From ffa9a62ca71b6acd1f0a20f76a7aa90013da5506 Mon Sep 17 00:00:00 2001
From: "create-pr-on-fork-for-pan-dev[bot]"
 <135888023+create-pr-on-fork-for-pan-dev[bot]@users.noreply.github.com>
Date: Tue, 17 Oct 2023 14:27:35 +0100
Subject: [PATCH] Sync aws Terraform module documentation (#472)

Co-authored-by: pan-dev-content-sync-trigger[bot] <pan-dev-content-sync-trigger[bot]@users.noreply.github.com>
---
 .../vmseries/examples/panorama_standalone.md  |   8 +-
 .../docs/swfw/aws/vmseries/modules/alb.md     |   7 +-
 .../docs/swfw/aws/vmseries/modules/asg.md     |   7 +-
 .../swfw/aws/vmseries/modules/bootstrap.md    |   7 +-
 .../vmseries/modules/crosszone_failover.md    |  88 ++++++++
 .../docs/swfw/aws/vmseries/modules/gwlb.md    |  11 +-
 .../aws/vmseries/modules/gwlb_endpoint_set.md |   6 +-
 .../aws/vmseries/modules/names_generator.md   | 213 ++++++++++++++++++
 .../aws/vmseries/modules/nat_gateway_set.md   |   7 +-
 .../docs/swfw/aws/vmseries/modules/nlb.md     |  11 +-
 .../swfw/aws/vmseries/modules/panorama.md     |   7 +-
 .../swfw/aws/vmseries/modules/subnet_set.md   |   8 +-
 .../aws/vmseries/modules/transit_gateway.md   |   6 +-
 .../modules/transit_gateway_attachment.md     |   6 +-
 .../modules/transit_gateway_peering.md        |   8 +-
 .../swfw/aws/vmseries/modules/vmseries.md     |   7 +-
 .../docs/swfw/aws/vmseries/modules/vpc.md     |  12 +-
 .../swfw/aws/vmseries/modules/vpc_endpoint.md |  77 +++++++
 .../swfw/aws/vmseries/modules/vpc_route.md    |   6 +-
 .../docs/swfw/aws/vmseries/modules/vpn.md     |  85 +++++++
 .../centralized_design.md                     |   8 +-
 .../centralized_design_autoscale.md           |   8 +-
 .../combined_design.md                        |   8 +-
 .../combined_design_autoscale.md              |  14 +-
 .../isolated_design.md                        |   8 +-
 .../isolated_design_autoscale.md              |  14 +-
 26 files changed, 569 insertions(+), 78 deletions(-)
 create mode 100644 products/terraform/docs/swfw/aws/vmseries/modules/crosszone_failover.md
 create mode 100644 products/terraform/docs/swfw/aws/vmseries/modules/names_generator.md
 create mode 100644 products/terraform/docs/swfw/aws/vmseries/modules/vpc_endpoint.md
 create mode 100644 products/terraform/docs/swfw/aws/vmseries/modules/vpn.md
diff --git a/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md b/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
index 6ff278cd7..4cf207dba 100644
--- a/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
+++ b/products/terraform/docs/swfw/aws/vmseries/examples/panorama_standalone.md
@@ -76,13 +76,13 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -100,8 +100,10 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
 | [aws_iam_instance_profile.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_instance_profile) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
 | [aws_iam_role_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -112,7 +114,7 @@ Use a web browser to access https://x.x.x.x and login with admin and your previo
 | <a name="input_panoramas"></a> [panoramas](#input\_panoramas) | A map defining Panorama instances<br /><br />Following properties are available:<br />- `instances`: map of Panorama instances with attributes:<br />  - `az`: name of the Availability Zone<br />  - `private_ip_address`: private IP address for management interface<br />- `panos_version`: PAN-OS version used for Panorama<br />- `network`: definition of network settings in object with attributes:<br />  - `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br />  - `vpc_subnet`: key of the VPC and subnet connected by '-' character<br />  - `security_group`: security group assigned to ENI used by Panorama<br />  - `create_public_ip`: true, if public IP address for management should be created<br />- `ebs`: EBS settings defined in object with attributes:<br />  - `volumes`: list of EBS volumes attached to each instance<br />  - `kms_key_alias`: KMS key alias used for encrypting Panorama EBS<br />- `iam`: IAM settings in object with attrbiutes:<br />  - `create_role`: enable creation of IAM role<br />  - `role_name`: name of the role to create or use existing one<br />- `enable_imdsv2`: whether to enable IMDSv2 on the EC2 instance<br /><br />Example:<pre>{<br />  panorama\_ha\_pair = {<br />    instances = {<br />      "primary" = {<br />        az                 = "eu-central-1a"<br />        private\_ip\_address = "10.255.0.4"<br />      }<br />      "secondary" = {<br />        az                 = "eu-central-1b"<br />        private\_ip\_address = "10.255.1.4"<br />      }<br />    }<br /><br />    panos\_version = "10.2.3"<br /><br />    network = {<br />      vpc              = "management\_vpc"<br />      vpc\_subnet       = "management\_vpc-mgmt"<br />      security\_group   = "panorama\_mgmt"<br />      create\_public\_ip = true<br />    }<br /><br />    ebs = {<br />      volumes = [<br />        {<br />          name            = "ebs-1"<br />          ebs\_device\_name = "/dev/sdb"<br />          ebs\_size        = "2000"<br />          ebs\_encrypted   = true<br />        },<br />        {<br />          name            = "ebs-2"<br />          ebs\_device\_name = "/dev/sdc"<br />          ebs\_size        = "2000"<br />          ebs\_encrypted   = true<br />        }<br />      ]<br />      kms\_key\_alias = "aws/ebs"<br />    }<br /><br />    iam = {<br />      create\_role = true<br />      role\_name   = "panorama"<br />    }<br /><br />    enable\_imdsv2 = false<br />  }<br />}</pre> | <pre>map(object({<br />    instances = map(object({<br />      az                 = string<br />      private\_ip\_address = string<br />    }))<br /><br />    panos\_version = string<br /><br />    network = object({<br />      vpc              = string<br />      vpc\_subnet       = string<br />      security\_group   = string<br />      create\_public\_ip = bool<br />    })<br /><br />    ebs = object({<br />      volumes = list(object({<br />        name            = string<br />        ebs\_device\_name = string<br />        ebs\_size        = string<br />        ebs\_encrypted   = bool<br />      }))<br />      kms\_key\_alias = string<br />    })<br /><br />    iam = object({<br />      create\_role = bool<br />      role\_name   = string<br />    })<br /><br />    enable\_imdsv2 = bool<br />  }))</pre> | `{}` | no |
 | <a name="input_region"></a> [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes |
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet`: built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `to_cidr`: destination IP range<br />   - `next_hop_key`: must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type`: internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>{<br />  security\_vpc = {<br />    name = "security-vpc"<br />    cidr = "10.100.0.0/16"<br />    security\_groups = {<br />      panorama\_mgmt = {<br />        name = "panorama\_mgmt"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />          https = {<br />            description = "Permit HTTPS"<br />            type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />            cidr\_blocks = ["130.41.247.0/24"]<br />          }<br />          ssh = {<br />            description = "Permit SSH"<br />            type        = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"<br />            cidr\_blocks = ["130.41.247.0/24"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.100.0.0/24"  = { az = "eu-central-1a", set = "mgmt" }<br />      "10.100.64.0/24" = { az = "eu-central-1b", set = "mgmt" }<br />    }<br />    routes = {<br />      mgmt\_default = {<br />        vpc\_subnet    = "security\_vpc-mgmt"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "security\_vpc"<br />        next\_hop\_type = "internet\_gateway"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az  = string<br />      set = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet`: built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `to_cidr`: destination IP range<br />   - `next_hop_key`: must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type`: internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>{<br />  security\_vpc = {<br />    name = "security-vpc"<br />    cidr = "10.100.0.0/16"<br />    security\_groups = {<br />      panorama\_mgmt = {<br />        name = "panorama\_mgmt"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />          https = {<br />            description = "Permit HTTPS"<br />            type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />            cidr\_blocks = ["130.41.247.0/24"]<br />          }<br />          ssh = {<br />            description = "Permit SSH"<br />            type        = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"<br />            cidr\_blocks = ["130.41.247.0/24"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.100.0.0/24"  = { az = "eu-central-1a", set = "mgmt" }<br />      "10.100.64.0/24" = { az = "eu-central-1b", set = "mgmt" }<br />    }<br />    routes = {<br />      mgmt\_default = {<br />        vpc\_subnet    = "security\_vpc-mgmt"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "security\_vpc"<br />        next\_hop\_type = "internet\_gateway"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name            = string<br />    cidr            = string<br />    security\_groups = any<br />    subnets = map(object({<br />      az  = string<br />      set = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/alb.md b/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
index 855221ce6..10f0c826a 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/alb.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks Application Load Balancer Module for AWS
 
 A Terraform module for deploying an Application Load Balancer in AWS cloud. This is always a public Load Balancer with Target Groups of `IP` type. It is intended to be placed just in front of Next Generation Firewalls.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/alb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/alb)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/alb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/alb)
 
 ## Usage
 
@@ -98,13 +98,13 @@ module "public_alb" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -127,6 +127,7 @@ No modules.
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_elb_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 
 ### Inputs
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
index 82dcbe63a..be0681ca9 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/asg.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks Autoscaling Group Module for AWS
 
 A Terraform module for deploying VM-Series in Autoscaling group in AWS cloud. 
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/asg) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/asg)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/asg) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/asg)
 
 ## Usage
 
@@ -34,7 +34,7 @@ For example usage, please refer to the [Examples](https://github.com/PaloAltoNet
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
 | <a name="requirement_archive"></a> [archive](#requirement\_archive) | ~> 2.2 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | 3.2.1 |
 
 ### Providers
@@ -42,7 +42,7 @@ For example usage, please refer to the [Examples](https://github.com/PaloAltoNet
 | Name | Version |
 |------|---------|
 | <a name="provider_archive"></a> [archive](#provider\_archive) | ~> 2.2 |
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 | <a name="provider_null"></a> [null](#provider\_null) | 3.2.1 |
 
 ### Modules
@@ -70,6 +70,7 @@ No modules.
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_kms_alias.ebs_kms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/bootstrap.md b/products/terraform/docs/swfw/aws/vmseries/modules/bootstrap.md
index 1f8b932af..9a2c3b47f 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/bootstrap.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/bootstrap.md
@@ -29,7 +29,7 @@ The bootstrap package may optionally include a PAN-OS software image,
 application and threat signature updates, VM-Series plug-ins, and/or license
 files.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/bootstrap) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/bootstrap)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/bootstrap) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/bootstrap)
 
 ## Directory and file structure
 The root directory of the Terraform plan calling this module should include a
@@ -93,14 +93,14 @@ variables and associated values.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.3.2 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.3.2 |
 
 ### Modules
@@ -125,6 +125,7 @@ No modules.
 | [aws_s3_object.init_cfg](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
 | [random_id.sufix](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_role) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 
 ### Inputs
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/crosszone_failover.md b/products/terraform/docs/swfw/aws/vmseries/modules/crosszone_failover.md
new file mode 100644
index 000000000..15c13a578
--- /dev/null
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/crosszone_failover.md
@@ -0,0 +1,88 @@
+---
+hide_title: true
+id: crosszone_failover
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- aws
+pagination_next: null
+pagination_prev: null
+sidebar_label: Crosszone Failover
+title: Crosszone Failover Module for AWS
+---
+
+# Crosszone Failover Module for AWS
+
+A Terraform module for deploying a Crosszone Failover for VM-Series firewalls.
+
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/crosszone_failover) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/crosszone_failover)
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [aws_api_gateway_deployment.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_deployment) | resource |
+| [aws_api_gateway_integration.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration) | resource |
+| [aws_api_gateway_integration_response.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_integration_response) | resource |
+| [aws_api_gateway_method.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method) | resource |
+| [aws_api_gateway_method_response.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_method_response) | resource |
+| [aws_api_gateway_resource.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_resource) | resource |
+| [aws_api_gateway_rest_api.pan_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/api_gateway_rest_api) | resource |
+| [aws_iam_role.lambda_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy.lambda_exec](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
+| [aws_iam_role_policy_attachment.test_attach](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_lambda_function.rt_failover](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource |
+| [aws_lambda_permission.apigw](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_permission) | resource |
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+| [aws_s3_bucket_public_access_block.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource |
+| [aws_s3_bucket_server_side_encryption_configuration.example](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource |
+| [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
+| [aws_s3_object.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_object) | resource |
+| [aws_vpc_endpoint.api](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_lambda_file_location"></a> [lambda\_file\_location](#input\_lambda\_file\_location) | Name of folder where lambda package is stored in this workspace. | `string` | `"lambda-package"` | no |
+| <a name="input_lambda_file_name"></a> [lambda\_file\_name](#input\_lambda\_file\_name) | File name of lambda package. | `string` | `"crosszone_ha_instance_id.zip"` | no |
+| <a name="input_lambda_s3_bucket"></a> [lambda\_s3\_bucket](#input\_lambda\_s3\_bucket) | Name of bucket with lambda zip package to deploy. | `string` | `""` | no |
+| <a name="input_prefix_name_tag"></a> [prefix\_name\_tag](#input\_prefix\_name\_tag) | Prefix used to build name tags for resources. | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS Region. | `any` | n/a | yes |
+| <a name="input_reserved_concurrent_executions"></a> [reserved\_concurrent\_executions](#input\_reserved\_concurrent\_executions) | Amount of reserved concurrent execussions for lambda function. | `number` | `100` | no |
+| <a name="input_sg_state"></a> [sg\_state](#input\_sg\_state) | Exported state from base infra workspace to make SG names to IDs. | `any` | n/a | yes |
+| <a name="input_subnet_state"></a> [subnet\_state](#input\_subnet\_state) | Exported state from base VPC workspace to map resource names to IDs. | `any` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Map of additional tags to apply to all resources. | `map(any)` | `{}` | no |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | VPC ID. | `any` | n/a | yes |
+
+### Outputs
+
+No outputs.
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
\ No newline at end of file
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
index 65da1bef6..92a19bc34 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb.md
@@ -21,7 +21,7 @@ title: AWS Gateway Load Balancer Module
 This module creates a single Gateway Load Balancer (GWLB). Routes from other VPCs can direct traffic towards the GWLB
 through the use of a separate module `gwlb_endpoint_set`.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/gwlb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/gwlb)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/gwlb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/gwlb)
 
