PaloAltoNetworks
diff --git a/‎products/terraform/docs/swfw/azure/cloudngfw/modules/name_templater.md‎
Lines changed: 2 additions & 2 deletions b/‎products/terraform/docs/swfw/azure/cloudngfw/modules/name_templater.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎products/terraform/docs/swfw/azure/cloudngfw/modules/vmseries.md‎
Lines changed: 74 additions & 35 deletions b/‎products/terraform/docs/swfw/azure/cloudngfw/modules/vmseries.md‎
Lines changed: 74 additions & 35 deletions
diff --git a/‎products/terraform/docs/swfw/azure/cloudngfw/modules/vmss.md‎
Lines changed: 50 additions & 25 deletions b/‎products/terraform/docs/swfw/azure/cloudngfw/modules/vmss.md‎
Lines changed: 50 additions & 25 deletions
@@ -61,7 +61,7 @@ As you can see:
 * the `prefix` key is just a placeholder that eventually is replaced with the value of `name_prefix`
 * the `__random__` string is replaced with a name of a [random pet](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/pet) (in case you need to randomize some name, for testing purposes for example)
 * the `__default__` string is replaced with a resource abbreviation.
-  This abbreviations are defined with `var.abbreviations` variable. The module contains basic abbreviations following Microsoft suggestions, but they can be overridden with custom definitions.
+  This abbreviations are defined with `var.abbreviations` variable. The module contains basic abbreviations following Microsoft suggestions, but they can be overriden with custom definitions.
   The important part is that the `resource_type` has to match an entry in `abbreviations` variable, otherwise the abbreviation will be replaced with an empty string.
 
 To create the actual resource name the following code can be used:
@@ -199,4 +199,4 @@ Type: map(string)
 
 Default value: `map[application_gw:agw application_insights:appi availability_set:avail bastion:bas data_disk:disk file_share:share load_balancer:lb log_analytics_workspace:log managed_identity:id nat_gw:ng network_interface:nic nsg:nsg nsg_rule:nsgsr os_disk:osdisk public_ip:pip public_ip_prefix:ippre resource_group:rg route_table:rt service_endpoint:se storage_account:st subnet:snet udr:udr virtual_machine:vm virtual_machine_scale_set:vmss virtual_network_gateway:vgw vnet:vnet vnet_peering:peer]`
 
-<sup>[back to list](#modules-optional-inputs)</sup>
+<sup>[back to list](#modules-optional-inputs)</sup>
@@ -212,7 +212,7 @@ Firewall parameters configuration.
 This map contains basic, as well as some optional Firewall parameters. Both types contain sane defaults.
 Nevertheless they should be at least reviewed to meet deployment requirements.
 
-List of either required or important properties: 
+List of either required or important properties:
 
 - `size`              - (`string`, optional, defaults to `Standard_D3_v2`) Azure VM size (type). Consult the *VM-Series
                         Deployment Guide* as only a few selected sizes are supported.
@@ -231,7 +231,7 @@ List of either required or important properties:
 
   For more details on bootstrapping [see documentation](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/create-the-init-cfgtxt-file/init-cfgtxt-file-components).
 
-List of other, optional properties: 
+List of other, optional properties:
 
 - `avset_id`                      - (`string`, optional, default to `null`) identifier of the Availability Set to use.
 - `capacity_reservation_group_id` - (`string`, optional, defaults to `null`) specifies the ID of the Capacity Reservation Group
@@ -250,7 +250,7 @@ List of other, optional properties:
 - `identity_type`                 - (`string`, optional, defaults to `SystemAssigned`) type of Managed Service Identity that
                                     should be configured on this VM. Can be one of "SystemAssigned", "UserAssigned" or
                                     "SystemAssigned, UserAssigned".
-- `identity_ids`                  - (`list`, optional, defaults to `[]`) a list of User Assigned Managed Identity IDs to be 
+- `identity_ids`                  - (`list`, optional, defaults to `[]`) a list of User Assigned Managed Identity IDs to be
                                     assigned to this VM. Required only if `identity_type` is not "SystemAssigned".
 
