add gateway load balancer for single vm deployment

Change-Id: I3b3f537209027dff989a98508fd64653bd65d763

aws/6.4/gwlb/README.md

@@ -0,0 +1,94 @@
+# Deployment of a FortiGate-VM (BYOL/PAYG) on the AWS with GWLB integration
+## Introduction
+A Terraform script to deploy a FortiGate-VM on AWS with Gateway Load Balancer intergration.
+
+## Requirements
+* [Terraform](https://learn.hashicorp.com/terraform/getting-started/install.html) >= 0.13.5
+* Terraform Provider AWS >= 3.22.0
+* Terraform Provider Template >= 2.2.0
+* FOS Version >= 6.4.4
+
+## Deployment overview
+Terraform deploys the following components:
+ - 2 AWS VPCs
+ - Customer VPC with 2 public subnets and 2 private subnets split two different AZs
+ - 1 Internet Gateway
+ - 1 Route table with edge association with Internet Gateway, and 2 internal route with target to Gateway Load Balancer Endpoint.
+ - 1 Route table with private subnet association, and default route with target to Gateway Load Balancer Endpoint.
+ - 1 Route table with public subnet association, and default route with target to Internet Gateway.
+ - FGT VPC with 1 public and 1 private subnet in one AZ.
+ - 1 Internet Gateway
+ - 1 Route table with private subnet association, and default route with target to FortiGate private port.
+ - 1 Route table with public subnet association, and default route with target to Internet Gateway.
+ - One FortiGate-VM instance with 2 NICs : port1 on public subnet and port2 on private subnet
+ - port2 will be in its own FG-traffic vdom.
+ - A geneve interface will be created base on port2 during bootstrap and this will be the interface where traffic will received from the Gateway Load Balancer.
+ - Two Network Security Group rules: one for external, one for internal.
+ - One Gateway Load Balancer with single target to one FortiGate.
+
+## Topology overview
+Customer VPC (20.1.0.0/16)
+ public-az1 (20.1.0.0/24)
+ private-az1 (20.1.1.0/24)
+ public-az2 (20.1.2.0/24)
+ private-az2 (20.1.3.0/24)
+Security VPC (10.1.0.0/16)
+ public (10.1.0.0/24)
+ private (10.1.1.0/24)
+
+FortiGate VM is deployed in Security VPC on both public and private subnet
+Server(s) are deployed in the private subnet in the Customer VPC in different AZ.
+
+Ingress traffic to the Server(s) located in the private subnet in Customer VPC will be routed to GWLB, redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint.
+Egress traffic from the Server(s) located in the private subnet in Customer VPC will be routed to GWLB and redirect to FortiGate-VM's geneve interface and send back out to GWLB endpoint.
+
+![gateway-load-balancer-architecture](./gwlb-vpc.png?raw=true "Gateway Load Balancer Architecture")
+
+## Deployment
+To deploy the FortiGate-VM to AWS:
+1. Clone the repository.
+2. Customize variables in the `terraform.tfvars` and `variables.tf` file as needed.
+3. Initialize the providers and modules:
+ ```sh
+ $ cd XXXXX
+ $ terraform init
+ ```
+4. Submit the Terraform plan:
+ ```sh
+ $ terraform plan
+ ```
+5. Verify output.
+6. Confirm and apply the plan:
+ ```sh
+ $ terraform apply
+ ```
+7. If output is satisfactory, type `yes`.
+
+Output will include the information necessary to log in to the FortiGate-VM instances:
+```sh
+Outputs:
+
+CustomerVPC = <Customer VPC>
+FGTPublicIP = <FGT Public IP>
+FGTVPC = <FGT VPC>
+LoadBalancerPrivateIP = <Private Load Balancer IP>
+Password = <FGT Password>
+Username = <FGT Username>
+```
+
+## Destroy the instance
+To destroy the instance, use the command:
+```sh
+$ terraform destroy
+```
+
+# Support
+Fortinet-provided scripts in this and other GitHub projects do not fall under the regular Fortinet technical support scope and are not supported by FortiCare Support Services.
+For direct issues, please refer to the [Issues](https://github.com/fortinet/fortigate-terraform-deploy/issues) tab of this GitHub project.
+For other questions related to this project, contact [[email protected]](mailto:[email protected]).
+
+## License
+[License](https://github.com/fortinet/fortigate-terraform-deploy/blob/master/LICENSE) © Fortinet Technologies. All rights reserved.
+
+
+