 ## Attaching new targets to the pre-existing GWLB
 
@@ -42,13 +42,13 @@ resource aws_lb_target_group_attachment this {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -65,11 +65,13 @@ No modules.
 | [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service) | resource |
 | [aws_vpc_endpoint_service_allowed_principal.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_service_allowed_principal) | resource |
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_acceptance_required"></a> [acceptance\_required](#input\_acceptance\_required) | Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false | `bool` | `false` | no |
 | <a name="input_allowed_principals"></a> [allowed\_principals](#input\_allowed\_principals) | List of AWS Principal ARNs who are allowed access to the GWLB Endpoint Service. For example `["arn:aws:iam::123456789000:root"]`. | `list(string)` | `[]` | no |
 | <a name="input_deregistration_delay"></a> [deregistration\_delay](#input\_deregistration\_delay) | See the `aws` provider [documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group#deregistration_delay). | `number` | `null` | no |
 | <a name="input_enable_lb_deletion_protection"></a> [enable\_lb\_deletion\_protection](#input\_enable\_lb\_deletion\_protection) | Whether to enable deletion protection on the gateway loadbalancer. | `bool` | `false` | no |
@@ -85,10 +87,11 @@ No modules.
 | <a name="input_healthy_threshold"></a> [healthy\_threshold](#input\_healthy\_threshold) | The number of successful health checks required before an unhealthy target becomes healthy. Minimum 2 and maximum 10. | `number` | `3` | no |
 | <a name="input_lb_tags"></a> [lb\_tags](#input\_lb\_tags) | Map of AWS tags to apply to the created Load Balancer object. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
 | <a name="input_lb_target_group_tags"></a> [lb\_target\_group\_tags](#input\_lb\_target\_group\_tags) | Map of AWS tags to apply to the created GWLB Target Group. These tags are applied after the `global_tags`. | `map(string)` | `{}` | no |
-| <a name="input_name"></a> [name](#input\_name) | Name of the created GWLB and its Target Group. Must be unique per AWS region per AWS account. | `string` | n/a | yes |
+| <a name="input_name"></a> [name](#input\_name) | Name of the created GWLB. Must be unique per AWS region per AWS account. | `string` | n/a | yes |
 | <a name="input_stickiness_type"></a> [stickiness\_type](#input\_stickiness\_type) | If `stickiness_type` is `null`, then attribute `enabled` is set to `false` in stickiness configuration block,<br />value provided in `type` is ignored and by default the Gateway Load Balancer uses 5-tuple to maintain flow stickiness to a specific target appliance.<br />If `stickiness_type` is not `null`, then attribute `enabled` is set to `true` in stickiness configuration block<br />and the stickiness `type` can be then customized by using value:<br />- `source_ip_dest_ip_proto` for 3-tuple (Source IP, Destination IP and Transport Protocol)<br />- `source_ip_dest_ip` for 2-tuple (Source IP and Destination IP)<pre></pre> | `string` | `null` | no |
 | <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of subnets where to create the GWLB. Each map's key is the availability zone name and each map's object has an attribute<br />`id` identifying AWS subnet.<br />Example for users of module `subnet_set`:<pre>subnets = module.subnet\_set.subnets</pre>Example:<pre>subnets = {<br />  "us-east-1a" = { id = "snet-123007" }<br />  "us-east-1b" = { id = "snet-123008" }<br />}</pre> | <pre>map(object({<br />    id = string<br />  }))</pre> | n/a | yes |
 | <a name="input_target_instances"></a> [target\_instances](#input\_target\_instances) | Map of instances to attach to the GWLB Target Group. | <pre>map(object({<br />    id = string<br />  }))</pre> | `{}` | no |
+| <a name="input_tg_name"></a> [tg\_name](#input\_tg\_name) | Name of the created Target Group for GWLB. If not set, then value of variable name is used. | `string` | `null` | no |
 | <a name="input_unhealthy_threshold"></a> [unhealthy\_threshold](#input\_unhealthy\_threshold) | The number of failed health checks required before a healthy target becomes unhealthy. Minimum 2 and maximum 10. | `number` | `3` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | AWS identifier of a VPC containing the Endpoint. | `string` | n/a | yes |
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb_endpoint_set.md b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb_endpoint_set.md
index 41d67dd79..6cdde4f3c 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/gwlb_endpoint_set.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/gwlb_endpoint_set.md
@@ -21,7 +21,7 @@ title: AWS GWLB Endpoint Set
 This module creates a set of [VPC GWLB Endpoints](https://docs.aws.amazon.com/vpc/latest/privatelink/vpce-gateway-load-balancer.html)
 over a range of one or more Availability Zones. All the Endpoints transfer the traffic to the same Gateway Load Balancer (GWLB).
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/gwlb_endpoint_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/gwlb_endpoint_set)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/gwlb_endpoint_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/gwlb_endpoint_set)
 
 ## Reference
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -30,13 +30,13 @@ over a range of one or more Availability Zones. All the Endpoints transfer the t
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/names_generator.md b/products/terraform/docs/swfw/aws/vmseries/modules/names_generator.md
new file mode 100644
index 000000000..20381e204
--- /dev/null
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/names_generator.md
@@ -0,0 +1,213 @@
+---
+hide_title: true
+id: names_generator
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- aws
+pagination_next: null
+pagination_prev: null
+sidebar_label: Names Generator
+title: Palo Alto Networks Flexible Names Generator
+---
+
+# Palo Alto Networks Flexible Names Generator
+
+A Terraform module for flexible names generation for resources created in AWS by VM-Series modules.
+
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/names_generator) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/names_generator)
+
+## Usage
+
+In order to invoke the module to generated flexible names for all resources created by Terraform for VM-Series, you need to defined map e.g. as below for combined design example:
+
+```hcl
+module "generator" {
+  source = "../../modules/names_generator"
+
+  region               = var.region
+  name_prefix          = var.name_prefix
+  name_template        = var.name_templates.name_template
+  template_assignments = var.template_assignments.assigned_template
+  names = {
+    vpc              = { for k, v in var.vpcs : k => v.name }
+    internet_gateway = { for k, v in var.vpcs : k => v.name }
+    vpn_gateway      = { for k, v in var.vpcs : k => v.name }
+    subnet           = { for _, v in local.subnets : "${v.name}${v.az}" => "${v.name}${v.az}" }
+    security_group   = { for _, v in local.security_groups : v.key => v.name }
+    route_table = merge(
+      { for k, v in var.vpcs : k => "igw_${v.name}" },
+      { for _, v in local.subnets : "${v.name}${v.az}" => "${v.name}${v.az}" }
+    )
+    nat_gateway                           = { for _, v in local.nat_gateways : v.key => v.name }
+    transit_gateway                       = { "tgw" : var.tgw.name }
+    transit_gateway_route_table           = { for k, v in var.tgw.route_tables : k => v.name }
+    transit_gateway_attachment            = { for k, v in var.tgw.attachments : k => v.name }
+    gateway_loadbalancer                  = { for k, v in var.gwlbs : k => v.name }
+    gateway_loadbalancer_target_group     = { for k, v in var.gwlbs : k => v.name }
+    gateway_loadbalancer_endpoint         = { for k, v in var.gwlb_endpoints : k => v.name }
+    application_loadbalancer              = { for k, v in var.spoke_albs : k => k }
+    application_loadbalancer_target_group = { for _, v in local.alb_tg : v.key => v.value }
+    network_loadbalancer                  = { for k, v in var.spoke_nlbs : k => k }
+    network_loadbalancer_target_group     = { for _, v in local.nlb_tg : v.key => v.value }
+    vm                                    = { for k, v in var.spoke_vms : k => k }
+    vmseries                              = { for vmseries in local.vmseries_instances : "${vmseries.group}-${vmseries.instance}" => "${vmseries.group}-${vmseries.instance}" }
+    vmseries_network_interface            = { for n in local.vmseries_network_interfaces : "${n.group}-${n.instance}-${n.nic}" => "${n.nic}-${n.instance}" }
+    iam_role = {
+      security : "vmseries"
+      spoke : "spokevm"
+    }
+    iam_instance_profile = {
+      security : "vmseries"
+      spoke : "spokevm"
+    }
+  }
+}
+```
+
+For each kind of resource output from module can be used e.g. as below for VPC:
+
+```hcl
+module "vpc" {
+  source = "../../modules/vpc"
+
+  for_each = var.vpcs
+
+  name = module.generator.names.vpc[each.key]
+  ...
+}
+```
+
+or GWLB and its endpoints:
+
+```hcl
+module "gwlb" {
+  source = "../../../modules/gwlb"
+
+  for_each = var.gwlbs
+
+  name    = module.generator.names.gateway_loadbalancer[each.key]
+  ...
+}
+
+module "gwlbe_endpoint" {
+  source = "../../../modules/gwlb_endpoint_set"
+
+  for_each = var.gwlb_endpoints
+
+  name              = module.generator.names.gateway_loadbalancer_endpoint[each.key]
+  ...
+}
+```
+
+Map of templates needs to be defined in ``terraform.tfvars``:
+
+```hcl
+name_templates = {
+  name_at_the_end = {
+    delimiter = "-"
+    parts = [
+      { prefix = null },
+      { abbreviation = "__default__" },
+      { bu = "cloud" },
+      { env = "tst" },
+      { suffix = "ec1" },
+      { name = "%s" },
+  ] }
+  name_after_abbr = {
+    delimiter = "-"
+    parts = [
+      { prefix = null },
+      { abbreviation = "__default__" },
+      { name = "%s" },
+      { bu = "cloud" },
+      { env = "tst" },
+      { suffix = "ec1" },
+  ] }
+  name_with_az = {
+    delimiter = "-"
+    parts = [
+      { prefix = null },
+      { abbreviation = "__default__" },
+      { name = "%s" },
+      { bu = "cloud" },
+      { env = "tst" },
+      { suffix = "ec1" },
+      { az = "__az_numeric__" }, # __az_literal__, __az_numeric__
+  ] }
+  name_max_32_characters = {
+    delimiter = "-"
+    parts = [
+      { prefix = null },
+      { abbreviation = "__default__" },
+      { name = "%s" },
+      { bu = "cloud" },
+      { env = "tst" },
+  ] }
+}
+```
+
+Besides that for each kind template needs to be assigned (or default template needs to be used):
+
+```hcl
+template_assignments = {
+  default                               = "name_after_abbr"
+  subnet                                = "name_with_az"
+  route_table                           = "name_with_az"
+  nat_gateway                           = "name_at_the_end"
+  vm                                    = "name_at_the_end"
+  vmseries                              = "name_at_the_end"
+  vmseries_network_interface            = "name_at_the_end"
+  application_loadbalancer              = "name_max_32_characters"
+  application_loadbalancer_target_group = "name_max_32_characters"
+  network_loadbalancer                  = "name_max_32_characters"
+  network_loadbalancer_target_group     = "name_max_32_characters"
+  gateway_loadbalancer                  = "name_max_32_characters"
+  gateway_loadbalancer_target_group     = "name_max_32_characters"
+}
+```
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
+
+### Providers
+
+No providers.
+
+### Modules
+
+No modules.
+
+### Resources
+
+No resources.
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_abbreviations"></a> [abbreviations](#input\_abbreviations) | Map of abbreviations used for resources (placed in place of "\_\_default\_\_"). | `map(string)` | <pre>{<br />  "application\_loadbalancer": "alb",<br />  "application\_loadbalancer\_target\_group": "atg",<br />  "gateway\_loadbalancer": "gwlb",<br />  "gateway\_loadbalancer\_endpoint": "gwep",<br />  "gateway\_loadbalancer\_target\_group": "gwtg",<br />  "iam\_instance\_profile": "profile",<br />  "iam\_role": "role",<br />  "internet\_gateway": "igw",<br />  "nat\_gateway": "ngw",<br />  "network\_loadbalancer": "nlb",<br />  "network\_loadbalancer\_target\_group": "ntg",<br />  "route\_table": "rt",<br />  "route\_table\_internet\_gateway": "rt",<br />  "security\_group": "sg",<br />  "subnet": "snet",<br />  "transit\_gateway": "tgw",<br />  "transit\_gateway\_attachment": "att",<br />  "transit\_gateway\_route\_table": "trt",<br />  "vm": "vm",<br />  "vmseries": "vm",<br />  "vmseries\_network\_interface": "nic",<br />  "vpc": "vpc",<br />  "vpn\_gateway": "vgw"<br />}</pre> | no |
+| <a name="input_az_map_literal_to_numeric"></a> [az\_map\_literal\_to\_numeric](#input\_az\_map\_literal\_to\_numeric) | Map of number used instead of letters for AZs (placed in place of "\_\_az\_numeric\_\_"). | `map(string)` | <pre>{<br />  "a": 1,<br />  "b": 2,<br />  "c": 3,<br />  "d": 4,<br />  "e": 5,<br />  "f": 6,<br />  "g": 7,<br />  "h": 8,<br />  "i": 9<br />}</pre> | no |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | Prefix used in names for the resources | `string` | n/a | yes |
+| <a name="input_name_templates"></a> [name\_templates](#input\_name\_templates) | Map of templates used to generate names. Each template is defined by list of objects. Each object contains 1 element defined by key and string value.<br /><br />Important:<br />0. Delimiter specifies the delimiter used between all components of the new name.<br />1. Elements with key `prefix` (value is not important) will be replaced with value of the `name_prefix` variable (e.g. `{ prefix = null }`)<br />2. `%s` will be eventually replaced by resource name<br />3. `__default__` is a marker that we will be replaced with a default resource abbreviation, anything else will be used literally.<br />4. `__az_numeric__` is a marker that will be used to replace the availability zone letter indicator with a number (e.g. a->1, b->2, ...)<br />5. `__az_literal__` is a marker that will be used to replace the full availability zone name with a letter (e.g. `eu-central-1a` will become `a`)<br />6. Order matters<br /><br />Example:<br /><br />name\_template = {<br />  name\_at\_the\_end = {<br />    delimiter = "-"<br />    parts = [<br />      { prefix = null },<br />      { abbreviation = "\_\_default\_\_" },<br />      { bu = "cloud" },<br />      { env = "tst" },<br />      { suffix = "ec1" },<br />      { name = "%s" },<br />  ] }<br />  name\_after\_abbr = {<br />    delimiter = "-"<br />    parts = [<br />      { prefix = null },<br />      { abbreviation = "\_\_default\_\_" },<br />      { name = "%s" },<br />      { bu = "cloud" },<br />      { env = "tst" },<br />      { suffix = "ec1" },<br />  ] }<br />  name\_with\_az = {<br />    delimiter = "-"<br />    parts = [<br />      { prefix = null },<br />      { abbreviation = "\_\_default\_\_" },<br />      { name = "%s" },<br />      { bu = "cloud" },<br />      { env = "tst" },<br />      { suffix = "ec1" },<br />      { az = "\_\_az\_numeric\_\_" }, # \_\_az\_literal\_\_, \_\_az\_numeric\_\_<br />  ] }<br />  name\_max\_32\_characters = {<br />    delimiter = "-"<br />    parts = [<br />      { prefix = null },<br />      { abbreviation = "\_\_default\_\_" },<br />      { name = "%s" },<br />      { bu = "cloud" },<br />      { env = "tst" },<br />  ] }<br />} | <pre>map(object({<br />    delimiter = string<br />    parts     = list(map(string))<br />  }))</pre> | `{}` | no |
+| <a name="input_names"></a> [names](#input\_names) | Map of objects defining names used for resources.<br /><br />Example:<br /><br />names = {<br />  vpc                           = { for k, v in var.vpcs : k => v.name }<br />  gateway\_loadbalancer          = { for k, v in var.gwlbs : k => v.name }<br />  gateway\_loadbalancer\_endpoint = { for k, v in var.gwlb\_endpoints : k => v.name }<br />}<br /><br />Please take a look combined\_design example, which contains full map for names. | `map(map(string))` | `{}` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes |
+| <a name="input_template_assignments"></a> [template\_assignments](#input\_template\_assignments) | Map of templates (used to generate names) assigned to each kind of resource.<br /><br />Example:<br /><br />template\_assignments = {<br />  default                               = "name\_after\_abbr"<br />  subnet                                = "name\_with\_az"<br />  route\_table                           = "name\_with\_az"<br />  nat\_gateway                           = "name\_at\_the\_end"<br />  vm                                    = "name\_at\_the\_end"<br />  vmseries                              = "name\_at\_the\_end"<br />  vmseries\_network\_interface            = "name\_at\_the\_end"<br />  application\_loadbalancer              = "name\_max\_32\_characters"<br />  application\_loadbalancer\_target\_group = "name\_max\_32\_characters"<br />  network\_loadbalancer                  = "name\_max\_32\_characters"<br />  network\_loadbalancer\_target\_group     = "name\_max\_32\_characters"<br />  gateway\_loadbalancer                  = "name\_max\_32\_characters"<br />  gateway\_loadbalancer\_target\_group     = "name\_max\_32\_characters"<br />} | `map(string)` | `{}` | no |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_names"></a> [names](#output\_names) | Map of generated names for each kind of resources.<br /><br />Example:<br /><br />names = {<br />    vpc                           = {<br />        app1\_vpc     = "example-vpc-app1-cloud-tst-ec1"<br />        app2\_vpc     = "example-vpc-app2-cloud-tst-ec1"<br />        security\_vpc = "example-vpc-security-cloud-tst-ec1"<br />    }<br />    gateway\_loadbalancer          = {<br />        security\_gwlb = "example-gwlb-security-cloud-tst"<br />    }<br />    gateway\_loadbalancer\_endpoint = {<br />        app1\_inbound           = "example-gwep-app1-cloud-tst-ec1"<br />        app2\_inbound           = "example-gwep-app2-cloud-tst-ec1"<br />        security\_gwlb\_eastwest = "example-gwep-eastwest-cloud-tst-ec1"<br />        security\_gwlb\_outbound = "example-gwep-outbound-cloud-tst-ec1"<br />    }<br />} |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
\ No newline at end of file
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/nat_gateway_set.md b/products/terraform/docs/swfw/aws/vmseries/modules/nat_gateway_set.md
index e2300dc5e..40aa2abbb 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/nat_gateway_set.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/nat_gateway_set.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks NAT Gateway Set Module for AWS
 
