2 changes: 1 addition & 1 deletion products/terraform/docs/swfw/aws/cloudngfw/modules/alb.md
Expand Up @@ -145,7 +145,7 @@ No modules.
| <a name="input_enable_cross_zone_load_balancing"></a> [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Enable load balancing between instances in different AZs. Defaults to `true`. <br/>Change to `false` only if absolutely necessary. By default, there is only one FW in each AZ. <br/>Turning this off means 1:1 correlation between a public IP assigned to an AZ and a FW deployed in that AZ. | `bool` | `true` | no |
| <a name="input_idle_timeout"></a> [idle\_timeout](#input\_idle\_timeout) | The time in seconds that the connection to the Load Balancer can be idle. | `number` | `60` | no |
| <a name="input_lb_name"></a> [lb\_name](#input\_lb\_name) | Name of the Load Balancer to be created. | `string` | n/a | yes |
| <a name="input_rules"></a> [rules](#input\_rules) | An object that contains the listener, listener\_rules, target group, and health check configuration. <br/>It consists of maps of applications with their properties, like in the following example:<pre>rules = {<br/> "application\_name" = {<br/> protocol = "communication protocol, since this is an ALB module accepted values are `HTTP` or `HTTPS`"<br/> port = "communication port, defaults to protocol's default port"<br/><br/> certificate\_arn = "(HTTPS ONLY) this is the arn of an existing certificate, this module will not create one for you"<br/> ssl\_policy = "(HTTPS ONLY) name of an ssl policy used by the Load Balancer's listener, defaults to AWS default, for available options see [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies)"<br/><br/> health\_check\_protocol = "this can be either `HTTP` or `HTTPS`, defaults to communication protocol"<br/> health\_check\_port = "port used by the target group health check, if omitted, `traffic-port` will be used (which will be the same as communication port)"<br/> health\_check\_healthy\_threshold = "number of consecutive health checks before considering target healthy, defaults to 3"<br/> health\_check\_unhealthy\_threshold = "number of consecutive health checks before considering target unhealthy, defaults to 3"<br/> health\_check\_interval = "time between each health check, between 5 and 300 seconds, defaults to 30s"<br/> health\_check\_timeout = "health check probe timeout, defaults to AWS default value"<br/> health\_check\_matcher = "response codes expected during health check, defaults to `200`"<br/> health\_check\_path = "destination used by the health check request, defaults to `/`"<br/><br/> listener\_rules = "a map of rules for a listener created for this application, see `listener\_rules` block below for more information<br/> }<br/>}</pre>The `application_name` key is valid only 
for letters, numbers and a dash (`-`) - that's an AWS limitation.<br/><br/><hr /><br/>There is always one listener created per application. The listener has always a default action that responds with `503`. This should be treated as a `catch-all` rule. For the listener to send traffic to backends a listener rule has to be created. This is controlled via the `listener_rules` map. <br/><br/>A key in this map is the priority of the listener rule. Priority can be between `1` and `50000` (AWS specifics). All properties under a particular key refer to either rule's condition(s) or the target group that should receive traffic if a rule is met. <br/><br/>Rule conditions - at least one but not more than five of: `host_headers`, `http_headers`, `http_request_method`, `path_pattern`, `query_strings` or `source_ip` has to be set. For more information on what conditions can be set for each type refer to [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule#condition-blocks).<br/><br/>Target group - keep in mind that all target group attachments are always pointing to VMSeries' public interfaces. The difference between target groups for each rule is the protocol and/or port to which the traffic is being directed. 
And these are the only properties you can configure (`target_protocol`, `protocol_version` and `target_port` respectively).<br/><br/>The `listener_rules` map presents as follows:<pre>listener\_rules = {<br/> "rule\_priority" = { # string representation of a rule's priority (number from 1 - 50000)<br/> target\_port = "port on which the target is listening for requests"<br/> target\_protocol = "target protocol, can be `HTTP` or `HTTPS`"<br/> protocol\_version = "one of `HTTP1`, `HTTP/2` or `GRPC`, defaults to `HTTP1`"<br/><br/> round\_robin = "bool, if set to true (default) the `round-robin` load balancing algorithm is used, otherwise a target attachment with least outstanding requests is chosen.<br/> <br/> host\_headers = "a list of possible host headers, case insensitive, wildcards (`*`,`?`) are supported"<br/> http\_headers = "a map of key-value pairs, where key is a name of an HTTP header and value is a list of possible values, same rules apply like for `host\_headers`"<br/> http\_request\_method = "a list of possible HTTP request methods, case sensitive (upper case only), strict matching (no wildcards)"<br/> path\_pattern = "a list of path patterns (w/o query strings), case sensitive, wildcards supported"<br/> query\_strings = "a map of key-value pairs, key is a query string key pattern and value is a query string value pattern, case insensitive, wildcards supported, it is possible to match only a value pattern (the key value should be prefixed with `nokey\_`)"<br/> source\_ip = "a list of source IP CDIR notation to match"<br/> }<br/>}</pre><hr /><br/>EXAMPLE<pre>listener\_rules = {<br/> "1" = {<br/> target\_port = 8080<br/> target\_protocol = "HTTP"<br/> host\_headers = ["public-alb-1050443040.eu-west-1.elb.amazonaws.com"]<br/> http\_headers = {<br/> "X-Forwarded-For" = ["192.168.1.*"]<br/> }<br/> http\_request\_method = ["GET"]<br/> }<br/> "99" = {<br/> host\_headers = ["www.else.org"]<br/> target\_port = 8081<br/> target\_protocol = "HTTP"<br/> path\_pattern 
= ["/", "/login.php"]<br/> query\_strings = {<br/> "lang" = "us"<br/> "nokey\_1" = "test"<br/> }<br/> source\_ip = ["10.0.0.0/8"]<br/> }<br/>}</pre> | `any` | n/a | yes |
| <a name="input_rules"></a> [rules](#input\_rules) | An object that contains the listener, listener\_rules, target group, and health check configuration. <br/>It consists of maps of applications with their properties, like in the following example:<pre>rules = {<br/> "application\_name" = {<br/> protocol = "communication protocol, since this is an ALB module accepted values are `HTTP` or `HTTPS`"<br/> port = "communication port, defaults to protocol's default port"<br/><br/> certificate\_arn = "(HTTPS ONLY) this is the arn of an existing certificate, this module will not create one for you"<br/> ssl\_policy = "(HTTPS ONLY) name of an ssl policy used by the Load Balancer's listener, defaults to AWS default, for available options see [AWS documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies)"<br/><br/> health\_check\_protocol = "this can be either `HTTP` or `HTTPS`, defaults to communication protocol"<br/> health\_check\_port = "port used by the target group health check, if omitted, `traffic-port` will be used (which will be the same as communication port)"<br/> health\_check\_healthy\_threshold = "number of consecutive health checks before considering target healthy, defaults to 3"<br/> health\_check\_unhealthy\_threshold = "number of consecutive health checks before considering target unhealthy, defaults to 3"<br/> health\_check\_interval = "time between each health check, between 5 and 300 seconds, defaults to 30s"<br/> health\_check\_timeout = "health check probe timeout, defaults to AWS default value"<br/> health\_check\_matcher = "response codes expected during health check, defaults to `200`"<br/> health\_check\_path = "destination used by the health check request, defaults to `/`"<br/><br/> listener\_rules = "a map of rules for a listener created for this application, see `listener\_rules` block below for more information<br/> }<br/>}</pre>The `application_name` key is valid only 
for letters, numbers and a dash (`-`) - that's an AWS limitation.<br/><br/><hr /><br/>There is always one listener created per application. The listener has always a default action that responds with `503`. This should be treated as a `catch-all` rule. For the listener to send traffic to backends a listener rule has to be created. This is controlled via the `listener_rules` map. <br/><br/>A key in this map is the priority of the listener rule. Priority can be between `1` and `50000` (AWS specifics). All properties under a particular key refer to either rule's condition(s) or the target group that should receive traffic if a rule is met. <br/><br/>Rule conditions - at least one but not more than five of: `host_headers`, `http_headers`, `http_request_method`, `path_pattern`, `query_strings` or `source_ip` has to be set. For more information on what conditions can be set for each type refer to [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_listener_rule#condition-blocks).<br/><br/>Target group - keep in mind that all target group attachments are always pointing to VMSeries' public interfaces. The difference between target groups for each rule is the protocol and/or port to which the traffic is being directed. 
And these are the only properties you can configure (`target_protocol`, `protocol_version` and `target_port` respectively).<br/><br/>The `listener_rules` map presents as follows:<pre>listener\_rules = {<br/> "rule\_priority" = { # string representation of a rule's priority (number from 1 - 50000)<br/> target\_port = "port on which the target is listening for requests"<br/> target\_protocol = "target protocol, can be `HTTP` or `HTTPS`"<br/> protocol\_version = "one of `HTTP1`, `HTTP/2` or `GRPC`, defaults to `HTTP1`"<br/><br/> round\_robin = "bool, if set to true (default) the `round-robin` load balancing algorithm is used, otherwise a target attachment with least outstanding requests is chosen.<br/> <br/> host\_headers = "a list of possible host headers, case insensitive, wildcards (`*`,`?`) are supported"<br/> http\_headers = "a map of key-value pairs, where key is a name of an HTTP header and value is a list of possible values, same rules apply like for `host\_headers`"<br/> http\_request\_method = "a list of possible HTTP request methods, case sensitive (upper case only), strict matching (no wildcards)"<br/> path\_pattern = "a list of path patterns (w/o query strings), case sensitive, wildcards supported"<br/> query\_strings = "a map of key-value pairs, key is a query string key pattern and value is a query string value pattern, case insensitive, wildcards supported, it is possible to match only a value pattern (the key value should be prefixed with `nokey\_`)"<br/> source\_ip = "a list of source IP CDIR notation to match"<br/> }<br/>}</pre><hr /><br/>EXAMPLE<pre>listener\_rules = {<br/> "1" = {<br/> target\_port = 8080<br/> target\_protocol = "HTTP"<br/> host\_headers = ["public-alb-1050443040.eu-west-1.elb.amazonaws.com"]<br/> http\_headers = {<br/> "X-Forwarded-For" = ["192.168.1.*"]<br/> }<br/> http\_request\_method = ["GET"]<br/> }<br/> "99" = {<br/> host\_headers = ["www.else.org"]<br/> target\_port = 8081<br/> target\_protocol = "HTTP"<br/> path\_pattern 
= ["/", "/login.php"]<br/> query\_strings = {<br/> "lang" = "us"<br/> "nokey\_1" = "test"<br/> }<br/> source\_ip = ["10.0.0.0/8"]<br/> }<br/>}</pre> | <pre>map(object({<br/> protocol = string<br/> port = number<br/> certificate\_arn = optional(string)<br/> ssl\_policy = optional(string)<br/> health\_check\_protocol = optional(string)<br/> health\_check\_port = optional(string)<br/> health\_check\_healthy\_threshold = optional(number)<br/> health\_check\_unhealthy\_threshold = optional(number)<br/> health\_check\_interval = optional(number)<br/> health\_check\_timeout = optional(number)<br/> health\_check\_matcher = optional(string, "200")<br/> health\_check\_path = optional(string, "/")<br/> listener\_rules = map(object({<br/> target\_port = number<br/> target\_protocol = string<br/> protocol\_version = optional(string)<br/> round\_robin = optional(bool, true)<br/> host\_headers = optional(list(string))<br/> http\_headers = optional(map(string))<br/> http\_request\_method = optional(list(string))<br/> path\_pattern = optional(list(string))<br/> query\_strings = optional(map(string))<br/> source\_ip = optional(list(string))<br/> }))<br/> }))</pre> | n/a | yes |
| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | A list of security group IDs to use with a Load Balancer.<br/><br/>If security groups are created with a [VPC module](../vpc) you can use output from that module like this:<pre>security\_groups = [module.vpc.security\_group\_ids["load\_balancer\_security\_group"]]</pre>For more information on the `load_balancer_security_group` key refer to the [VPC module documentation](../vpc). | `list(string)` | n/a | yes |
| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnets used with a Load Balancer. Each key is the availability zone name and the value is an object that has an attribute<br/>`id` identifying AWS subnet.<br/><br/>Examples:<br/><br/>You can define the values directly:<pre>subnets = {<br/> "us-east-1a" = { id = "snet-123007" }<br/> "us-east-1b" = { id = "snet-123008" }<br/>}</pre>You can also use output from the `subnet_sets` module:<pre>subnets = { for k, v in module.subnet\_sets["untrust"].subnets : k => { id = v.id } }</pre> | <pre>map(object({<br/> id = string<br/> }))</pre> | n/a | yes |
| <a name="input_tags"></a> [tags](#input\_tags) | Map of AWS tags to apply to all the created resources. | `map(string)` | `{}` | no |
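Review bot: in the new `listener_rules` object type, `http_headers = optional(map(string))` contradicts the unchanged description in the same row, which documents `http_headers` as "a map of key-value pairs, where key is a name of an HTTP header and value is a list of possible values", and the EXAMPLE block, which passes `"X-Forwarded-For" = ["192.168.1.*"]`; a list value cannot be converted to `string`, so that example would be rejected by the new type. Suggest `http_headers = optional(map(list(string)))` so the type, the description and the example agree (the `any` type being replaced accepted all three shapes silently, which is why this never surfaced). While touching this row, the description column still has two unterminated string values (`listener_rules = "a map of rules ...` and `round_robin = "bool, ...` lack their closing quote) and `CDIR` in the `source_ip` line should read `CIDR`.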