fortinetdev
diff --git a/‎CHANGELOG.md‎
Lines changed: 25 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 25 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 10 additions & 1 deletion b/‎README.md‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎docs/autoscale_fgt_as_hub.md‎
Lines changed: 31 additions & 6 deletions b/‎docs/autoscale_fgt_as_hub.md‎
Lines changed: 31 additions & 6 deletions
diff --git a/‎docs/autoscale_fgt_lb_sandwich.md‎
Lines changed: 16 additions & 6 deletions b/‎docs/autoscale_fgt_lb_sandwich.md‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎docs/fgt_single.md‎
Lines changed: 5 additions & 2 deletions b/‎docs/fgt_single.md‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎docs/guide_funtion.md‎ ‎docs/guide_function.md‎docs/guide_funtion.md renamed to docs/guide_function.md b/‎docs/guide_funtion.md‎ ‎docs/guide_function.md‎docs/guide_funtion.md renamed to docs/guide_function.md
diff --git a/‎docs/guide_gcp_modules.md‎
Lines changed: 66 additions & 0 deletions b/‎docs/guide_gcp_modules.md‎
Lines changed: 66 additions & 0 deletions
@@ -1,4 +1,28 @@
-## 1.3.0 (2025)
+## 1.4.0 (May, 16, 2025)
+
+FEATURES:
+
+* **New Module**: `module/fortigate/fgt_ha`.
+* **New Module**: `module/fortinet/generic_vm_standalone`.
+
+IMPROVEMENTS:
+* Module `modules/fortigate/fgt_asg_with_function`:
+  * Data source `google_compute_default_service_account` will not be retrieved if the variable `service_account_email` is specified.
+  * Added a new optional variable `bucket`. You can set "uniform_bucket_level_access = true" to the resource `google_storage_bucket` to enable uniform bucket-level access.
+  * Added two new variables `cloud_function->service_config->ingress_settings` and `cloud_function->service_config->egress_settings`, to configure the ingress and egress traffic settings of the Cloud Function.
+  * Added a new optional variable `cloud_function->build_service_account_email`. This account is used to build the Cloud Function and should have the role "roles/cloudbuild.builds.builder".
+  * Added a new optional variable `cloud_function->trigger_service_account_email`. This account is used to trigger the Cloud Function and should have the role "roles/run.invoker".
+  * Added a new variable `fmg_integration` to support FortiManager integration.
+* Example `examples/autoscale_fgt_as_hub`:
+  * Supported everything changed in Module `fgt_asg_with_function`.
+* Example `examples/autoscale_fgt_lb_sandwich`:
+  * Supported everything changed in Module `fgt_asg_with_function`.
+  * Added variable `special_behavior`. Please only use this variable under the suggestion of the developer.
+* Document:
+  * Added new file `/docs/guide_gcp_modules.md`.
+  * Added new file `/docs/module_generic_vm_standalone.md`.
+
+## 1.3.0 (Febuary, 25, 2025)
 
 FEATURES:
 * **New Module**: `modules/gcp/iam`. It helps you create a new service account with specified roles.
 
@@ -22,10 +22,18 @@ Please click the following links for visual diagrams, requirements, example depl
     Utilize Autoscale FortiGate as a central hub to connect up to eight existing VPCs. FortiGates connect your VPCs and manage traffic between VPCs.
 
 ### Modules
-1. [Single FortiGate](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/fgt_single.md):
+1. [generic_vm_standalone](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/module_generic_vm_standalone.md)
+
+    This module can be used to deploy any Fortinet VM: FortiGate / FortiManager / FortiAnalyzer / FortiAIOPS / FortiGuest ...
+
+
+2. [Single FortiGate](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/fgt_single.md)  (Deprecated, please use [generic_vm_standalone](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/module_generic_vm_standalone.md)):
 
     You can use this module to quickly deploy one single FortiGate.
 