 A Terraform module for deploying a NAT Gateway set in AWS cloud. The "set" means that the module will create an identical/similar NAT Gateway in each specified Availability Zone.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/nat_gateway_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/nat_gateway_set)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/nat_gateway_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/nat_gateway_set)
 
 ## Usage
 
@@ -61,13 +61,13 @@ module "nat_gateway_set" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -88,6 +88,7 @@ No modules.
 |------|-------------|------|---------|:--------:|
 | <a name="input_create_eip"></a> [create\_eip](#input\_create\_eip) | If false, does not create a new Elastic IP, but instead reads a pre-existing one. This input is ignored if `create_nat_gateway` is false. | `bool` | `true` | no |
 | <a name="input_create_nat_gateway"></a> [create\_nat\_gateway](#input\_create\_nat\_gateway) | If false, does not create a new NAT Gateway, but instead reads a pre-existing one. | `bool` | `true` | no |
+| <a name="input_eip_domain"></a> [eip\_domain](#input\_eip\_domain) | Indicates if this EIP is for use in VPC | `string` | `"vpc"` | no |
 | <a name="input_eip_tags"></a> [eip\_tags](#input\_eip\_tags) | n/a | `map(string)` | `{}` | no |
 | <a name="input_eips"></a> [eips](#input\_eips) | Optional map of Elastic IP attributes. Each key is an Availability Zone name, for example "us-east-1b". Each entry has optional attributes `name`, `public_ip`, `id`.<br />These are mainly useful to select a pre-existing Elastic IP when create\_eip is false. Example:<pre>eips = {<br />    "us-east-1a" = { id = aws\_eip.a.id }<br />    "us-east-1b" = { id = aws\_eip.b.id }<br />}</pre>The `name` attribute can be used both for selecting the pre-existing Elastic IP, or for customizing a newly created Elastic IP:<pre>eips = {<br />    "us-east-1a" = { name = "Alice" }<br />    "us-east-1b" = { name = "Bob" }<br />}</pre> | `map` | `{}` | no |
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | n/a | `map(string)` | `{}` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md b/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
index 75ba2ddc5..63b29e623 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/nlb.md
@@ -20,11 +20,11 @@ title: Palo Alto Networks Network Load Balancer Module for AWS
 
 A Terraform module for deploying a Network Load Balancer in AWS cloud. This can be used both as a public facing Load Balancer (to balance incoming traffic to Firewalls) or as an internal Load Balancer (to balance traffic from Firewalls to the actual application.)
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/nlb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/nlb)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/nlb) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/nlb)
 
 ## Usage
 
-For example usage please refer to the [tgw_inbound_with_alb_nlb](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/tgw_inbound_with_alb_nlb) example.
+For example usage please refer to the [*Centralized Design*](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/centralized_design), [*Combined Design*](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/combined_design/) or [*Isolated Design*](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/isolated_design/) examples.
 
 ## Reference
 <!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
@@ -33,13 +33,13 @@ For example usage please refer to the [tgw_inbound_with_alb_nlb](https://registr
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -62,6 +62,7 @@ No modules.
 | [aws_s3_bucket_versioning.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_versioning) | resource |
 | [aws_elb_service_account.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/elb_service_account) | data source |
 | [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 | [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 
 ### Inputs
@@ -71,7 +72,7 @@ No modules.
 | <a name="input_access_logs_byob"></a> [access\_logs\_byob](#input\_access\_logs\_byob) | Bring Your Own Bucket - in case you would like to re-use an existing S3 Bucket for Load Balancer's access logs.<br /><br />NOTICE.<br />This code does not set up proper `Bucket Policies` for existing buckets. They have to be already in place. | `bool` | `false` | no |
 | <a name="input_access_logs_s3_bucket_name"></a> [access\_logs\_s3\_bucket\_name](#input\_access\_logs\_s3\_bucket\_name) | Name of an S3 Bucket that will be used as storage for Load Balancer's access logs.<br /><br />When used with `configure_access_logs` it becomes the name of a newly created S3 Bucket.<br />When used with `access_logs_byob` it is a name of an existing bucket. | `string` | `"pantf-alb-access-logs-bucket"` | no |
 | <a name="input_access_logs_s3_bucket_prefix"></a> [access\_logs\_s3\_bucket\_prefix](#input\_access\_logs\_s3\_bucket\_prefix) | A path to a location inside a bucket under which access logs will be stored. When omitted defaults to the root folder of a bucket. | `string` | `null` | no |
-| <a name="input_balance_rules"></a> [balance\_rules](#input\_balance\_rules) | An object that contains the listener, target group, and health check configuration.<br />It consist of maps of applications like follows:<pre>balance\_rules = {<br />  "application\_name" = {<br />    protocol            = "communication protocol, since this is a NLB module accepted values are TCP or TLS"<br />    port                = "communication port"<br />    target\_type         = "type of the target that will be attached to a target group, no defaults here, has to be provided explicitly (regardless the defaults terraform could accept)"<br />    target\_port         = "for target types supporting port values, the port number on which the target accepts communication, defaults to the communication port value"<br />    targets             = "a map of targets, where key is the target name (used to create a name for the target attachment), value is the target ID (IP, resource ID, etc - the actual value depends on the target type)"<br /><br />    health\_check\_port   = "port used by the target group healthcheck, if ommited, `traffic-port` will be used"<br />    threshold           = "number of consecutive health checks before considering target healthy or unhealthy, defaults to 3"<br />    interval            = "time between each health check, between 5 and 300 seconds, defaults to 30s"<br /><br />    certificate\_arn     = "(TLS ONLY) this is the arn of a certificate"<br />    alpn\_policy         = "(TLS ONLY) ALPN policy name, for possible values check (terraform documentation)[https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb\_listener#alpn\_policy], defaults to `None`"<br />  }<br />}</pre>The `application_name` key is valid only for letters, numbers and a dash (`-`) - that's an AWS limitation.<br /><br /><hr /><br />`protocol` and `port` are used for `listener`, `target group` and `target group attachment`. Partially also for health checks (see below).<br /><br /><hr /><br />All listeners are always of forward action.<br /><br /><hr /><br />If you add FWs as targets, make sure you use `target_type = "ip"` and you provide the correct FW IPs in `target` map. IPs should be from the subnet set that the Load Balancer was created in. An example on how to feed this variable with data:<pre>fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }</pre>For format of `var.vmseries` check the (`vmseries` module)[../vmseries/README.md]. The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:<pre>{<br />  vm01 = "1.1.1.1"<br />  vm02 = "2.2.2.2"<br />  ...<br />}</pre><hr /><br />Healthchecks are by default of type TCP. Reason for that is the fact, that HTTP requests might flow through the FW to the actual application. So instead of checking the status of the FW we might check the status of the application.<br /><br />You have an option to specify a health check port. This way you can set up a Management Profile with an Administrative Management Service limited only to NLBs private IPs and use a port for that service as the health check port. This way you make sure you separate the actual health check from the application rule's port.<br /><br /><hr /><br />EXAMPLE<pre>balance\_rules = {<br />  "HTTPS-APP" = {<br />    protocol          = "TCP"<br />    port              = "443"<br />    health\_check\_port = "80"<br />    threshold         = 2<br />    interval          = 10<br />    target\_port       = 8443<br />    target\_type       = "ip"<br />    targets           = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }<br />    stickiness        = true<br />  }<br />}</pre> | `any` | n/a | yes |
+| <a name="input_balance_rules"></a> [balance\_rules](#input\_balance\_rules) | An object that contains the listener, target group, and health check configuration.<br />It consist of maps of applications like follows:<pre>balance\_rules = {<br />  "application\_name" = {<br />    protocol            = "communication protocol, since this is a NLB module accepted values are TCP or TLS"<br />    port                = "communication port"<br />    target\_type         = "type of the target that will be attached to a target group, no defaults here, has to be provided explicitly (regardless the defaults terraform could accept)"<br />    target\_port         = "for target types supporting port values, the port number on which the target accepts communication, defaults to the communication port value"<br />    targets             = "a map of targets, where key is the target name (used to create a name for the target attachment), value is the target ID (IP, resource ID, etc - the actual value depends on the target type)"<br />    target\_az           = "This parameter is not supported if the target type of the target group is instance or alb. If the target type is ip and the IP address is outside the VPC, this parameter is required."<br />    health\_check\_port   = "port used by the target group healthcheck, if ommited, `traffic-port` will be used"<br />    threshold           = "number of consecutive health checks before considering target healthy or unhealthy, defaults to 3"<br />    interval            = "time between each health check, between 5 and 300 seconds, defaults to 30s"<br /><br />    certificate\_arn     = "(TLS ONLY) this is the arn of a certificate"<br />    alpn\_policy         = "(TLS ONLY) ALPN policy name, for possible values check (terraform documentation)[https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb\_listener#alpn\_policy], defaults to `None`"<br />  }<br />}</pre>The `application_name` key is valid only for letters, numbers and a dash (`-`) - that's an AWS limitation.<br /><br /><hr /><br />`protocol` and `port` are used for `listener`, `target group` and `target group attachment`. Partially also for health checks (see below).<br /><br /><hr /><br />All listeners are always of forward action.<br /><br /><hr /><br />If you add FWs as targets, make sure you use `target_type = "ip"` and you provide the correct FW IPs in `target` map. IPs should be from the subnet set that the Load Balancer was created in. An example on how to feed this variable with data:<pre>fw\_instance\_ips = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }</pre>For format of `var.vmseries` check the (`vmseries` module)[../vmseries/README.md]. The key is the VM name. By using those keys, we can loop through all vmseries modules and take the private IP from the interface that is assigned to the subnet we require. The subnet can be identified by the subnet set name (like above). In other words, the `for` loop returns the following map:<pre>{<br />  vm01 = "1.1.1.1"<br />  vm02 = "2.2.2.2"<br />  ...<br />}</pre><hr /><br />Healthchecks are by default of type TCP. Reason for that is the fact, that HTTP requests might flow through the FW to the actual application. So instead of checking the status of the FW we might check the status of the application.<br /><br />You have an option to specify a health check port. This way you can set up a Management Profile with an Administrative Management Service limited only to NLBs private IPs and use a port for that service as the health check port. This way you make sure you separate the actual health check from the application rule's port.<br /><br /><hr /><br />EXAMPLE<pre>balance\_rules = {<br />  "HTTPS-APP" = {<br />    protocol          = "TCP"<br />    port              = "443"<br />    health\_check\_port = "80"<br />    threshold         = 2<br />    interval          = 10<br />    target\_port       = 8443<br />    target\_type       = "ip"<br />    targets           = { for k, v in var.vmseries : k => module.vmseries[k].interfaces["untrust"].private\_ip }<br />    target\_az         = "all"<br />    stickiness        = true<br />  }<br />}</pre> | `any` | n/a | yes |
 | <a name="input_configure_access_logs"></a> [configure\_access\_logs](#input\_configure\_access\_logs) | Configure Load Balancer to store access logs in an S3 Bucket.<br /><br />When used with `access_logs_byob` set to `false` forces creation of a new bucket.<br />If, however, `access_logs_byob` is set to `true` an existing bucket can be used.<br /><br />The name of the newly created or existing bucket is controlled via `access_logs_s3_bucket_name`. | `bool` | `false` | no |
 | <a name="input_create_dedicated_eips"></a> [create\_dedicated\_eips](#input\_create\_dedicated\_eips) | If set to `true`, a set of EIPs will be created for each zone/subnet. Otherwise AWS will handle IP management. | `bool` | `false` | no |
 | <a name="input_enable_cross_zone_load_balancing"></a> [enable\_cross\_zone\_load\_balancing](#input\_enable\_cross\_zone\_load\_balancing) | Enable load balancing between instances in different AZs. Defaults to `true`.<br />Change to `false` only if absolutely necessary. By default, there is only one FW in each AZ.<br />Turning this off means 1:1 correlation between a public IP assigned to an AZ and a FW deployed in that AZ. | `bool` | `true` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
index da9c7266d..f6d49d4e3 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/panorama.md
@@ -22,7 +22,7 @@ A Terraform module for deploying Panorama in AWS cloud.
 
