From 3fd91c7296a4a53d926fde7d1db00cb4cc5571a5 Mon Sep 17 00:00:00 2001
From: Joeri Van Hoof
Date: Fri, 19 Jul 2024 12:25:21 +0200
Subject: [PATCH] FGT IPSEC test: Add AWS internal deployment
---
 .../terraform-aws-internal/00-general.tf | 262 ++++++++++++++++++
 .../terraform-aws-internal/01-network.tf | 232 ++++++++++++++++
 .../terraform-aws-internal/02-a-fortigate.tf | 109 ++++++++
 .../terraform-aws-internal/02-b-fortigate.tf | 109 ++++++++
 .../terraform-aws-internal/03-a-protected.tf | 59 ++++
 .../terraform-aws-internal/03-b-protected.tf | 59 ++++
 .../terraform-aws-internal/04-output.tf | 29 ++
 7 files changed, 859 insertions(+)
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/00-general.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/01-network.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-a-fortigate.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-b-fortigate.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-a-protected.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-b-protected.tf
 create mode 100644 FortiGate/Playground/IPSEC-test/terraform-aws-internal/04-output.tf
diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/00-general.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/00-general.tf
new file mode 100644
index 00000000..7b77c91b
--- /dev/null
+++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/00-general.tf
@@ -0,0 +1,262 @@ +############################################################################################################## +# +# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup +# +############################################################################################################## + +# Prefix for all resources created for this deployment in Microsoft Azure +variable "PREFIX" { + description = "Added name to each deployed resource" +} + +variable "REGION" { + description = "AWS region" +} + +variable "USERNAME" { + description = "Default username for FortiGate-VM in AWS is admin" + default = "admin" +} + +variable "PASSWORD" { + description = "Default password for admin user is the instance id" + default = "" +} + +//AWS Configuration +variable "AWS_ACCESS_KEY_ID" { + description = "Your AWS Access Key ID" + type = string + sensitive = true +} + +variable "AWS_SECRET_ACCESS_KEY" { + description = "Your AWS Secret Key" + type = string + sensitive = true +} + +// Existing SSH Key on the AWS +variable "KEY_PAIR" { +} + +############################################################################################################## +# FortiGate license type +############################################################################################################## + +variable VERSION { + default = "7.4.4" +} + +variable "FGT_BYOL_LICENSE_FILE_A" { + default = "" +} + +variable "FGT_BYOL_LICENSE_FILE_B" { + default = "" +} + +variable "FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_A" { + default = "" +} + +variable "FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_B" { + default = "" +} + +variable "FGT_SSH_PUBLIC_KEY_FILE" { + default = "" +} + +// License Type to create FortiGate-VM +// Provide the license type for FortiGate-VM Instances, either byol or payg. 
+variable "license_type" { + default = "byol" +} + +// instance architect +// Either arm64 or x86_64 +variable "arch" { + default = "x86_64" +} + +variable "fgtlocator" { + type = map(any) + default = { + payg = { + arm64 = "FortiGate-VMARM64-AWSONDEMAND " + x86_64 = "FortiGate-VM64-AWSONDEMAND " + }, + byol = { + arm64 = "FortiGate-VMARM64-AWS " + x86_64 = "FortiGate-VM64-AWS " + } + } +} + +data "aws_ami" "fgt_ami" { + most_recent = true + owners = ["679593333241"] # Fortinet + + filter { + name = "name" + values = ["${var.fgtlocator[var.license_type][var.arch]}*${var.VERSION}*"] + } + + filter { + name = "architecture" + values = [var.arch] + } +} + +data "aws_ami" "lnx_ami" { + most_recent = true + owners = ["099720109477"] # Canonical + + filter { + name = "name" + values = ["ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*"] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } +} + +############################################################################################################## +# Deployment in AWS +############################################################################################################## +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4.0" + } + } +} + +provider "aws" { + region = var.REGION + access_key = var.AWS_ACCESS_KEY_ID + secret_key = var.AWS_SECRET_ACCESS_KEY + + default_tags { + tags = var.fortinet_tags + } +} + +// Availability zones for the region +locals { + az1 = "${var.REGION}a" +} + +############################################################################################################## +# Static variables +############################################################################################################## + +variable "vpc" { + default = "172.16.136.0/22" + description = "" +} + +variable "subnet_fgt_external" { + type = map(string) + description = "" + + default = { + "a" = "172.16.136.0/26" + "b" = "172.16.137.0/26" + } +} + 
+variable "subnet_fgt_internal" { + type = map(string) + description = "" + + default = { + "a" = "172.16.136.64/26" + "b" = "172.16.137.64/26" + } +} + +variable "subnet_protected" { + type = map(string) + description = "" + + default = { + "a" = "172.16.136.128/26" + "b" = "172.16.137.128/26" + } +} + +############################################################################################################## +# Virtual Machines sizes +############################################################################################################## + +// instance type needs to match the architect +// c5n.xlarge is x86_64 +// c6g.xlarge is arm +// For detail, refer to https://aws.amazon.com/ec2/instance-types/ +variable "fgt_a_vmsize" { + default = "c5n.xlarge" +} + +variable "fgt_b_vmsize" { + default = "c5n.xlarge" +} + +# Change cpumask depending on instance type: +# 4 core = f +# 8 core = ff +# 16 core = ffff +variable "fgt_a_cpumask" { + default = "ffff" +} + +variable "fgt_b_cpumask" { + default = "ffff" +} + +variable "lnx_count" { + default = 2 +} + +variable "lnx_vmsize" { + default = "c5n.xlarge" +} + +############################################################################################################## +# Generate IPSEC PSK key for VPN tunnel between FGT A and B +############################################################################################################## + +resource "random_string" "ipsec_psk" { + length = 16 + special = true +} +############################################################################################################## + +locals { + fgt_external_ipcount = 32 + fgt_a_prefix = "${var.PREFIX}-fgt-a" + fgt_a_vm_name = "${local.fgt_a_prefix}-vm" + fgt_a_private_ip_address_ext = cidrhost(var.subnet_fgt_external["a"], 5) + fgt_a_private_ip_address_int = cidrhost(var.subnet_fgt_internal["a"], 5) + fgt_b_prefix = "${var.PREFIX}-fgt-b" + fgt_b_vm_name = "${local.fgt_b_prefix}-vm" + fgt_b_private_ip_address_ext = 
cidrhost(var.subnet_fgt_external["b"], 5) + fgt_b_private_ip_address_int = cidrhost(var.subnet_fgt_internal["b"], 5) +} + +############################################################################################################## + +variable "fortinet_tags" { + type = map(string) + default = { + publisher : "Fortinet", + template : "IPSEC-test", + provider : "7EB3B02F-50E5-4A3E-8CB8-2E129258IPSECTUNNELS" + } +} + +############################################################################################################## diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/01-network.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/01-network.tf new file mode 100644 index 00000000..b5e26134 --- /dev/null +++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/01-network.tf 
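Review bot: The IKE pre-shared key is produced by `random_string`, whose `result` is not marked sensitive, so it shows up in plain text in plan output and logs; `random_password` takes the same arguments and marks its result sensitive, and 16 characters is short for a key that is the only authentication of the tunnel. Suggest `resource "random_password" "ipsec_psk" { length = 32 special = true }` and updating the two `random_string.ipsec_psk.result` references in 02-a/02-b-fortigate.tf. The `fgt_a_cpumask`/`fgt_b_cpumask` defaults of `ffff` contradict the comment above them for the default `c5n.xlarge` size (4 core = `f`). The header comment still says "Microsoft Azure" for an AWS template, and `variable VERSION` should be quoted like the other variables. Passing `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` as provider `access_key`/`secret_key` works for a playground, but relying on the provider's default credential chain (environment, profile or role) keeps long-lived keys out of tfvars files.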
@@ -0,0 +1,232 @@ +############################################################################################################## +# +# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup +# +############################################################################################################## + +// AWS VPC +resource "aws_vpc" "vpc" { + cidr_block = var.vpc + enable_dns_support = true + enable_dns_hostnames = true + instance_tenancy = "default" + tags = { + Name = "${var.PREFIX}-vpc" + } +} + +resource "aws_subnet" "subnet1a" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_fgt_external["a"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-fgt-external-a" + } +} + +resource "aws_subnet" "subnet2a" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_fgt_internal["a"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-fgt-internal-a" + } +} + +resource "aws_subnet" "subnet3a" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_protected["a"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-protected-a" + } +} + +resource "aws_subnet" "subnet1b" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_fgt_external["b"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-fgt-external-b" + } +} + +resource "aws_subnet" "subnet2b" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_fgt_internal["b"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-fgt-internal-b" + } +} + +resource "aws_subnet" "subnet3b" { + vpc_id = aws_vpc.vpc.id + cidr_block = var.subnet_protected["b"] + availability_zone = local.az1 + tags = { + Name = "${var.PREFIX}-subnet-protected-b" + } +} + +// Creating Internet Gateway +resource "aws_internet_gateway" "igw" { + vpc_id = aws_vpc.vpc.id + tags = { + Name = "${var.PREFIX}-igw" + } +} + +// Route Table +resource "aws_route_table" "subnet1art" { + vpc_id = aws_vpc.vpc.id + + tags = { + 
Name = "${var.PREFIX}-subnet-fgt-external-a-rt" + } +} +resource "aws_route" "subnet1atointernet" { + route_table_id = aws_route_table.subnet1art.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "subnet1artassociate" { + subnet_id = aws_subnet.subnet1a.id + route_table_id = aws_route_table.subnet1art.id +} + +resource "aws_route_table" "subnet3art" { + vpc_id = aws_vpc.vpc.id + + tags = { + Name = "${var.PREFIX}-subnet-protected-a-rt" + } +} +resource "aws_route" "subnet3aroutetob" { + depends_on = [aws_instance.fgtavm] + route_table_id = aws_route_table.subnet3art.id + destination_cidr_block = var.subnet_protected["b"] + network_interface_id = aws_network_interface.fgtaifcint.id +} +resource "aws_route" "subnet3atointernet" { + route_table_id = aws_route_table.subnet3art.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "subnet3artassociate" { + subnet_id = aws_subnet.subnet3a.id + route_table_id = aws_route_table.subnet3art.id +} + +resource "aws_route_table" "subnet1brt" { + vpc_id = aws_vpc.vpc.id + + tags = { + Name = "${var.PREFIX}-subnet-fgt-external-b-rt" + } +} +resource "aws_route" "subnet1btointernet" { + route_table_id = aws_route_table.subnet1brt.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "subnet1brtassociate" { + subnet_id = aws_subnet.subnet1b.id + route_table_id = aws_route_table.subnet1brt.id +} + +resource "aws_route_table" "subnet3brt" { + vpc_id = aws_vpc.vpc.id + + tags = { + Name = "${var.PREFIX}-subnet-protected-b-rt" + } +} +resource "aws_route" "subnet3broutetoa" { + depends_on = [aws_instance.fgtbvm] + route_table_id = aws_route_table.subnet3brt.id + destination_cidr_block = var.subnet_protected["a"] + network_interface_id = aws_network_interface.fgtbifcint.id +} +resource "aws_route" 
"subnet3btointernet" { + route_table_id = aws_route_table.subnet3brt.id + destination_cidr_block = "0.0.0.0/0" + gateway_id = aws_internet_gateway.igw.id +} +resource "aws_route_table_association" "subnet3brtassociate" { + subnet_id = aws_subnet.subnet3b.id + route_table_id = aws_route_table.subnet3brt.id +} + +// Security Group + +resource "aws_security_group" "public_allow" { + name = "${var.PREFIX}-public-allow" + description = "Public Allow traffic" + vpc_id = aws_vpc.vpc.id + + ingress { + from_port = 22 + to_port = 22 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 80 + to_port = 80 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 443 + to_port = 443 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + ingress { + from_port = 8443 + to_port = 8443 + protocol = "6" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.PREFIX}-public-allow" + } +} + +resource "aws_security_group" "allow_all" { + name = "${var.PREFIX}-allow-all" + description = "Allow all traffic" + vpc_id = aws_vpc.vpc.id + + ingress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = ["0.0.0.0/0"] + } + + tags = { + Name = "${var.PREFIX}-allow-all" + } +} + +############################################################################################################## diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-a-fortigate.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-a-fortigate.tf new file mode 100644 index 00000000..7238c2dd --- /dev/null +++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-a-fortigate.tf 
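Review bot: `aws_security_group.public_allow` opens 22, 80, 443 and 8443 from `0.0.0.0/0` and is attached to the Linux hosts in the "protected" subnets, which also get an Elastic IP and a `0.0.0.0/0` route to the Internet Gateway (`subnet3atointernet`/`subnet3btointernet`), so those hosts are reachable directly from the internet rather than only through the FortiGates. For a test deployment, restricting at least the port-22 ingress to an admin prefix is cheap, e.g. add `variable "ADMIN_CIDR" {}` in 00-general.tf and use `cidr_blocks = [var.ADMIN_CIDR]` on the 22 rule. `allow_all` on both FortiGate interfaces is usual for this kind of template because the FortiGate does the filtering, but a comment saying so would help readers, e.g. `// FortiGate policies filter traffic; this SG is intentionally permissive`. All six subnets use `local.az1`, so the "b" side lands in the same AZ as "a"; fine for a tunnel test but worth a comment if intentional.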
@@ -0,0 +1,109 @@ +############################################################################################################## +# +# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup +# +############################################################################################################## + +resource "aws_eip" "fgtapip" { + depends_on = [aws_instance.fgtavm] + vpc = true + network_interface = aws_network_interface.fgtaifcext.id + tags = { + Name = "${local.fgt_a_prefix}-fgt-pip" + } +} + +resource "aws_network_interface" "fgtaifcext" { + description = "${local.fgt_a_prefix}-ifc-ext" + subnet_id = aws_subnet.subnet1a.id + private_ips = [local.fgt_a_private_ip_address_ext] + source_dest_check = false + tags = { + Name = "${local.fgt_a_prefix}-ifc-ext" + } +} + +resource "aws_network_interface" "fgtaifcint" { + description = "${local.fgt_a_prefix}-ifc-int" + subnet_id = aws_subnet.subnet2a.id + private_ips = [local.fgt_a_private_ip_address_int] + source_dest_check = false + tags = { + Name = "${local.fgt_a_prefix}-ifc-int" + } +} + +resource "aws_network_interface_sg_attachment" "fgtaifcextsg" { + depends_on = [aws_network_interface.fgtaifcext] + security_group_id = aws_security_group.allow_all.id + network_interface_id = aws_network_interface.fgtaifcext.id +} + +resource "aws_network_interface_sg_attachment" "fgtaifcintsg" { + depends_on = [aws_network_interface.fgtaifcint] + security_group_id = aws_security_group.allow_all.id + network_interface_id = aws_network_interface.fgtaifcint.id +} + +resource "aws_instance" "fgtavm" { + //it will use region, architect, and license type to decide which ami to use for deployment + ami = data.aws_ami.fgt_ami.id + instance_type = var.fgt_a_vmsize + availability_zone = local.az1 + key_name = var.KEY_PAIR + user_data = templatefile("${path.module}/../templates/customdata-fgt.tftpl", { + fgt_vm_name = "${local.fgt_a_vm_name}" + fgt_license_file = var.FGT_BYOL_LICENSE_FILE_A + 
fgt_license_fortiflex = var.FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_A + fgt_username = var.USERNAME + fgt_password = var.PASSWORD + fgt_cpumask = var.fgt_a_cpumask + fgt_ssh_public_key = var.FGT_SSH_PUBLIC_KEY_FILE + fgt_external_network = var.subnet_fgt_external["a"] + fgt_external_ipaddress = local.fgt_a_private_ip_address_ext + fgt_external_ipcount = local.fgt_external_ipcount + fgt_external_mask = "${cidrnetmask(var.subnet_fgt_external["a"])}" + fgt_external_gateway = "${cidrhost(var.subnet_fgt_external["a"], 1)}" + fgt_internal_ipaddress = local.fgt_a_private_ip_address_int + fgt_internal_mask = "${cidrnetmask(var.subnet_fgt_internal["a"])}" + fgt_internal_gateway = "${cidrhost(var.subnet_fgt_internal["a"], 1)}" + fgt_protected_network = var.subnet_protected["a"] + vnet_network = var.vpc + remote_protected_network = var.subnet_protected["b"] + remote_public_ip = local.fgt_b_private_ip_address_ext + ipsec_psk = random_string.ipsec_psk.result + }) + + root_block_device { + volume_type = "standard" + volume_size = "2" + } + + ebs_block_device { + device_name = "/dev/sdb" + volume_size = "30" + volume_type = "standard" + } + + network_interface { + network_interface_id = aws_network_interface.fgtaifcext.id + device_index = 0 + } + + network_interface { + network_interface_id = aws_network_interface.fgtaifcint.id + device_index = 1 + } + + tags = { + Name = local.fgt_a_vm_name + } +} + +data "aws_network_interface" "fgtaifcext" { + id = aws_network_interface.fgtaifcext.id +} + +data "aws_network_interface" "fgtaifcint" { + id = aws_network_interface.fgtaifcint.id +} diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-b-fortigate.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-b-fortigate.tf new file mode 100644 index 00000000..4b26e468 --- /dev/null +++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/02-b-fortigate.tf 
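Review bot: The `user_data` for `fgtavm` embeds `fgt_password`, `fgt_license_fortiflex`, the BYOL license file variable and `ipsec_psk` in clear text; EC2 user data is not a secret store (it is readable from the instance through the metadata service and via the instance's user-data attribute) and the rendered template is kept in Terraform state. The same applies to `fgtbvm` in 02-b-fortigate.tf. If this stays, note it next to the `user_data` line, e.g. `// NOTE: user_data embeds the admin password, license token and IPsec PSK; protect state and tfvars accordingly`, and consider marking `PASSWORD` and the FortiFlex token variables `sensitive = true` in 00-general.tf as is already done for the AWS keys. The template argument is named `remote_public_ip` but receives `local.fgt_b_private_ip_address_ext`; that is presumably deliberate for this internal (same-VPC) variant, so a short comment such as `// internal deployment: tunnel peers on the private external-subnet addresses` would stop someone "fixing" it to the EIP.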
@@ -0,0 +1,109 @@ +############################################################################################################## +# +# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup +# +############################################################################################################## + +resource "aws_eip" "fgtbpip" { + depends_on = [aws_instance.fgtbvm] + vpc = true + network_interface = aws_network_interface.fgtbifcext.id + tags = { + Name = "${local.fgt_b_prefix}-fgt-pip" + } +} + +resource "aws_network_interface" "fgtbifcext" { + description = "${local.fgt_b_prefix}-ifc-ext" + subnet_id = aws_subnet.subnet1b.id + private_ips = [local.fgt_b_private_ip_address_ext] + source_dest_check = false + tags = { + Name = "${local.fgt_b_prefix}-ifc-ext" + } +} + +resource "aws_network_interface" "fgtbifcint" { + description = "${local.fgt_b_prefix}-ifc-int" + subnet_id = aws_subnet.subnet2b.id + private_ips = [local.fgt_b_private_ip_address_int] + source_dest_check = false + tags = { + Name = "${local.fgt_b_prefix}-ifc-int" + } +} + +resource "aws_network_interface_sg_attachment" "fgtbifcextsg" { + depends_on = [aws_network_interface.fgtbifcext] + security_group_id = aws_security_group.allow_all.id + network_interface_id = aws_network_interface.fgtbifcext.id +} + +resource "aws_network_interface_sg_attachment" "fgtbifcintsg" { + depends_on = [aws_network_interface.fgtbifcint] + security_group_id = aws_security_group.allow_all.id + network_interface_id = aws_network_interface.fgtbifcint.id +} + +resource "aws_instance" "fgtbvm" { + //it will use region, architect, and license type to decide which ami to use for deployment + ami = data.aws_ami.fgt_ami.id + instance_type = var.fgt_b_vmsize + availability_zone = local.az1 + key_name = var.KEY_PAIR + user_data = templatefile("${path.module}/../templates/customdata-fgt.tftpl", { + fgt_vm_name = "${local.fgt_b_vm_name}" + fgt_license_file = var.FGT_BYOL_LICENSE_FILE_B + 
fgt_license_fortiflex = var.FGT_BYOL_FORTIFLEX_LICENSE_TOKEN_B + fgt_username = var.USERNAME + fgt_password = var.PASSWORD + fgt_cpumask = var.fgt_b_cpumask + fgt_ssh_public_key = var.FGT_SSH_PUBLIC_KEY_FILE + fgt_external_network = var.subnet_fgt_external["b"] + fgt_external_ipaddress = local.fgt_b_private_ip_address_ext + fgt_external_ipcount = local.fgt_external_ipcount + fgt_external_mask = "${cidrnetmask(var.subnet_fgt_external["b"])}" + fgt_external_gateway = "${cidrhost(var.subnet_fgt_external["b"], 1)}" + fgt_internal_ipaddress = local.fgt_b_private_ip_address_int + fgt_internal_mask = "${cidrnetmask(var.subnet_fgt_internal["b"])}" + fgt_internal_gateway = "${cidrhost(var.subnet_fgt_internal["b"], 1)}" + fgt_protected_network = var.subnet_protected["b"] + vnet_network = var.vpc + remote_protected_network = var.subnet_protected["a"] + remote_public_ip = local.fgt_a_private_ip_address_ext + ipsec_psk = random_string.ipsec_psk.result + }) + + root_block_device { + volume_type = "standard" + volume_size = "2" + } + + ebs_block_device { + device_name = "/dev/sdb" + volume_size = "30" + volume_type = "standard" + } + + network_interface { + network_interface_id = aws_network_interface.fgtbifcext.id + device_index = 0 + } + + network_interface { + network_interface_id = aws_network_interface.fgtbifcint.id + device_index = 1 + } + + tags = { + Name = local.fgt_b_vm_name + } +} + +data "aws_network_interface" "fgtbifcext" { + id = aws_network_interface.fgtbifcext.id +} + +data "aws_network_interface" "fgtbifcint" { + id = aws_network_interface.fgtbifcint.id +} diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-a-protected.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-a-protected.tf new file mode 100644 index 00000000..191e80c4 --- /dev/null +++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-a-protected.tf 
@@ -0,0 +1,59 @@
+##############################################################################################################
+#
+# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup
+#
+##############################################################################################################
+
+##############################################################################################################
+# Linux VM
+##############################################################################################################
+
+resource "aws_eip" "lnxapip" {
+ count = var.lnx_count
+ depends_on = [aws_instance.lnxavm]
+ vpc = true
+ network_interface = aws_network_interface.lnxaifc[count.index].id
+ tags = {
+ Name = "${local.fgt_a_vm_name}-pip"
+ }
+}
+
+resource "aws_network_interface" "lnxaifc" {
+ count = var.lnx_count
+ description = "${local.fgt_a_vm_name}-${count.index}"
+ subnet_id = aws_subnet.subnet3a.id
+ tags = {
+ Name = "${local.fgt_a_vm_name}-ifc-${count.index}"
+ }
+}
+
+resource "aws_network_interface_sg_attachment" "lnxaifcsg" {
+ count = var.lnx_count
+ depends_on = [aws_network_interface.lnxaifc]
+ security_group_id = aws_security_group.public_allow.id
+ network_interface_id = aws_network_interface.lnxaifc[count.index].id
+}
+
+resource "aws_instance" "lnxavm" {
+ count = var.lnx_count
+ //it will use region, architect, and license type to decide which ami to use for deployment
+ ami = data.aws_ami.lnx_ami.id
+ instance_type = var.lnx_vmsize
+ availability_zone = local.az1
+ key_name = var.KEY_PAIR
+ user_data = templatefile("${path.module}/../templates/customdata-lnx.tftpl", {})
+
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = "50"
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.lnxaifc[count.index].id
+ device_index = 0
+ }
+
+ tags = {
+ Name = "${local.fgt_a_vm_name}-${count.index}"
+ }
+}
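Review bot: With `lnx_count = 2` both `aws_eip.lnxapip` instances get the identical tag `Name = "${local.fgt_a_vm_name}-pip"`, because the `-${count.index}` suffix used on the b side (`...-pip-${count.index}` in 03-b-protected.tf) is missing here; change it to `Name = "${local.fgt_a_vm_name}-pip-${count.index}"`. Likewise the `lnxaifc` `description` lacks the `-ifc-` segment the b side has. All Linux-host names are derived from `local.fgt_a_vm_name`, so the hosts appear as `<prefix>-fgt-a-vm-<n>` in the console even though they are not FortiGates; a dedicated `lnx_a_prefix` local in 00-general.tf would read better.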
diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-b-protected.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-b-protected.tf
new file mode 100644
index 00000000..940e3940
--- /dev/null
+++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/03-b-protected.tf
@@ -0,0 +1,59 @@
+##############################################################################################################
+#
+# Fortinet FortiGate Terraform deployment template to deploy a IPSEC test setup
+#
+##############################################################################################################
+
+##############################################################################################################
+# Linux VM
+##############################################################################################################
+
+resource "aws_eip" "lnxbpip" {
+ count = var.lnx_count
+ depends_on = [aws_instance.lnxbvm]
+ vpc = true
+ network_interface = aws_network_interface.lnxbifc[count.index].id
+ tags = {
+ Name = "${local.fgt_b_vm_name}-pip-${count.index}"
+ }
+}
+
+resource "aws_network_interface" "lnxbifc" {
+ count = var.lnx_count
+ description = "${local.fgt_b_vm_name}-ifc-${count.index}"
+ subnet_id = aws_subnet.subnet3b.id
+ tags = {
+ Name = "${local.fgt_b_vm_name}-ifc-${count.index}"
+ }
+}
+
+resource "aws_network_interface_sg_attachment" "lnxbifcsg" {
+ count = var.lnx_count
+ depends_on = [aws_network_interface.lnxbifc]
+ security_group_id = aws_security_group.public_allow.id
+ network_interface_id = aws_network_interface.lnxbifc[count.index].id
+}
+
+resource "aws_instance" "lnxbvm" {
+ count = var.lnx_count
+ //it will use region, architect, and license type to decide which ami to use for deployment
+ ami = data.aws_ami.lnx_ami.id
+ instance_type = var.lnx_vmsize
+ availability_zone = local.az1
+ key_name = var.KEY_PAIR
+ user_data = templatefile("${path.module}/../templates/customdata-lnx.tftpl", {})
+
+ root_block_device {
+ volume_type = "gp2"
+ volume_size = "50"
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.lnxbifc[count.index].id
+ device_index = 0
+ }
+
+ tags = {
+ Name = "${local.fgt_b_vm_name}-${count.index}"
+ }
+}
diff --git a/FortiGate/Playground/IPSEC-test/terraform-aws-internal/04-output.tf b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/04-output.tf
new file mode 100644
index 00000000..2be73303
--- /dev/null
+++ b/FortiGate/Playground/IPSEC-test/terraform-aws-internal/04-output.tf
@@ -0,0 +1,29 @@
+##############################################################################################################
+#
+# FortiTester VM
+# Terraform deployment template for AWS
+#
+##############################################################################################################
+#
+# Output summary of deployment
+#
+##############################################################################################################
+
+output "deployment_summary" {
+ value = templatefile(
+ "${path.module}/../templates/summary.tftpl",
+ {
+ location = var.REGION
+ fgt_a_private_ip_address_ext = data.aws_network_interface.fgtaifcext.private_ip
+ fgt_a_private_ip_address_int = data.aws_network_interface.fgtaifcint.private_ip
+ fgt_a_public_ip_address = aws_eip.fgtapip.public_ip
+ lnx_a_public_ip_address = "${join(",", aws_eip.lnxapip.*.public_ip)}"
+ lnx_a_private_ip_address = "${join(",", aws_network_interface.lnxaifc.*.private_ip)}"
+ fgt_b_private_ip_address_ext = data.aws_network_interface.fgtbifcext.private_ip
+ fgt_b_private_ip_address_int = data.aws_network_interface.fgtaifcint.private_ip
+ fgt_b_public_ip_address = aws_eip.fgtbpip.public_ip
+ lnx_b_public_ip_address = "${join(",", aws_eip.lnxbpip.*.public_ip)}"
+ lnx_b_private_ip_address = "${join(",", aws_network_interface.lnxbifc.*.private_ip)}"
+ }
+ )
+}
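Review bot: `fgt_b_private_ip_address_int` reads `data.aws_network_interface.fgtaifcint.private_ip`, the A-side interface, so the summary reports FortiGate A's internal address under the B label; it should be `fgt_b_private_ip_address_int = data.aws_network_interface.fgtbifcint.private_ip`. The file header still says "FortiTester VM", a leftover from another template, while every other file in the patch carries the IPSEC test header. The `"${join(...)}"` wrappers can be plain `join(",", ...)` expressions; the interpolation-only quoting is legacy syntax.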