+    This module can also be used to create FortiManager and FortiAnalyzer if you change the `image_type` or `image_source` to the [target value](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_image.md#image-list).
+
+
 
 ## How to Use Examples/Modules:
 
@@ -53,6 +61,7 @@ module "your_module_name" {
 ## FAQ
 - [How to Specify Image](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_image.md)
 - [What is Cloud Function](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_function.md)
+- [Useful GCP Modules](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_gcp_modules.md)
 
 ## Request, Question or Issue
 
 
@@ -58,12 +58,16 @@ zones   = ["<YOUR-OWN-VALUE1>",     # e.g., ["us-central1-b", "us-central1-c"].
            "<YOUR-OWN-VALUE2>"]     # If zones is empty, GCP will select 3 zones for you.
 
 # IAM variables (Optional)
-# service_account_email = "example@example.com " # The e-mail address of the service account. 
-                                                 # This service account should already have "roles/datastore.user" and "roles/compute.viewer".
-                                                 # If not given, the default Google Compute Engine service account is used.
+# service_account_email = "example@<your-project-name>.iam.gserviceaccount.com"
+# The e-mail address of the service account. This service account will control the cloud function created by this project.
+# This service account should already have "roles/datastore.user", "roles/compute.viewer" and "roles/run.invoker".
+# If this variable is not specified, the default Google Compute Engine service account is used.
 ```
 Modify these variables based on your needs.
 
+`service_account_email` should comply with the least privilege principle.
+You can [create dedicated service account by using our GCP module](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_gcp_modules.md#create-dedicated-service-account).
+
 If you want to deploy more than one examples, please make sure the `prefix` of those examples are different.
 
 
@@ -183,14 +187,14 @@ cloud_function = {
   # "fortiflex" parameters is required if license_source is "fortiflex" or "file_fortiflex"
   # fortiflex = {
   #   retrieve_mode = "use_active"           # How to retrieve an existing fortiflex license (entitlement)
-  #                                          # "use_stopped" selects and reactivates a stopped entitlement where the description field is empty;
-  #                                          # "use_active" selects one active and unused entitlement where the description field is empty.
+  #                                          # "use_active": Retrieves "ACTIVE" or "PENDING" licenses. If the license is released, the license keeps "ACTIVE".
+  #                                          # "use_stopped" (default behavior): Retrieves "STOPPED", "EXPIRED" or "PENDING" licenses, and changes them to "ACTIVE". If the license is released, change the license to "STOPPED".
   #   username      = "<YOUR-OWN-VALUE>"     # The username of your FortiFlex account.
   #   password      = "<YOUR-OWN-VALUE>"     # The password of your FortiFlex account.
   #   config        = <YOUR-OWN-VALUE>       # The config ID of your FortiFlex configuration.
   # }
 
-  # This parameter controls the instance that runs the cloud function.
+  # This parameter controls the instance that runs the cloud function. For simplicity, it is recommended to use the default value.
   service_config = {
     max_instance_count               = 1    # The limit on the maximum number of function instances that may coexist at a given time.
     max_instance_request_concurrency = 3    # Sets the maximum number of concurrent requests that one cloud function can handle at the same time.
@@ -200,6 +204,12 @@ cloud_function = {
   }
 
   # additional_variables = {}               # Additional Cloud Function Variables
+
+  # The following parameters are optional, and no need to be specified in most of cases
+  # build_service_account_email = "your-name@example.com" # The email address of the service account used to build the cloud function. This account needs to have role "roles/cloudbuild.builds.builder".
+                                                          # The <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com will be used if it is not specified.
+  # trigger_service_account_email = "your-name@example.com" # The email address of the service account used to trigger the cloud function. This account needs to have role "roles/run.invoker".
+                                                            # The default service account will be used if it is not specified.
 }
 ```
 
@@ -356,6 +366,21 @@ In addition to the variable config_script, you can also save the configuration s
 
 If you specify both config_script and config_file, this terraform project will upload both of them.
 