 Panorama deployed on AWS is Bring Your Own License (BYOL), supports all deployment modes (Panorama, Log Collector, and Management Only), and shares the same processes and functionality as the M-Series hardware appliances. For more information on Panorama modes, see [Panorama Models](https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/panorama-models).
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/panorama) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/panorama)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/panorama) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/panorama)
 
 ## Usage
 
@@ -35,13 +35,13 @@ For usage, check the "examples" folder in the root of the repository.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -68,6 +68,7 @@ No modules.
 | <a name="input_ebs_encrypted"></a> [ebs\_encrypted](#input\_ebs\_encrypted) | Whether to enable EBS encryption on root volume. | `bool` | `true` | no |
 | <a name="input_ebs_kms_key_alias"></a> [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption.<br />If this is set to `null` the default master key that protects EBS volumes will be used | `string` | `null` | no |
 | <a name="input_ebs_volumes"></a> [ebs\_volumes](#input\_ebs\_volumes) | List of EBS volumes to create and attach to Panorama.<br />Available options:<br />- `name`              (Optional) Name tag for the EBS volume. If not provided defaults to the value of `var.name`.<br />- `ebs_device_name`   (Required) The EBS device name to expose to the instance (for example, /dev/sdh or xvdh). <br />See [Device Naming on Linux Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.html#available-ec2-device-names) for more information.<br />- `ebs_size`          (Optional) The size of the EBS volume in GiBs. Defaults to 2000 GiB.<br />- `force_detach`      (Optional) Set to true if you want to force the volume to detach. Useful if previous attempts failed, but use this option only as a last resort, as this can result in data loss.<br />- `skip_destroy`      (Optional) Set this to true if you do not wish to detach the volume from the instance to which it is attached at destroy time, and instead just remove the attachment from Terraform state. <br />This is useful when destroying an instance attached to third-party volumes.<br /><br />Note: Terraform must be running with credentials which have the `GenerateDataKeyWithoutPlaintext` permission on the specified KMS key <br />as required by the [EBS KMS CMK volume provisioning process](https://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html#ebs-cmk) to prevent a volume from being created and almost immediately deleted.<br />If null, the default EBS encryption KMS key in the current region is used.<br /><br />Example:<pre>ebs\_volumes = [<br />  {<br />    name              = "ebs-1"<br />    ebs\_device\_name   = "/dev/sdb"<br />    ebs\_size          = "2000"<br />  },<br />  {<br />    name              = "ebs-2"<br />    ebs\_device\_name   = "/dev/sdb"<br />    ebs\_size          = "2000"<br />  },<br />  {<br />    name              = "ebs-3"<br />    ebs\_device\_name   = "/dev/sdb"<br />    ebs\_size          = "2000"<br />  },<br />]</pre> | `list(any)` | `[]` | no |
+| <a name="input_eip_domain"></a> [eip\_domain](#input\_eip\_domain) | Indicates if this EIP is for use in VPC | `string` | `"vpc"` | no |
 | <a name="input_enable_imdsv2"></a> [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.<br />Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires PAN-OS version 10.2.0 at minimum. | `string` | `false` | no |
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | A map of tags to assign to the resources.<br />If configured with a provider `default_tags` configuration block present, tags with matching keys will overwrite those defined at the provider-level." | `map(any)` | `{}` | no |
 | <a name="input_instance_type"></a> [instance\_type](#input\_instance\_type) | EC2 instance type for Panorama. Default set to Palo Alto Networks recommended instance type. | `string` | `"c5.4xlarge"` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/subnet_set.md b/products/terraform/docs/swfw/aws/vmseries/modules/subnet_set.md
index 1943e0530..3704bc079 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/subnet_set.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/subnet_set.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks Subnet-Set Module for AWS
 
 A Terraform module for deploying a subnet-set in AWS cloud. The "set" means that the module will create an identical/similar subnet in each specified Availability Zone.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/subnet_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/subnet_set)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/subnet_set) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/subnet_set)
 
 ## Usage
 
@@ -55,13 +55,13 @@ module "subnet_sets" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -88,7 +88,7 @@ No modules.
 | <a name="input_global_tags"></a> [global\_tags](#input\_global\_tags) | Optional map of arbitrary tags to apply to all the created resources. | `map(string)` | `{}` | no |
 | <a name="input_has_secondary_cidrs"></a> [has\_secondary\_cidrs](#input\_has\_secondary\_cidrs) | The input that depends on the secondary CIDR ranges of the VPC `vpc_id`. The actual value (true or false) is ignored, the input is used only to delay subnet creation until the secondary CIDR ranges are processed by Terraform. | `bool` | `true` | no |
 | <a name="input_map_public_ip_on_launch"></a> [map\_public\_ip\_on\_launch](#input\_map\_public\_ip\_on\_launch) | See the [provider's documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/subnet#map_public_ip_on_launch). | `bool` | `null` | no |
-| <a name="input_nacl_associations"></a> [nacl\_associations](#input\_nacl\_associations) | NACLs associations with subnets | `map(string)` | `null` | no |
+| <a name="input_nacl_associations"></a> [nacl\_associations](#input\_nacl\_associations) | NACLs associations with subnets | `map(string)` | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | Subnet set name, used to construct default subnet names. | `string` | `null` | no |
 | <a name="input_propagating_vgws"></a> [propagating\_vgws](#input\_propagating\_vgws) | See the [provider's documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route_table). | `list(string)` | `[]` | no |
 | <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | Id of the VPC to create resource in. | `string` | n/a | yes |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway.md b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway.md
index ef67d8a3a..7305af387 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway.md
@@ -23,7 +23,7 @@ tables explicitly through respective input variables.
 
 >A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/transit_gateway) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/transit_gateway)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/transit_gateway) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/transit_gateway)
 
 ## Usage
 
@@ -36,13 +36,13 @@ For example usage, please refer to the [Examples](https://github.com/PaloAltoNet
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_attachment.md b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_attachment.md
index 8a502fa6d..43a26297c 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_attachment.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_attachment.md
@@ -22,7 +22,7 @@ A Terraform module for deploying AWS Transit Gateways Attachments.
 
 >AWS provides a network transit hub called a Transit Gateway. One or more VPCs can connect to a Transit Gateway through a Transit Gateway (TGW) Attachment.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/transit_gateway_attachment) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/transit_gateway_attachment)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/transit_gateway_attachment) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/transit_gateway_attachment)
 
 ## Usage
 
@@ -35,13 +35,13 @@ For example usage, please refer to the [Examples](https://github.com/PaloAltoNet
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_peering.md b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_peering.md
index eb8804cc3..cf312b3ce 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_peering.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/transit_gateway_peering.md
@@ -18,7 +18,7 @@ title: AWS Transit Gateway Peering
 
 # AWS Transit Gateway Peering
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/transit_gateway_peering) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/transit_gateway_peering)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/transit_gateway_peering) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/transit_gateway_peering)
 
 ## Usage
 
@@ -60,14 +60,14 @@ The static routes are currently not handled by this module.
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
-| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
+| <a name="provider_aws.remote"></a> [aws.remote](#provider\_aws.remote) | ~> 5.17 |
 
 ### Modules
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
index 41e78bca0..c4f6cd3f6 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vmseries.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks VM-Series Module for AWS
 
 A Terraform module for deploying a VM-Series firewall in AWS cloud.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/vmseries) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/vmseries)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/vmseries) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/vmseries)
 
 ## Usage
 
@@ -37,13 +37,13 @@ The changes in user data bootstrap entries will not affect the existing VM-Serie
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -69,6 +69,7 @@ No modules.
 | <a name="input_bootstrap_options"></a> [bootstrap\_options](#input\_bootstrap\_options) | VM-Series bootstrap options to provide using instance user data. Contents determine type of bootstap method to use.<br />If empty (the default), bootstrap process is not triggered at all.<br />For more information on available methods, please refer to VM-Series documentation for specific version.<br />For 10.0 docs are available [here](https://docs.paloaltonetworks.com/vm-series/10-0/vm-series-deployment/bootstrap-the-vm-series-firewall.html). | `string` | `""` | no |
 | <a name="input_ebs_encrypted"></a> [ebs\_encrypted](#input\_ebs\_encrypted) | Whether to enable EBS encryption on volumes. | `bool` | `true` | no |
 | <a name="input_ebs_kms_key_alias"></a> [ebs\_kms\_key\_alias](#input\_ebs\_kms\_key\_alias) | The alias for the customer managed KMS key to use for volume encryption. Should be prepended with the word "alias" followed by a forward slash (alias/example-key-alias).<br />If `null` (the default), the default master key that protects EBS volumes will be used. | `string` | `null` | no |
+| <a name="input_eip_domain"></a> [eip\_domain](#input\_eip\_domain) | Indicates if this EIP is for use in VPC | `string` | `"vpc"` | no |
 | <a name="input_enable_imdsv2"></a> [enable\_imdsv2](#input\_enable\_imdsv2) | Whether to enable IMDSv2 on the EC2 instance.<br />Support for this feature has been added in VM-Series Plugin [3.0.0](https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/vm-series-plugin/vm-series-plugin-30/vm-series-plugin-300#id126d0957-95d7-4b29-9147-fff20027986e), which in turn requires VM-Series version 10.2.0 at minimum. | `string` | `false` | no |
 | <a name="input_enable_instance_termination_protection"></a> [enable\_instance\_termination\_protection](#input\_enable\_instance\_termination\_protection) | Whether to enable termination protection on the EC2 instance. | `bool` | `false` | no |
 | <a name="input_iam_instance_profile"></a> [iam\_instance\_profile](#input\_iam\_instance\_profile) | IAM instance profile. | `string` | `null` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md b/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
index 414363251..e3d861d03 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vpc.md
@@ -25,7 +25,7 @@ module is that it does not create multiple resources based on Terraform `count`
 [easier removal](https://github.com/PaloAltoNetworks/terraform-best-practices#22-looping) of any single subnet,
 without the need to briefly destroy and re-create any other subnet.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/vpc) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/vpc)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/vpc) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/vpc)
 