 
@@ -290,26 +290,30 @@ Interfaces will be attached to VM in the order you define here, therefore:
 
 - The first should be the management interface, which does not participate in data filtering.
 - The remaining ones are the dataplane interfaces.
-  
+
 Following configuration options are available:
 
 - `name`                          - (`string`, required) the interface name.
 - `subnet_id`                     - (`string`, required) ID of an existing subnet to create the interface in.
-- `ip_configuration_name`         - (`string`, optional, defaults to `primary`) the name of the interface IP configuration.
-- `private_ip_address`            - (`string`, optional, defaults to `null`) static private IP to assign to the interface. When
-                                    skipped Azure will assign one dynamically. Keep in mind that a dynamic IP is guarantied not
-                                    to change as long as the VM is running. Any stop/deallocate/restart operation might cause
-                                    the IP to change.
-- `create_public_ip`              - (`bool`, optional, defaults to `false`) if `true`, creates a public IP for the interface.
-- `public_ip_name`                - (`string`, optional, defaults to `null`) name of the public IP to associate with the
-                                    interface. When `create_public_ip` is set to `true` this will become a name of a newly
-                                    created Public IP interface. Otherwise this is a name of an existing interfaces that will
-                                    be sourced and attached to the interface. Not used when using `public_ip` module.
-- `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that
-                                    contains public IP that that will be associated with the interface. Used only when 
-                                    `create_public_ip` is `false`.
-- `public_ip_id`                  - (`string`, optional, defaults to `null`) ID of the public IP to associate with the
-                                    interface. Property is used when public IP is not created or sourced within this module.
+- ip_configurations               - (`map`, required) A map that contains the IP configurations for the interface.
+  - `name`                          - (`string`, optional, defaults to `primary`) the name of the interface IP configuration.
+  - `primary`                       - (`bool`, optional, defaults to `true`) sets the current IP configuration as the primary
+                                      one.
+  - `private_ip_address`            - (`string`, optional, defaults to `null`) static private IP to assign to the interface. 
+                                      When skipped Azure will assign one dynamically. Keep in mind that a dynamic IP is
+                                      guaranteed not to change as long as the VM is running. Any stop/deallocate/restart
+                                      operation might cause the IP to change.
+  - `create_public_ip`              - (`bool`, optional, defaults to `false`) if `true`, creates a public IP for the interface.
+                                      **Note!** When you define multiple IP configurations, exactly one must be the primary.
+  - `public_ip_name`                - (`string`, optional, defaults to `null`) name of the public IP to associate with the
+                                      interface. When `create_public_ip` is set to `true` this will become a name of a newly
+                                      created Public IP interface. Otherwise this is a name of an existing interfaces that will
+                                      be sourced and attached to the interface. Not used when using `public_ip` module.
+  - `public_ip_resource_group_name` - (`string`, optional, defaults to `var.resource_group_name`) name of a Resource Group that
+                                      contains public IP that that will be associated with the interface. Used only when
+                                      `create_public_ip` is `false`.
+  - `public_ip_id`                  - (`string`, optional, defaults to `null`) ID of the public IP to associate with the
+                                      interface. Property is used when public IP is not created or sourced within this module.
 - `attach_to_lb_backend_pool`     - (`bool`, optional, defaults to `false`) set to `true` if you would like to associate this
                                     interface with a Load Balancer backend pool.
 - `lb_backend_pool_id`            - (`string`, optional, defaults to `null`) ID of an existing backend pool to associate the
@@ -327,17 +331,49 @@ Example:
   {
     name                 = "fw-mgmt"
     subnet_id            = azurerm_subnet.my_mgmt_subnet.id
-    public_ip_name       = "fw-mgmt-pip"
-    create_public_ip     = true
+    ip_configurations = {
+      primary-ip = {
+        name = "primary-ip"
+        primary               = true
+        create_public_ip      = true
+        public_ip_name       = "fw-mgmt-pip"
+      }
   },
   # public interface reusing an existing public IP resource
   {
     name                      = "fw-public"
     subnet_id                 = azurerm_subnet.my_pub_subnet.id
     attach_to_lb_backend_pool = true
     lb_backend_pool_id        = module.inbound_lb.backend_pool_id
-    create_public_ip          = false
-    public_ip_name            = "fw-public-pip"
+    ip_configurations = {
+      primary-ip = {
+        name = "primary-ip"
+        primary               = true
+        create_public_ip      = false
+        public_ip_name        = "fw-public-pip"
+      }
+  },
+  # interface with 2 IP addresses
+  {
+    name                      = "fw-two-ips"
+    subnet_id                 = azurerm_subnet.my_pub_subnet.id
+    attach_to_lb_backend_pool = true
+    lb_backend_pool_id        = module.inbound_lb.backend_pool_id
+    ip_configurations = {
+      primary-ip = {
+        name = "primary-ip"
+        primary               = true
+        create_public_ip      = false
+        private_ip_address    = "10.0.0.5"
+        public_ip_name        = "fw-public-pip"
+      },
+      secondary-ip = {
+        name = "secondary-ip"
+        primary               = false
+        create_public_ip      = false
+        private_ip_address    = "10.0.0.6"
+        public_ip_name        = "fw-public-pip"
+      }
   },
 ]
 ```
@@ -347,18 +383,21 @@ Type:
 