+#### Others
+```
+# FortiManager integration
+fmg_integration = {
+  ip = "<Your FMG IP>"             # The public IP address of the FortiManager.
+  sn = "<Your FMG Serial Number>"  # The serial number of the FortiManager.
+  ums = {
+    autoscale_psksecret = "<RANDOM-STRING>"  # The secret key used to synchronize information between FortiGates.
+    fmg_reg_password    = "fmg_reg_passwd>"  # The password used to register the FortiGate to the FortiManager.
+    sync_interface      = "port1"            # The interface used to synchronize information between FortiGates.
+    api_key             = ""                 # The API key used to register the FortiGate to the FortiManager. Only used when license type is BYOL.
+  }
+}
+```
+
 
 ## FortiGates Licenses
 
 
@@ -57,12 +57,16 @@ zones   = ["<YOUR-OWN-VALUE1>",     # e.g., ["us-central1-b", "us-central1-c"].
            "<YOUR-OWN-VALUE2>"]     # If zones is empty, GCP will select 3 zones for you.
 
 # IAM variables (Optional)
-# service_account_email = "example@example.com " # The e-mail address of the service account. 
-                                                 # This service account should already have "roles/datastore.user" and "roles/compute.viewer".
-                                                 # If not given, the default Google Compute Engine service account is used.
+# service_account_email = "example@<your-project-name>.iam.gserviceaccount.com"
+# The e-mail address of the service account. This service account will control the cloud function created by this project.
+# This service account should already have "roles/datastore.user", "roles/compute.viewer" and "roles/run.invoker".
+# If this variable is not specified, the default Google Compute Engine service account is used.
 ```
 Modify these variables based on your needs.
 
+`service_account_email` should comply with the least privilege principle.
+You can [create dedicated service account by using our GCP module](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_gcp_modules.md#create-dedicated-service-account).
+
 If you want to deploy more than one examples, please make sure the `prefix` of those examples are different.
 
 #### FortiGate Variables:
@@ -159,14 +163,14 @@ cloud_function = {
   # "fortiflex" parameters is required if license_source is "fortiflex" or "file_fortiflex"
   # fortiflex = {
   #   retrieve_mode = "use_active"         # How to retrieve an existing fortiflex license (entitlement)
-  #                                        # "use_stopped" selects and reactivates a stopped entitlement where the description field is empty;
-  #                                        # "use_active" selects one active and unused entitlement where the description field is empty.
+  #                                        # "use_active": Retrieves "ACTIVE" or "PENDING" licenses. If the license is released, the license keeps "ACTIVE".
+  #                                        # "use_stopped" (default behavior): Retrieves "STOPPED", "EXPIRED" or "PENDING" licenses, and changes them to "ACTIVE". If the license is released, change the license to "STOPPED".
   #   username      = "<YOUR-OWN-VALUE>"   # The username of your FortiFlex account.
   #   password      = "<YOUR-OWN-VALUE>"   # The password of your FortiFlex account.
   #   config        = <YOUR-OWN-VALUE>     # The config ID of your FortiFlex configuration.
   # }
 
-  # This parameter controls the instance that runs the cloud function.
+  # This parameter controls the instance that runs the cloud function. For simplicity, it is recommended to use the default value.
   service_config = {
     max_instance_count               = 1    # The limit on the maximum number of function instances that may coexist at a given time.
     max_instance_request_concurrency = 3    # Sets the maximum number of concurrent requests that one cloud function can handle at the same time.
@@ -176,6 +180,12 @@ cloud_function = {
   }
 
   # additional_variables = {}               # Additional Cloud Function Variables
+
+  # The following parameters are optional, and no need to be specified in most of cases
+  # build_service_account_email = "your-name@example.com" # The email address of the service account used to build the cloud function. This account needs to have role "roles/cloudbuild.builds.builder".
+                                                          # The <PROJECT_NUMBER>@cloudbuild.gserviceaccount.com will be used if it is not specified.
+  # trigger_service_account_email = "your-name@example.com" # The email address of the service account used to trigger the cloud function. This account needs to have role "roles/run.invoker".
+                                                            # The default service account will be used if it is not specified.
 }
 ```
 Cloud Function is used to manage FGT synchronization and inject license into FGT. For more information about the Cloud Function, please check [here](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/guide_function.md).
 