 ## Usage
 
@@ -50,13 +50,13 @@ module "vpc" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -100,9 +100,13 @@ No modules.
 | <a name="input_instance_tenancy"></a> [instance\_tenancy](#input\_instance\_tenancy) | VPC level [instance tenancy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc#instance_tenancy). | `string` | `null` | no |
 | <a name="input_nacls"></a> [nacls](#input\_nacls) | The `nacls` variable is a map of maps, where each map represents an AWS NACL.<br /><br />  Example:<pre>nacls = {<br />    trusted\_path\_monitoring = {<br />      name = "trusted-path-monitoring"<br />      rules = {<br />        block\_outbound\_icmp = {<br />          rule\_number = 110<br />          egress      = true<br />          protocol    = "icmp"<br />          rule\_action = "deny"<br />          cidr\_block  = "10.100.1.0/24"<br />          from\_port   = null<br />          to\_port     = null<br />        }<br />        allow\_inbound = {<br />          rule\_number = 300<br />          egress      = false<br />          protocol    = "-1"<br />          rule\_action = "allow"<br />          cidr\_block  = "0.0.0.0/0"<br />          from\_port   = null<br />          to\_port     = null<br />        }<br />      }<br />    }<br />  }</pre> | `any` | `{}` | no |
 | <a name="input_name"></a> [name](#input\_name) | Name of the VPC to create or use. | `string` | n/a | yes |
+| <a name="input_name_internet_gateway"></a> [name\_internet\_gateway](#input\_name\_internet\_gateway) | Name of the IGW to create or use. | `string` | `null` | no |
+| <a name="input_name_vpn_gateway"></a> [name\_vpn\_gateway](#input\_name\_vpn\_gateway) | Name of the VPN gateway to create. | `string` | `null` | no |
 | <a name="input_ntp_servers"></a> [ntp\_servers](#input\_ntp\_servers) | Specify a list of NTP server addresses for DHCP options set, default to AWS provided | `list(string)` | `[]` | no |
+| <a name="input_route_table_internet_gateway"></a> [route\_table\_internet\_gateway](#input\_route\_table\_internet\_gateway) | Name of route table for the IGW. | `string` | `null` | no |
+| <a name="input_route_table_vpn_gateway"></a> [route\_table\_vpn\_gateway](#input\_route\_table\_vpn\_gateway) | Name of the route table for VPN gateway. | `string` | `null` | no |
 | <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | Secondary CIDR block to assign to a new VPC. | `list(string)` | `[]` | no |
-| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.<br />  The key of each entry acts as the Security Group name.<br />  List of available attributes of each Security Group entry:<br />  - `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and<br />      needs to be unique across all rules in the Security Group.<br />      List of attributes available to define a Security Group rule:<br />      - `description`: Security Group description.<br />      - `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.<br />      - `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress<br />      Determines the traffic that can leave your instance, and where it can go.<br />      - `prefix_list_ids`: List of Prefix List IDs<br /><br /><br />  Example:<pre>security\_groups = {<br />    vmseries-mgmt = {<br />      name = "vmseries-mgmt"<br />      rules = {<br />        all-outbound = {<br />          description = "Permit All traffic outbound"<br />          type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />          cidr\_blocks = ["0.0.0.0/0"]<br />        }<br />        https-inbound-private = {<br />          description = "Permit HTTPS for VM-Series Management"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          cidr\_blocks = ["10.0.0.0/8"]<br />        }<br />        https-inbound-eip = {<br />          description = "Permit HTTPS for VM-Series Management from known public IPs"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          cidr\_blocks = ["100.100.100.100/32"]<br />        }<br />        ssh-inbound-eip = {<br />          description = "Permit SSH for VM-Series Management from known public IPs"<br />          type        = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"<br />          cidr\_blocks = ["100.100.100.100/32"]<br />        }<br />        https-inbound-prefix-list = {<br />          description = "Permit HTTPS for VM-Series Management for IPs in managed prefix list"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          prefix\_list\_ids = ["pl-1a2b3c4d5e6f7g8h9i"]<br />        }<br />      }<br />    }<br />  }</pre> | `any` | `{}` | no |
+| <a name="input_security_groups"></a> [security\_groups](#input\_security\_groups) | The `security_groups` variable is a map of maps, where each map represents an AWS Security Group.<br />  The key of each entry acts as the Security Group name.<br />  List of available attributes of each Security Group entry:<br />  - `rules`: A list of objects representing a Security Group rule. The key of each entry acts as the name of the rule and<br />      needs to be unique across all rules in the Security Group.<br />      List of attributes available to define a Security Group rule:<br />      - `description`: Security Group description.<br />      - `type`: Specifies if rule will be evaluated on ingress (inbound) or egress (outbound) traffic.<br />      - `cidr_blocks`: List of CIDR blocks - for ingress, determines the traffic that can reach your instance. For egress<br />      Determines the traffic that can leave your instance, and where it can go.<br />      - `prefix_list_ids`: List of Prefix List IDs<br />      - `self`: security group itself will be added as a source to the rule.  Cannot be specified with cidr\_blocks, or security\_groups.<br />      - `source_security_groups`: list of security group IDs to be used as a source to the rule. Cannot be specified with cidr\_blocks, or self.<br /><br /><br />  Example:<pre>security\_groups = {<br />    vmseries-mgmt = {<br />      name = "vmseries-mgmt"<br />      rules = {<br />        all-outbound = {<br />          description = "Permit All traffic outbound"<br />          type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />          cidr\_blocks = ["0.0.0.0/0"]<br />        }<br />        https-inbound-private = {<br />          description = "Permit HTTPS for VM-Series Management"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          cidr\_blocks = ["10.0.0.0/8"]<br />        }<br />        https-inbound-eip = {<br />          description = "Permit HTTPS for VM-Series Management from known public IPs"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          cidr\_blocks = ["100.100.100.100/32"]<br />        }<br />        ssh-inbound-eip = {<br />          description = "Permit SSH for VM-Series Management from known public IPs"<br />          type        = "ingress", from\_port = "22", to\_port = "22", protocol = "tcp"<br />          cidr\_blocks = ["100.100.100.100/32"]<br />        }<br />        https-inbound-self = {<br />          description = "Permit HTTPS from instances with the same security group"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          self        = true<br />        }<br />        https-inbound-security-groups = {<br />          description = "Permit HTTPS traffic for the resources associated with the specified security group"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          source\_security\_groups = ["sg-1a2b3c4d5e6f7g8h9i"]<br />        }<br />        https-inbound-prefix-list = {<br />          description = "Permit HTTPS for VM-Series Management for IPs in managed prefix list"<br />          type        = "ingress", from\_port = "443", to\_port = "443", protocol = "tcp"<br />          prefix\_list\_ids = ["pl-1a2b3c4d5e6f7g8h9i"]<br />        }<br />      }<br />    }<br />  }</pre> | `any` | `{}` | no |
 | <a name="input_use_internet_gateway"></a> [use\_internet\_gateway](#input\_use\_internet\_gateway) | If an existing VPC is provided and has IG attached, set to `true` to reuse it. | `bool` | `false` | no |
 | <a name="input_vpc_tags"></a> [vpc\_tags](#input\_vpc\_tags) | Optional map of arbitrary tags to apply to VPC resource. | `map` | `{}` | no |
 | <a name="input_vpn_gateway_amazon_side_asn"></a> [vpn\_gateway\_amazon\_side\_asn](#input\_vpn\_gateway\_amazon\_side\_asn) | ASN for the Amazon side of the gateway. | `string` | `null` | no |
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vpc_endpoint.md b/products/terraform/docs/swfw/aws/vmseries/modules/vpc_endpoint.md
new file mode 100644
index 000000000..c3ae00ecd
--- /dev/null
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vpc_endpoint.md
@@ -0,0 +1,77 @@
+---
+hide_title: true
+id: vpc_endpoint
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- aws
+pagination_next: null
+pagination_prev: null
+sidebar_label: VPC Endpoint
+title: VPC Endpoint Module for AWS
+---
+
+# VPC Endpoint Module for AWS
+
+A Terraform module for deploying a VPC Endpoint for VM-Series firewalls.
+
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/vpc_endpoint) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/vpc_endpoint)
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint) | resource |
+| [aws_vpc_endpoint_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_route_table_association) | resource |
+| [aws_vpc_endpoint_subnet_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_endpoint_subnet_association) | resource |
+| [aws_vpc_endpoint.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint) | data source |
+| [aws_vpc_endpoint_service.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_endpoint_service) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_auto_accept"></a> [auto\_accept](#input\_auto\_accept) | If a service connection requires service owner's acceptance, the request will be approved automatically, provided that both parties are members of the same AWS account. | `bool` | `null` | no |
+| <a name="input_create"></a> [create](#input\_create) | If false, does not create a new AWS VPC Endpoint, but instead uses a pre-existing one. The inputs `name`, `service_name`, `simple_service_name`, `tags`, `type`, and `vpc_id` can be used to match the pre-existing endpoint. | `bool` | `true` | no |
+| <a name="input_name"></a> [name](#input\_name) | n/a | `string` | `null` | no |
+| <a name="input_policy"></a> [policy](#input\_policy) | n/a | `string` | `null` | no |
+| <a name="input_private_dns_enabled"></a> [private\_dns\_enabled](#input\_private\_dns\_enabled) | n/a | `bool` | `null` | no |
+| <a name="input_route_table_ids"></a> [route\_table\_ids](#input\_route\_table\_ids) | n/a | `map(string)` | `{}` | no |
+| <a name="input_security_group_ids"></a> [security\_group\_ids](#input\_security\_group\_ids) | n/a | `list(string)` | `[]` | no |
+| <a name="input_service_name"></a> [service\_name](#input\_service\_name) | The exact service name. This input is ignored if `simple_service_name` is defined. Typically "com.amazonaws.REGION.SERVICE", for example: "com.amazonaws.us-west-2.s3" | `string` | `null` | no |
+| <a name="input_simple_service_name"></a> [simple\_service\_name](#input\_simple\_service\_name) | The simplified service name for AWS service, for example: "s3". Uses the service from the current region. If null, the `service_name` input is used instead. | `string` | `null` | no |
+| <a name="input_subnets"></a> [subnets](#input\_subnets) | Map of Subnets where to create the Endpoints. Each map's key is the availability zone name and each map's object has an attribute<br />`id` identifying AWS Subnet. Importantly, the traffic returning from the Endpoint uses the Subnet's route table.<br />The keys of this input map are used for the output map `endpoints`.<br />Example for users of module `subnet_set`:<pre>subnets = module.subnet\_set.subnets</pre>Example:<pre>subnets = {<br />  "us-east-1a" = { id = "snet-123007" }<br />  "us-east-1b" = { id = "snet-123008" }<br />}</pre> | <pre>map(object({<br />    id = string<br />  }))</pre> | `{}` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | n/a | `map(string)` | `{}` | no |
+| <a name="input_type"></a> [type](#input\_type) | The type of the service.<br />The type "Gateway" does not tolerate inputs `subnets`,  `security_group_ids`, and `private_dns_enabled`.<br />The type "Interface" does not tolerate input `route_table_ids`.<br />The type "GatewayLoadBalancer" is similar to "Gateway", but can be deployed with the dedicated module `gwlb_endpoint_set`.<br />If null, "Gateway" is used by default. | `string` | n/a | yes |
+| <a name="input_vpc_id"></a> [vpc\_id](#input\_vpc\_id) | n/a | `string` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | The created `aws_vpc_endpoint` object. Alternatively, the data resource if the input `create` is false. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
\ No newline at end of file
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vpc_route.md b/products/terraform/docs/swfw/aws/vmseries/modules/vpc_route.md
index 31dd549e4..0ce5e19de 100644
--- a/products/terraform/docs/swfw/aws/vmseries/modules/vpc_route.md
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vpc_route.md
@@ -20,7 +20,7 @@ title: Palo Alto Networks VPC Route Module for AWS
 
 A Terraform module for deploying a VPC route in AWS cloud.
 
-[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/examples/vpc_route) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/examples/vpc_route)
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/vpc_route) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/vpc_route)
 
