00d3d..ea65919 100644
--- a/modules/vmseries/variables.tf
+++ b/modules/vmseries/variables.tf
@@ -125,7 +125,7 @@ variable "vmseries_image" {
 To get a list of available official images, please run the following command:
 `gcloud compute images list --filter="family ~ vmseries" --project paloaltonetworksgcp-public --no-standard-images`
 EOF
- default = "vmseries-flex-byol-1029h1"
+ default = "vmseries-flex-byol-10210h9"
 type = string
 }