 ```hcl
 list(object({
-    name                          = string
-    subnet_id                     = string
-    ip_configuration_name         = optional(string, "primary")
-    create_public_ip              = optional(bool, false)
-    public_ip_name                = optional(string)
-    public_ip_resource_group_name = optional(string)
-    public_ip_id                  = optional(string)
-    private_ip_address            = optional(string)
-    lb_backend_pool_id            = optional(string)
-    attach_to_lb_backend_pool     = optional(bool, false)
-    appgw_backend_pool_id         = optional(string)
-    attach_to_appgw_backend_pool  = optional(bool, false)
+    name      = string
+    subnet_id = string
+    ip_configurations = map(object({
+      name                          = optional(string, "primary")
+      primary                       = optional(bool, true)
+      create_public_ip              = optional(bool, false)
+      public_ip_name                = optional(string)
+      public_ip_resource_group_name = optional(string)
+      public_ip_id                  = optional(string)
+      private_ip_address            = optional(string)
+    }))
+    lb_backend_pool_id           = optional(string)
+    attach_to_lb_backend_pool    = optional(bool, false)
+    appgw_backend_pool_id        = optional(string)
+    attach_to_appgw_backend_pool = optional(bool, false)
   }))
 ```
 
 
@@ -292,22 +292,26 @@ Following configuration options are available:
 
 - `name`                           - (`string`, required) the interface name.
 - `subnet_id`                      - (`string`, required) ID of an existing subnet to create the interface in.
-- `create_public_ip`               - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface.
-- `pip_domain_name_label`          - (`string`, optional, defaults to `null`) the Prefix which should be used for the Domain
-                                     Name Label for each Virtual Machine Instance.
-- `pip_idle_timeout_in_minutes`    - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the Public
-                                     IP Address, possible values are in the range from 4 to 32.
-- `pip_prefix_name`                - (`string`, optional) the name of an existing Public IP Address Prefix from where Public IP
-                                     Addresses should be allocated.
-- `pip_prefix_resource_group_name` - (`string`, optional, defaults to the VMSS's RG) name of a Resource Group hosting an 
-                                     existing Public IP Prefix resource.
-- `pip_prefix_id`                  - (`string`, optional) you can specify Public IP Prefix ID as an alternative to the
-                                     properties above (name and resource group), in case you want to avoid using a data source
-                                     block.
+- `ip_configurations`              - (`map`, required) A map that contains the IP configurations for the interface.
+  - `name`                           - (`string`, optional, defaults to `primary`) the name of the interface IP configuration.
+  - `primary`                        - (`bool`, optional, defaults to `true`) sets the current IP configuration as the primary
+                                       one.
+  - `create_public_ip`               - (`bool`, optional, defaults to `false`) if `true`, create a public IP for the interface.
+  - `pip_domain_name_label`          - (`string`, optional, defaults to `null`) the Prefix which should be used for the Domain
+                                       Name Label for each Virtual Machine Instance.
+  - `pip_idle_timeout_in_minutes`    - (`number`, optional, defaults to Azure default) the Idle Timeout in minutes for the 