@@ -1,5 +1,8 @@
 # Module: Single FortiGate - fgt_single
 
+> This module is used to deploy one single FortiGate.
+To deploy any Forti products (e.g., FortiGate, FortiAnalyzer, FortiManager... ), please use the module: [generic_vm_standalone](https://github.com/fortinetdev/terraform-google-cloud-modules/blob/main/docs/module_generic_vm_standalone.md).
+
 Create a FortiGate and using existing VPCs.
 
 ## How To Deploy
@@ -8,11 +11,11 @@ You can use this module directly:
 
 ```
 module "single_fortigate" {
-  source = "fortinetdev/cloud-modules/google//modules/fortigate/fgt_single"
+  source = "fortinetdev/cloud-modules/google//modules/fortinet/fgt_single"
 
   prefix   = "single-fortigate"             # The prefix name of all Google Cloud resources created by this module.
   hostname = "single-fortigate"             # The name of your FortiGate. If not set, it will be <prefix>-instance.
-  # password     = "<Your admin password>"  # Optional. If not set, it will be the GCP instance id.
+  # password     = "<Your admin password>"  # Optional. If not set, it will be the GCP instance id. This variable only works for FortiGate (Not working for FortiAnalyzer and FortiManager).
   region       = "us-central1"              # Region to deploy FortiGate.
   zone         = "us-central1-a"            # Zone to deploy FortiGate.
   machine_type = "n1-standard-4"            # The GCP Virtual Machine type to deploy FGT.
 
@@ -0,0 +1,66 @@
+# Guide: GCP Modules
+
+In order to use Google Cloud Terraform resources more conveniently, this Terraform project includes some GCP Modules (`/modules/gcp`).
+
+Here are some useful modules you may need:
+
+### Create dedicated service account
+
+This script will create a dedicated service account: `<SERVICE-ACCOUNT-NAME>@<YOUR-PROJECT-NAME>.iam.gserviceaccount.com`.
+
+This service account has roles ["roles/datastore.user", "roles/compute.viewer", "roles/run.invoker"].
+
+```hcl
+module "dedicated_service_account" {
+  source               = "fortinetdev/cloud-modules/google//modules/gcp/iam"
+  project              = "<YOUR-PROJECT-NAME>"
+  service_account_name = "<SERVICE-ACCOUNT-NAME>"
+  roles = [
+    "roles/datastore.user",
+    "roles/compute.viewer",
+    "roles/run.invoker",
+    # Add any roles you want here
+  ]
+}
+
+output "dedicated_service_account" {
+  value = module.dedicated_service_account.service_account_email
+}
+```
+
+
+### Create a new VPC
+
+You can use this script to create a new VPC with subnets and firewall rules.
+
+```
+module "example_vpc" {
+  source = "fortinetdev/cloud-modules/google//modules/gcp/vpc"
+
+  network_name = "example-network-name"
+
+  # You can specify a list of subnets in this VPC
+  subnets = [
+    {
+      name          = "example-subnet-name"
+      region        = "<YOUR-REGION>"   # e.g., us-central1
+      ip_cidr_range = "<YOUR-IP-RANGE>" # e.g., "10.0.0.0/24"
+    }
+  ]
+
+  # You can specify a list of firewall rules
+  firewall_rules = [
+    {
+      name          = "example-network-firewall-1"
+      source_ranges = ["0.0.0.0/0"]
+      target_tags   = ["example-access"]
+      allow = [
+        {
+          protocol = "all"
+        }
+      ]
+    }
+  ]
+}
+
+```