Commit a9909fe

init/updateGCPTerraformModules: 1.4.2
Signed-off-by: FTNT-HQCM <hq-devops-admin@fortinet.com>
1 parent 7745511 commit a9909fe

12 files changed

Lines changed: 47 additions & 22 deletions

CHANGELOG.md

Lines changed: 17 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -1,3 +1,19 @@
1+
## 1.4.2 (September, 16, 2025)
2+
3+
IMPROVEMENTS:
4+
5+
* Module `modules/fortigate/fgt_asg_with_function`:
6+
* Change the default value of `autoscaler.cooldown_period` to 600;
7+
* Improved FAZ interaction logic;
8+
* Support API changes in FGT 7.6.4;
9+
* Module `modules/fortinet/generic_vm_standalone`:
10+
* Added the latest versions for every Fortinet product;
11+
* Example `examples/autoscale_fgt_as_hub`:
12+
* Supported everything changed in Module `fgt_asg_with_function`.
13+
* Example `examples/autoscale_fgt_lb_sandwich`:
14+
* Supported everything changed in Module `fgt_asg_with_function`.
15+
16+
117
## 1.4.1 (June, 11, 2025)
218

319
IMPROVEMENTS:
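Review bot: the new 1.4.2 entry adds an empty line as line 1 of the file (the `1+` line before `## 1.4.2`), which should be dropped, and two of the bullets are too vague for someone deciding whether to upgrade: `Improved FAZ interaction logic` and `Support API changes in FGT 7.6.4` should say what changed (which FortiAnalyzer behaviour, which FortiGate API calls, and whether older FGT releases are still supported by the cloud function). The bullet `Change the default value of autoscaler.cooldown_period to 600` also silently alters scale-out timing for every deployment that does not set that variable (the old default was 300, as the README hunk below shows), so it belongs under a behaviour-change heading or at least needs a sentence telling users to set `cooldown_period = 300` explicitly if they want the previous timing.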
@@ -10,7 +26,7 @@ IMPROVEMENTS:
1026
* Improved concurrency logic.
1127
* The cloud function can read the value of `autohealing->health_check_port` and change the probe port of FGT to this value.
1228
* "HEALTHCHECK_PORT" configuration will only be uploaded to the primary FGT. The secondary FGTs could only get this information by syncing with the primary FGT.
13-
* Example `autoscale_fgt_as_hub`:
29+
* Example `examples/autoscale_fgt_as_hub`:
1430
* Supported everything changed in Module `fgt_asg_with_function`.
1531
* The resource `google_compute_region_health_check` will not be created if no LB is created by this example.
1632
* Example `examples/autoscale_fgt_lb_sandwich`:

docs/guide_upgrade_fgt_asg.md

Lines changed: 3 additions & 1 deletion
@@ -4,13 +4,15 @@ After deploying the examples `autoscale_fgt_as_hub`, `autoscale_fgt_lb_sandwich`
44

55
### Upgrading the FortiGate Image Version
66

7+
Once the project is deployed, you may modify the FortiGate image version. This change will affect only newly provisioned FortiGate instances. Existing instances will retain their current version.
8+
79
The upgrade process depends on how the FGT image is specified in your Terraform configuration:
810

911
- Using `image_type`:
1012

1113
If you specify the image via the variable `image_type`, Terraform will automatically retrieve the latest available image. Simply run the command `terraform apply` and confirm the changes.
1214

13-
- Using `image_type`:
15+
- Using `image_source`:
1416

1517
If the FGT image is set via the variable `image_source`, update this variable with the new image reference. Then, run the command `terraform apply` and confirm the changes.
1618

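Review bot: the copy-paste fix (the second `- Using image_type:` heading becoming `- Using image_source:`) is correct, but the added sentence that existing instances retain their version leaves out the consequence: elsewhere in this commit autohealing is described as recreating instances and the autoscaler as adding them, and each of those boots from the new image, so the group runs mixed FortiGate versions until the old instances are rolled. The guide should say that and how to roll them. Also, because the `image_type` path has Terraform "automatically retrieve the latest available image", any unrelated `terraform apply` can move the instance template to a newer FortiGate release without an explicit decision; worth stating, together with a recommendation to use `image_source` with an explicit image reference where upgrades need to be controlled and reproducible.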
examples/autoscale_fgt_as_hub/README.md

Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ Please do not destroy *"(default)"* database once it is created. Please do not t
6262
| Name | Description | Type | Default | Required |
6363
|------|-------------|------|---------|:--------:|
6464
| <a name="input_additional_disk"></a> [additional\_disk](#input\_additional\_disk) | Additional disk for logging.<br><br>Options:<br><br> - size : (Optional \| number \| default:0) Log disk size (GB) for each FGT. If set to 0, no additional log disk is created.<br> - type : (Optional \| string \| default:"pd-standard") The Google Compute Engine disk type. Such as "pd-ssd", "local-ssd", "pd-balanced" or "pd-standard".<br><br>Example:<pre>additional_disk = {<br> size = 30<br> type = "pd-standard"<br>}</pre> | <pre>object({<br> size = optional(number, 0)<br> type = optional(string, "pd-standard")<br> })</pre> | <pre>{<br> "size": 0,<br> "type": "pd-standard"<br>}</pre> | no |
65-
| <a name="input_autoscaler"></a> [autoscaler](#input\_autoscaler) | Auto Scaler parameters. This variable controls when to autoscale and the maximum number of instances.<br>Options:<br><br> - max\_instances : (Required \| number) The maximum number of FGT instances.<br> - min\_instances : (Optional \| number \| default:2) The minimum number of FGT instances.<br> - cooldown\_period : (Optional \| number \| default:300) Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.<br> - cpu\_utilization : (Optional \| number \| default:0.9) Autoscaling signal. If cpu utilization above this value, google cloud will create new FGT instance.<br> - autohealing : (Optional \| Object) Parameters about autohealing. Autohealing recreates VM instances if your application cannot be reached by the health check.<br> - health\_check\_port : (Optional \| number \| default:8008) The port used for health checks by autohealing.<br> - timeout\_sec : (Optional \| number \| default:5) How long (in seconds) to wait before claiming a health check failure.<br> - check\_interval\_sec : (Optional \| number \| default:30) How often (in seconds) to send a health check.<br> - unhealthy\_threshold : (Optional \| number \| default:10) A so-far healthy instance will be marked unhealthy after this many consecutive failures.<br> - scale\_in\_control\_sec : (Optional \| number \| default:300) When the group scales down, Google Cloud will delete at most one FGT every 'scale\_in\_control\_sec' seconds.<br><br>Example:<pre>autoscaler = {<br> max_instances = 10<br> min_instances = 2<br> cooldown_period = 300<br> cpu_utilization = 0.9<br> scale_in_control_sec = 300<br>}</pre> | <pre>object({<br> max_instances = number<br> min_instances = optional(number, 2)<br> cooldown_period = optional(number, 300)<br> cpu_utilization = optional(number, 0.9)<br> autohealing = optional(object({<br> health_check_port = optional(number, 8008)<br> timeout_sec = optional(number, 5)<br> 
check_interval_sec = optional(number, 30)<br> unhealthy_threshold = optional(number, 10)<br> }), {}<br> )<br> scale_in_control_sec = optional(number, 300)<br> })</pre> | n/a | yes |
65+
| <a name="input_autoscaler"></a> [autoscaler](#input\_autoscaler) | Auto Scaler parameters. This variable controls when to autoscale and the maximum number of instances.<br>Options:<br><br> - max\_instances : (Required \| number) The maximum number of FGT instances.<br> - min\_instances : (Optional \| number \| default:2) The minimum number of FGT instances.<br> - cooldown\_period : (Optional \| number \| default:600) Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.<br> - cpu\_utilization : (Optional \| number \| default:0.9) Autoscaling signal. If cpu utilization above this value, google cloud will create new FGT instance.<br> - autohealing : (Optional \| Object) Parameters about autohealing. Autohealing recreates VM instances if your application cannot be reached by the health check.<br> - health\_check\_port : (Optional \| number \| default:8008) The port used for health checks by autohealing.<br> - timeout\_sec : (Optional \| number \| default:5) How long (in seconds) to wait before claiming a health check failure.<br> - check\_interval\_sec : (Optional \| number \| default:30) How often (in seconds) to send a health check.<br> - unhealthy\_threshold : (Optional \| number \| default:10) A so-far healthy instance will be marked unhealthy after this many consecutive failures.<br> - scale\_in\_control\_sec : (Optional \| number \| default:300) When the group scales down, Google Cloud will delete at most one FGT every 'scale\_in\_control\_sec' seconds.<br><br>Example:<pre>autoscaler = {<br> max_instances = 10<br> min_instances = 2<br> cooldown_period = 600<br> cpu_utilization = 0.9<br> scale_in_control_sec = 300<br>}</pre> | <pre>object({<br> max_instances = number<br> min_instances = optional(number, 2)<br> cooldown_period = optional(number, 600)<br> cpu_utilization = optional(number, 0.9)<br> autohealing = optional(object({<br> health_check_port = optional(number, 8008)<br> timeout_sec = optional(number, 5)<br> 
check_interval_sec = optional(number, 30)<br> unhealthy_threshold = optional(number, 10)<br> }), {}<br> )<br> scale_in_control_sec = optional(number, 300)<br> })</pre> | n/a | yes |
6666
| <a name="input_bucket"></a> [bucket](#input\_bucket) | The bucket used to store license files and cloud function source code.<br>The bucket name is generated by the module.<br><br>Options:<br><br> - uniform\_bucket\_level\_access : (Optional \| bool \| default:false) Whether to enable uniform bucket-level access for the bucket.<br><br>Example:<pre>bucket = {<br> uniform_bucket_level_access = true<br>}</pre> | <pre>object({<br> uniform_bucket_level_access = optional(bool, false)<br> })</pre> | `{}` | no |
6767
| <a name="input_cloud_function"></a> [cloud\_function](#input\_cloud\_function) | Parameters for Cloud Function. The Cloud Function is used to inject licenses to FGTs,<br>upload user-specified configurations and manage the FGT autoscale group.<br><br>Options:<br><br> - cloud\_func\_interface : (Optional \| string \| default:"port1")<br> To communicate with FGTs, the Cloud Function must be connected to the VPC where FGTs also exist.<br> By default, this project assumes the Cloud Function connects to the first VPC you specified in "network\_interfaces", and configure your FGTs through port1.<br> You can also set it to "port2", "port3", ..., "port8" to force the Cloud Function to connect to other VPC and communicate with your FortiGates through that port,<br> but you need to specify the corresponding route of FGTs in "config\_script" or "config\_file" so FGTs can reply to the Cloud Function requests from "cloud\_function.function\_ip\_range".<br> - function\_ip\_range : (Required \| string) Cloud function needs to have its only CIDR ip range ending with "/28", which cannot be used by other resources. Example "10.1.0.0/28".<br> This IP range subnet cannot be used by other resources, such as VMs, Private Service Connect, or load balancers.<br> A static route will be created in the FGT that routes data destined for "cloud\_function.function\_ip\_range" to port "cloud\_function.cloud\_func\_interface".<br> - license\_source : (Optional \| string \| default:"none") The source of license if your image\_type is "byol".<br> "none" : Don't inject licenses to FGTs.<br> "file" : Injecting licenses based on license files. All license files should be in license\_file\_folder.<br> "fortiflex" : Injecting licenses based on FortiFlex. Need to specify the parameter fortiflex if license\_source is "fortiflex".<br> "file\_fortiflex" : Injecting licenses based on license files first. 
If all license files are in use, try FortiFlex next.<br> - license\_file\_folder : (Optional \| string \| default:"./licenses") The folder where all ".lic" license files are located. Default is "./licenses" folder.<br> - autoscale\_psksecret : (Optional \| string \| default:"psksecret") The secret key used to synchronize information between FortiGates. If not set, the module will randomly generate a 16-character secret key.<br> - logging\_level : (Optional \| string \| default:"INFO") Verbosity of logs. Possible values include "NONE", "ERROR", "WARN", "INFO", "DEBUG", and "TRACE". You can find logs in Google Cloud Logs Explorer.<br> - fortiflex: (Optional \| object) You need to specify this parameter if your license\_source is "fortiflex" or "file\_fortiflex".<br> - retrieve\_mode : (Optional \| string \| default:"use\_stopped") How to retrieve an existing fortiflex license (entitlement):<br> "use\_stopped" Retrieves "STOPPED", "EXPIRED" or "PENDING" licenses, and changes them to "ACTIVE". If the license is released, change the license to "STOPPED".<br> "use\_active" Retrieves "ACTIVE" or "PENDING" licenses. If the license is released, the license keeps "ACTIVE".<br> - username : (Reuqired if license\_source is "fortiflex" or "file\_fortiflex" \| string \| default:"") The username of your FortiFlex account.<br> - password : (Reuqired if license\_source is "fortiflex" or "file\_fortiflex" \| string \| default:"") The password of your FortiFlex account.<br> - config : (Reuqired if license\_source is "fortiflex" or "file\_fortiflex" \| string \| default:"") The configuration ID of your FortiFlex configuration (product type should be FortiGate-VM).<br> - service\_config : (Optional \| object) This parameter controls the instance that runs the cloud function. 
For simplicity, it is recommended to use the default value.<br> - max\_instance\_count : (Optional \| number \| default:1) The limit on the maximum number of function instances that may coexist at a given time.<br> - max\_instance\_request\_concurrency : (Optional \| number \| default:10) Sets the maximum number of concurrent requests that one cloud function can handle at the same time. Recommended to set it to no less than the maximum number of FGT instances (variable "autoscaler.max\_instances").<br> - available\_cpu : (Optional \| string \| default:"1") The number of CPUs used in a single container instance.<br> - available\_memory : (Optional \| string \| default:"1G") The amount of memory available for a function. Supported units are k, M, G, Mi, Gi. If no unit is supplied the value is interpreted as bytes.<br> - timeout\_seconds : (Optional \| number \| default:240) The function execution timeout. Execution is considered failed and can be terminated if the function is not completed at the end of the timeout period.<br> - ingress\_settings: (Optional \| string \| default:"ALLOW\_ALL") The cloud function accepts what type of ingress traffic. Possible values are: ALLOW\_ALL, ALLOW\_INTERNAL\_ONLY, ALLOW\_INTERNAL\_AND\_GCLB.<br> - egress\_settings: (Optional \| string \| default:"PRIVATE\_RANGES\_ONLY") What type of egress traffic will be sent to the VPC connector. Possible values are: VPC\_CONNECTOR\_EGRESS\_SETTINGS\_UNSPECIFIED, PRIVATE\_RANGES\_ONLY, ALL\_TRAFFIC.<br> - build\_service\_account\_email: (Optional \| string \| default:"") The email address of the service account used to build the cloud function. This account needs to have role "roles/cloudbuild.builds.builder".<br> The <PROJECT\_NUMBER>@cloudbuild.gserviceaccount.com will be used if it is not specified.<br> - trigger\_service\_account\_email: (Optional \| string \| default:"") The email address of the service account used to trigger the cloud function. 
This account needs to have role "roles/run.invoker".<br> The default service account will be used if it is not specified.<br> - additional\_variables : (Optional \| map \| default: {}) Additional variables used in cloud function. It is used to specify example-specific variables.<br><br>Example:<pre>cloud_function = {<br> function_ip_range = "10.1.0.0/28" # Cloud function needs to have its own CIDR ip range ending with "/28". This IP range cannot be used by other resources.<br> license_source = "file" # "none", "fortiflex", "file", "file_fortiflex"<br> license_file_folder = "./licenses"<br> autoscale_psksecret = "psksecret"<br> logging_level = "INFO" # "NONE", "ERROR", "WARN", "INFO", "DEBUG", "TRACE"<br> # Specify fortiflex parameters if license_source is "fortiflex" or "file_fortiflex"<br> # fortiflex = {<br> # retrieve_mode = "use_active"<br> # username = "Your fortiflex username"<br> # password = "Your fortiflex password"<br> # config = "Your fortiflex configuration ID"<br> # }<br> # Parameters of google cloud function.<br> service_config = {<br> max_instance_request_concurrency = 10<br> timeout_seconds = 360<br> }<br>}</pre> | <pre>object({<br> cloud_func_interface = optional(string, "port1")<br> function_ip_range = string<br> license_source = optional(string, "none")<br> license_file_folder = optional(string, "./licenses")<br> autoscale_psksecret = optional(string, "psksecret")<br> logging_level = optional(string, "NONE")<br> fortiflex = optional(object({<br> retrieve_mode = optional(string, "use_stopped")<br> username = optional(string, "")<br> password = optional(string, "")<br> config = optional(string, "")<br> }), {})<br> service_config = optional(object({<br> max_instance_count = optional(number, 1)<br> max_instance_request_concurrency = optional(number, 10)<br> available_cpu = optional(string, "1")<br> available_memory = optional(string, "1G")<br> timeout_seconds = optional(number, 240)<br> ingress_settings = optional(string, "ALLOW_ALL")<br> 
egress_settings = optional(string, "PRIVATE_RANGES_ONLY")<br> }), {})<br> build_service_account_email = optional(string, "")<br> trigger_service_account_email = optional(string, "")<br> additional_variables = optional(map(string), {})<br> })</pre> | n/a | yes |
6868
| <a name="input_config_file"></a> [config\_file](#input\_config\_file) | Additional FGT configuration script file. | `string` | `""` | no |
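Review bot: the `cooldown_period` default is updated consistently in the description, the example and the type block of this row, but the adjacent `cloud_function` row carries two contradictions that should be fixed in the same pass: `logging_level` is described as default "INFO" while the type block reads `logging_level = optional(string, "NONE")`, and `autoscale_psksecret` is described as default "psksecret" and, in the same sentence, as randomly generated (16 characters) if not set. Both cannot be true; if the literal "psksecret" is what ends up on the FortiGates, every deployment that leaves the field unset shares a publicly documented sync secret, and the row should tell users to set it explicitly. Also "Reuqired" (three occurrences in the fortiflex sub-options) should be "Required".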

examples/autoscale_fgt_as_hub/terraform.tfvars.template

Lines changed: 1 addition & 1 deletion
@@ -111,7 +111,7 @@ cloud_function = {
111111
autoscaler = {
112112
max_instances = 4 # The maximum number of FGT instances
113113
min_instances = 3 # The minimum number of FGT instances
114-
cooldown_period = 360 # Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.
114+
cooldown_period = 600 # Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.
115115
cpu_utilization = 0.8 # Autoscaling signal. If CPU utilization is above this value, Google Cloud will create new FGT instances.
116116
autohealing = { # Parameters about autohealing. Autohealing recreates VM instances if your application cannot be reached by the health check.
117117
health_check_port = 8008 # The port used for health checks by autohealing.

examples/autoscale_fgt_as_hub/variable.tf

Lines changed: 3 additions & 3 deletions
@@ -374,7 +374,7 @@ variable "autoscaler" {
374374
type = object({
375375
max_instances = number
376376
min_instances = optional(number, 2)
377-
cooldown_period = optional(number, 300)
377+
cooldown_period = optional(number, 600)
378378
cpu_utilization = optional(number, 0.9)
379379
autohealing = optional(object({
380380
health_check_port = optional(number, 8008)
@@ -391,7 +391,7 @@ variable "autoscaler" {
391391
392392
- max_instances : (Required | number) The maximum number of FGT instances.
393393
- min_instances : (Optional | number | default:2) The minimum number of FGT instances.
394-
- cooldown_period : (Optional | number | default:300) Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.
394+
- cooldown_period : (Optional | number | default:600) Specify how long (seconds) it takes for FGT to initialize from boot time until it is ready to serve.
395395
- cpu_utilization : (Optional | number | default:0.9) Autoscaling signal. If cpu utilization above this value, google cloud will create new FGT instance.
396396
- autohealing : (Optional | Object) Parameters about autohealing. Autohealing recreates VM instances if your application cannot be reached by the health check.
397397
- health_check_port : (Optional | number | default:8008) The port used for health checks by autohealing.
@@ -405,7 +405,7 @@ variable "autoscaler" {
405405
autoscaler = {
406406
max_instances = 10
407407
min_instances = 2
408-
cooldown_period = 300
408+
cooldown_period = 600
409409
cpu_utilization = 0.9
410410
scale_in_control_sec = 300
411411
}
