From f374555873a38ecc3c3537075a9c20b8175290d0 Mon Sep 17 00:00:00 2001 From: Alp Eren Kose Date: Mon, 14 Aug 2023 19:03:23 +0300 Subject: [PATCH] feat(examples/common_vmseries_and_autoscale): example for SWFW Hub (#299) --- examples/common_vmseries/main.tf | 1 - .../common_vmseries_and_autoscale/Makefile | 32 ++ .../common_vmseries_and_autoscale/README.md | 211 ++++++++++ .../example.tfvars | 243 ++++++++++++ .../common_vmseries_and_autoscale/main.tf | 239 ++++++++++++ .../common_vmseries_and_autoscale/outputs.tf | 21 + .../variables.tf | 362 ++++++++++++++++++ .../common_vmseries_and_autoscale/versions.tf | 30 ++ examples/dedicated_vmseries/main.tf | 1 - .../README.md | 2 +- .../example.tfvars | 4 +- .../dedicated_vmseries_and_autoscale/main.tf | 1 - .../variables.tf | 2 +- examples/standalone_vmseries/main.tf | 1 - 14 files changed, 1142 insertions(+), 8 deletions(-) create mode 100644 examples/common_vmseries_and_autoscale/Makefile create mode 100644 examples/common_vmseries_and_autoscale/README.md create mode 100644 examples/common_vmseries_and_autoscale/example.tfvars create mode 100644 examples/common_vmseries_and_autoscale/main.tf create mode 100644 examples/common_vmseries_and_autoscale/outputs.tf create mode 100644 examples/common_vmseries_and_autoscale/variables.tf create mode 100644 examples/common_vmseries_and_autoscale/versions.tf diff --git a/examples/common_vmseries/main.tf b/examples/common_vmseries/main.tf index 0a532330..0622f08d 100644 --- a/examples/common_vmseries/main.tf +++ b/examples/common_vmseries/main.tf @@ -115,7 +115,6 @@ module "load_balancer" { subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null) in_rules = try(v.in_rules, {}) out_rules = try(v.out_rules, {}) - zones = var.enable_zones ? try(v.zones, null) : null # For the regions without AZ support. } } diff --git a/examples/common_vmseries_and_autoscale/Makefile b/examples/common_vmseries_and_autoscale/Makefile new file mode 100644 index 00000000..b0a5fc36 --- /dev/null +++ b/examples/common_vmseries_and_autoscale/Makefile @@ -0,0 +1,32 @@ +init: + @../../makefile.sh init + +prep_vars: check_uuid + @if [ ! -f ghci.tfvars ]; then sed -E "s/example-/${PREFIX}/g;s/^resource_group_name.*/resource_group_name = \"${RG}\"/g" example.tfvars > ghci.tfvars; fi + +validate: + @../../makefile.sh validate + +plan: init prep_vars + @../../makefile.sh plan + +apply: init prep_vars + @../../makefile.sh apply + +idempotence: + @../../makefile.sh idempotence + +destroy: + @../../makefile.sh destroy + @rm ghci.tfvars + +check_uuid: +ifndef UUID + $(info Missing UUID, generate one for yourself using command:) + $(info export UUID=$$(uuidgen | tr '[:upper:]' '[:lower:]')) + $(error ) +else +RG := $(shell echo ${UUID} | cut -d '-' -f 1,5) +PREFIX := ghci$(shell echo ${UUID} | cut -d '-' -f 2)- +STORAGE := $(shell echo ${UUID} | cut -d '-' -f 2,3,4 | tr -d '-') +endif \ No newline at end of file diff --git a/examples/common_vmseries_and_autoscale/README.md b/examples/common_vmseries_and_autoscale/README.md new file mode 100644 index 00000000..f7ddfad8 --- /dev/null +++ b/examples/common_vmseries_and_autoscale/README.md @@ -0,0 +1,211 @@ +--- +short_title: Common Firewall Option with Autoscaling +type: refarch +show_in_hub: false +--- +# Reference Architecture with Terraform: VM-Series in Azure, Centralized Architecture, Common NGFW Option with Autoscaling + +Palo Alto Networks produces several [validated reference architecture design and deployment documentation guides](https://www.paloaltonetworks.com/resources/reference-architectures), which describe well-architected and tested deployments. When deploying VM-Series in a public cloud, the reference architectures guide users toward the best security outcomes, whilst reducing rollout time and avoiding common integration efforts. +The Terraform code presented here will deploy Palo Alto Networks VM-Series firewalls in Azure based on a centralized design with common VM-Series with autoscaling(Virtual Machine Scale Sets); for a discussion of other options, please see the design guide from [the reference architecture guides](https://www.paloaltonetworks.com/resources/reference-architectures). + +Virtual Machine Scale Sets (VMSS) are used for autoscaling to run the Next Generation Firewalls, with custom data plane oriented metrics published by PanOS it is possible to adjust the number of firewall appliances to the current workload (data plane utilization). Since firewalls are added or removed automatically, they cannot be managed in a classic way. To ease licensing, management and updates a Panorama appliance is suggested. Deployment of a Panorama instance is not covered in this example, but a [dedicated one exists](../standalone_panorama/README.md). + +## Reference Architecture Design + +![simple](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/assets/6574404/a7c2452d-f926-49da-bf21-9d840282a0a2) + +This code implements: +- a _centralized design_, a hub-and-spoke topology with a Transit VNet containing VM-Series to inspect all inbound, outbound, east-west, and enterprise traffic +- the _common option_, which routes all traffic flows onto a single set of VM-Series +- _auto scaling_ for the VM-Series, where a Virtual Machine Scale Set (VMSS) is used to provision VM-Series that will scale in and out dynamically, as workload demands fluctuate + +## Detailed Architecture and Design + +### Centralized Design + +This design uses a Transit VNet. Application functions and resources are deployed across multiple VNets that are connected in a hub-and-spoke topology. The hub of the topology, or transit VNet, is the central point of connectivity for all inbound, outbound, east-west, and enterprise traffic. You deploy all VM-Series firewalls within the transit VNet. + +### Common Option + +The common firewall option leverages a single set of VM-Series firewalls. The sole set of firewalls operates as a shared resource and may present scale limitations with all traffic flowing through a single set of firewalls due to the performance degradation that occurs when traffic crosses virtual routers. This option is suitable for smaller scale deployments because inbound and outbound traffic flows occur on the same set of firewalls. However, the technical integration complexity is high. + +![Common-VMSeries-with-autoscaling](https://github.com/PaloAltoNetworks/terraform-azurerm-vmseries-modules/assets/6500664/4594683f-546c-4dc2-a4ea-cc211377bea8) + +This reference architecture consists of: + +* a VNET containing: + * 4 subnets: + * 3 of them dedicated to the firewalls: management, private and public + * one dedicated to an Application Gateway + * Route Tables and Network Security Groups +* 1 Virtual Machine Scale set: + * deployed across availability zones + * for inbound, outbound and east-west traffic + * with 3 network interfaces: management, public, private + * with public IP addresses assigned to: + * management interface + * public interface - due to use of a public Load Balancer this public IP is used mainly for outgoing traffic +* 2 Load Balancers: + * public - with a public IP address assigned, in front of the public interfaces of the firewalls in VMSS, for incoming traffic + * private - in front of the private interfaces of the firewalls in VMSS, for outgoing and east-west traffic +* an Application Insights, used to store the custom PanOS metrics sent from firewalls in scale set +* an Application Gateway, serving as a reverse proxy for incoming traffic, with a sample rule setting the XFF header properly + +_DISCLAIMER_ - Public IP addresses are assigned to management interfaces in this example in order to simplify the deployment. With a private Panorama connectivity in place and Panorama Software Firewall License plugin you can bootstrap the firewalls without public IPs assigned to the management interfaces. You should also enable [Automatically push content when software device registers to Panorama](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/panorama-features/automatic-content-push-for-vm-series-and-cn-series-firewalls) on the template stack and [schedule content updates using Panorama](https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama). Alternatively content updates can be configured to be fetched via data plane interfaces with service routes. + +### Auto Scaling VM-Series + +Auto scaling: Public-cloud environments focus on scaling out a deployment instead of scaling up. This architectural difference stems primarily from the capability of public-cloud environments to dynamically increase or decrease the number of resources allocated to your environment. Using native Azure services like Virtual Machine Scale Sets (VMSS), Application Insights and VM-Series automation features, the guide implements VM-Series that will scale in and out dynamically, as your protected workload demands fluctuate. The VM-Series firewalls are deployed in a Virtual Machine Scale Set for inbound and outbound/east-west firewalls in common option, and are automatically registered to Azure Load Balancers. + +## Prerequisites + +A list of requirements might vary depending on the platform used to deploy the infrastructure but a minimum one includes: + +* (in case of non cloud shell deployment) credentials and (optionally) tools required to authenticate against Azure Cloud, see [AzureRM provider documentation for details](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure) +* [supported](#requirements) version of [`Terraform`]() +* if you have not run Palo Alto NGFW images in a subscription it might be necessary to accept the license first ([see this note](../../modules/vmseries/README.md#accept-azure-marketplace-terms)) + +A non-platform requirement would be a running Panorama instance. For full automation you might want to consider the following requirements: + +* a template and a template stack with `DAY0` configuration +* a device group with security configuration (`DAY1` [iron skillet](https://github.com/PaloAltoNetworks/iron-skillet) for example) + any security and NAT rules of your choice +* a [Panorama Software Firewall License](https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/license-the-vm-series-firewall/use-panorama-based-software-firewall-license-management) plugin to automatically manage licenses on newly created devices +* a [VM-Series](https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-plugins/plugins-types/install-the-vm-series-plugin-on-panorama) plugin to enable additional template options (custom metrics) + +**NOTE:** + +* after the deployment the firewalls remain not configured and not licensed. +* this example contains some **files** that **can contain sensitive data**. Keep in mind that **this code** is **only an example**. It's main purpose is to introduce the Terraform modules. + +## Usage + +### Deployment Steps + +* checkout the code locally (if you haven't done so yet) +* copy the [`example.tfvars`](./example.tfvars) file, rename it to `terraform.tfvars` and adjust it to your needs (take a closer look at the `TODO` markers). If you already have a configured Panorama (with at least minimum configuration described above) you might want to also adjust the `bootstrap_options` for the scale set ([common](./example.tfvars#L205) . +* (optional) authenticate to AzureRM, switch to the Subscription of your choice if necessary +* initialize the Terraform module: + + terraform init + +* (optional) plan you infrastructure to see what will be actually deployed: + + terraform plan + +* deploy the infrastructure (you will have to confirm it with typing in `yes`): + + terraform apply + + The deployment takes couple of minutes. Observe the output. At the end you should see a summary similar to this: + + Apply complete! Resources: 43 added, 0 changed, 0 destroyed. + + Outputs: + + lb_frontend_ips = { + "private" = { + "ha-ports" = "1.2.3.4" + } + "public" = { + "palo-lb-app1-pip" = "1.2.3.4" + } + } + metrics_instrumentation_keys = + password = + username = "panadmin" + +* at this stage you have to wait couple of minutes for the firewalls to bootstrap. + +### Post deploy + +The most important post-deployment action is (for deployments with auto scaling and Panorama) to retrieve the Application Insights instrumentation keys. This can be done by looking up the AI resources in the Azure portal, or directly from Terraform outputs: + +```sh +terraform output metrics_instrumentation_keys +``` + +The retrieved keys should be put into appropriate templates in Panorama and pushed to the devices. From this moment on, custom metrics are being sent to Application Insights and retrieved by the Virtual Machine Scale Set to trigger scale-in and scale-out operations. + +Although firewalls in a Scale Set are not meant to be managed directly, they are still configured with password authentication. To retrieve the initial credentials run: + +* for username: + + terraform output username + +* for password: + + terraform output password + +### Cleanup + +To remove the deployed infrastructure run: + +```sh +terraform destroy +``` + +## Reference + +### Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.2, < 2.0 | + +### Providers + +| Name | Version | +|------|---------| +| [random](#provider\_random) | n/a | +| [azurerm](#provider\_azurerm) | n/a | + +### Modules + +| Name | Source | Version | +|------|--------|---------| +| [vnet](#module\_vnet) | ../../modules/vnet | n/a | +| [natgw](#module\_natgw) | ../../modules/natgw | n/a | +| [load\_balancer](#module\_load\_balancer) | ../../modules/loadbalancer | n/a | +| [ai](#module\_ai) | ../../modules/application_insights | n/a | +| [appgw](#module\_appgw) | ../../modules/appgw | n/a | +| [vmss](#module\_vmss) | ../../modules/vmss | n/a | + +### Resources + +| Name | Type | +|------|------| +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource | +| [random_password.this](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/password) | resource | +| [azurerm_resource_group.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/resource_group) | data source | + +### Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [tags](#input\_tags) | Map of tags to assign to the created resources. | `map(string)` | `{}` | no | +| [location](#input\_location) | The Azure region to use. | `string` | n/a | yes | +| [name\_prefix](#input\_name\_prefix) | A prefix that will be added to all created resources.
There is no default delimiter applied between the prefix and the resource name. Please include the delimiter in the actual prefix.