+                                       Public IP Address, possible values are in the range from 4 to 32.
+  - `pip_prefix_name`                - (`string`, optional) the name of an existing Public IP Address Prefix from where Public
+                                       IP Addresses should be allocated.
+  - `pip_prefix_resource_group_name` - (`string`, optional, defaults to the VMSS's RG) name of a Resource Group hosting an 
+                                       existing Public IP Prefix resource.
+  - `pip_prefix_id`                  - (`string`, optional) you can specify Public IP Prefix ID as an alternative to the
+                                       properties above (name and resource group), in case you want to avoid using a data
+                                       source block.
 - `lb_backend_pool_ids`            - (`list`, optional, defaults to `[]`) a list of identifiers of existing Load Balancer
-                                     backend pools to associate the interface with.
+                                     backend pools to associate the interface with. Only applied to primary IP configuration.
 - `appgw_backend_pool_ids`         - (`list`, optional, defaults to `[]`) a list of identifier of Application Gateway's backend
-                                     pools to associate the interface with.
+                                     pools to associate the interface with. Only applied to primary IP configuration.
 
 Example:
 
@@ -316,16 +320,33 @@ Example:
   {
     name       = "management"
     subnet_id  = azurerm_subnet.my_mgmt_subnet.id
-    create_pip = true
+    ip_configurations = {
+        primary-ip = {
+          name             = "primary-ip"
+          primary          = true
+          create_public_ip = true
+    }
   },
   {
     name      = "private"
     subnet_id = azurerm_subnet.my_priv_subnet.id
+    ip_configurations = {
+        primary-ip = {
+          name             = "primary-ip"
+          primary          = true
+          create_public_ip = false
+    }
   },
   {
     name                = "public"
     subnet_id           = azurerm_subnet.my_pub_subnet.id
     lb_backend_pool_ids = [azurerm_lb_backend_address_pool.lb_backend.id]
+    ip_configurations = {
+        primary-ip = {
+          name             = "primary-ip"
+          primary          = true
+          create_public_ip = true
+    }
   }
 ]
 ```
@@ -335,16 +356,20 @@ Type:
 
 ```hcl
 list(object({
-    name                           = string
-    subnet_id                      = string
-    create_public_ip               = optional(bool, false)
-    pip_domain_name_label          = optional(string)
-    pip_idle_timeout_in_minutes    = optional(number)
-    pip_prefix_name                = optional(string)
-    pip_prefix_resource_group_name = optional(string)
-    pip_prefix_id                  = optional(string)
-    lb_backend_pool_ids            = optional(list(string), [])
-    appgw_backend_pool_ids         = optional(list(string), [])
+    name      = string
+    subnet_id = string
+    ip_configurations = map(object({
+      name                           = optional(string, "primary")
+      primary                        = optional(bool, true)
+      create_public_ip               = optional(bool, false)
+      pip_domain_name_label          = optional(string)
+      pip_idle_timeout_in_minutes    = optional(number)
+      pip_prefix_name                = optional(string)
+      pip_prefix_resource_group_name = optional(string)
+      pip_prefix_id                  = optional(string)
+    }))
+    lb_backend_pool_ids    = optional(list(string), [])
+    appgw_backend_pool_ids = optional(list(string), [])
   }))
 ```