From 5b670032f287603f594ed795ee6388205d7a53a5 Mon Sep 17 00:00:00 2001 From: Daniel Chao Date: Thu, 3 Dec 2020 10:15:00 -0800 Subject: [PATCH] add byol license support for azure on 6.4 and update version Change-Id: I31e8e97653e2d0e6b020426eceb19eb9f0dd571c --- azure/6.4/ha-port1-mgmt/README.md | 4 +- azure/6.4/ha-port1-mgmt/active.tf | 6 +- azure/6.4/ha-port1-mgmt/config-active.conf | 21 +++++++ azure/6.4/ha-port1-mgmt/config-passive.conf | 21 +++++++ azure/6.4/ha-port1-mgmt/passive.tf | 6 +- azure/6.4/ha-port1-mgmt/variables.tf | 37 +++++++++-- azure/6.4/ha/README.md | 4 +- azure/6.4/ha/active.tf | 6 +- azure/6.4/ha/config-active.conf | 25 +++++++- azure/6.4/ha/config-passive.conf | 25 +++++++- azure/6.4/ha/passive.tf | 6 +- azure/6.4/ha/variables.tf | 68 ++++++++++++++------- azure/6.4/single/README.md | 6 +- azure/6.4/single/fgtvm.conf | 19 ++++++ azure/6.4/single/fgtvm.tf | 8 ++- azure/6.4/single/variables.tf | 26 ++++++-- 16 files changed, 236 insertions(+), 52 deletions(-) diff --git a/azure/6.4/ha-port1-mgmt/README.md b/azure/6.4/ha-port1-mgmt/README.md index af5bc95..64be4c5 100644 --- a/azure/6.4/ha-port1-mgmt/README.md +++ b/azure/6.4/ha-port1-mgmt/README.md @@ -1,4 +1,4 @@ -# Deployment of a FortiGate-VM (PAYG) Cluster on the Azure +# Deployment of a FortiGate-VM (BYOL/PAYG) Cluster on the Azure ## Introduction ## This topology is only recommended for using with FOS 6.4.2 and later. ## port1 - hamgmt @@ -17,7 +17,7 @@ A Terraform script to deploy a FortiGate-VM Cluster on Azure ## Deployment overview Terraform deploys the following components: - Azure Virtual Network with 4 subnets - - Two FortiGate-VM (PAYG) instances with four NICs. + - Two FortiGate-VM (BYOL/PAYG) instances with four NICs. - Two firewall rules. - A Ubuntu Client instance. diff --git a/azure/6.4/ha-port1-mgmt/active.tf b/azure/6.4/ha-port1-mgmt/active.tf index 21ff8c9..a789dbc 100644 --- a/azure/6.4/ha-port1-mgmt/active.tf +++ b/azure/6.4/ha-port1-mgmt/active.tf 
@@ -75,13 +75,13 @@ resource "azurerm_virtual_machine" "activefgtvm" { storage_image_reference { publisher = var.custom ? null : var.publisher offer = var.custom ? null : var.fgtoffer - sku = var.custom ? null : var.fgtsku + sku = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] version = var.custom ? null : var.fgtversion id = var.custom ? element(azurerm_image.custom.*.id, 0) : null } plan { - name = var.fgtsku + name = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] publisher = var.publisher product = var.fgtoffer } @@ -127,6 +127,8 @@ resource "azurerm_virtual_machine" "activefgtvm" { data "template_file" "activeFortiGate" { template = "${file("${var.bootstrap-active}")}" vars = { + type = "${var.license_type}" + license_file = "${var.license}" port1_ip = "${var.activeport1}" port1_mask = "${var.activeport1mask}" port2_ip = "${var.activeport2}" diff --git a/azure/6.4/ha-port1-mgmt/config-active.conf b/azure/6.4/ha-port1-mgmt/config-active.conf index fa64364..7e4553c 100644 --- a/azure/6.4/ha-port1-mgmt/config-active.conf +++ b/azure/6.4/ha-port1-mgmt/config-active.conf @@ -1,3 +1,10 @@ +Content-Type: multipart/mixed; boundary="==AZURE==" +MIME-Version: 1.0 + +--==AZURE== +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 + config system global set hostname Azure-HA-Active set admin-sport ${adminsport} @@ -34,6 +41,8 @@ set priority 255 set mode a-p set hbdev port4 100 set session-pickup enable +set hb-interval 20 +set hb-lost-threshold 60 set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 @@ -81,3 +90,15 @@ end next end end + +%{ if type == "byol" } +--==AZURE== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="license" + +${file(license_file)} + +%{ endif } +--==AZURE==-- 
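Review bot: The new `sku` line drops the `var.custom ? null :` guard that `publisher`, `offer` and `version` on the neighbouring lines still carry, so with `custom = true` the block now sets both `id` and `sku`; as far as I know the azurerm provider treats `id` and the publisher/offer/sku/version attributes as mutually exclusive, so the custom-image path would fail at plan time. Keeping the guard restores the old behaviour: `sku = var.custom ? null : (var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"])`. The same ternary is repeated in `plan.name` here and again in azure/6.4/ha-port1-mgmt/passive.tf, azure/6.4/ha/active.tf and azure/6.4/ha/passive.tf; a single `locals { fgt_sku = lookup(var.fgtsku, var.license_type, var.fgtsku["payg"]) }` would keep the four files consistent and remove the duplication. The `azurerm_virtual_machine` resource starts and ends outside the hunk.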
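Review bot: `set hb-interval 20` and `set hb-lost-threshold 60` are added with no explanation; if I recall the FortiOS units correctly, hb-interval is in 100 ms steps and both values are the top of their ranges, which means roughly two minutes of lost heartbeats before a failover is triggered. That is a deliberate availability trade (presumably to avoid spurious failover on cloud networking) and deserves a sentence in the README's deployment section, e.g. `HA heartbeat uses the slowest detection (hb-interval 20, hb-lost-threshold 60) to avoid spurious failover; lower both values for faster failover.` The same two lines are added to config-passive.conf in this directory and to both bootstrap files under azure/6.4/ha.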
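Review bot: `${file(license_file)}` inlines the BYOL license into the rendered bootstrap, and that rendered text ends up in plaintext in the Terraform state (through the `template_file` data source and the VM's `custom_data`) and, as I understand Azure custom data, is readable from inside the VM via the instance metadata service. The license file therefore needs the same handling as a credential: keep state in a restricted, encrypted backend and keep both the license files and local state out of version control. The MIME headers must stay at the top of the template, so the note belongs in the README rather than in the template itself, e.g. `The BYOL license is embedded in the VM custom data and in Terraform state; protect the state file and do not commit license files.` The same block is appended to config-passive.conf here and to the bootstrap files under azure/6.4/ha and azure/6.4/single.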
diff --git a/azure/6.4/ha-port1-mgmt/config-passive.conf b/azure/6.4/ha-port1-mgmt/config-passive.conf index c2ed79a..9806f7f 100644 --- a/azure/6.4/ha-port1-mgmt/config-passive.conf +++ b/azure/6.4/ha-port1-mgmt/config-passive.conf @@ -1,3 +1,10 @@ +Content-Type: multipart/mixed; boundary="==AZURE==" +MIME-Version: 1.0 + +--==AZURE== +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 + config system global set hostname Azure-HA-Passive set admin-sport ${adminsport} @@ -33,6 +40,8 @@ set group-name Azure-HA set mode a-p set hbdev port4 100 set session-pickup enable +set hb-interval 20 +set hb-lost-threshold 60 set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 @@ -80,3 +89,15 @@ end next end end + +%{ if type == "byol" } +--==AZURE== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="license" + +${file(license_file)} + +%{ endif } +--==AZURE==-- diff --git a/azure/6.4/ha-port1-mgmt/passive.tf b/azure/6.4/ha-port1-mgmt/passive.tf index 10eadb8..088a5a9 100644 --- a/azure/6.4/ha-port1-mgmt/passive.tf +++ b/azure/6.4/ha-port1-mgmt/passive.tf @@ -63,13 +63,13 @@ resource "azurerm_virtual_machine" "passivefgtvm" { storage_image_reference { publisher = var.custom ? null : var.publisher offer = var.custom ? null : var.fgtoffer - sku = var.custom ? null : var.fgtsku + sku = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] version = var.custom ? null : var.fgtversion id = var.custom ? element(azurerm_image.custom.*.id, 0) : null } plan { - name = var.fgtsku + name = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] publisher = var.publisher product = var.fgtoffer } 
@@ -115,6 +115,8 @@ data "template_file" "passiveFortiGate" { template = "${file("${var.bootstrap-passive}")}" vars = { + type = "${var.license_type}" + license_file = "${var.license2}" port1_ip = "${var.passiveport1}" port1_mask = "${var.passiveport1mask}" port2_ip = "${var.passiveport2}" diff --git a/azure/6.4/ha-port1-mgmt/variables.tf b/azure/6.4/ha-port1-mgmt/variables.tf index 1bf23bf..b4919e3 100644 --- a/azure/6.4/ha-port1-mgmt/variables.tf +++ b/azure/6.4/ha-port1-mgmt/variables.tf @@ -4,6 +4,7 @@ variable client_id {} variable client_secret {} variable tenant_id {} + // For HA, choose instance size that support 4 nics at least // Check : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes variable "size" { @@ -16,7 +17,7 @@ variable "location" { default = "westus2" } -// To use custom image +// To use custom image // by default is false variable "custom" { default = false @@ -25,7 +26,7 @@ variable "custom" { // Custom image blob uri variable "customuri" { type = string - default = "https://" + default = "" } variable "custom_image_name" { @@ -38,6 +39,12 @@ variable "custom_image_resource_group_name" { default = "" } +// License Type to create FortiGate-VM +// Provide the license type for FortiGate-VM Instances, either byol or payg. +variable "license_type" { + default = "payg" +} + variable "publisher" { type = string default = "fortinet" @@ -48,14 +55,19 @@ variable "fgtoffer" { default = "fortinet_fortigate-vm_v5" } +// BYOL sku: fortinet_fg-vm +// PAYG sku: fortinet_fg-vm_payg_20190624 variable "fgtsku" { - type = string - default = "fortinet_fg-vm_payg_20190624" + type = map + default = { + byol = "fortinet_fg-vm" + payg = "fortinet_fg-vm_payg_20190624" + } } variable "fgtversion" { type = string - default = "6.4.2" + default = "6.4.3" } 
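Review bot: `license_type` is declared with only a default, no type and no validation, and every consumer (`var.license_type == "byol" ? … : …` in the .tf files and `%{ if type == "byol" }` in the bootstrap templates) falls through to PAYG for any value other than the exact lowercase string `byol`, so a typo such as `BYOL` silently deploys a pay-as-you-go instance without a license. Constraining the input fails fast: `type = string` plus a `validation` block with `condition = contains(["byol", "payg"], var.license_type)`. Variable validation needs Terraform 0.13, which the README's `>= 0.12.0` requirement does not guarantee, so either raise the requirement or at least state in the comment that the value is case-sensitive and anything else means PAYG. The same variable block is added in azure/6.4/ha/variables.tf and azure/6.4/single/variables.tf.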
@@ -179,3 +191,18 @@ variable "bootstrap-passive" { default = "config-passive.conf" } + +// license file for the active fgt +variable "license" { + // Change to your own byol license file, license.lic + type = string + default = "license.txt" +} + +// license file for the passive fgt +variable "license2" { + // Change to your own byol license file, license2.lic + type = string + default = "license2.txt" +} + diff --git a/azure/6.4/ha/README.md b/azure/6.4/ha/README.md index 3450c90..95b7d48 100644 --- a/azure/6.4/ha/README.md +++ b/azure/6.4/ha/README.md @@ -1,4 +1,4 @@ -# Deployment of a FortiGate-VM (PAYG) Cluster on the Azure +# Deployment of a FortiGate-VM (BYOL/PAYG) Cluster on the Azure ## Introduction A Terraform script to deploy a FortiGate-VM Cluster on Azure @@ -12,7 +12,7 @@ A Terraform script to deploy a FortiGate-VM Cluster on Azure ## Deployment overview Terraform deploys the following components: - Azure Virtual Network with 4 subnets - - Two FortiGate-VM (PAYG) instances with four NICs. + - Two FortiGate-VM (BYOL/PAYG) instances with four NICs. - Two firewall rules. - A Ubuntu Client instance. diff --git a/azure/6.4/ha/active.tf b/azure/6.4/ha/active.tf index cbc15a0..105e0f1 100644 --- a/azure/6.4/ha/active.tf +++ b/azure/6.4/ha/active.tf @@ -75,13 +75,13 @@ resource "azurerm_virtual_machine" "activefgtvm" { storage_image_reference { publisher = var.custom ? null : var.publisher offer = var.custom ? null : var.fgtoffer - sku = var.custom ? null : var.fgtsku + sku = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] version = var.custom ? null : var.fgtversion id = var.custom ? element(azurerm_image.custom.*.id, 0) : null } plan { - name = var.fgtsku + name = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] publisher = var.publisher product = var.fgtoffer } 
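Review bot: The comments on `license` and `license2` refer to `license.lic` / `license2.lic` while the defaults are `license.txt` / `license2.txt`, so a user who follows the comment gets a `file()` error as soon as `license_type = "byol"`; align them, e.g. `// Path to the BYOL license for the active FortiGate; only read when license_type = "byol"`. Because these paths name files whose contents are embedded into the VM bootstrap and the Terraform state, the comment should also say they must not be committed, and if the repository's .gitignore does not already exclude them the pattern should be added there. The same pair of variables is added in azure/6.4/ha/variables.tf and a single `license` variable in azure/6.4/single/variables.tf.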
@@ -127,6 +127,8 @@ resource "azurerm_virtual_machine" "activefgtvm" { data "template_file" "activeFortiGate" { template = "${file("${var.bootstrap-active}")}" vars = { + type = "${var.license_type}" + license_file = "${var.license}" port1_ip = "${var.activeport1}" port1_mask = "${var.activeport1mask}" port2_ip = "${var.activeport2}" diff --git a/azure/6.4/ha/config-active.conf b/azure/6.4/ha/config-active.conf index 5e7ad16..f9b4aee 100644 --- a/azure/6.4/ha/config-active.conf +++ b/azure/6.4/ha/config-active.conf @@ -1,16 +1,23 @@ +Content-Type: multipart/mixed; boundary="==AZURE==" +MIME-Version: 1.0 + +--==AZURE== +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 + config system global set hostname Azure-HA-Active set admin-sport ${adminsport} end config system interface edit port1 -set alias public +set alias untrust set mode static set ip ${port1_ip} ${port1_mask} set allowaccess ping https ssh fgfm next edit port2 -set alias private +set alias trust set mode static set ip ${port2_ip} ${port2_mask} set allowaccess ping https ssh fgfm @@ -35,6 +42,8 @@ set mode a-p set hbdev port3 100 set session-pickup enable set ha-mgmt-status enable +set hb-interval 20 +set hb-lost-threshold 60 config ha-mgmt-interfaces edit 1 set interface port4 @@ -81,3 +90,15 @@ end next end end + +%{ if type == "byol" } +--==AZURE== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="license" + +${file(license_file)} + +%{ endif } +--==AZURE==-- diff --git a/azure/6.4/ha/config-passive.conf b/azure/6.4/ha/config-passive.conf index 22bbf05..250b434 100644 --- a/azure/6.4/ha/config-passive.conf +++ b/azure/6.4/ha/config-passive.conf 
@@ -1,16 +1,23 @@ +Content-Type: multipart/mixed; boundary="==AZURE==" +MIME-Version: 1.0 + +--==AZURE== +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 + config system global set hostname Azure-HA-Passive set admin-sport ${adminsport} end config system interface edit port1 -set alias public +set alias untrust set mode static set ip ${port1_ip} ${port1_mask} set allowaccess ping https ssh fgfm next edit port2 -set alias private +set alias trust set mode static set ip ${port2_ip} ${port2_mask} set allowaccess ping https ssh fgfm @@ -33,6 +40,8 @@ set group-name Azure-HA set mode a-p set hbdev port3 100 set session-pickup enable +set hb-interval 20 +set hb-lost-threshold 60 set ha-mgmt-status enable config ha-mgmt-interfaces edit 1 @@ -80,3 +89,15 @@ end next end end + +%{ if type == "byol" } +--==AZURE== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="license" + +${file(license_file)} + +%{ endif } +--==AZURE==-- diff --git a/azure/6.4/ha/passive.tf b/azure/6.4/ha/passive.tf index 4a3bd76..5b67d88 100644 --- a/azure/6.4/ha/passive.tf +++ b/azure/6.4/ha/passive.tf @@ -63,13 +63,13 @@ resource "azurerm_virtual_machine" "passivefgtvm" { storage_image_reference { publisher = var.custom ? null : var.publisher offer = var.custom ? null : var.fgtoffer - sku = var.custom ? null : var.fgtsku + sku = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] version = var.custom ? null : var.fgtversion id = var.custom ? element(azurerm_image.custom.*.id, 0) : null } plan { - name = var.fgtsku + name = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] publisher = var.publisher product = var.fgtoffer } 
@@ -115,6 +115,8 @@ data "template_file" "passiveFortiGate" { template = "${file("${var.bootstrap-passive}")}" vars = { + type = "${var.license_type}" + license_file = "${var.license2}" port1_ip = "${var.passiveport1}" port1_mask = "${var.passiveport1mask}" port2_ip = "${var.passiveport2}" diff --git a/azure/6.4/ha/variables.tf b/azure/6.4/ha/variables.tf index 4a28f78..93b029b 100644 --- a/azure/6.4/ha/variables.tf +++ b/azure/6.4/ha/variables.tf @@ -9,15 +9,15 @@ variable tenant_id {} // Check : https://docs.microsoft.com/en-us/azure/virtual-machines/linux/sizes variable "size" { type = string - default = "Standard_F4" + default = "Standard_D3_v2" } variable "location" { type = string - default = "westus2" + default = "westus" } -// To use custom image +// To use custom image // by default is false variable "custom" { default = false @@ -39,6 +39,12 @@ variable "custom_image_resource_group_name" { default = "" } +// License Type to create FortiGate-VM +// Provide the license type for FortiGate-VM Instances, either byol or payg. +variable "license_type" { + default = "payg" +} + variable "publisher" { type = string default = "fortinet" @@ -49,17 +55,21 @@ variable "fgtoffer" { default = "fortinet_fortigate-vm_v5" } +// BYOL sku: fortinet_fg-vm +// PAYG sku: fortinet_fg-vm_payg_20190624 variable "fgtsku" { - type = string - default = "fortinet_fg-vm_payg_20190624" + type = map + default = { + byol = "fortinet_fg-vm" + payg = "fortinet_fg-vm_payg_20190624" + } } variable "fgtversion" { type = string - default = "6.4.1" + default = "6.4.3" } - variable "adminusername" { type = string default = "azureadmin" 
@@ -77,27 +87,27 @@ variable "adminsport" { } variable "vnetcidr" { - default = "10.1.0.0/16" + default = "172.1.0.0/16" } variable "publiccidr" { - default = "10.1.0.0/24" + default = "172.1.0.0/24" } variable "privatecidr" { - default = "10.1.1.0/24" + default = "172.1.1.0/24" } variable "hasynccidr" { - default = "10.1.2.0/24" + default = "172.1.2.0/24" } variable "hamgmtcidr" { - default = "10.1.3.0/24" + default = "172.1.3.0/24" } variable "activeport1" { - default = "10.1.0.10" + default = "172.1.0.10" } variable "activeport1mask" { @@ -105,7 +115,7 @@ variable "activeport1mask" { } variable "activeport2" { - default = "10.1.1.10" + default = "172.1.1.10" } variable "activeport2mask" { @@ -113,7 +123,7 @@ variable "activeport2mask" { } variable "activeport3" { - default = "10.1.2.10" + default = "172.1.2.10" } variable "activeport3mask" { @@ -121,7 +131,7 @@ variable "activeport3mask" { } variable "activeport4" { - default = "10.1.3.10" + default = "172.1.3.10" } variable "activeport4mask" { @@ -129,7 +139,7 @@ variable "activeport4mask" { } variable "passiveport1" { - default = "10.1.0.11" + default = "172.1.0.11" } variable "passiveport1mask" { @@ -137,7 +147,7 @@ variable "passiveport1mask" { } variable "passiveport2" { - default = "10.1.1.11" + default = "172.1.1.11" } variable "passiveport2mask" { @@ -145,7 +155,7 @@ variable "passiveport2mask" { } variable "passiveport3" { - default = "10.1.2.11" + default = "172.1.2.11" } variable "passiveport3mask" { @@ -153,7 +163,7 @@ variable "passiveport3mask" { } variable "passiveport4" { - default = "10.1.3.11" + default = "172.1.3.11" } variable "passiveport4mask" { @@ -161,11 +171,11 @@ variable "passiveport4mask" { } variable "port1gateway" { - default = "10.1.0.1" + default = "172.1.0.1" } variable "port4gateway" { - default = "10.1.3.1" + default = "172.1.3.1" } variable "bootstrap-active" { 
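Review bot: The new defaults move the VNet, every subnet and every interface address into `172.1.0.0/16`, which is not RFC 1918 private space (the private block is `172.16.0.0/12`) but a publicly routed range; a VNet on it black-holes traffic to any legitimate host in that range and is easy to mistake for a private network when writing firewall policy. If the intent was to stop overlapping with `10.1.0.0/16`, `172.16.0.0/16` with matching `172.16.x.y` port and gateway defaults keeps the change and stays private. The `port1gateway` and `port4gateway` defaults at the end of this section would need the same adjustment.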
@@ -180,3 +190,17 @@ variable "bootstrap-passive" { default = "config-passive.conf" } +// license file for the active fgt +variable "license" { + // Change to your own byol license file, license.lic + type = string + default = "license.txt" +} + +// license file for the passive fgt +variable "license2" { + // Change to your own byol license file, license2.lic + type = string + default = "license2.txt" +} + diff --git a/azure/6.4/single/README.md b/azure/6.4/single/README.md index bc4ecc1..eecdb88 100644 --- a/azure/6.4/single/README.md +++ b/azure/6.4/single/README.md @@ -1,6 +1,6 @@ -# Deployment of a FortiGate-VM on the Azure +# Deployment of a FortiGate-VM(BYOL/PAYG) on the Azure ## Introduction -A Terraform script to deploy a FortiGate-VM on Azure +A Terraform script to deploy a FortiGate-VM(BYOL/PAYG) on Azure ## Requirements * [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.12.0 @@ -13,7 +13,7 @@ A Terraform script to deploy a FortiGate-VM on Azure Terraform deploys the following components: - Azure Virtual Network with 2 subnets - One FortiGate-VM instances with 2 NICs - - Two firewall rules: one for external, one for internal, one for sync, and one for HA management. + - Two firewall rules: one for external, one for internal. ## Deployment To deploy the FortiGate-VM to Azure: diff --git a/azure/6.4/single/fgtvm.conf b/azure/6.4/single/fgtvm.conf index 990ef9e..98d56c8 100644 --- a/azure/6.4/single/fgtvm.conf +++ b/azure/6.4/single/fgtvm.conf @@ -1,3 +1,10 @@ +Content-Type: multipart/mixed; boundary="==AZURE==" +MIME-Version: 1.0 + +--==AZURE== +Content-Type: text/x-shellscript; charset="us-ascii" +MIME-Version: 1.0 + config system global set hostname FGTVM end 
@@ -14,3 +21,15 @@ set allowaccess ping https ssh fgfm set defaultgw disable next end + +%{ if type == "byol" } +--==AZURE== +Content-Type: text/plain; charset="us-ascii" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Content-Disposition: attachment; filename="license" + +${file(license_file)} + +%{ endif } +--==AZURE==-- diff --git a/azure/6.4/single/fgtvm.tf b/azure/6.4/single/fgtvm.tf index 72e7bd7..2095555 100644 --- a/azure/6.4/single/fgtvm.tf +++ b/azure/6.4/single/fgtvm.tf @@ -74,12 +74,12 @@ resource "azurerm_virtual_machine" "fgtvm" { storage_image_reference { publisher = var.publisher offer = var.fgtoffer - sku = var.fgtsku + sku = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] version = var.fgtversion } plan { - name = var.fgtsku + name = var.license_type == "byol" ? var.fgtsku["byol"] : var.fgtsku["payg"] publisher = var.publisher product = var.fgtoffer } @@ -123,4 +123,8 @@ resource "azurerm_virtual_machine" "fgtvm" { data "template_file" "fgtvm" { template = "${file("${var.bootstrap-fgtvm}")}" + vars = { + type = "${var.license_type}" + license_file = "${var.license}" + } } diff --git a/azure/6.4/single/variables.tf b/azure/6.4/single/variables.tf index 5aaa1f3..82582e6 100644 --- a/azure/6.4/single/variables.tf +++ b/azure/6.4/single/variables.tf @@ -1,4 +1,4 @@ -// Azure configu ation +// Azure configuration variable subscription_id {} variable client_id {} variable client_secret {} @@ -31,6 +31,12 @@ variable "custom_image_resource_group_name" { default = "" } +// License Type to create FortiGate-VM +// Provide the license type for FortiGate-VM Instances, either byol or payg. +variable "license_type" { + default = "byol" +} + variable "publisher" { type = string default = "fortinet" 
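Review bot: Here `license_type` defaults to `"byol"` while the two HA variants default to `"payg"`, and with byol the template's `${file(license_file)}` reads `license.txt` at plan time, so a fresh clone of the single deployment fails at `terraform plan` until a license file is supplied. Defaulting to `"payg"` as in azure/6.4/ha/variables.tf and azure/6.4/ha-port1-mgmt/variables.tf keeps the three deployments consistent and plannable out of the box: `default = "payg"`. If byol is intended as the default for the single deployment, the README should state that `license.txt` must exist before planning.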
@@ -41,14 +47,19 @@ variable "fgtoffer" { default = "fortinet_fortigate-vm_v5" } +// BYOL sku: fortinet_fg-vm +// PAYG sku: fortinet_fg-vm_payg_20190624 variable "fgtsku" { - type = string - default = "fortinet_fg-vm_payg_20190624" + type = map + default = { + byol = "fortinet_fg-vm" + payg = "fortinet_fg-vm_payg_20190624" + } } variable "fgtversion" { type = string - default = "6.4.1" + default = "6.4.3" } variable "adminusername" { @@ -84,3 +95,10 @@ variable "bootstrap-fgtvm" { default = "fgtvm.conf" } +// license file for the fgt +variable "license" { + // Change to your own byol license file, license.lic + type = string + default = "license.txt" +} +