Example:
name_prefix = "test-"
NOTICE. This prefix is not applied to existing resources. If you plan to reuse i.e. a VNET please specify it's full name, even if it is also prefixed with the same value as the one in this property. | `string` | `""` | no | +| [create\_resource\_group](#input\_create\_resource\_group) | When set to `true` it will cause a Resource Group creation. Name of the newly specified RG is controlled by `resource_group_name`.
When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | Name of the Resource Group. | `string` | n/a | yes | +| [enable\_zones](#input\_enable\_zones) | If `true`, enable zone support for resources. | `bool` | `true` | no | +| [vnets](#input\_vnets) | A map defining VNETs.

For detailed documentation on each property refer to [module documentation](../../modules/vnet/README.md)

- `name` : A name of a VNET.
- `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name`
- `address_space` : a list of CIDRs for VNET
- `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside

- `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets
- `subnets` : map of Subnets to create

- `network_security_groups` : map of Network Security Groups to create
- `route_tables` : map of Route Tables to create. | `any` | n/a | yes | +| [natgws](#input\_natgws) | A map defining Nat Gateways.

Please note that a NatGW is a zonal resource, this means it's always placed in a zone (even when you do not specify one explicitly). Please refer to Microsoft documentation for notes on NatGW's zonal resiliency.

Following properties are supported:

- `name` : a name of the newly created NatGW.
- `create_natgw` : (default: `true`) create or source (when `false`) an existing NatGW. Created or sourced: the NatGW will be assigned to a subnet created by the `vnet` module.
- `resource_group_name : name of a Resource Group hosting the NatGW (newly create or the existing one).
- `zone` : Availability Zone in which the NatGW will be placed, when skipped AzureRM will pick a zone.
- `idle\_timeout` : connection IDLE timeout in minutes, for newly created resources
- `vnet\_key` : a name (key value) of a VNET defined in `var.vnets` that hosts a subnet this NatGW will be assigned to.
- `subnet\_keys` : a list of subnets (key values) the NatGW will be assigned to, defined in `var.vnets` for a VNET described by `vnet\_name`.
- `create\_pip` : (default: `true`) create a Public IP that will be attached to a NatGW
- `existing\_pip\_name` : when `create\_pip` is set to `false`, source and attach and existing Public IP to the NatGW
- `existing\_pip\_resource\_group\_name` : when `create\_pip` is set to `false`, name of the Resource Group hosting the existing Public IP
- `create\_pip\_prefix` : (default: `false`) create a Public IP Prefix that will be attached to the NatGW.
- `pip\_prefix\_length` : length of the newly created Public IP Prefix, can bet between 0 and 31 but this actually supported value depends on the Subscription.
- `existing\_pip\_prefix\_name` : when `create\_pip\_prefix` is set to `false`, source and attach and existing Public IP Prefix to the NatGW
- `existing\_pip\_prefix\_resource\_group\_name` : when `create\_pip\_prefix` is set to `false`, name of the Resource Group hosting the existing Public IP Prefix.

Example:
`
natgws = {
"natgw" = {
name = "public-natgw"
vnet_key = "transit-vnet"
subnet_keys = ["public"]
zone = 1
}
}
| `any` | `{}` | no | +| [load\_balancers](#input\_load\_balancers) | A map containing configuration for all (private and public) Load Balancer that will be created in this deployment.

Following properties are available (for details refer to module's documentation):

- `name`: name of the Load Balancer resource.
- `network_security_group_name`: (public LB) a name of a security group, an ingress rule will be created in that NSG for each listener. **NOTE** this is the FULL NAME of the NSG (including prefixes).
- `network_security_group_rg_name`: (public LB) a name of a resource group for the security group, to be used when the NSG is hosted in a different RG than the one described in `var.resource_group_name`.
- `network_security_allow_source_ips`: (public LB) a list of IP addresses that will used in the ingress rules.
- `avzones`: (both) for regional Load Balancers, a list of supported zones (this has different meaning for public and private LBs - please refer to module's documentation for details).
- `frontend_ips`: (both) a map configuring both a listener and a load balancing rule, key is the name that will be used as an application name inside LB config as well as to create a rule in NSG (for public LBs), value is an object with the following properties:
- `create_public_ip`: (public LB) defaults to `false`, when set to `true` a Public IP will be created and associated with a listener
- `public_ip_name`: (public LB) defaults to `null`, when `create_public_ip` is set to `false` this property is used to reference an existing Public IP object in Azure
- `public_ip_resource_group`: (public LB) defaults to `null`, when using an existing Public IP created in a different Resource Group than the currently used use this property is to provide the name of that RG
- `private_ip_address`: (private LB) defaults to `null`, specify a static IP address that will be used by a listener
- `vnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a vnet's key (as defined in `vnet` variable). This will be the VNET hosting this Load Balancer
- `subnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a subnet's key (as defined in `vnet` variable) to which the LB will be attached, in case of VMSeries this should be a internal/trust subnet
- `rules` - a map configuring the actual rules load balancing rules, a key is a rule name, a value is an object with the following properties:
- `protocol`: protocol used by the rule, can be one the following: `TCP`, `UDP` or `All` when creating an HA PORTS rule
- `port`: port used by the rule, for HA PORTS rule set this to `0`