 ## Usage
 
@@ -86,13 +86,13 @@ module "vpc_route" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/modules/vpn.md b/products/terraform/docs/swfw/aws/vmseries/modules/vpn.md
new file mode 100644
index 000000000..49ab6c552
--- /dev/null
+++ b/products/terraform/docs/swfw/aws/vmseries/modules/vpn.md
@@ -0,0 +1,85 @@
+---
+hide_title: true
+id: vpn
+keywords:
+- pan-os
+- panos
+- firewall
+- configuration
+- terraform
+- vmseries
+- vm-series
+- aws
+pagination_next: null
+pagination_prev: null
+sidebar_label: VPN
+title: VPN Module for AWS
+---
+
+# VPN Module for AWS
+
+A Terraform module for deploying a VPN for VM-Series firewalls.
+
+[![GitHub Logo](/img/view_on_github.png)](https://github.com/PaloAltoNetworks/terraform-aws-vmseries-modules/tree/main/modules/vpn) [![Terraform Logo](/img/view_on_terraform_registry.png)](https://registry.terraform.io/modules/PaloAltoNetworks/vmseries-modules/aws/latest/submodules/vpn)
+
+## Reference
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+### Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
+
+### Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
+
+### Modules
+
+No modules.
+
+### Resources
+
+| Name | Type |
+|------|------|
+| [aws_cloudwatch_log_group.tunnel1_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_cloudwatch_log_group.tunnel2_log](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource |
+| [aws_customer_gateway.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/customer_gateway) | resource |
+| [aws_ec2_transit_gateway_route_table_association.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_association) | resource |
+| [aws_ec2_transit_gateway_route_table_propagation.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ec2_transit_gateway_route_table_propagation) | resource |
+| [aws_kms_alias.tunnel1_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_alias.tunnel2_kms_alias](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_alias) | resource |
+| [aws_kms_key.tunnel1_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_kms_key.tunnel2_kms_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource |
+| [aws_vpn_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpn_connection) | resource |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
+| [aws_iam_policy_document.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
+
+### Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_customer_gateway"></a> [customer\_gateway](#input\_customer\_gateway) | Customer gateway defined by attributes:<br />- bgp\_asn - (Required) The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).<br />- certificate\_arn - (Optional) The Amazon Resource Name (ARN) for the customer gateway certificate.<br />- device\_name - (Optional) A name for the customer gateway device.<br />- ip\_address - (Optional) The IPv4 address for the customer gateway device's outside interface.<br />- type - (Required) The type of customer gateway. The only type AWS supports at this time is "ipsec.1".<br />- tags - (Optional) Tags to apply to the gateway. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level. | `any` | n/a | yes |
+| <a name="input_name_prefix"></a> [name\_prefix](#input\_name\_prefix) | A prefix added to all resource names created by this module | `string` | `""` | no |
+| <a name="input_name_suffix"></a> [name\_suffix](#input\_name\_suffix) | A sufix added to all resource names created by this module | `string` | `""` | no |
+| <a name="input_region"></a> [region](#input\_region) | AWS region used to deploy whole infrastructure | `string` | n/a | yes |
+| <a name="input_tags"></a> [tags](#input\_tags) | Optional map of arbitrary tags to apply to all the created resources. | `map(string)` | `{}` | no |
+| <a name="input_transit_gateway_associate_route_table_id"></a> [transit\_gateway\_associate\_route\_table\_id](#input\_transit\_gateway\_associate\_route\_table\_id) | TGW route table ID used to associate VPN attachments created by VPN connections | `string` | n/a | yes |
+| <a name="input_transit_gateway_id"></a> [transit\_gateway\_id](#input\_transit\_gateway\_id) | TGW's ID used by VPN connection | `string` | n/a | yes |
+| <a name="input_transit_gateway_propagate_route_table_id"></a> [transit\_gateway\_propagate\_route\_table\_id](#input\_transit\_gateway\_propagate\_route\_table\_id) | TGW route table ID into which VPN attachment will propagate routes received by BGP | `string` | n/a | yes |
+| <a name="input_vpn_connection"></a> [vpn\_connection](#input\_vpn\_connection) | VPN connection defined by attributes:<br />- customer\_gateway\_id - (Required) The ID of the customer gateway.<br />- type - (Required) The type of VPN connection. The only type AWS supports at this time is "ipsec.1".<br />- transit\_gateway\_id - (Optional) The ID of the EC2 Transit Gateway.<br />- static\_routes\_only - (Optional, Default false) Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.<br />- enable\_acceleration - (Optional, Default false) Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.<br />- tags - (Optional) Tags to apply to the connection. If configured with a provider default\_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.<br />- local\_ipv4\_network\_cidr - (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.<br />- local\_ipv6\_network\_cidr - (Optional, Default ::/0) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.<br />- outside\_ip\_address\_type - (Optional, Default PublicIpv4) Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 \| PrivateIpv4<br />- remote\_ipv4\_network\_cidr - (Optional, Default 0.0.0.0/0) The IPv4 CIDR on the AWS side of the VPN connection.<br />- remote\_ipv6\_network\_cidr - (Optional, Default ::/0) The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.<br />- transport\_transit\_gateway\_attachment\_id - (Required when outside\_ip\_address\_type is set to PrivateIpv4). The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.<br />- tunnel\_inside\_ip\_version - (Optional, Default ipv4) Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 \| ipv6. ipv6 Supports only EC2 Transit Gateway.<br />- tunnel1\_inside\_cidr - (Optional) The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.<br />- tunnel2\_inside\_cidr - (Optional) The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.<br />- tunnel1\_inside\_ipv6\_cidr - (Optional) The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.<br />- tunnel2\_inside\_ipv6\_cidr - (Optional) The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.<br />- tunnel1\_preshared\_key - (Optional) The preshared key of the first VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(\_).<br />- tunnel2\_preshared\_key - (Optional) The preshared key of the second VPN tunnel. The preshared key must be between 8 and 64 characters in length and cannot start with zero(0). Allowed characters are alphanumeric characters, periods(.) and underscores(\_).<br />- tunnel1\_dpd\_timeout\_action - (Optional, Default clear) The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart.<br />- tunnel2\_dpd\_timeout\_action - (Optional, Default clear) The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear \| none \| restart.<br />- tunnel1\_dpd\_timeout\_seconds - (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than 30.<br />- tunnel2\_dpd\_timeout\_seconds - (Optional, Default 30) The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than 30.<br />- tunnel1\_enable\_tunnel\_lifecycle\_control - (Optional, Default false) Turn on or off tunnel endpoint lifecycle control feature for the first VPN tunnel. Valid values are true \| false.<br />- tunnel2\_enable\_tunnel\_lifecycle\_control - (Optional, Default false) Turn on or off tunnel endpoint lifecycle control feature for the second VPN tunnel. Valid values are true \| false.<br />- tunnel1\_ike\_versions - (Optional) The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 \| ikev2.<br />- tunnel2\_ike\_versions - (Optional) The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 \| ikev2.<br />- tunnel1\_log\_options - (Required) Options for logging VPN tunnel activity:<br />  - enabled - (Required) true if logs need to stored in CloudWatch logs<br />  - log\_group - (Required) The name of the log group.<br />  - retention\_in\_days - (Required) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.<br />  - encrypted - (Required) true if logs need to be encrypted<br />- tunnel2\_log\_options - (Required) Options for logging VPN tunnel activity:<br />  - enabled - (Required) Required if logs need to stored in CloudWatch logs<br />  - log\_group - (Required) The name of the log group.<br />  - retention\_in\_days - (Required) Specifies the number of days you want to retain log events in the specified log group. Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.<br />  - encrypted - (Required) true if logs need to be encrypted<br />- tunnel1\_phase1\_dh\_group\_numbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24.<br />- tunnel2\_phase1\_dh\_group\_numbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are 2 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24.<br />- tunnel1\_phase1\_encryption\_algorithms - (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16.<br />- tunnel2\_phase1\_encryption\_algorithms - (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16.<br />- tunnel1\_phase1\_integrity\_algorithms - (Optional) One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512.<br />- tunnel2\_phase1\_integrity\_algorithms - (Optional) One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512.<br />- tunnel1\_phase1\_lifetime\_seconds - (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.<br />- tunnel2\_phase1\_lifetime\_seconds - (Optional, Default 28800) The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.<br />- tunnel1\_phase2\_dh\_group\_numbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24.<br />- tunnel2\_phase2\_dh\_group\_numbers - (Optional) List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 \| 5 \| 14 \| 15 \| 16 \| 17 \| 18 \| 19 \| 20 \| 21 \| 22 \| 23 \| 24.<br />- tunnel1\_phase2\_encryption\_algorithms - (Optional) List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16.<br />- tunnel2\_phase2\_encryption\_algorithms - (Optional) List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 \| AES256 \| AES128-GCM-16 \| AES256-GCM-16.<br />- tunnel1\_phase2\_integrity\_algorithms - (Optional) List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512.<br />- tunnel2\_phase2\_integrity\_algorithms - (Optional) List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 \| SHA2-256 \| SHA2-384 \| SHA2-512.<br />- tunnel1\_phase2\_lifetime\_seconds - (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.<br />- tunnel2\_phase2\_lifetime\_seconds - (Optional, Default 3600) The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.<br />- tunnel1\_rekey\_fuzz\_percentage - (Optional, Default 100) The percentage of the rekey window for the first VPN tunnel (determined by tunnel1\_rekey\_margin\_time\_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.<br />- tunnel2\_rekey\_fuzz\_percentage - (Optional, Default 100) The percentage of the rekey window for the second VPN tunnel (determined by tunnel2\_rekey\_margin\_time\_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.<br />- tunnel1\_rekey\_margin\_time\_seconds - (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1\_rekey\_fuzz\_percentage. Valid value is between 60 and half of tunnel1\_phase2\_lifetime\_seconds.<br />- tunnel2\_rekey\_margin\_time\_seconds - (Optional, Default 540) The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2\_rekey\_fuzz\_percentage. Valid value is between 60 and half of tunnel2\_phase2\_lifetime\_seconds.<br />- tunnel1\_replay\_window\_size - (Optional, Default 1024) The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.<br />- tunnel2\_replay\_window\_size - (Optional, Default 1024) The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.<br />- tunnel1\_startup\_action - (Optional, Default add) The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start.<br />- tunnel2\_startup\_action - (Optional, Default add) The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add \| start. | `any` | n/a | yes |
+| <a name="input_vpn_gateway_id"></a> [vpn\_gateway\_id](#input\_vpn\_gateway\_id) | Virtual Private Gateway's ID used by VPN connection | `string` | n/a | yes |
+
+### Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_customer_gateway"></a> [customer\_gateway](#output\_customer\_gateway) | Object describing created customer gateway |
+| <a name="output_tunnel1"></a> [tunnel1](#output\_tunnel1) | Tunnel 1 details (public IP address, inside IP addresses, BGP ASN) |
+| <a name="output_tunnel2"></a> [tunnel2](#output\_tunnel2) | Tunnel 2 details (public IP address, inside IP addresses, BGP ASN) |
+| <a name="output_vpn_connection"></a> [vpn\_connection](#output\_vpn\_connection) | Object describing created Site-to-Site VPN connection |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
\ No newline at end of file
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design.md
index 213c59932..ddb27294c 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design.md
@@ -70,14 +70,14 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.4.0 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -110,8 +110,10 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -129,7 +131,7 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_tgw"></a> [tgw](#input\_tgw) | A object defining Transit Gateway.<br /><br />Following properties are available:<br />- `create`: set to false, if existing TGW needs to be reused<br />- `id`:  id of existing TGW or null<br />- `name`: name of TGW to create or use<br />- `asn`: ASN number<br />- `route_tables`: map of route tables<br />- `attachments`: map of TGW attachments<br /><br />Example:<pre>tgw = {<br />  create = true<br />  id     = null<br />  name   = "tgw"<br />  asn    = "64512"<br />  route\_tables = {<br />    "from\_security\_vpc" = {<br />      create = true<br />      name   = "from\_security"<br />    }<br />  }<br />  attachments = {<br />    security = {<br />      name                = "vmseries"<br />      vpc\_subnet          = "security\_vpc-tgw\_attach"<br />      route\_table         = "from\_security\_vpc"<br />      propagate\_routes\_to = "from\_spoke\_vpc"<br />    }<br />  }<br />}</pre> | <pre>object({<br />    create = bool<br />    id     = string<br />    name   = string<br />    asn    = string<br />    route\_tables = map(object({<br />      create = bool<br />      name   = string<br />    }))<br />    attachments = map(object({<br />      name                = string<br />      vpc\_subnet          = string<br />      route\_table         = string<br />      propagate\_routes\_to = string<br />    }))<br />  })</pre> | `null` | no |
 | <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map defining VM-Series instances<br /><br />Following properties are available:<br />- `instances`: map of VM-Series instances<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `system_services`: map of system services<br />- `application_lb`: ALB placed in front of the Firewalls' public interfaces<br />- `network_lb`: NLB placed in front of the Firewalls' public interfaces<br /><br />Example:<pre>vmseries = {<br />  vmseries = {<br />    instances = {<br />      "01" = { az = "eu-central-1a" }<br />      "02" = { az = "eu-central-1b" }<br />    }<br /><br />    # Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw\_fw\_license`<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable"<br />      dhcp-send-hostname          = "yes"<br />      dhcp-send-client-id         = "yes"<br />      dhcp-accept-server-hostname = "yes"<br />      dhcp-accept-server-domain   = "yes"<br />    }<br /><br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br /><br />    # Value of `vpc` must match key of objects stored in `vpcs`<br />    vpc = "security\_vpc"<br /><br />    # Value of `gwlb` must match key of objects stored in `gwlbs`<br />    gwlb = "security\_gwlb"<br /><br />    interfaces = {<br />      private = {<br />        device\_index      = 0<br />        security\_group    = "vmseries\_private"<br />        vpc\_subnet        = "security\_vpc-private"<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index      = 1<br />        security\_group    = "vmseries\_mgmt"<br />        vpc\_subnet        = "security\_vpc-mgmt"<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index      = 2<br />        security\_group    = "vmseries\_public"<br />        vpc\_subnet        = "security\_vpc-public"<br />        create\_public\_ip  = true<br />        source\_dest\_check = false<br />      }<br />    }<br /><br />    # Value of `gwlb\_endpoint` must match key of objects stored in `gwlb\_endpoints`<br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br /><br />    system\_services = {<br />      dns\_primary = "4.2.2.2"      # TODO: update here<br />      dns\_secondy = null           # TODO: update here<br />      ntp\_primary = "pool.ntp.org" # TODO: update here<br />      ntp\_secondy = null           # TODO: update here<br />    }<br /><br />    application\_lb = null<br />    network\_lb     = null<br />  }<br />}</pre> | <pre>map(object({<br />    instances = map(object({<br />      az = string<br />    }))<br /><br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      vpc\_subnet        = string<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    system\_services = object({<br />      dns\_primary = string<br />      dns\_secondy = string<br />      ntp\_primary = string<br />      ntp\_secondy = string<br />    })<br /><br />    application\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br /><br />    network\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md
index b893042fc..1a9896bec 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/centralized_design_autoscale.md
@@ -151,14 +151,14 @@ statistic    = "Maximum"
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | ~> 2.4.0 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -190,8 +190,10 @@ statistic    = "Maximum"
 | [aws_iam_role_policy.vm_series_ec2_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -209,7 +211,7 @@ statistic    = "Maximum"
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_tgw"></a> [tgw](#input\_tgw) | A object defining Transit Gateway.<br /><br />Following properties are available:<br />- `create`: set to false, if existing TGW needs to be reused<br />- `id`:  id of existing TGW or null<br />- `name`: name of TGW to create or use<br />- `asn`: ASN number<br />- `route_tables`: map of route tables<br />- `attachments`: map of TGW attachments<br /><br />Example:<pre>tgw = {<br />  create = true<br />  id     = null<br />  name   = "tgw"<br />  asn    = "64512"<br />  route\_tables = {<br />    "from\_security\_vpc" = {<br />      create = true<br />      name   = "from\_security"<br />    }<br />  }<br />  attachments = {<br />    security = {<br />      name                = "vmseries"<br />      vpc\_subnet          = "security\_vpc-tgw\_attach"<br />      route\_table         = "from\_security\_vpc"<br />      propagate\_routes\_to = "from\_spoke\_vpc"<br />    }<br />  }<br />}</pre> | <pre>object({<br />    create = bool<br />    id     = string<br />    name   = string<br />    asn    = string<br />    route\_tables = map(object({<br />      create = bool<br />      name   = string<br />    }))<br />    attachments = map(object({<br />      name                = string<br />      vpc\_subnet          = string<br />      route\_table         = string<br />      propagate\_routes\_to = string<br />    }))<br />  })</pre> | `null` | no |
 | <a name="input_vmseries_asgs"></a> [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.<br /><br />Following properties are available:<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `interfaces`: configuration of network interfaces for VM-Series used by Lamdba while provisioning new VM-Series in autoscaling group<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `asg`: the number of Amazon EC2 instances that should be running in the group (desired, minimum, maximum)<br />- `scaling_plan`: scaling plan with attributes<br />  - `enabled`: `true` if automatic dynamic scaling policy should be created<br />  - `metric_name`: name of the metric used in dynamic scaling policy<br />  - `target_value`: target value for the metric used in dynamic scaling policy<br />  - `statistic`: statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum<br />  - `cloudwatch_namespace`: name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS)<br />  - `tags`: tags configured for dynamic scaling policy<br /><br />Example:<pre>vmseries\_asgs = {<br />  main\_asg = {<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here<br />      panorama-server             = ""                                                                                   # TODO: update here<br />      auth-key                    = ""                                                                                   # TODO: update here<br />      dgname                      = ""                                                                                   # TODO: update here<br />      tplname                     = ""                                                                                   # TODO: update here<br />      dhcp-send-hostname          = "yes"                                                                                # TODO: update here<br />      dhcp-send-client-id         = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-hostname = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-domain   = "yes"                                                                                # TODO: update here<br />    }<br /><br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br /><br />    vpc               = "security\_vpc"<br />    gwlb              = "security\_gwlb"<br /><br />    interfaces = {<br />      private = {<br />        device\_index   = 0<br />        security\_group = "vmseries\_private"<br />        subnet = {<br />          "privatea" = "eu-central-1a",<br />          "privateb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index   = 1<br />        security\_group = "vmseries\_mgmt"<br />        subnet = {<br />          "mgmta" = "eu-central-1a",<br />          "mgmtb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index   = 2<br />        security\_group = "vmseries\_public"<br />        subnet = {<br />          "publica" = "eu-central-1a",<br />          "publicb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />    }<br /><br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br /><br />    asg = {<br />      desired\_cap = 2<br />      min\_size    = 2<br />      max\_size    = 4<br />    }<br /><br />    scaling\_plan = {<br />      enabled              = true               # TODO: update here<br />      metric\_name          = "panSessionActive" # TODO: update here<br />      target\_value         = 75                 # TODO: update here<br />      statistic            = "Average"          # TODO: update here<br />      cloudwatch\_namespace = "example-vmseries" # TODO: update here<br />      tags = {<br />        ManagedBy = "terraform"<br />      }<br />    }<br /><br />    application\_lb = null<br />    network\_lb     = null      <br />  }<br />}</pre> | <pre>map(object({<br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      subnet            = map(string)<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    asg = object({<br />      desired\_cap = number<br />      min\_size    = number<br />      max\_size    = number<br />    })<br /><br />    scaling\_plan = object({<br />      enabled              = bool<br />      metric\_name          = string<br />      target\_value         = number<br />      statistic            = string<br />      cloudwatch\_namespace = string<br />      tags                 = map(string)<br />    })<br /><br />    application\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br /><br />    network\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design.md
index ba413ac8f..785798fa0 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design.md
@@ -105,13 +105,13 @@ If no errors occurred during deployment, configure the VM-Series machines as exp
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -143,8 +143,10 @@ If no errors occurred during deployment, configure the VM-Series machines as exp
 | [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -163,7 +165,7 @@ If no errors occurred during deployment, configure the VM-Series machines as exp
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_tgw"></a> [tgw](#input\_tgw) | A object defining Transit Gateway.<br /><br />Following properties are available:<br />- `create`: set to false, if existing TGW needs to be reused<br />- `id`:  id of existing TGW or null<br />- `name`: name of TGW to create or use<br />- `asn`: ASN number<br />- `route_tables`: map of route tables<br />- `attachments`: map of TGW attachments<br /><br />Example:<pre>tgw = {<br />  create = true<br />  id     = null<br />  name   = "tgw"<br />  asn    = "64512"<br />  route\_tables = {<br />    "from\_security\_vpc" = {<br />      create = true<br />      name   = "from\_security"<br />    }<br />  }<br />  attachments = {<br />    security = {<br />      name                = "vmseries"<br />      vpc\_subnet          = "security\_vpc-tgw\_attach"<br />      route\_table         = "from\_security\_vpc"<br />      propagate\_routes\_to = "from\_spoke\_vpc"<br />    }<br />  }<br />}</pre> | <pre>object({<br />    create = bool<br />    id     = string<br />    name   = string<br />    asn    = string<br />    route\_tables = map(object({<br />      create = bool<br />      name   = string<br />    }))<br />    attachments = map(object({<br />      name                = string<br />      vpc\_subnet          = string<br />      route\_table         = string<br />      propagate\_routes\_to = string<br />    }))<br />  })</pre> | `null` | no |
 | <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map defining VM-Series instances<br />Following properties are available:<br />- `instances`: map of VM-Series instances<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `system_services`: map of system services<br />- `application_lb`: ALB placed in front of the Firewalls' public interfaces<br />- `network_lb`: NLB placed in front of the Firewalls' public interfaces<br />Example:<pre>vmseries = {<br />  vmseries = {<br />    instances = {<br />      "01" = { az = "eu-central-1a" }<br />      "02" = { az = "eu-central-1b" }<br />    }<br />    # Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw\_fw\_license`<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable"<br />      dhcp-send-hostname          = "yes"<br />      dhcp-send-client-id         = "yes"<br />      dhcp-accept-server-hostname = "yes"<br />      dhcp-accept-server-domain   = "yes"<br />    }<br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br />    # Value of `vpc` must match key of objects stored in `vpcs`<br />    vpc = "security\_vpc"<br />    # Value of `gwlb` must match key of objects stored in `gwlbs`<br />    gwlb = "security\_gwlb"<br />    interfaces = {<br />      private = {<br />        device\_index      = 0<br />        security\_group    = "vmseries\_private"<br />        vpc\_subnet        = "security\_vpc-private"<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index      = 1<br />        security\_group    = "vmseries\_mgmt"<br />        vpc\_subnet        = "security\_vpc-mgmt"<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index      = 2<br />        security\_group    = "vmseries\_public"<br />        vpc\_subnet        = "security\_vpc-public"<br />        create\_public\_ip  = true<br />        source\_dest\_check = false<br />      }<br />    }<br />    # Value of `gwlb\_endpoint` must match key of objects stored in `gwlb\_endpoints`<br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br />    system\_services = {<br />      dns\_primary = "4.2.2.2"      # TODO: update here<br />      dns\_secondy = null           # TODO: update here<br />      ntp\_primary = "pool.ntp.org" # TODO: update here<br />      ntp\_secondy = null           # TODO: update here<br />    }<br />    application\_lb = null<br />    network\_lb     = null<br />  }<br />}</pre> | <pre>map(object({<br />    instances = map(object({<br />      az = string<br />    }))<br /><br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      vpc\_subnet        = string<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    system\_services = object({<br />      dns\_primary = string<br />      dns\_secondy = string<br />      ntp\_primary = string<br />      ntp\_secondy = string<br />    })<br /><br />    application\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br /><br />    network\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md
index 9a1aa17c3..fb2ab7b93 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/combined_design_autoscale.md
@@ -61,7 +61,9 @@ The following steps should be followed before deploying the Terraform code prese
 7. Configure interface management profile to enable health checks from GWLB
 8. Configure network interfaces and subinterfaces, zones and virtual router in template
 9. Configure [static routes with path monitoring](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/static-routes/configure-path-monitoring-for-a-static-route)
-Details
+10. Configure VPC peering between VPC with Panorama and VPC with VM-Series in autoscaling group (after deploying that example)
+
+### Details - static routes with path monitoring
 
