John 04 30 #19

Open
wants to merge 6 commits into
base: main
20 changes: 20 additions & 0 deletions docs/data-sources/profile_bgp.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
# DataSource: ciscomcd_profile_bgp
Data source for obtaining attributes of an BGP Profile resource. The attributes can be used in the arguments of a Gateway resource.

## Example Usage
```hcl
data "ciscomcd_profile_bgp" "bgp1" {
name = "bgp1"
}

resource "ciscomcd_gateway" "aws_gw1" {
# Other arguments hidden for brevity
bgp_profile = data.ciscomcd_bgp.bgp1.id
}
```

## Argument Reference
* `name` - (Required) Name of the BGP Profile resource

## Attributes Reference
* `id` - ID of the BGP Profile resource
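Review bot: the gateway example's line `bgp_profile = data.ciscomcd_bgp.bgp1.id` references a data source type `ciscomcd_bgp` that this page never defines; the data block above is `ciscomcd_profile_bgp`, so the reference should be `data.ciscomcd_profile_bgp.bgp1.id` (the IPSec page in this same PR gets the equivalent reference right with `data.ciscomcd_profile_ipsec.ipsec1.id`). Also, "an BGP Profile" in the opening sentence should read "a BGP Profile".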
2 changes: 1 addition & 1 deletion docs/data-sources/profile_dlp.md
Expand Up @@ -21,7 +21,7 @@ resource "ciscomcd_policy_rules" "egress_policy_rules" {
```

## Argument Reference
* `name` - (Required) Name of the Data Loss Prevention (DLP) IP Profile resource
* `name` - (Required) Name of the Data Loss Prevention (DLP) Profile resource

## Attributes Reference
* `id` - ID of the Data Loss Prevention (DLP) Profile resource
23 changes: 23 additions & 0 deletions docs/data-sources/profile_ipsec.md
@@ -0,0 +1,23 @@
# DataSource: ciscomcd_profile_ipsec
Data source for obtaining attributes of an IP Security (IPSec) Profile resource. The attributes can be used in the arguments of a VPN Connections resource.

## Example Usage
```hcl
data "ciscomcd_profile_ipsec" "ipsec1" {
name = "ipsec1"
}

resource "ciscomcd_vpn_connections" "vpn_connections1" {
connection_set_id = 1
vpn_connection {
# Other arguments hidden for brevity
ipsec_profile = data.ciscomcd_profile_ipsec.ipsec1.id
}
}
```

## Argument Reference
* `name` - (Required) Name of the IP Security (IPSec) Profile resource

## Attributes Reference
* `id` - ID of the IP Security (IPSec) Profile resource
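Review bot: `connection_set_id = 1` hard-codes an ID in the example while this same PR introduces the `ciscomcd_vpn_connection_set` data source; referencing `data.ciscomcd_vpn_connection_set.<name>.id` instead (or moving the `# Other arguments hidden for brevity` comment up to the resource level) would keep the example self-consistent with the rest of the PR.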
42 changes: 42 additions & 0 deletions docs/data-sources/vpn_connection_set.md
@@ -0,0 +1,42 @@
# DataSource: ciscomcd_vpn_connection_set
Data source for obtaining attributes of an VPN Connection Set resource. The attributes can be used in the arguments of a Gateway resource and VPN Connections resource.

## Example Usage
```hcl
data "ciscomcd_vpn_connection_set" "vpn_connection_set1" {
name = "vpn_connection_set1"
}

resource "ciscomcd_gateway" "aws_gw1" {
# Other arguments hidden for brevity
vpn_connection_set_id = data.ciscomcd_vpn_connection_set.vpn_connections1.id
}

resource "ciscomcd_vpn_connections" "vpn_connections1" {
connection_set_id = data.ciscomcd_vpn_connection_set.vpn_connections1.id
vpn_connection {
name = "vpn-connection1"
tunnel_endpoint_left = "aws-egress-gateway"
tunnel_address_left = "85.0.0.1"
tunnel_endpoint_right = "azure-egress-gateway"
tunnel_address_right = "85.0.0.2"
pre_shared_key = "abcd1234"
ipsec_profile = ciscomcd_profile_ipsec.ipsec1.id
}
vpn_connection {
name = "vpn-connection2"
tunnel_endpoint_left = "aws-egress-gateway"
tunnel_address_left = "50.0.0.1"
tunnel_endpoint_right = ""
tunnel_address_right = "50.0.0.2"
pre_shared_key = "abcd1234"
ipsec_profile = ciscomcd_profile_ipsec.ipsec2.id
}
}
```

## Argument Reference
* `name` - (Required) Name of the VPN Connection Set resource

## Attributes Reference
* `id` - ID of the VPN Connection Set resource
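Review bot: the data source is named `vpn_connection_set1`, but both references in the example use `data.ciscomcd_vpn_connection_set.vpn_connections1.id` (the `vpn_connection_set_id = ...` and `connection_set_id = ...` lines), which will not resolve; change them to `data.ciscomcd_vpn_connection_set.vpn_connection_set1.id`. In the second `vpn_connection` block, `tunnel_endpoint_right = ""` looks like an unfinished value. Consider not showing `pre_shared_key = "abcd1234"` literally in a published example: a variable declared with `sensitive = true` (e.g. `pre_shared_key = var.psk`) shows the intended pattern and avoids the literal being copied into real configurations. The tunnel addresses `85.0.0.x` and `50.0.0.x` are routable public ranges; the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) are the usual choice for docs. Finally, "an VPN Connection Set" should read "a VPN Connection Set".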
4 changes: 2 additions & 2 deletions docs/resources/address_object.md
Expand Up @@ -297,8 +297,8 @@ If the Address Object is configured with a set of FQDNs, the Multicloud Defense
* `name` - (Required) Name of the Address Object
* `description` - (Optional) Description of the Address Object
* `type` = `GROUP` - (Required) Type of the Address Object
* `address_group_ids` - (Required) List of Standalone Address Objects whos addresses will be included in the membership
* `excluded_address_group_ids` - (Optional) List of Standalone Address Objects whos addresses will be excluded in the membership
* `address_group_ids` - (Required) List of Standalone Address Objects whose addresses will be included in the membership
* `excluded_address_group_ids` - (Optional) List of Standalone Address Objects whose addresses will be excluded from the membership
<br><br>For an example, see [GROUP (Source Destination) Example](#group-source-destination-example)

#### DYNAMIC_ASG (Source Destination) Arguments
25 changes: 22 additions & 3 deletions docs/resources/gateway.md
Expand Up @@ -254,10 +254,10 @@ For EDGE mode EGRESS Gateway set the `security_type = EGRESS`
* `azure_resource_group` - (Required - Azure) Azure Resource Group name used to associate all created Gateway resources
* `oci_compartment_id` - (Required - OCI) OCI Compartment ID where the Gateway will be deployed
* `region` - (Required) Region where the Gateway will be deployed
* `vpc_id` - (Required) VPC/VNet where the Gateway will be deployed. For HUB mode deployments, the value must refer to the **id** attribute of the [`ciscomcd_service_vpc`](/terraform/ciscomcd_service_vpc/#ciscomcd_service_vpc) resource. For AWS, use the VPC ID. For Azure, use the full path of the VNet resource. For GCP, use the self link for the VPC.
* `vpc_id` - (Required) VPC/VNet/VNC where the Gateway will be deployed. For HUB mode deployments, the value must refer to the `id` attribute of the [`ciscomcd_service_vpc`](/terraform/ciscomcd_service_vpc/#ciscomcd_service_vpc) resource. For EDGE mode deployments, the CSP-specific resource should be used: For AWS, use the VPC resource ID; For Azure, use the VNet resource full path; For GCP, use the VPC resource self-link; For OCI, use the VNC resource OCID.
* `aws_gateway_lb` - (Optional - AWS) `true` or `false`. This argument only applies to Gateway deployments in AWS with `security_type` set to `EGRESS`. If the argument is set to `true`, the Gateway will be deployed using an AWS Gateway Load Balancer (GWLB). If the argument is set to `false`, the Gateway will be deployed using an internal AWS Network Load Balancer (NLB), which is a legacy deployment mode prior to AWS offering the GWLB. If not specified, the default value is `true`.
* `azure_gateway_lb` - (Optional - Azure) *[Public Preview]* `true` or `false`. This argument only applies to Gateway deployments in Azure with `security_type` set to `INGRESS`. If the argument is set to `true`, the Gateway will be deployed using an Azure Gateway Load Balancer (GWLB). If not specified, the default value is `false` and the Gateway will be deployed using an Internet-facing Azure Network Load Balancer (NLB), which is the default deployment for an Ingress Gateway in Azure.
* `mgmt_vpc_id` - (Required - GCP) Self link of the GCP VPC where the management interface of the Gateway is attached
* `mgmt_vpc_id` - (Required - GCP EDGE Mode) Self link of the GCP VPC where the management interface of the Gateway is attached
* `mgmt_security_group` - (Required - EDGE Mode) AWS Security Group ID, Azure Network Security Group ID, GCP Network Tag name assigned to the management interface, or OCI Security Group OCID to permit management traffic to egress the Gateway. This must allow all outbound traffic for the Gateway to communicate with the Multicloud Defense Controller, Multicloud Defense S3 Bucket and for DNS resolution.
* `datapath_security_group` - (Required - EDGE Mode) AWS Security Group ID, Azure Network Security Group ID, GCP Network Tag name assigned to the datapath interface, or OCI Security Group OCID to permit datapath traffic to ingress and egress the Gateway. It's recommended to leave this open so that all traffic can be sent and received by the Gateway where the Gateway Policy will control whether traffic is allowed or denied.
* `min_instances` - (Optional) Minimum number of instances per availability zone. If not specified, the default value is `1`.
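Review bot: in the rewritten `vpc_id` line, "VNC" appears twice ("VPC/VNet/VNC" and "use the VNC resource OCID") where OCI's construct is the Virtual Cloud Network, abbreviated VCN. The rest of the rewrite (the HUB vs EDGE split and the per-CSP identifiers) is a clear improvement; one wording nit: "the CSP-specific resource should be used" would read better as "use the CSP-specific resource identifier".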
Expand Down Expand Up @@ -483,6 +483,25 @@ settings {
~> **Note on Gateway GCP Internal Load Balancer IP Setting**
When a Gateway resoure in GCP is created, a GCP internal Load Balancer (LB) is also created to front the Gateway instances. This LB requires an internal IP address to be used as the endpoint for routing traffic to the LB. When this setting is not used, the Controller will orchestrate creating the IP resource and assigning it to the LB. When using this setting, the IP address resource is created by the user and supplied to the Gateway resource for the Controller to assign to the created LB. The IP address resource is a `google_compute_address` resource. The `address_type` must be set to "INTERNAL", the `subnetwork` must be the same as the Gateway datapath subnet, and the `region` must be the same region as the Gateway.

### Gateway Instance Creation Retry Settings
```hcl
settings {
name = "controller.gateway.instance_creation_retry_count"
value = "3"
}
settings {
name = "controller.gateway.instance_creation_retry_reset_time"
value = "360"
}
```

~> **Note on Gateway Instance Creation Retry Settings**
When a Gateway resource is created, if an instance creation fails, the Controller will initiate a retry. If the issue is corrected, then the Gateway will eventually be successfully created. If the issue is not corrected, then the Controller will retry indefinitely. If the Controller continues to retry without success, Terraform will timeout after 15 minutes and produce an error stating the Gateway is not yet ACTIVE.

The Gateway Instance Creation Retry Settings provide a user with some control over the instance creation retry behavior. The settings are defined and behave as follows:
* `controller.gateway.instance_creation_retry_count` - Defines the number of times the Controller will retry creating each instance. If the retry count is exceeded, then the Controller will no longer retry the creation and the Gateway will remain in ACTIVE_PENDING state. The Controller will reinitiate its retry attempts once the retry reset time has expired. If this setting is not specified, the Controller will retry indefinitely.
* `controller.gateway.instance_creation_retry_reset_time` - Defines the amount of time (in minutes) after the retry count has been exceeded that the Controller will reinitiate its retry attempts. If this setting is not specified, the reset time will be infinite and the Controller will never reinitiate its retry attempts. This setting is only applicable if the retry count setting is specifed.

## Gateway Tags
Gateway tags define a map of Tags that will apply to each Gateway instance when instantiated
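Review bot: "specifed" in the `instance_creation_retry_reset_time` bullet should be "specified", and "Terraform will timeout" should be "time out" (verb); the unchanged context line just above the new section also has "Gateway resoure" for "resource" and is worth fixing while this section is being touched. It would also help to state how the two limits interact: as written, a Gateway left in ACTIVE_PENDING after the retry count is exceeded still trips Terraform's 15 minute timeout, so these settings bound how long the Controller keeps retrying, not how long `terraform apply` waits.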

Expand Down Expand Up @@ -519,7 +538,7 @@ tags = {
```json
"gateway_gwlb_endpoints": [
{
"endpoint_id": "/subscriptions/8b29c730-36f9-4f5c-86e4-96129569d6a0/resourceGroups/hardik-eastus-resources/providers/Microsoft.Network/loadBalancers/valtix-l-azure-injkczap/frontendIPConfigurations/valtix-l-azure-injkczap-fip"
"endpoint_id": "/subscriptions/8b29c730-36f9-4f5c-86e4-96129569d6a0/resourceGroups/hardik-eastus-resources/providers/Microsoft.Network/loadBalancers/ciscomcd-l-azure-injkczap/frontendIPConfigurations/ciscomcd-l-azure-injkczap-fip"
}
]
```
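Review bot: the `endpoint_id` value embeds what looks like a real Azure subscription GUID (`8b29c730-...`) and a personal resource group name (`hardik-eastus-resources`); since this hunk already touches the line to rename `valtix` to `ciscomcd`, replace both with obvious placeholders (e.g. `00000000-0000-0000-0000-000000000000` and `example-resources`) so real tenant identifiers do not ship in public documentation.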
34 changes: 34 additions & 0 deletions docs/resources/profile_bgp.md
@@ -0,0 +1,34 @@
# Resource: ciscomcd_profile_bgp
Resource for creating and managing a BGP Profile

## Example Usage
```hcl
resource "ciscomcd_profile_bgp" "bgp1" {
name = "bgp1"
local_as = 1234
neighbor {
ip_address = "1.2.3.4"
autonomous_system = 201
}
}
```

## Argument Reference
* `name` - (Required) Name of the Profile
* `description` - (Optional) Description of the Profile
* `local_as` - (Required) The local Autonomous System (AS) number for the BGP peer
* `neighbor` - (Required) One or more blocks, where each block is a row in the BGP Profile that defines the BGP neighbor relationship. Structure [defined below](#neighbor).

### Neighbor
* `ip_address` - (Required) The neighbor IP address of the BGP peer
* `autonomous_system` - (Required) The neighbor Autonomous System (AS) number of the BGP peer

## Attribute Reference
* `id` - ID of the BGP Profile resource that can be referenced in other resources (e.g., *ciscomcd_gateway*)

## Import
BGP Profile resources can be imported using the resource `id`:

```hcl
$ terraform import ciscomcd_profile_bgp.bgp1 10
```
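Review bot: `## Attribute Reference` here differs from the `## Attributes Reference` heading used by the other pages in this PR, including the data-source page for this same resource; pick one. The `terraform import` block is fenced as `hcl` but contains a shell command, so a `shell` fence fits better. The argument descriptions do not say what range `local_as` and `autonomous_system` accept (2-byte vs 4-byte ASN); a sentence on that would save a trial-and-error apply if the API constrains it. The neighbor address `1.2.3.4` is a routable public IP; `192.0.2.1` (RFC 5737) avoids pointing readers at a real host.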
3 changes: 2 additions & 1 deletion docs/resources/profile_decryption.md
Expand Up @@ -7,6 +7,7 @@ resource "ciscomcd_profile_decryption" "decryption_profile1" {
name = "decryption_profile1"
certificate_name = ciscomcd_certificate.cert1.name
min_tls_version = "TLS_VERSION_1_3"
cert_validation = "Default"
cipher_suite_and_group {
cipher_suite = "ECDHE_RSA_AES256_GCM_SHA384"
cipher_suite_group = "PFS"
Expand All @@ -30,7 +31,7 @@ resource "ciscomcd_profile_decryption" "decryption_profile1" {
* `description` - (Optional) Description of the profile
* `certificate_name` - (Required) Name of certificate that is defined in the `ciscomcd_certificate` resource that contains the desired certificate
* `min_tls_version` - (Optional) The minimum TLS version to use when establishing a secure frontend and backend connection when processing traffic via a forward or reverse proxy. Applicable values are: `TLS_VERSION_1_3`, `TLS_VERSION_1_2`, `TLS_VERSION_1_1`, `TLS_VERSION_1_0`. If not specified, the default value is `TLS_VERSION_1_0`. IMPORTANT: It is required to use the same value for `min_tls_version` in all Decryption Profiles that are used by Service Objects referenced by a Policy Ruleset or Policy Ruleset Group. If different values are used, the value that will be applied cannot be predetermined.
* `cert_validation` - (Optional) Specifies whether server certification validation will be performed, what action to take and whether to log the action. The validation applies only to Forward Proxy policies and is performed by the Gateway for backend (Gateway to Server) TLS session negotiation. This feature is available for Gateway versions 23.10 or later. Applicable values: `Allow Log` (allow and log the event), `Allow No Log` (allow and do not log the event), `Deny Log` (deny and log the event), `Deny No Log` (deny and do not log the event). If not specified, the default value is `Allow No Log`.
* `cert_validation` - (Optional) Specifies whether server certification validation will be performed, what action to take and whether to log the action. The validation applies only to Forward Proxy policies and is performed by the Gateway for backend (Gateway to Server) TLS session negotiation. This feature is available for Gateway versions 23.10 or later. Applicable values: `Default` (unspecified, taking on an action of `Allow Log`), `Allow Log` (allow and log the event), `Allow No Log` (allow and do not log the event), `Deny Log` (deny and log the event), `Deny No Log` (deny and do not log the event). If not specified, the default value is `Allow No Log`. If not specified, the default value is `Default`.
* `cipher_suite_and_group` - (Optional) Cipher Suite and Group block. This block can be repeated multiple times. See [Cipher Suite and Group](#cipher-suite-and-group) for the block structure.

## Cipher Suite and Group
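Review bot: the `cert_validation` bullet now ends with two contradictory sentences, "If not specified, the default value is `Allow No Log`." followed by "If not specified, the default value is `Default`."; drop the first. The same line says `Default` resolves to `Allow Log`, meaning that with the argument unset the Gateway allows backend connections that fail server certificate validation and only logs them; it would help operators to state plainly that only `Deny Log` and `Deny No Log` actually enforce validation. Also "server certification validation" should be "server certificate validation".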
7 changes: 5 additions & 2 deletions docs/resources/profile_fqdn.md
Expand Up @@ -62,13 +62,15 @@ resource "ciscomcd_profile_fqdn" "fqdn_match1" {
".*\\.website2\\.com"
]
decryption_exception = false
cert_validation = "Inherit from Decryption Profile"
}
fqdn_filter_list {
fqdn_list = [
"www\\.website3\\.com",
"www\\.website4\\.com"
]
decryption_exception = false
cert_validation = "Inherit from Decryption Profile"
}
}
```
Expand Down Expand Up @@ -138,11 +140,12 @@ resource "ciscomcd_profile_fqdn" "fqdn_match_group" {
* `fqdn_list` - (Required) List of FQDNs (maximum of 60 FQDNs per list, combined with categories; maximum 255 characters per FQDN). Applicable values are Perl Compatible Regular Expression (PCRE) patterns representing FQDNs. When specifying a multi-level domain (e.g., `www.example.com`), it's important to escape the `.` character (e.g., `www\\.example\\.com`) otherwise it will be treated as a wildcard for any single character. Structure [defined below](#fqdn-list).
* `vendor_category_list` - (Optional) List of pre-defined Vendor Categories (maximum 60 categories per list, combined with FQDNs). Structure [defined below](#vendor-category-list).
* `policy` - (Required) Action to take when an FQDN matches an entry in the `fqnd_list` or `vendor_category_list`. Applicable values: `Allow Log` (allow and log the event), `Allow No Log` (allow and do not log the event), `Deny Log` (deny and log the event), `Deny No Log` (deny and do not log the event).
* `decryption_exception` - (Optional) When used in conjunction with a proxy Rule (ForwardProxy, ReverseProxy), instructs the proxy engine to bypass decryption. Applicable values: `true` or `false`. If not specified, the default value is `true`.
* `decryption_exception` - (Optional) When used in conjunction with a ForwardProxy Rule, instructs the proxy engine to bypass decryption. Applicable values: `true` or `false`. If not specified, the default value is `true`.

### FQDN Profile Filter List Arguments (Match)
* `fqdn_list` - (Required) List of FQDNs (maximum of 60 FQDNs per list; maximum 255 characters per FQDN). Applicable values are Perl Compatible Regular Expression (PCRE) patterns representing FQDNs. When specifying a multi-level domain (e.g., `www.example.com`), it's important to escape the `.` character (e.g., `www\\.example\\.com`) otherwise it will be treated as a wildcard for any single character. Structure [defined below](#fqdn-list).
* `decryption_exception` - (Optional) When used in conjunction with a proxy Rule (ForwardProxy, ReverseProxy), instructs the proxy engine to bypass decryption. Applicable values: `true` or `false`. If not specified, the default value is `true`.
* `decryption_exception` - (Optional) When used in conjunction with a ForwardProxy Rule, instructs the proxy engine to bypass decryption. Applicable values: `true` or `false`. If not specified, the default value is `true`.
* `cert_validation` - (Optional) Specifies whether server certification validation will be performed, what action to take and whether to log the action. The validation applies only to Forward Proxy policies and is performed by the Gateway for backend (Gateway to Server) TLS session negotiation. This feature is available for Gateway versions 23.10 or later. Applicable values: `Inherit from Decryption Profile` (use the configuration specified in the Decryption Profile), `Allow Log` (allow and log the event), `Allow No Log` (allow and do not log the event), `Deny Log` (deny and log the event), `Deny No Log` (deny and do not log the event). If not specified, the default value is `Allow No Log`. If not specified, the default value is `Inherit from Decryption Profile`.

### FQDN Filter List
```hcl
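Review bot: same problem as on the Decryption Profile page: the new `cert_validation` bullet carries both "the default value is `Allow No Log`" and "the default value is `Inherit from Decryption Profile`"; keep only the latter, and change "server certification validation" to "server certificate validation". The unchanged `policy` bullet above has `fqnd_list` for `fqdn_list`. Narrowing `decryption_exception` from "proxy Rule (ForwardProxy, ReverseProxy)" to "ForwardProxy Rule" changes the documented scope; if the argument is now ignored for ReverseProxy rules, saying so explicitly would prevent surprise for existing users.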