Example of a public Load Balancer:
"public_lb" = {
name = "https_app_lb"
network_security_group_name = "untrust_nsg"
network_security_allow_source_ips = ["1.2.3.4"]
avzones = ["1", "2", "3"]
frontend_ips = {
"https_app_1" = {
create_public_ip = true
rules = {
"balanceHttps" = {
protocol = "Tcp"
port = 443
}
}
}
}
}
Example of a private Load Balancer with HA PORTS rule:
"private_lb" = {
name = "ha_ports_internal_lb
frontend_ips = {
"ha-ports" = {
vnet_key = "trust_vnet"
subnet_key = "trust_snet"
private_ip_address = "10.0.0.1"
rules = {
HA_PORTS = {
port = 0
protocol = "All"
}
}
}
}
}
| `map` | `{}` | no | +| [application\_insights](#input\_application\_insights) | A map defining Azure Application Insights. There are three ways to use this variable:

* when the value is set to `null` (default) no AI is created
* when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key
* when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name.

Names for all AI instances are prefixed with `var.name_prefix`.

Properties supported (for details on each property see [modules documentation](../../modules/application\_insights/README.md)):

- `name` : (optional, string) a name of a single AI instance
- `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated)
- `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode
- `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details
- `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details

Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year:
vmseries = {
'vm-1' = {
....
}
'vm-2' = {
....
}
}

application_insights = {
metrics_retention_in_days = 365
}
| `map(string)` | `null` | no | +| [vmseries\_version](#input\_vmseries\_version) | VM-Series PAN-OS version - list available with `az vm image list -o table --all --publisher paloaltonetworks`. It's also possible to specify the Pan-OS version per Scale Set, see `var.vmss` variable. | `string` | n/a | yes | +| [vmseries\_vm\_size](#input\_vmseries\_vm\_size) | Azure VM size (type) to be created. Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. It's also possible to specify the the VM size per Scale Set, see `var.vmss` variable. | `string` | n/a | yes | +| [vmseries\_sku](#input\_vmseries\_sku) | VM-Series SKU - list available with `az vm image list -o table --all --publisher paloaltonetworks` | `string` | `"byol"` | no | +| [vmseries\_username](#input\_vmseries\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no | +| [vmseries\_password](#input\_vmseries\_password) | Initial administrative password to use for all systems. Set to null for an auto-generated password. | `string` | `null` | no | +| [vmss](#input\_vmss) | A map defining all Virtual Machine Scale Sets.

For detailed documentation on how to configure this resource, for available properties, especially for the defaults refer to [module documentation](../../modules/vmss/README.md)

Following properties are available:
- `name` : (string\|required) name of the Virtual Machine Scale Set.
- `vm_size` : size of the VMSeries virtual machines created with this Scale Set, when specified overrides `var.vmseries_vm_size`.
- `version` : PanOS version, when specified overrides `var.vmseries_version`.
- `vnet_key` : (string\|required) a key of a VNET defined in the `var.vnets` map.
- `bootstrap_options` : (string\|`''`) bootstrap options passed to every VM instance upon creation.
- `zones` : (list(string)\|`[]`) a list of Availability Zones to use for Zone redundancy
- `encryption_at_host_enabled` : (bool\|`null` - Azure defaults) should all of the disks attached to this Virtual Machine be encrypted
- `overprovision` : (bool\|`null` - module defaults) when provisioning new VM, multiple will be provisioned but the 1st one to run will be kept
- `platform_fault_domain_count` : (number\|`null` - Azure defaults) number of fault domains to use
- `proximity_placement_group_id` : (string\|`null`) ID of a proximity placement group the VMSS should be placed in
- `scale_in_policy` : (string\|`null` - Azure defaults) policy of removing VMs when scaling in
- `scale_in_force_deletion` : (bool\|`null` - module default) forces (`true`) deletion of VMs during scale in
- `single_placement_group` : (bool\|`null` - Azure defaults) limit the Scale Set to one Placement Group
- `storage_account_type` : (string\|`null` - module defaults) type of managed disk that will be used on all VMs
- `disk_encryption_set_id` : (string\|`null`) the ID of the Disk Encryption Set which should be used to encrypt this Data Disk
- `accelerated_networking` : (bool\|`null`- module defaults) enable Azure accelerated networking for all dataplane network interfaces
- `use_custom_image` : (bool\|`false`)
- `custom_image_id` : (string\|reqquired when `use_custom_image` is `true`) absolute ID of your own Custom Image to be used for creating new VM-Series
- `application_insights_id` : (string\|`null`) ID of Application Insights instance that should be used to provide metrics for autoscaling
- `interfaces` : (list(string)\|`[]`) configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available:
- `name` : (string\|required) string that will form the NIC name
- `subnet_key` : (string\|required) a key of a subnet as defined in `var.vnets`
- `create_pip` : (bool\|`false`) flag to create Public IP for an interface, defaults to `false`
- `load_balancer_key` : (string\|`null`) key of a Load Balancer defined in the `var.loadbalancers` variable
- `application_gateway_key` : (string\|`null`) key of an Application Gateway defined in the `var.appgws`
- `pip_domain_name_label` : (string\|`null`) prefix which should be used for the Domain Name Label for each VM instance
- `autoscale_config` : (map\|`{}`) map containing basic autoscale configuration
- `count_default` : (number\|`null` - module defaults) default number or instances when autoscalling is not available
- `count_minimum` : (number\|`null` - module defaults) minimum number of instances to reach when scaling in
- `count_maximum` : (number\|`null` - module defaults) maximum number of instances when scaling out
- `notification_emails` : (list(string)\|`null` - module defaults) a list of e-mail addresses to notify about scaling events
- `autoscale_metrics` : (map\|`{}`) metrics and thresholds used to trigger scaling events, see module documentation for details
- `scaleout_config` : (map\|`{}`) scale out configuration, for details see module documentation
- `statistic` : (string\|`null` - module defaults) aggregation method for statistics coming from different VMs
- `time_aggregation` : (string\|`null` - module defaults) aggregation method applied to statistics in time window
- `window_minutes` : (string\|`null` - module defaults) time windows used to analyze statistics
- `cooldown_minutes` : (string\|`null` - module defaults) time to wait after a scaling event before analyzing the statistics again
- `scalein_config` : (map\|`{}`) scale in configuration, same properties supported as for `scaleout_config`

Example, no auto scaling:
{
"vmss" = {
name = "ngfw-vmss"
vnet_key = "transit"
bootstrap_options = "type=dhcp-client"

interfaces = [
{
name = "management"
subnet_key = "management"
},
{
name = "private"
subnet_key = "private"
},
{
name = "public"
subnet_key = "public"
load_balancer_key = "public"
application_gateway_key = "public"
}
]
}
| `any` | `{}` | no | +| [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.

For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](../../modules/appgw/README.md).

Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no | + +### Outputs + +| Name | Description | +|------|-------------| +| [username](#output\_username) | Initial administrative username to use for VM-Series. | +| [password](#output\_password) | Initial administrative password to use for VM-Series. | +| [metrics\_instrumentation\_keys](#output\_metrics\_instrumentation\_keys) | The Instrumentation Key of the created instance(s) of Azure Application Insights. | +| [lb\_frontend\_ips](#output\_lb\_frontend\_ips) | IP Addresses of the load balancers. | + diff --git a/examples/common_vmseries_and_autoscale/example.tfvars b/examples/common_vmseries_and_autoscale/example.tfvars new file mode 100644 index 00000000..d04d9a14 --- /dev/null +++ b/examples/common_vmseries_and_autoscale/example.tfvars @@ -0,0 +1,243 @@ +# --- GENERAL --- # +location = "North Europe" +resource_group_name = "autoscale-common" +name_prefix = "example-" +tags = { + "CreatedBy" = "Palo Alto Networks" + "CreatedWith" = "Terraform" +} +enable_zones = true + +# --- VNET PART --- # +vnets = { + "transit" = { + name = "transit" + address_space = ["10.0.0.0/25"] + network_security_groups = { + "management" = { + name = "mgmt-nsg" + rules = { + vmseries_mgmt_allow_inbound = { + priority = 100 + direction = "Inbound" + access = "Allow" + protocol = "Tcp" + source_address_prefixes = ["1.2.3.4"] # TODO: whitelist public IP addresses that will be used to manage the appliances + source_port_range = "*" + destination_address_prefix = "10.0.0.0/28" + destination_port_ranges = ["22", "443"] + } + } + } + "public" = { + name = "public-nsg" + } + } + route_tables = { + "management" = { + name = "mgmt-rt" + routes = { + "private_blackhole" = { + address_prefix = "10.0.0.16/28" + next_hop_type = "None" + } + "public_blackhole" = { + address_prefix = "10.0.0.32/28" + next_hop_type = "None" + } + "appgw_blackhole" = { + address_prefix = "10.0.0.48/28" + next_hop_type = "None" + } + } + } + "private" = { + name = "private-rt" + routes = { + "default" = { + address_prefix = "0.0.0.0/0" + next_hop_type = "VirtualAppliance" + next_hop_in_ip_address = "10.0.0.30" + } + "mgmt_blackhole" = { + address_prefix = "10.0.0.0/28" + next_hop_type = "None" + } + "public_blackhole" = { + address_prefix = "10.0.0.32/28" + next_hop_type = "None" + } + "appgw_blackhole" = { + address_prefix = "10.0.0.48/28" + next_hop_type = "None" + } + } + } + "public" = { + name = "public-rt" + routes = { + "mgmt_blackhole" = { + address_prefix = "10.0.0.0/28" + next_hop_type = "None" + } + "private_blackhole" = { + address_prefix = "10.0.0.16/28" + next_hop_type = "None" + } + } + } + } + subnets = { + "management" = { + name = "mgmt-snet" + address_prefixes = ["10.0.0.0/28"] + network_security_group = "management" + route_table = "management" + enable_storage_service_endpoint = true + } + "private" = { + name = "private-snet" + address_prefixes = ["10.0.0.16/28"] + route_table = "private" + } + "public" = { + name = "public-snet" + address_prefixes = ["10.0.0.32/28"] + network_security_group = "public" + route_table = "public" + } + "appgw" = { + name = "appgw-snet" + address_prefixes = ["10.0.0.48/28"] + } + } + } +} + + +# --- LOAD BALANCING PART --- # +load_balancers = { + "public" = { + name = "public-lb" + network_security_group_name = "example-public-nsg" + network_security_allow_source_ips = [ + # "x.x.x.x", # Put your own public IP address here <-- TODO to be adjusted by the customer + "0.0.0.0/0", + ] + avzones = ["1", "2", "3"] + + frontend_ips = { + "palo-lb-app1-pip" = { + create_public_ip = true + in_rules = { + "balanceHttp" = { + protocol = "Tcp" + port = 80 + } + } + } + } + } + "private" = { + name = "private-lb" + avzones = ["1", "2", "3"] + + frontend_ips = { + "ha-ports" = { + vnet_key = "transit" + subnet_key = "private" + private_ip_address = "10.0.0.30" + in_rules = { + HA_PORTS = { + port = 0 + protocol = "All" + } + } + } + } + } +} + +appgws = { + "public" = { + name = "public-appgw" + vnet_key = "transit" + subnet_key = "appgw" + zones = ["1", "2", "3"] + capacity = 2 + rules = { + "minimum" = { + priority = 1 + listener = { + port = 80 + } + rewrite_sets = { + "xff-strip-port" = { + sequence = 100 + request_headers = { + "X-Forwarded-For" = "{var_add_x_forwarded_for_proxy}" + } + } + } + } + } + } +} + + + +# --- VMSERIES PART --- # +application_insights = {} + +vmseries_version = "10.2.3" +vmseries_vm_size = "Standard_DS3_v2" +vmss = { + "common" = { + name = "common-vmss" + vnet_key = "transit" + zones = ["1", "2", "3"] + bootstrap_options = "type=dhcp-client" + + interfaces = [ + { + name = "management" + subnet_key = "management" + create_pip = true # see disclaimer on README for details + }, + { + name = "private" + subnet_key = "private" + load_balancer_key = "private" + }, + { + name = "public" + subnet_key = "public" + load_balancer_key = "public" + application_gateway_key = "public" + create_pip = true + } + ] + + autoscale_config = { + count_default = 2 + count_minimum = 1 + count_maximum = 3 + } + autoscale_metrics = { + "DataPlaneCPUUtilizationPct" = { + scaleout_threshold = 80 + scalein_threshold = 20 + } + } + scaleout_config = { + statistic = "Average" + time_aggregation = "Average" + window_minutes = 10 + cooldown_minutes = 30 + } + scalein_config = { + window_minutes = 10 + cooldown_minutes = 300 + } + } +} diff --git a/examples/common_vmseries_and_autoscale/main.tf b/examples/common_vmseries_and_autoscale/main.tf new file mode 100644 index 00000000..b11ce7e9 --- /dev/null +++ b/examples/common_vmseries_and_autoscale/main.tf @@ -0,0 +1,239 @@ +# Generate a random password. +resource "random_password" "this" { + count = var.vmseries_password == null ? 1 : 0 + + length = 16 + min_lower = 16 - 4 + min_numeric = 1 + min_special = 1 + min_upper = 1 + override_special = "_%@" +} + +locals { + vmseries_password = coalesce(var.vmseries_password, try(random_password.this[0].result, null)) + disable_password_authentication = local.vmseries_password == null ? true : false +} + +# Create or source the Resource Group. +resource "azurerm_resource_group" "this" { + count = var.create_resource_group ? 1 : 0 + name = "${var.name_prefix}${var.resource_group_name}" + location = var.location + + tags = var.tags +} + +data "azurerm_resource_group" "this" { + count = var.create_resource_group ? 0 : 1 + name = var.resource_group_name +} + +locals { + resource_group = var.create_resource_group ? azurerm_resource_group.this[0] : data.azurerm_resource_group.this[0] +} + +# Manage the network required for the topology. +module "vnet" { + source = "../../modules/vnet" + + for_each = var.vnets + + name = each.value.name + name_prefix = var.name_prefix + create_virtual_network = try(each.value.create_virtual_network, true) + resource_group_name = try(each.value.resource_group_name, local.resource_group.name) + location = var.location + + address_space = try(each.value.create_virtual_network, true) ? each.value.address_space : [] + + create_subnets = try(each.value.create_subnets, true) + subnets = each.value.subnets + + network_security_groups = try(each.value.network_security_groups, {}) + route_tables = try(each.value.route_tables, {}) + + tags = var.tags +} + +module "natgw" { + source = "../../modules/natgw" + + for_each = var.natgws + + create_natgw = try(each.value.create_natgw, true) + name = "${var.name_prefix}${each.value.name}" + resource_group_name = try(each.value.resource_group_name, local.resource_group.name) + location = var.location + zone = try(each.value.zone, null) + idle_timeout = try(each.value.idle_timeout, null) + subnet_ids = { for v in each.value.subnet_keys : v => module.vnet[each.value.vnet_key].subnet_ids[v] } + + create_pip = try(each.value.create_pip, true) + existing_pip_name = try(each.value.existing_pip_name, null) + existing_pip_resource_group_name = try(each.value.existing_pip_resource_group_name, null) + + create_pip_prefix = try(each.value.create_pip_prefix, false) + pip_prefix_length = try(each.value.create_pip_prefix, false) ? try(each.value.pip_prefix_length, null) : null + existing_pip_prefix_name = try(each.value.existing_pip_prefix_name, null) + existing_pip_prefix_resource_group_name = try(each.value.existing_pip_prefix_resource_group_name, null) + + + tags = var.tags + depends_on = [module.vnet] +} + + + +# create load balancers, both internal and external +module "load_balancer" { + source = "../../modules/loadbalancer" + + for_each = var.load_balancers + + name = "${var.name_prefix}${each.value.name}" + location = var.location + resource_group_name = local.resource_group.name + enable_zones = var.enable_zones + avzones = try(each.value.avzones, null) + + network_security_group_name = try(each.value.network_security_group_name, null) + network_security_resource_group_name = try(each.value.network_security_group_rg_name, null) + network_security_allow_source_ips = try(each.value.network_security_allow_source_ips, []) + + frontend_ips = { + for k, v in each.value.frontend_ips : k => { + create_public_ip = try(v.create_public_ip, false) + public_ip_name = try(v.public_ip_name, null) + public_ip_resource_group = try(v.public_ip_resource_group, null) + private_ip_address = try(v.private_ip_address, null) + subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null) + in_rules = try(v.in_rules, {}) + out_rules = try(v.out_rules, {}) + } + } + + tags = var.tags + depends_on = [module.vnet] +} + + +# Create the scale sets and related resources. +module "ai" { + source = "../../modules/application_insights" + + for_each = { for k, v in var.vmss : k => "${v.name}-ai" if can(v.autoscale_metrics) } + + name = "${var.name_prefix}${each.value}" + resource_group_name = local.resource_group.name + location = var.location + + workspace_mode = try(var.application_insights.workspace_mode, null) + workspace_name = try(var.application_insights.workspace_name, "${var.name_prefix}${each.key}-wrkspc") + workspace_sku = try(var.application_insights.workspace_sku, null) + metrics_retention_in_days = try(var.application_insights.metrics_retention_in_days, null) + + tags = var.tags +} + +module "appgw" { + source = "../../modules/appgw" + + for_each = var.appgws + + name = "${var.name_prefix}${each.value.name}" + resource_group_name = local.resource_group.name + location = var.location + subnet_id = module.vnet[each.value.vnet_key].subnet_ids[each.value.subnet_key] + + managed_identities = try(each.value.managed_identities, null) + waf_enabled = try(each.value.waf_enabled, false) + capacity = try(each.value.capacity, null) + capacity_min = try(each.value.capacity_min, null) + capacity_max = try(each.value.capacity_max, null) + enable_http2 = try(each.value.enable_http2, null) + zones = try(each.value.zones, null) + + rules = each.value.rules + + ssl_policy_type = try(each.value.ssl_policy_type, null) + ssl_policy_name = try(each.value.ssl_policy_name, null) + ssl_policy_min_protocol_version = try(each.value.ssl_policy_min_protocol_version, null) + ssl_policy_cipher_suites = try(each.value.ssl_policy_cipher_suites, []) + ssl_profiles = try(each.value.ssl_profiles, {}) + + tags = var.tags + depends_on = [module.vnet] +} + +module "vmss" { + source = "../../modules/vmss" + + for_each = var.vmss + + name = "${var.name_prefix}${each.value.name}" + resource_group_name = local.resource_group.name + location = var.location + + username = var.vmseries_username + password = local.vmseries_password + disable_password_authentication = local.disable_password_authentication + img_sku = var.vmseries_sku + img_version = try(each.value.version, var.vmseries_version) + vm_size = try(each.value.vm_size, var.vmseries_vm_size) + zone_balance = var.enable_zones + zones = var.enable_zones ? try(each.value.zones, null) : [] + + encryption_at_host_enabled = try(each.value.encryption_at_host_enabled, null) + overprovision = try(each.value.overprovision, null) + platform_fault_domain_count = try(each.value.platform_fault_domain_count, null) + proximity_placement_group_id = try(each.value.proximity_placement_group_id, null) + scale_in_policy = try(each.value.scale_in_policy, null) + scale_in_force_deletion = try(each.value.scale_in_force_deletion, null) + single_placement_group = try(each.value.single_placement_group, null) + storage_account_type = try(each.value.storage_account_type, null) + disk_encryption_set_id = try(each.value.disk_encryption_set_id, null) + use_custom_image = try(each.value.use_custom_image, false) + custom_image_id = try(each.value.use_custom_image, false) ? each.value.custom_image_id : null + + accelerated_networking = try(each.value.accelerated_networking, null) + interfaces = [ + for v in each.value.interfaces : { + name = v.name + subnet_id = module.vnet[each.value.vnet_key].subnet_ids[v.subnet_key] + create_pip = try(v.create_pip, false) + pip_domain_name_label = try(v.pip_domain_name_label, null) + lb_backend_pool_ids = try([module.load_balancer[v.load_balancer_key].backend_pool_id], []) + appgw_backend_pool_ids = try([module.appgw[v.application_gateway_key].backend_pool_id], []) + } + ] + + bootstrap_options = each.value.bootstrap_options + + application_insights_id = can(each.value.autoscale_metrics) ? module.ai[each.key].application_insights_id : null + + autoscale_count_default = try(each.value.autoscale_config.count_default, null) + autoscale_count_minimum = try(each.value.autoscale_config.count_minimum, null) + autoscale_count_maximum = try(each.value.autoscale_config.count_maximum, null) + autoscale_notification_emails = try(each.value.autoscale_config.notification_emails, null) + + autoscale_metrics = try(each.value.autoscale_metrics, {}) + + scaleout_statistic = try(each.value.scaleout_config.statistic, null) + scaleout_time_aggregation = try(each.value.scaleout_config.time_aggregation, null) + scaleout_window_minutes = try(each.value.scaleout_config.window_minutes, null) + scaleout_cooldown_minutes = try(each.value.scaleout_config.cooldown_minutes, null) + + scalein_statistic = try(each.value.scalein_config.statistic, null) + scalein_time_aggregation = try(each.value.scalein_config.time_aggregation, null) + scalein_window_minutes = try(each.value.scalein_config.window_minutes, null) + scalein_cooldown_minutes = try(each.value.scalein_config.cooldown_minutes, null) + + tags = var.tags + + depends_on = [ + module.ai, + module.vnet, + module.appgw + ] +} diff --git a/examples/common_vmseries_and_autoscale/outputs.tf b/examples/common_vmseries_and_autoscale/outputs.tf new file mode 100644 index 00000000..688a40da --- /dev/null +++ b/examples/common_vmseries_and_autoscale/outputs.tf @@ -0,0 +1,21 @@ +output "username" { + description = "Initial administrative username to use for VM-Series." + value = var.vmseries_username +} + +output "password" { + description = "Initial administrative password to use for VM-Series." + value = local.vmseries_password + sensitive = true +} + +output "metrics_instrumentation_keys" { + description = "The Instrumentation Key of the created instance(s) of Azure Application Insights." + value = var.application_insights != null ? { for k, v in module.ai : k => v.metrics_instrumentation_key } : null + sensitive = true +} + +output "lb_frontend_ips" { + description = "IP Addresses of the load balancers." + value = length(var.load_balancers) > 0 ? { for k, v in module.load_balancer : k => v.frontend_ip_configs } : null +} diff --git a/examples/common_vmseries_and_autoscale/variables.tf b/examples/common_vmseries_and_autoscale/variables.tf new file mode 100644 index 00000000..05a927d8 --- /dev/null +++ b/examples/common_vmseries_and_autoscale/variables.tf @@ -0,0 +1,362 @@ +### GENERAL +variable "tags" { + description = "Map of tags to assign to the created resources." + default = {} + type = map(string) +} + +variable "location" { + description = "The Azure region to use." + type = string +} + +variable "name_prefix" { + description = <<-EOF + A prefix that will be added to all created resources. + There is no default delimiter applied between the prefix and the resource name. Please include the delimiter in the actual prefix. + + Example: + ``` + name_prefix = "test-" + ``` + + NOTICE. This prefix is not applied to existing resources. If you plan to reuse i.e. a VNET please specify it's full name, even if it is also prefixed with the same value as the one in this property. + EOF + default = "" + type = string +} + +variable "create_resource_group" { + description = <<-EOF + When set to `true` it will cause a Resource Group creation. Name of the newly specified RG is controlled by `resource_group_name`. + When set to `false` the `resource_group_name` parameter is used to specify a name of an existing Resource Group. + EOF + default = true + type = bool +} + +variable "resource_group_name" { + description = "Name of the Resource Group." + type = string +} + +variable "enable_zones" { + description = "If `true`, enable zone support for resources." + default = true + type = bool +} + + + +### VNET +variable "vnets" { + description = <<-EOF + A map defining VNETs. + + For detailed documentation on each property refer to [module documentation](../../modules/vnet/README.md) + + - `name` : A name of a VNET. + - `create_virtual_network` : (default: `true`) when set to `true` will create a VNET, `false` will source an existing VNET, in both cases the name of the VNET is specified with `name` + - `address_space` : a list of CIDRs for VNET + - `resource_group_name` : (default: current RG) a name of a Resource Group in which the VNET will reside + + - `create_subnets` : (default: `true`) if true, create the Subnets inside the Virtual Network, otherwise use pre-existing subnets + - `subnets` : map of Subnets to create + + - `network_security_groups` : map of Network Security Groups to create + - `route_tables` : map of Route Tables to create. + EOF +} + +variable "natgws" { + description = <<-EOF + A map defining Nat Gateways. + + Please note that a NatGW is a zonal resource, this means it's always placed in a zone (even when you do not specify one explicitly). Please refer to Microsoft documentation for notes on NatGW's zonal resiliency. + + Following properties are supported: + + - `name` : a name of the newly created NatGW. + - `create_natgw` : (default: `true`) create or source (when `false`) an existing NatGW. Created or sourced: the NatGW will be assigned to a subnet created by the `vnet` module. + - `resource_group_name : name of a Resource Group hosting the NatGW (newly create or the existing one). + - `zone` : Availability Zone in which the NatGW will be placed, when skipped AzureRM will pick a zone. + - `idle_timeout` : connection IDLE timeout in minutes, for newly created resources + - `vnet_key` : a name (key value) of a VNET defined in `var.vnets` that hosts a subnet this NatGW will be assigned to. + - `subnet_keys` : a list of subnets (key values) the NatGW will be assigned to, defined in `var.vnets` for a VNET described by `vnet_name`. + - `create_pip` : (default: `true`) create a Public IP that will be attached to a NatGW + - `existing_pip_name` : when `create_pip` is set to `false`, source and attach and existing Public IP to the NatGW + - `existing_pip_resource_group_name` : when `create_pip` is set to `false`, name of the Resource Group hosting the existing Public IP + - `create_pip_prefix` : (default: `false`) create a Public IP Prefix that will be attached to the NatGW. + - `pip_prefix_length` : length of the newly created Public IP Prefix, can bet between 0 and 31 but this actually supported value depends on the Subscription. + - `existing_pip_prefix_name` : when `create_pip_prefix` is set to `false`, source and attach and existing Public IP Prefix to the NatGW + - `existing_pip_prefix_resource_group_name` : when `create_pip_prefix` is set to `false`, name of the Resource Group hosting the existing Public IP Prefix. + + Example: + ``` + natgws = { + "natgw" = { + name = "public-natgw" + vnet_key = "transit-vnet" + subnet_keys = ["public"] + zone = 1 + } + } + ``` + EOF + default = {} + type = any +} + + + +### Load Balancing +variable "load_balancers" { + description = <<-EOF + A map containing configuration for all (private and public) Load Balancer that will be created in this deployment. + + Following properties are available (for details refer to module's documentation): + + - `name`: name of the Load Balancer resource. + - `network_security_group_name`: (public LB) a name of a security group, an ingress rule will be created in that NSG for each listener. **NOTE** this is the FULL NAME of the NSG (including prefixes). + - `network_security_group_rg_name`: (public LB) a name of a resource group for the security group, to be used when the NSG is hosted in a different RG than the one described in `var.resource_group_name`. + - `network_security_allow_source_ips`: (public LB) a list of IP addresses that will used in the ingress rules. + - `avzones`: (both) for regional Load Balancers, a list of supported zones (this has different meaning for public and private LBs - please refer to module's documentation for details). + - `frontend_ips`: (both) a map configuring both a listener and a load balancing rule, key is the name that will be used as an application name inside LB config as well as to create a rule in NSG (for public LBs), value is an object with the following properties: + - `create_public_ip`: (public LB) defaults to `false`, when set to `true` a Public IP will be created and associated with a listener + - `public_ip_name`: (public LB) defaults to `null`, when `create_public_ip` is set to `false` this property is used to reference an existing Public IP object in Azure + - `public_ip_resource_group`: (public LB) defaults to `null`, when using an existing Public IP created in a different Resource Group than the currently used use this property is to provide the name of that RG + - `private_ip_address`: (private LB) defaults to `null`, specify a static IP address that will be used by a listener + - `vnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a vnet's key (as defined in `vnet` variable). This will be the VNET hosting this Load Balancer + - `subnet_key`: (private LB) defaults to `null`, when `private_ip_address` is set specifies a subnet's key (as defined in `vnet` variable) to which the LB will be attached, in case of VMSeries this should be a internal/trust subnet + - `rules` - a map configuring the actual rules load balancing rules, a key is a rule name, a value is an object with the following properties: + - `protocol`: protocol used by the rule, can be one the following: `TCP`, `UDP` or `All` when creating an HA PORTS rule + - `port`: port used by the rule, for HA PORTS rule set this to `0` + + Example of a public Load Balancer: + + ``` + "public_lb" = { + name = "https_app_lb" + network_security_group_name = "untrust_nsg" + network_security_allow_source_ips = ["1.2.3.4"] + avzones = ["1", "2", "3"] + frontend_ips = { + "https_app_1" = { + create_public_ip = true + rules = { + "balanceHttps" = { + protocol = "Tcp" + port = 443 + } + } + } + } + } + ``` + + Example of a private Load Balancer with HA PORTS rule: + + ``` + "private_lb" = { + name = "ha_ports_internal_lb + frontend_ips = { + "ha-ports" = { + vnet_key = "trust_vnet" + subnet_key = "trust_snet" + private_ip_address = "10.0.0.1" + rules = { + HA_PORTS = { + port = 0 + protocol = "All" + } + } + } + } + } + ``` + + EOF + default = {} +} + + +variable "application_insights" { + description = <<-EOF + A map defining Azure Application Insights. There are three ways to use this variable: + + * when the value is set to `null` (default) no AI is created + * when the value is a map containing `name` key (other keys are optional) a single AI instance will be created under the name that is the value of the `name` key + * when the value is an empty map or a map w/o the `name` key, an AI instance per each VMSeries VM will be created. All instances will share the same configuration. All instances will have names corresponding to their VM name. + + Names for all AI instances are prefixed with `var.name_prefix`. + + Properties supported (for details on each property see [modules documentation](../../modules/application_insights/README.md)): + + - `name` : (optional, string) a name of a single AI instance + - `workspace_mode` : (optional, bool) defaults to `true`, use AI Workspace mode instead of the Classical (deprecated) + - `workspace_name` : (optional, string) defaults to AI name suffixed with `-wrkspc`, name of the Log Analytics Workspace created when AI is deployed in Workspace mode + - `workspace_sku` : (optional, string) defaults to PerGB2018, SKU used by WAL, see module documentation for details + - `metrics_retention_in_days` : (optional, number) defaults to current Azure default value, see module documentation for details + + Example of an AIs created per VM, in Workspace mode, with metrics retention set to 1 year: + ``` + vmseries = { + 'vm-1' = { + .... + } + 'vm-2' = { + .... + } + } + + application_insights = { + metrics_retention_in_days = 365 + } + ``` + EOF + default = null + type = map(string) +} + + + +### GENERIC VMSERIES +variable "vmseries_version" { + description = "VM-Series PAN-OS version - list available with `az vm image list -o table --all --publisher paloaltonetworks`. It's also possible to specify the Pan-OS version per Scale Set, see `var.vmss` variable." + type = string +} + +variable "vmseries_vm_size" { + description = "Azure VM size (type) to be created. Consult the *VM-Series Deployment Guide* as only a few selected sizes are supported. It's also possible to specify the the VM size per Scale Set, see `var.vmss` variable." + type = string +} + +variable "vmseries_sku" { + description = "VM-Series SKU - list available with `az vm image list -o table --all --publisher paloaltonetworks`" + default = "byol" + type = string +} + +variable "vmseries_username" { + description = "Initial administrative username to use for all systems." + default = "panadmin" + type = string +} + +variable "vmseries_password" { + description = "Initial administrative password to use for all systems. Set to null for an auto-generated password." + default = null + type = string +} + +variable "vmss" { + description = <<-EOF + A map defining all Virtual Machine Scale Sets. + + For detailed documentation on how to configure this resource, for available properties, especially for the defaults refer to [module documentation](../../modules/vmss/README.md) + + Following properties are available: + - `name` : (string|required) name of the Virtual Machine Scale Set. + - `vm_size` : size of the VMSeries virtual machines created with this Scale Set, when specified overrides `var.vmseries_vm_size`. + - `version` : PanOS version, when specified overrides `var.vmseries_version`. + - `vnet_key` : (string|required) a key of a VNET defined in the `var.vnets` map. + - `bootstrap_options` : (string|`''`) bootstrap options passed to every VM instance upon creation. + - `zones` : (list(string)|`[]`) a list of Availability Zones to use for Zone redundancy + - `encryption_at_host_enabled` : (bool|`null` - Azure defaults) should all of the disks attached to this Virtual Machine be encrypted + - `overprovision` : (bool|`null` - module defaults) when provisioning new VM, multiple will be provisioned but the 1st one to run will be kept + - `platform_fault_domain_count` : (number|`null` - Azure defaults) number of fault domains to use + - `proximity_placement_group_id` : (string|`null`) ID of a proximity placement group the VMSS should be placed in + - `scale_in_policy` : (string|`null` - Azure defaults) policy of removing VMs when scaling in + - `scale_in_force_deletion` : (bool|`null` - module default) forces (`true`) deletion of VMs during scale in + - `single_placement_group` : (bool|`null` - Azure defaults) limit the Scale Set to one Placement Group + - `storage_account_type` : (string|`null` - module defaults) type of managed disk that will be used on all VMs + - `disk_encryption_set_id` : (string|`null`) the ID of the Disk Encryption Set which should be used to encrypt this Data Disk + - `accelerated_networking` : (bool|`null`- module defaults) enable Azure accelerated networking for all dataplane network interfaces + - `use_custom_image` : (bool|`false`) + - `custom_image_id` : (string|reqquired when `use_custom_image` is `true`) absolute ID of your own Custom Image to be used for creating new VM-Series + - `application_insights_id` : (string|`null`) ID of Application Insights instance that should be used to provide metrics for autoscaling + - `interfaces` : (list(string)|`[]`) configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available: + - `name` : (string|required) string that will form the NIC name + - `subnet_key` : (string|required) a key of a subnet as defined in `var.vnets` + - `create_pip` : (bool|`false`) flag to create Public IP for an interface, defaults to `false` + - `load_balancer_key` : (string|`null`) key of a Load Balancer defined in the `var.loadbalancers` variable + - `application_gateway_key` : (string|`null`) key of an Application Gateway defined in the `var.appgws` + - `pip_domain_name_label` : (string|`null`) prefix which should be used for the Domain Name Label for each VM instance + - `autoscale_config` : (map|`{}`) map containing basic autoscale configuration + - `count_default` : (number|`null` - module defaults) default number or instances when autoscalling is not available + - `count_minimum` : (number|`null` - module defaults) minimum number of instances to reach when scaling in + - `count_maximum` : (number|`null` - module defaults) maximum number of instances when scaling out + - `notification_emails` : (list(string)|`null` - module defaults) a list of e-mail addresses to notify about scaling events + - `autoscale_metrics` : (map|`{}`) metrics and thresholds used to trigger scaling events, see module documentation for details + - `scaleout_config` : (map|`{}`) scale out configuration, for details see module documentation + - `statistic` : (string|`null` - module defaults) aggregation method for statistics coming from different VMs + - `time_aggregation` : (string|`null` - module defaults) aggregation method applied to statistics in time window + - `window_minutes` : (string|`null` - module defaults) time windows used to analyze statistics + - `cooldown_minutes` : (string|`null` - module defaults) time to wait after a scaling event before analyzing the statistics again + - `scalein_config` : (map|`{}`) scale in configuration, same properties supported as for `scaleout_config` + + Example, no auto scaling: + + ``` + { + "vmss" = { + name = "ngfw-vmss" + vnet_key = "transit" + bootstrap_options = "type=dhcp-client" + + interfaces = [ + { + name = "management" + subnet_key = "management" + }, + { + name = "private" + subnet_key = "private" + }, + { + name = "public" + subnet_key = "public" + load_balancer_key = "public" + application_gateway_key = "public" + } + ] + } + ``` + + EOF + default = {} + type = any +} + + + +# Application Gateway +variable "appgws" { + description = <<-EOF + A map defining all Application Gateways in the current deployment. + + For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](../../modules/appgw/README.md). + + Following properties are supported: + - `name` : name of the Application Gateway. + - `vnet_key` : a key of a VNET defined in the `var.vnets` map. + - `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2. + - `vnet_key` : a key of a VNET defined in the `var.vnets` map. + - `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2. + - `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW. + - `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`) + - `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity + - `capacity_max` : (optional) maximum capacity for autoscaling + - `enable_http2` : enable HTTP2 support on the Application Gateway + - `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false` + - `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property. + - `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault + - `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined` + - `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined` + - `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom` + - `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom` + - `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property + + EOF + default = {} +} diff --git a/examples/common_vmseries_and_autoscale/versions.tf b/examples/common_vmseries_and_autoscale/versions.tf new file mode 100644 index 00000000..1f99597c --- /dev/null +++ b/examples/common_vmseries_and_autoscale/versions.tf @@ -0,0 +1,30 @@ +terraform { + required_version = ">= 1.2, < 2.0" + required_providers { + azurerm = { + source = "hashicorp/azurerm" + } + random = { + source = "hashicorp/random" + } + } +} + +provider "azurerm" { + features { + virtual_machine_scale_set { + # Make upgrade_policy_mode = "Manual" actually work. On a default setting: + # The image version or the user data cannot be modified on a scale set. Despite the Upgrade Mode being "Manual", + # each vm is rebooted in a rolling-like manner. The health probe is not used and the rolling-like reboot does not + # have any "cooldown" time. The impact is that for about 5 minutes the freshly rebooted VM-Series is not able to + # handle the load. With 3 VMs it is a degradation, but with 2 VMs it would be a loss of production traffic. + # Tests show one VM down while another "running" VM cannot even accept SSH management traffic for many more + # minutes, because contrary to what Azure assumes it has not booted yet. + # Tested on panos 10.0.6 and azurerm provider 2.64. + roll_instances_when_required = false + } + resource_group { + prevent_deletion_if_contains_resources = false + } + } +} diff --git a/examples/dedicated_vmseries/main.tf b/examples/dedicated_vmseries/main.tf index 0a532330..0622f08d 100644 --- a/examples/dedicated_vmseries/main.tf +++ b/examples/dedicated_vmseries/main.tf @@ -115,7 +115,6 @@ module "load_balancer" { subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null) in_rules = try(v.in_rules, {}) out_rules = try(v.out_rules, {}) - zones = var.enable_zones ? try(v.zones, null) : null # For the regions without AZ support. } } diff --git a/examples/dedicated_vmseries_and_autoscale/README.md b/examples/dedicated_vmseries_and_autoscale/README.md index a95d95da..b61bdc93 100644 --- a/examples/dedicated_vmseries_and_autoscale/README.md +++ b/examples/dedicated_vmseries_and_autoscale/README.md @@ -195,7 +195,7 @@ terraform destroy | [vmseries\_sku](#input\_vmseries\_sku) | VM-Series SKU - list available with `az vm image list -o table --all --publisher paloaltonetworks` | `string` | `"byol"` | no | | [vmseries\_username](#input\_vmseries\_username) | Initial administrative username to use for all systems. | `string` | `"panadmin"` | no | | [vmseries\_password](#input\_vmseries\_password) | Initial administrative password to use for all systems. Set to null for an auto-generated password. | `string` | `null` | no | -| [vmss](#input\_vmss) | A map defining all Virtual Machine Scale Sets.