 Using multiple template stacks, one for each AZ complicates autoscaling and the Panorama Licensing plugin configuration. The virtual router (VR) configuration combined with path monitoring outlined below avoids using AZ-specific template stacks and variables.
 
@@ -93,8 +95,6 @@ An example XML configuration snippet (for PANOS 10.2.3) of the described configu
 load config partial mode merge from-xpath /config/devices/entry/template/entry[@name='asg'] to-xpath /config/devices/entry/template/entry[@name='asg'] from template-asg-path-monitoring.xml
 ```
 
-10. Configure VPC peering between VPC with Panorama and VPC with VM-Series in autoscaling group (after deploying that example)
-
 ## Usage
 
 ### NAT Gateway Option
@@ -226,13 +226,13 @@ statistic    = "Maximum"
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -262,8 +262,10 @@ statistic    = "Maximum"
 | [aws_iam_role_policy.vm_series_ec2_iam_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy) | resource |
 | [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -281,7 +283,7 @@ statistic    = "Maximum"
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_tgw"></a> [tgw](#input\_tgw) | A object defining Transit Gateway.<br /><br />Following properties are available:<br />- `create`: set to false, if existing TGW needs to be reused<br />- `id`:  id of existing TGW or null<br />- `name`: name of TGW to create or use<br />- `asn`: ASN number<br />- `route_tables`: map of route tables<br />- `attachments`: map of TGW attachments<br /><br />Example:<pre>tgw = {<br />  create = true<br />  id     = null<br />  name   = "tgw"<br />  asn    = "64512"<br />  route\_tables = {<br />    "from\_security\_vpc" = {<br />      create = true<br />      name   = "from\_security"<br />    }<br />  }<br />  attachments = {<br />    security = {<br />      name                = "vmseries"<br />      vpc\_subnet          = "security\_vpc-tgw\_attach"<br />      route\_table         = "from\_security\_vpc"<br />      propagate\_routes\_to = "from\_spoke\_vpc"<br />    }<br />  }<br />}</pre> | <pre>object({<br />    create = bool<br />    id     = string<br />    name   = string<br />    asn    = string<br />    route\_tables = map(object({<br />      create = bool<br />      name   = string<br />    }))<br />    attachments = map(object({<br />      name                = string<br />      vpc\_subnet          = string<br />      route\_table         = string<br />      propagate\_routes\_to = string<br />    }))<br />  })</pre> | `null` | no |
 | <a name="input_vmseries_asgs"></a> [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.<br /><br />Following properties are available:<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `interfaces`: configuration of network interfaces for VM-Series used by Lamdba while provisioning new VM-Series in autoscaling group<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `asg`: the number of Amazon EC2 instances that should be running in the group (desired, minimum, maximum)<br />- `scaling_plan`: scaling plan with attributes<br />  - `enabled`: `true` if automatic dynamic scaling policy should be created<br />  - `metric_name`: name of the metric used in dynamic scaling policy<br />  - `target_value`: target value for the metric used in dynamic scaling policy<br />  - `statistic`: statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum<br />  - `cloudwatch_namespace`: name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS)<br />  - `tags`: tags configured for dynamic scaling policy<br /><br />Example:<pre>vmseries\_asgs = {<br />  main\_asg = {<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here<br />      panorama-server             = ""                                                                                   # TODO: update here<br />      auth-key                    = ""                                                                                   # TODO: update here<br />      dgname                      = ""                                                                                   # TODO: update here<br />      tplname                     = ""                                                                                   # TODO: update here<br />      dhcp-send-hostname          = "yes"                                                                                # TODO: update here<br />      dhcp-send-client-id         = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-hostname = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-domain   = "yes"                                                                                # TODO: update here<br />    }<br /><br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br /><br />    vpc               = "security\_vpc"<br />    gwlb              = "security\_gwlb"<br /><br />    interfaces = {<br />      private = {<br />        device\_index   = 0<br />        security\_group = "vmseries\_private"<br />        subnet = {<br />          "privatea" = "eu-central-1a",<br />          "privateb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index   = 1<br />        security\_group = "vmseries\_mgmt"<br />        subnet = {<br />          "mgmta" = "eu-central-1a",<br />          "mgmtb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index   = 2<br />        security\_group = "vmseries\_public"<br />        subnet = {<br />          "publica" = "eu-central-1a",<br />          "publicb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />    }<br /><br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br /><br />    asg = {<br />      desired\_cap = 2<br />      min\_size    = 2<br />      max\_size    = 4<br />    }<br /><br />    scaling\_plan = {<br />      enabled              = true               # TODO: update here<br />      metric\_name          = "panSessionActive" # TODO: update here<br />      target\_value         = 75                 # TODO: update here<br />      statistic            = "Average"          # TODO: update here<br />      cloudwatch\_namespace = "example-vmseries" # TODO: update here<br />      tags = {<br />        ManagedBy = "terraform"<br />      }<br />    }<br /><br />    delicense = {<br />      enabled = true<br />      ssm\_param\_name = "example\_param\_store\_delicense" # TODO: update here<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      subnet            = map(string)<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    asg = object({<br />      desired\_cap = number<br />      min\_size    = number<br />      max\_size    = number<br />    })<br /><br />    scaling\_plan = object({<br />      enabled              = bool<br />      metric\_name          = string<br />      target\_value         = number<br />      statistic            = string<br />      cloudwatch\_namespace = string<br />      tags                 = map(string)<br />    })<br /><br />    delicense = object({<br />      enabled        = bool<br />      ssm\_param\_name = string<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design.md
index 8f2b24c0f..0bdf95828 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design.md
@@ -76,13 +76,13 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -110,8 +110,10 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | [aws_lb_target_group_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb_target_group_attachment) | resource |
 | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -128,7 +130,7 @@ In example VM-Series are licensed using [Panorama-Based Software Firewall Licens
 | <a name="input_spoke_vms"></a> [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.<br /><br />Following properties are available:<br />- `az`: name of the Availability Zone<br />- `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br />- `vpc_subnet`: key of the VPC and subnet connected by '-' character<br />- `security_group`: security group assigned to ENI used by VM<br />- `type`: EC2 type VM<br /><br />Example:<pre>spoke\_vms = {<br />  "app1\_vm01" = {<br />    az             = "eu-central-1a"<br />    vpc            = "app1\_vpc"<br />    vpc\_subnet     = "app1\_vpc-app1\_vm"<br />    security\_group = "app1\_vm"<br />    type           = "t2.micro"<br />  }<br />}</pre> | <pre>map(object({<br />    az             = string<br />    vpc            = string<br />    vpc\_subnet     = string<br />    security\_group = string<br />    type           = string<br />  }))</pre> | `{}` | no |
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_vmseries"></a> [vmseries](#input\_vmseries) | A map defining VM-Series instances<br />Following properties are available:<br />- `instances`: map of VM-Series instances<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `system_services`: map of system services<br />- `application_lb`: ALB placed in front of the Firewalls' public interfaces<br />- `network_lb`: NLB placed in front of the Firewalls' public interfaces<br />Example:<pre>vmseries = {<br />  vmseries = {<br />    instances = {<br />      "01" = { az = "eu-central-1a" }<br />      "02" = { az = "eu-central-1b" }<br />    }<br />    # Value of `panorama-server`, `auth-key`, `dgname`, `tplname` can be taken from plugin `sw\_fw\_license`<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable"<br />      dhcp-send-hostname          = "yes"<br />      dhcp-send-client-id         = "yes"<br />      dhcp-accept-server-hostname = "yes"<br />      dhcp-accept-server-domain   = "yes"<br />    }<br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br />    # Value of `vpc` must match key of objects stored in `vpcs`<br />    vpc = "security\_vpc"<br />    # Value of `gwlb` must match key of objects stored in `gwlbs`<br />    gwlb = "security\_gwlb"<br />    interfaces = {<br />      private = {<br />        device\_index      = 0<br />        security\_group    = "vmseries\_private"<br />        vpc\_subnet        = "security\_vpc-private"<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index      = 1<br />        security\_group    = "vmseries\_mgmt"<br />        vpc\_subnet        = "security\_vpc-mgmt"<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index      = 2<br />        security\_group    = "vmseries\_public"<br />        vpc\_subnet        = "security\_vpc-public"<br />        create\_public\_ip  = true<br />        source\_dest\_check = false<br />      }<br />    }<br />    # Value of `gwlb\_endpoint` must match key of objects stored in `gwlb\_endpoints`<br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br />    system\_services = {<br />      dns\_primary = "4.2.2.2"      # TODO: update here<br />      dns\_secondy = null           # TODO: update here<br />      ntp\_primary = "pool.ntp.org" # TODO: update here<br />      ntp\_secondy = null           # TODO: update here<br />    }<br />    application\_lb = null<br />    network\_lb     = null<br />  }<br />}</pre> | <pre>map(object({<br />    instances = map(object({<br />      az = string<br />    }))<br /><br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      vpc\_subnet        = string<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    system\_services = object({<br />      dns\_primary = string<br />      dns\_secondy = string<br />      ntp\_primary = string<br />      ntp\_secondy = string<br />    })<br /><br />    application\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br /><br />    network\_lb = object({<br />      name  = string<br />      rules = any<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
diff --git a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
index 22d315838..d7b16478e 100644
--- a/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
+++ b/products/terraform/docs/swfw/aws/vmseries/reference-architectures/isolated_design_autoscale.md
@@ -57,7 +57,9 @@ The following steps should be followed before deploying the Terraform code prese
 7. Configure interface management profile to enable health checks from GWLB
 8. Configure network interfaces and subinterfaces, zones and virtual router in template
 9. Configure [static routes with path monitoring](https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/static-routes/configure-path-monitoring-for-a-static-route)
-Details
+10. Configure VPC peering between VPC with Panorama and VPC with VM-Series in autoscaling group (after deploying that example)
+
+### Details - static routes with path monitoring
 
 Using multiple template stacks, one for each AZ complicates autoscaling and the Panorama Licensing plugin configuration. The virtual router (VR) configuration combined with path monitoring outlined below avoids using AZ-specific template stacks and variables.
 
@@ -89,8 +91,6 @@ An example XML configuration snippet (for PANOS 10.2.3) of the described configu
 load config partial mode merge from-xpath /config/devices/entry/template/entry[@name='asg'] to-xpath /config/devices/entry/template/entry[@name='asg'] from template-asg-path-monitoring.xml
 ```
 
