Commit
Change-Id: I90b8f141a6a4cd9deb7a3195fbe4b19dfeb789b7
1 parent
3336d29
commit 12b0bd5
Showing
8 changed files
with
246 additions
and
0 deletions.
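--- /dev/null
+++ b/[path not shown: README]
@@ -0,0 +1,60 @@
+# Deployment of a FortiGate-VM on the IBM Cloud
+## Introduction
+A Terraform script to deploy a FortiGate-VM on IBM Cloud
+
+## Requirements
+* [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.12.0
+* Terraform Provider IBM >= 1.12.0
+Needs to install the IBM Provider pluging following the link [IBM Setup](https://cloud.ibm.com/docs/terraform?topic=terraform-getting-started)
+* Terraform Provider Template >= 2.1.2
+
+
+## Deployment overview
+Terraform deploys the following components:
+- IBM VPC with 2 subnets
+- One FortiGate-VM instance with 2 NICs
+- One security group with inbound and outbound rules
+
+## Deployment
+To deploy the FortiGate-VM to IBM cloud:
+1. Clone the repository.
+2. Customize variables in the `terraform.tfvars` and `variables.tf` file as needed.
+3. Initialize the providers and modules:
+```sh
+$ cd XXXXX
+$ terraform init
+```
+4. Submit the Terraform plan:
+```sh
+$ terraform plan
+```
+5. Verify output.
+6. Confirm and apply the plan:
+```sh
+$ terraform apply
+```
+7. If output is satisfactory, type `yes`.
+
+Output will include the information necessary to log in to the FortiGate-VM instances:
+```sh
+Outputs:
+
+FGTPublicIP = <FGT Public IP>
+Password = <FGT Password>
+Username = admin
+
+```
+
+## Destroy the instance
+To destroy the instance, use the command:
+```sh
+$ terraform destroy
+```
+
+# Support
+Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.
+For direct issues, please refer to the [Issues](https://github.com/fortinet/fortigate-terraform-deploy/issues) tab of this GitHub project.
+For other questions related to this project, contact [[email protected]](mailto:[email protected]).
+
+## License
+[License](https://github.com/fortinet/fortigate-terraform-deploy/blob/master/LICENSE) © Fortinet Technologies. All rights reserved.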
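--- /dev/null
+++ b/[path not shown: cloud-init user-data template]
@@ -0,0 +1,31 @@
+Content-Type: multipart/mixed; boundary="==IBM=="
+MIME-Version: 1.0
+
+--==IBM==
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+
+config system global
+set hostname FGT-IBM
+end
+config system interface
+edit port1
+set alias untrust
+set allowaccess https ssh ping
+next
+edit port2
+set alias trust
+set allowaccess https ssh ping
+next
+end
+
+--==IBM==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="license"
+
+${license_file}
+
+--==IBM==--
+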
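Review bot: `set allowaccess https ssh ping` on port1 (aliased `untrust`) turns on the management listeners on the interface that receives the floating IP, and the security group attached to that interface elsewhere in this commit admits all inbound traffic from 0.0.0.0/0, so the admin HTTPS/SSH endpoints are Internet-reachable with the initial password. Consider reducing port1 to `set allowaccess ping` (or https only) and administering from the trusted side, or keeping the current setting only together with a source-restricted inbound security-group rule. A one-line comment above `${license_file}` noting that the license body is interpolated into the user-data, and therefore also recorded in Terraform state with the rendered template, would help operators decide how to protect the state backend.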
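--- /dev/null
+++ b/[path not shown: instance .tf]
@@ -0,0 +1,52 @@
+resource "ibm_is_ssh_key" "sshkey" {
+name = "ssh1"
+public_key = file(var.ssh_public_key)
+}
+
+resource "ibm_is_volume" "testacc_volume" {
+name = "logdisk"
+profile = "10iops-tier"
+zone = var.zone1
+}
+
+resource "ibm_is_floating_ip" "publicip" {
+name = "publicip"
+target = ibm_is_instance.fgt1.primary_network_interface[0].id
+}
+
+resource "ibm_is_instance" "fgt1" {
+name = "fgt1"
+image = var.image
+profile = var.profile
+
+primary_network_interface {
+name = "port1"
+subnet = ibm_is_subnet.subnet1.id
+security_groups = [ibm_is_security_group.fgt_security_group.id]
+}
+
+network_interfaces {
+name = "port2"
+subnet = ibm_is_subnet.subnet2.id
+security_groups = [ibm_is_security_group.fgt_security_group.id]
+}
+
+volumes = [ibm_is_volume.testacc_volume.id]
+
+vpc = ibm_is_vpc.vpc1.id
+zone = var.zone1
+user_data = data.template_file.userdata.rendered
+keys = [ibm_is_ssh_key.sshkey.id]
+}
+
+
+// Use for bootstrapping cloud-init
+data "template_file" "userdata" {
+template = "${file("${var.bootstrap}")}"
+
+vars = {
+license_file = "${file("${var.license}")}"
+}
+
+}
+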
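Review bot: `template = "${file("${var.bootstrap}")}"` and `license_file = "${file("${var.license}")}"` wrap a plain function call in a redundant interpolation; with the Terraform >= 0.12 requirement stated in the README these should read `template = file(var.bootstrap)` and `license_file = file(var.license)`, and `terraform fmt` will flag the legacy form. Independently, `user_data` is persisted in state, so the license contents read by `file(var.license)` end up in the state file; a comment on the `data "template_file"` block saying so would help operators protect the backend. The resource name `testacc_volume` reads like a leftover from provider acceptance tests; a name matching its `name = "logdisk"` would be clearer.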
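--- /dev/null
+++ b/[path not shown: outputs .tf]
@@ -0,0 +1,11 @@
+output "FGTPublicIP" {
+value = ibm_is_floating_ip.publicip.address
+}
+
+output "Username" {
+value = "admin"
+}
+
+output "Password" {
+value = ibm_is_instance.fgt1.id
+}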
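Review bot: `output "Password"` prints the instance id as a credential in plain `terraform output` and apply output, with no comment on why the id is the password; a note such as `// Initial admin password is the instance id on first boot — confirm against the FortiGate IBM Cloud docs` would make the intent clear to the next maintainer. Adding `sensitive = true` to this output keeps the value out of the default CLI display while still retrievable on demand. The hard-coded `admin` in `output "Username"` would benefit from the same comment.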
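--- /dev/null
+++ b/[path not shown: provider .tf]
@@ -0,0 +1,11 @@
+variable "ibmcloud_api_key" {}
+variable "iaas_classic_username" {}
+variable "iaas_classic_api_key" {}
+
+provider "ibm" {
+ibmcloud_api_key = var.ibmcloud_api_key
+generation = 2
+region = var.region
+iaas_classic_username = var.iaas_classic_username
+iaas_classic_api_key = var.iaas_classic_api_key
+}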
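Review bot: The three credential variables are declared with empty bodies, so they carry no `type` or `description`, and nothing tells a user that they can be supplied through `TF_VAR_ibmcloud_api_key` (and the two classic equivalents) instead of a tfvars file that tends to get committed. Suggest `type = string` plus a description on each, e.g. `description = "IBM Cloud API key; prefer the TF_VAR_ibmcloud_api_key environment variable over a tfvars file"`. Whether `iaas_classic_username` and `iaas_classic_api_key` are actually needed for the `generation = 2` VPC resources used in this commit is not clear from the page; if they are not, giving them a default would shrink the set of secrets a user has to handle.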
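--- /dev/null
+++ b/[path not shown: .tfvars]
@@ -0,0 +1,3 @@
+ibmcloud_api_key = "<IBM cloud API Key>"
+iaas_classic_username = "<IBM classic username>
+iaas_classic_api_key = "<IBM classic API Key>"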
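Review bot: The second line, `iaas_classic_username = "<IBM classic username>`, is missing its closing quote, so Terraform rejects the whole file with a parse error before any value is read; it should be `iaas_classic_username = "<IBM classic username>"`. Since this file is meant to hold live API keys once the placeholders are replaced, a `.gitignore` entry for `terraform.tfvars` (or a README sentence pointing at `TF_VAR_*` environment variables) would keep the filled-in copy out of version control.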
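--- /dev/null
+++ b/[path not shown: variables .tf]
@@ -0,0 +1,44 @@
+variable "ssh_public_key" {
+default = "~/.ssh/id_rsa.pub"
+}
+
+// IBM Regions
+variable "region" {
+type = string
+default = "us-south"
+}
+// IBM availability zones
+variable "zone1" {
+type = string
+default = "us-south-1"
+}
+
+// Total number of IPV4 addresses for each subnet
+variable "subnetipv4count" {
+type = string
+default = 256
+}
+
+// FortiOS Custom Image ID
+// https://docs.fortinet.com/vm/ibm/fortigate/6.4/ibm-cloud-cookbook/6.4.2/992669/deploying-fortigate-vm-on-ibm-cloud
+variable "image" {
+default = "r006-4a3919d2-3cb8-4039-92fc-9660e838ba71"
+}
+
+// IBM Cloud instance profile
+// https://cloud.ibm.com/docs/vpc?topic=vpc-profiles
+variable "profile" {
+default = "cx2-2x4"
+}
+
+// Bootstrap configuration file
+variable "bootstrap" {
+type = string
+default = "config.conf"
+}
+
+// License file for the FortiGate
+variable "license" {
+type = string
+default = "license.lic"
+}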
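Review bot: `subnetipv4count` is declared `type = string` but its default `256` is a number and it feeds `total_ipv4_address_count` on both subnets; declaring it `type = number` makes the default match the type and lets a non-numeric override fail at validation rather than inside the provider. `ssh_public_key` has no `type`, and none of the variables have a `description`, which is the only place a user running `terraform plan -var ...` sees what a value means. The `image` default looks like a region-scoped image id (the `r006-` prefix), so a comment next to it saying it must change whenever `region` changes would prevent a confusing apply failure.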
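--- /dev/null
+++ b/[path not shown: network .tf]
@@ -0,0 +1,34 @@
+resource "ibm_is_vpc" "vpc1" {
+name = "terraform-vpc1"
+}
+
+resource "ibm_is_subnet" "subnet1" {
+name = "terraform-vpc1-subnet1"
+vpc = ibm_is_vpc.vpc1.id
+zone = var.zone1
+total_ipv4_address_count = var.subnetipv4count
+}
+
+resource "ibm_is_subnet" "subnet2" {
+name = "terraform-vpc1-subnet2"
+vpc = ibm_is_vpc.vpc1.id
+zone = var.zone1
+total_ipv4_address_count = var.subnetipv4count
+}
+
+resource "ibm_is_security_group" "fgt_security_group" {
+name = "fgt-sg"
+vpc = ibm_is_vpc.vpc1.id
+}
+
+resource "ibm_is_security_group_rule" "fgt_security_group_rule_inbound_all" {
+group = ibm_is_security_group.fgt_security_group.id
+direction = "inbound"
+remote = "0.0.0.0/0"
+}
+
+resource "ibm_is_security_group_rule" "fgt_security_group_rule_outbound_all" {
+group = ibm_is_security_group.fgt_security_group.id
+direction = "outbound"
+remote = "0.0.0.0/0"
+}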
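Review bot: `fgt_security_group_rule_inbound_all` admits every protocol and port from `0.0.0.0/0`, and the same group is attached to both the port1 and port2 interfaces of the instance in this commit, so the FortiGate's management listeners (the bootstrap enables https/ssh on both ports) are reachable from the Internet behind the floating IP. Traffic policy is the firewall's job, but the management plane should be bounded at this layer: restrict the inbound rule's `remote` to an operator-supplied CIDR variable (a constructed example: `remote = var.admin_cidr` with no default), or split it into explicit tcp rules for only the ports the deployment needs. If the fully open rule is intentional for a lab setup, a comment on the resource stating that and naming the risk is the minimum; a separate group for port2 would let the trusted side keep a wider rule without widening port1.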