For detailed documentation on how to configure this resource, for available properties, especially for the defaults refer to [module documentation](../../modules/vmss/README.md)

Following properties are available:
- `name` : (string\|required) name of the Virtual Machine Scale Set.
- `vm_size` : size of the VMSeries virtual machines created with this Scale Set, when specified overrides `var.vmseries_vm_size`.
- `version` : PanOS version, when specified overrides `var.vmseries_version`.
- `vnet_key` : (string\|required) a key of a VNET defined in the `var.vnets` map.
- `bootstrap_options` : (string\|`''`) bootstrap options passed to every VM instance upon creation.
- `zones` : (list(string)\|`[]`) a list of Availability Zones to use for Zone redundancy
- `encryption_at_host_enabled` : (bool\|`null` - Azure defaults) should all of the disks attached to this Virtual Machine be encrypted
- `overprovision` : (bool\|`null` - module defaults) when provisioning new VM, multiple will be provisioned but the 1st one to run will be kept
- `platform_fault_domain_count` : (number\|`null` - Azure defaults) number of fault domains to use
- `proximity_placement_group_id` : (string\|`null`) ID of a proximity placement group the VMSS should be placed in
- `scale_in_policy` : (string\|`null` - Azure defaults) policy of removing VMs when scaling in
- `scale_in_force_deletion` : (bool\|`null` - module default) forces (`true`) deletion of VMs during scale in
- `single_placement_group` : (bool\|`null` - Azure defaults) limit the Scale Set to one Placement Group
- `storage_account_type` : (string\|`null` - module defaults) type of managed disk that will be used on all VMs
- `disk_encryption_set_id` : (string\|`null`) the ID of the Disk Encryption Set which should be used to encrypt this Data Disk
- `accelerated_networking` : (bool\|`null`- module defaults) enable Azure accelerated networking for all dataplane network interfaces
- `use_custom_image` : (bool\|`false`)
- `custom_image_id` : (string\|reqquired when `use_custom_image` is `true`) absolute ID of your own Custom Image to be used for creating new VM-Series
- `application_insights_id` : (string\|`null`) ID of Application Insights instance that should be used to provide metrics for autoscaling
- `interfaces` : (list(string)\|`[]`) configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available:
- `name` : (string\|required) string that will form the NIC name
- `subnet_key` : (string\|required) a key of a subnet as defined in `var.vnets`
- `create_pip` : (bool\|`false`) flag to create Public IP for an interface, defaults to `false`
- `load_balancer_key` : (string\|`null`) key of a Load Balancer defined in the `var.loadbalancers` variable
- `application_gateway_key` : (string\|`null`) key of an Application Gateway defined in the `var.appgws`
- `pip_domain_name_label` : (string\|`null`) prefix which should be used for the Domain Name Label for each VM instance
- `autoscale_config` : (map\|`{}`) map containing basic autoscale configuration
- `count_default` : (number\|`null` - module defaults) default number or instances when autoscalling is not available
- `count_minimum` : (number\|`null` - module defaults) minimum number of instances to reach when scaling in
- `count_maximum` : (number\|`null` - module defaults) maximum number of instances when scaling out
- `notification_emails` : (list(string)\|`null` - module defaults) a list of e-mail addresses to notify about scaling events
- `autoscale_metrics` : (map\|`{}`) metrics and thresholds used to trigger scaling events, see module documentation for details
- `scaleout_config` : (map\|`{}`) scale out configuration, for details see module documentation
- `statistic` : (string\|`null` - module defaults) aggregation method for statistics coming from different VMs
- `time_aggregation` : (string\|`null` - module defaults) aggregation method applied to statistics in time window
- `window_minutes` : (string\|`null` - module defaults) time windows used to analyze statistics
- `cooldown_minutes` : (string\|`null` - module defaults) time to wait after a scaling event before analyzing the statistics again
- `scalein_config` : (map\|`{}`) scale in configuration, same properties supported as for `scaleout_config`