-10. Configure VPC peering between VPC with Panorama and VPC with VM-Series in autoscaling group (after deploying that example)
-
 ## Usage
 
 1. Copy `example.tfvars` into `terraform.tfvars`
@@ -185,13 +185,13 @@ statistic    = "Maximum"
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0.0, < 2.0.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.25 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.17 |
 
 ### Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 4.25 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.17 |
 
 ### Modules
 
@@ -218,8 +218,10 @@ statistic    = "Maximum"
 | [aws_instance.spoke_vms](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/instance) | resource |
 | [aws_vpc_peering_connection.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/vpc_peering_connection) | resource |
 | [aws_ami.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ami) | data source |
+| [aws_caller_identity.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ebs_default_kms_key.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ebs_default_kms_key) | data source |
 | [aws_kms_alias.current_arn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/kms_alias) | data source |
+| [aws_partition.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source |
 
 ### Inputs
 
@@ -236,7 +238,7 @@ statistic    = "Maximum"
 | <a name="input_spoke_vms"></a> [spoke\_vms](#input\_spoke\_vms) | A map defining VMs in spoke VPCs.<br /><br />Following properties are available:<br />- `az`: name of the Availability Zone<br />- `vpc`: name of the VPC (needs to be one of the keys in map `vpcs`)<br />- `vpc_subnet`: key of the VPC and subnet connected by '-' character<br />- `security_group`: security group assigned to ENI used by VM<br />- `type`: EC2 type VM<br /><br />Example:<pre>spoke\_vms = {<br />  "app1\_vm01" = {<br />    az             = "eu-central-1a"<br />    vpc            = "app1\_vpc"<br />    vpc\_subnet     = "app1\_vpc-app1\_vm"<br />    security\_group = "app1\_vm"<br />    type           = "t2.micro"<br />  }<br />}</pre> | <pre>map(object({<br />    az             = string<br />    vpc            = string<br />    vpc\_subnet     = string<br />    security\_group = string<br />    type           = string<br />  }))</pre> | `{}` | no |
 | <a name="input_ssh_key_name"></a> [ssh\_key\_name](#input\_ssh\_key\_name) | Name of the SSH key pair existing in AWS key pairs and used to authenticate to VM-Series or test boxes | `string` | n/a | yes |
 | <a name="input_vmseries_asgs"></a> [vmseries\_asgs](#input\_vmseries\_asgs) | A map defining Autoscaling Groups with VM-Series instances.<br /><br />Following properties are available:<br />- `bootstrap_options`: VM-Seriess bootstrap options used to connect to Panorama<br />- `panos_version`: PAN-OS version used for VM-Series<br />- `ebs_kms_id`: alias for AWS KMS used for EBS encryption in VM-Series<br />- `vpc`: key of VPC<br />- `gwlb`: key of GWLB<br />- `interfaces`: configuration of network interfaces for VM-Series used by Lamdba while provisioning new VM-Series in autoscaling group<br />- `subinterfaces`: configuration of network subinterfaces used to map with GWLB endpoints<br />- `asg`: the number of Amazon EC2 instances that should be running in the group (desired, minimum, maximum)<br />- `scaling_plan`: scaling plan with attributes<br />  - `enabled`: `true` if automatic dynamic scaling policy should be created<br />  - `metric_name`: name of the metric used in dynamic scaling policy<br />  - `target_value`: target value for the metric used in dynamic scaling policy<br />  - `statistic`: statistic of the metric. Valid values: Average, Maximum, Minimum, SampleCount, Sum<br />  - `cloudwatch_namespace`: name of CloudWatch namespace, where metrics are available (it should be the same as namespace configured in VM-Series plugin in PAN-OS)<br />  - `tags`: tags configured for dynamic scaling policy<br /><br />Example:<pre>vmseries\_asgs = {<br />  main\_asg = {<br />    bootstrap\_options = {<br />      mgmt-interface-swap         = "enable"<br />      plugin-op-commands          = "panorama-licensing-mode-on,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable" # TODO: update here<br />      panorama-server             = ""                                                                                   # TODO: update here<br />      auth-key                    = ""                                                                                   # TODO: update here<br />      dgname                      = ""                                                                                   # TODO: update here<br />      tplname                     = ""                                                                                   # TODO: update here<br />      dhcp-send-hostname          = "yes"                                                                                # TODO: update here<br />      dhcp-send-client-id         = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-hostname = "yes"                                                                                # TODO: update here<br />      dhcp-accept-server-domain   = "yes"                                                                                # TODO: update here<br />    }<br /><br />    panos\_version = "10.2.3"        # TODO: update here<br />    ebs\_kms\_id    = "alias/aws/ebs" # TODO: update here<br /><br />    vpc               = "security\_vpc"<br />    gwlb              = "security\_gwlb"<br /><br />    interfaces = {<br />      private = {<br />        device\_index   = 0<br />        security\_group = "vmseries\_private"<br />        subnet = {<br />          "privatea" = "eu-central-1a",<br />          "privateb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />      mgmt = {<br />        device\_index   = 1<br />        security\_group = "vmseries\_mgmt"<br />        subnet = {<br />          "mgmta" = "eu-central-1a",<br />          "mgmtb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = true<br />        source\_dest\_check = true<br />      }<br />      public = {<br />        device\_index   = 2<br />        security\_group = "vmseries\_public"<br />        subnet = {<br />          "publica" = "eu-central-1a",<br />          "publicb" = "eu-central-1b"<br />        }<br />        create\_public\_ip  = false<br />        source\_dest\_check = false<br />      }<br />    }<br /><br />    subinterfaces = {<br />      inbound = {<br />        app1 = {<br />          gwlb\_endpoint = "app1\_inbound"<br />          subinterface  = "ethernet1/1.11"<br />        }<br />        app2 = {<br />          gwlb\_endpoint = "app2\_inbound"<br />          subinterface  = "ethernet1/1.12"<br />        }<br />      }<br />      outbound = {<br />        only\_1\_outbound = {<br />          gwlb\_endpoint = "security\_gwlb\_outbound"<br />          subinterface  = "ethernet1/1.20"<br />        }<br />      }<br />      eastwest = {<br />        only\_1\_eastwest = {<br />          gwlb\_endpoint = "security\_gwlb\_eastwest"<br />          subinterface  = "ethernet1/1.30"<br />        }<br />      }<br />    }<br /><br />    asg = {<br />      desired\_cap = 2<br />      min\_size    = 2<br />      max\_size    = 4<br />    }<br /><br />    scaling\_plan = {<br />      enabled              = true               # TODO: update here<br />      metric\_name          = "panSessionActive" # TODO: update here<br />      target\_value         = 75                 # TODO: update here<br />      statistic            = "Average"          # TODO: update here<br />      cloudwatch\_namespace = "example-vmseries" # TODO: update here<br />      tags = {<br />        ManagedBy = "terraform"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    bootstrap\_options = object({<br />      mgmt-interface-swap         = string<br />      plugin-op-commands          = string<br />      panorama-server             = string<br />      auth-key                    = string<br />      dgname                      = string<br />      tplname                     = string<br />      dhcp-send-hostname          = string<br />      dhcp-send-client-id         = string<br />      dhcp-accept-server-hostname = string<br />      dhcp-accept-server-domain   = string<br />    })<br /><br />    panos\_version = string<br />    ebs\_kms\_id    = string<br /><br />    vpc  = string<br />    gwlb = string<br /><br />    interfaces = map(object({<br />      device\_index      = number<br />      security\_group    = string<br />      subnet            = map(string)<br />      create\_public\_ip  = bool<br />      source\_dest\_check = bool<br />    }))<br /><br />    subinterfaces = map(map(object({<br />      gwlb\_endpoint = string<br />      subinterface  = string<br />    })))<br /><br />    asg = object({<br />      desired\_cap = number<br />      min\_size    = number<br />      max\_size    = number<br />    })<br /><br />    scaling\_plan = object({<br />      enabled              = bool<br />      metric\_name          = string<br />      target\_value         = number<br />      statistic            = string<br />      cloudwatch\_namespace = string<br />      tags                 = map(string)<br />    })<br />  }))</pre> | `{}` | no |
-| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = map(object({<br />      name = string<br />      rules = map(object({<br />        description = string<br />        type        = string,<br />        from\_port   = string<br />        to\_port     = string,<br />        protocol    = string<br />        cidr\_blocks = list(string)<br />      }))<br />    }))<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
+| <a name="input_vpcs"></a> [vpcs](#input\_vpcs) | A map defining VPCs with security groups and subnets.<br /><br />Following properties are available:<br />- `name`: VPC name<br />- `cidr`: CIDR for VPC<br />- `nacls`: map of network ACLs<br />- `security_groups`: map of security groups<br />- `subnets`: map of subnets with properties:<br />   - `az`: availability zone<br />   - `set`: internal identifier referenced by main.tf<br />   - `nacl`: key of NACL (can be null)<br />- `routes`: map of routes with properties:<br />   - `vpc_subnet` - built from key of VPCs concatenate with `-` and key of subnet in format: `VPCKEY-SUBNETKEY`<br />   - `next_hop_key` - must match keys use to create TGW attachment, IGW, GWLB endpoint or other resources<br />   - `next_hop_type` - internet\_gateway, nat\_gateway, transit\_gateway\_attachment or gwlbe\_endpoint<br /><br />Example:<pre>vpcs = {<br />  example\_vpc = {<br />    name = "example-spoke-vpc"<br />    cidr = "10.104.0.0/16"<br />    nacls = {<br />      trusted\_path\_monitoring = {<br />        name               = "trusted-path-monitoring"<br />        rules = {<br />          allow\_inbound = {<br />            rule\_number = 300<br />            egress      = false<br />            protocol    = "-1"<br />            rule\_action = "allow"<br />            cidr\_block  = "0.0.0.0/0"<br />            from\_port   = null<br />            to\_port     = null<br />          }<br />        }<br />      }<br />    }<br />    security\_groups = {<br />      example\_vm = {<br />        name = "example\_vm"<br />        rules = {<br />          all\_outbound = {<br />            description = "Permit All traffic outbound"<br />            type        = "egress", from\_port = "0", to\_port = "0", protocol = "-1"<br />            cidr\_blocks = ["0.0.0.0/0"]<br />          }<br />        }<br />      }<br />    }<br />    subnets = {<br />      "10.104.0.0/24"   = { az = "eu-central-1a", set = "vm", nacl = null }<br />      "10.104.128.0/24" = { az = "eu-central-1b", set = "vm", nacl = null }<br />    }<br />    routes = {<br />      vm\_default = {<br />        vpc\_subnet    = "app1\_vpc-app1\_vm"<br />        to\_cidr       = "0.0.0.0/0"<br />        next\_hop\_key  = "app1"<br />        next\_hop\_type = "transit\_gateway\_attachment"<br />      }<br />    }<br />  }<br />}</pre> | <pre>map(object({<br />    name = string<br />    cidr = string<br />    nacls = map(object({<br />      name = string<br />      rules = map(object({<br />        rule\_number = number<br />        egress      = bool<br />        protocol    = string<br />        rule\_action = string<br />        cidr\_block  = string<br />        from\_port   = string<br />        to\_port     = string<br />      }))<br />    }))<br />    security\_groups = any<br />    subnets = map(object({<br />      az   = string<br />      set  = string<br />      nacl = string<br />    }))<br />    routes = map(object({<br />      vpc\_subnet    = string<br />      to\_cidr       = string<br />      next\_hop\_key  = string<br />      next\_hop\_type = string<br />    }))<br />  }))</pre> | `{}` | no |
 
 ### Outputs
 