Example, no auto scaling:
{
"vmss" = {
name = "ngfw-vmss"
vnet_key = "transit"
bootstrap_options = "type=dhcp"

interfaces = [
{
name = "management"
subnet_key = "management"
},
{
name = "private"
subnet_key = "private"
},
{
name = "public"
subnet_key = "public"
load_balancer_key = "public"
application_gateway_key = "public"
}
]
}
| `any` | `{}` | no | +| [vmss](#input\_vmss) | A map defining all Virtual Machine Scale Sets.

For detailed documentation on how to configure this resource, for available properties, especially for the defaults refer to [module documentation](../../modules/vmss/README.md)

Following properties are available:
- `name` : (string\|required) name of the Virtual Machine Scale Set.
- `vm_size` : size of the VMSeries virtual machines created with this Scale Set, when specified overrides `var.vmseries_vm_size`.
- `version` : PanOS version, when specified overrides `var.vmseries_version`.
- `vnet_key` : (string\|required) a key of a VNET defined in the `var.vnets` map.
- `bootstrap_options` : (string\|`''`) bootstrap options passed to every VM instance upon creation.
- `zones` : (list(string)\|`[]`) a list of Availability Zones to use for Zone redundancy
- `encryption_at_host_enabled` : (bool\|`null` - Azure defaults) should all of the disks attached to this Virtual Machine be encrypted
- `overprovision` : (bool\|`null` - module defaults) when provisioning new VM, multiple will be provisioned but the 1st one to run will be kept
- `platform_fault_domain_count` : (number\|`null` - Azure defaults) number of fault domains to use
- `proximity_placement_group_id` : (string\|`null`) ID of a proximity placement group the VMSS should be placed in
- `scale_in_policy` : (string\|`null` - Azure defaults) policy of removing VMs when scaling in
- `scale_in_force_deletion` : (bool\|`null` - module default) forces (`true`) deletion of VMs during scale in
- `single_placement_group` : (bool\|`null` - Azure defaults) limit the Scale Set to one Placement Group
- `storage_account_type` : (string\|`null` - module defaults) type of managed disk that will be used on all VMs
- `disk_encryption_set_id` : (string\|`null`) the ID of the Disk Encryption Set which should be used to encrypt this Data Disk
- `accelerated_networking` : (bool\|`null`- module defaults) enable Azure accelerated networking for all dataplane network interfaces
- `use_custom_image` : (bool\|`false`)
- `custom_image_id` : (string\|reqquired when `use_custom_image` is `true`) absolute ID of your own Custom Image to be used for creating new VM-Series
- `application_insights_id` : (string\|`null`) ID of Application Insights instance that should be used to provide metrics for autoscaling
- `interfaces` : (list(string)\|`[]`) configuration of all NICs assigned to a VM. A list of maps, each map is a NIC definition. Notice that the order DOES matter. NICs are attached to VMs in Azure in the order they are defined in this list, therefore the management interface has to be defined first. Following properties are available:
- `name` : (string\|required) string that will form the NIC name
- `subnet_key` : (string\|required) a key of a subnet as defined in `var.vnets`
- `create_pip` : (bool\|`false`) flag to create Public IP for an interface, defaults to `false`
- `load_balancer_key` : (string\|`null`) key of a Load Balancer defined in the `var.loadbalancers` variable
- `application_gateway_key` : (string\|`null`) key of an Application Gateway defined in the `var.appgws`
- `pip_domain_name_label` : (string\|`null`) prefix which should be used for the Domain Name Label for each VM instance
- `autoscale_config` : (map\|`{}`) map containing basic autoscale configuration
- `count_default` : (number\|`null` - module defaults) default number or instances when autoscalling is not available
- `count_minimum` : (number\|`null` - module defaults) minimum number of instances to reach when scaling in
- `count_maximum` : (number\|`null` - module defaults) maximum number of instances when scaling out
- `notification_emails` : (list(string)\|`null` - module defaults) a list of e-mail addresses to notify about scaling events
- `autoscale_metrics` : (map\|`{}`) metrics and thresholds used to trigger scaling events, see module documentation for details
- `scaleout_config` : (map\|`{}`) scale out configuration, for details see module documentation
- `statistic` : (string\|`null` - module defaults) aggregation method for statistics coming from different VMs
- `time_aggregation` : (string\|`null` - module defaults) aggregation method applied to statistics in time window
- `window_minutes` : (string\|`null` - module defaults) time windows used to analyze statistics
- `cooldown_minutes` : (string\|`null` - module defaults) time to wait after a scaling event before analyzing the statistics again
- `scalein_config` : (map\|`{}`) scale in configuration, same properties supported as for `scaleout_config`

Example, no auto scaling:
{
"vmss" = {
name = "ngfw-vmss"
vnet_key = "transit"
bootstrap_options = "type=dhcp-client"

interfaces = [
{
name = "management"
subnet_key = "management"
},
{
name = "private"
subnet_key = "private"
},
{
name = "public"
subnet_key = "public"
load_balancer_key = "public"
application_gateway_key = "public"
}
]
}
| `any` | `{}` | no | | [appgws](#input\_appgws) | A map defining all Application Gateways in the current deployment.

For detailed documentation on how to configure this resource, for available properties, especially for the defaults and the `rules` property refer to [module documentation](../../modules/appgw/README.md).

Following properties are supported:
- `name` : name of the Application Gateway.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `vnet_key` : a key of a VNET defined in the `var.vnets` map.
- `subnet_key` : a key of a subnet as defined in `var.vnets`. This has to be a subnet dedicated to Application Gateways v2.
- `zones` : for zonal deployment this is a list of all zones in a region - this property is used by both: the Application Gateway and the Public IP created in front of the AppGW.
- `capacity` : (optional) number of Application Gateway instances, not used when autoscalling is enabled (see `capacity_min`)
- `capacity_min` : (optional) when set enables autoscaling and becomes the minimum capacity
- `capacity_max` : (optional) maximum capacity for autoscaling
- `enable_http2` : enable HTTP2 support on the Application Gateway
- `waf_enabled` : (optional) enables WAF Application Gateway, defining WAF rules is not supported, defaults to `false`
- `vmseries_public_nic_name` : name of the public VMSeries interface as defined in `interfaces` property.
- `managed_identities` : (optional) a list of existing User-Assigned Managed Identities, which Application Gateway uses to retrieve certificates from Key Vault
- `ssl_policy_type` : (optional) type of an SSL policy, defaults to `Predefined`
- `ssl_policy_name` : (optional) name of an SSL policy, for `ssl_policy_type` set to `Predefined`
- `ssl_policy_min_protocol_version` : (optional) minimum version of the TLS protocol for SSL Policy, for `ssl_policy_type` set to `Custom`
- `ssl_policy_cipher_suites` : (optional) a list of accepted cipher suites, for `ssl_policy_type` set to `Custom`
- `ssl_profiles` : (optional) a map of SSL profiles that can be later on referenced in HTTPS listeners by providing a name of the profile in the `ssl_profile_name` property | `map` | `{}` | no | ### Outputs diff --git a/examples/dedicated_vmseries_and_autoscale/example.tfvars b/examples/dedicated_vmseries_and_autoscale/example.tfvars index d0f5d8b7..29c3cd6e 100644 --- a/examples/dedicated_vmseries_and_autoscale/example.tfvars +++ b/examples/dedicated_vmseries_and_autoscale/example.tfvars @@ -202,7 +202,7 @@ vmss = { "inbound" = { name = "inbound-vmss" vnet_key = "transit" - bootstrap_options = "type=dhcp" + bootstrap_options = "type=dhcp-client" interfaces = [ { @@ -246,7 +246,7 @@ vmss = { "obew" = { name = "obew-vmss" vnet_key = "transit" - bootstrap_options = "type=dhcp" + bootstrap_options = "type=dhcp-client" interfaces = [ { diff --git a/examples/dedicated_vmseries_and_autoscale/main.tf b/examples/dedicated_vmseries_and_autoscale/main.tf index f05e4d43..b11ce7e9 100644 --- a/examples/dedicated_vmseries_and_autoscale/main.tf +++ b/examples/dedicated_vmseries_and_autoscale/main.tf @@ -110,7 +110,6 @@ module "load_balancer" { subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null) in_rules = try(v.in_rules, {}) out_rules = try(v.out_rules, {}) - zones = var.enable_zones ? try(v.zones, null) : null # For the regions without AZ support. } } diff --git a/examples/dedicated_vmseries_and_autoscale/variables.tf b/examples/dedicated_vmseries_and_autoscale/variables.tf index 8e0fce41..05a927d8 100644 --- a/examples/dedicated_vmseries_and_autoscale/variables.tf +++ b/examples/dedicated_vmseries_and_autoscale/variables.tf @@ -302,7 +302,7 @@ variable "vmss" { "vmss" = { name = "ngfw-vmss" vnet_key = "transit" - bootstrap_options = "type=dhcp" + bootstrap_options = "type=dhcp-client" interfaces = [ { diff --git a/examples/standalone_vmseries/main.tf b/examples/standalone_vmseries/main.tf index 0a532330..0622f08d 100644 --- a/examples/standalone_vmseries/main.tf +++ b/examples/standalone_vmseries/main.tf @@ -115,7 +115,6 @@ module "load_balancer" { subnet_id = try(module.vnet[v.vnet_key].subnet_ids[v.subnet_key], null) in_rules = try(v.in_rules, {}) out_rules = try(v.out_rules, {}) - zones = var.enable_zones ? try(v.zones, null) : null # For the regions without AZ support. } }