aws/6.4/gwlb/fgtvm.conf

@@ -0,0 +1,77 @@
+Content-Type: multipart/mixed; boundary="==AWS=="
+MIME-Version: 1.0
+
+--==AWS==
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+
+config system global
+set hostname FGTVM-GWLB
+set admin-sport ${adminsport}
+end
+config system interface
+edit port1
+set alias public
+set mode dhcp
+set allowaccess ping https ssh fgfm
+next
+edit port2
+set alias private
+set mode dhcp
+set allowaccess ping https ssh fgfm probe-response
+set defaultgw disable
+next
+end
+config system probe-response
+set mode http-probe
+end
+config system global
+set vdom-mode split-vdom
+end
+config global
+config system interface
+edit port2
+set vdom FG-traffic
+next
+end
+end
+config vdom
+edit FG-traffic
+config system geneve
+edit "awsgeneve"
+set interface "port2"
+set type ppp
+set remote-ip ${endpointip}
+next
+end
+config firewall policy
+edit 1
+set name "test"
+set srcintf "awsgeneve"
+set dstintf "awsgeneve"
+set srcaddr "all"
+set dstaddr "all"
+set action accept
+set schedule "always"
+set service "ALL"
+set logtraffic all
+next
+end
+config router static
+edit 1
+set device awsgeneve
+next
+end
+
+
+%{ if type == "byol" }
+--==AWS==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+Content-Disposition: attachment; filename="license"
+
+${file(license_file)}
+
+%{ endif }
+--==AWS==--

aws/6.4/gwlb/fgtvm.tf

@@ -0,0 +1,91 @@
+// FGTVM instance
+
+resource "aws_network_interface" "eth0" {
+ description = "fgtvm-port1"
+ subnet_id = aws_subnet.publicsubnetaz1.id
+}
+
+resource "aws_network_interface" "eth1" {
+ description = "fgtvm-port2"
+ subnet_id = aws_subnet.privatesubnetaz1.id
+ source_dest_check = false
+}
+
+data "aws_network_interface" "eth1" {
+ id = aws_network_interface.eth1.id
+}
+
+//
+data "aws_network_interface" "vpcendpointip" {
+ depends_on = [aws_vpc_endpoint.gwlbendpoint]
+ filter {
+ name = "vpc-id"
+ values = ["${aws_vpc.fgtvm-vpc.id}"]
+ }
+ filter {
+ name = "status"
+ values = ["in-use"]
+ }
+ filter {
+ name = "description"
+ values = ["*ELB*"]
+ }
+}
+
+resource "aws_network_interface_sg_attachment" "publicattachment" {
+ depends_on = [aws_network_interface.eth0]
+ security_group_id = aws_security_group.public_allow.id
+ network_interface_id = aws_network_interface.eth0.id
+}
+
+resource "aws_network_interface_sg_attachment" "internalattachment" {
+ depends_on = [aws_network_interface.eth1]
+ security_group_id = aws_security_group.allow_all.id
+ network_interface_id = aws_network_interface.eth1.id
+}
+
+
+resource "aws_instance" "fgtvm" {
+ ami = var.license_type == "byol" ? var.fgtvmbyolami[var.region] : var.fgtvmami[var.region]
+ instance_type = var.size
+ availability_zone = var.az1
+ key_name = var.keyname
+ user_data = data.template_file.FortiGate.rendered
+
+ root_block_device {
+ volume_type = "standard"
+ volume_size = "2"
+ }
+
+ ebs_block_device {
+ device_name = "/dev/sdb"
+ volume_size = "30"
+ volume_type = "standard"
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.eth0.id
+ device_index = 0
+ }
+
+ network_interface {
+ network_interface_id = aws_network_interface.eth1.id
+ device_index = 1
+ }
+
+ tags = {
+ Name = "FortiGateVM"
+ }
+}
+
+
+data "template_file" "FortiGate" {
+ template = "${file("${var.bootstrap-fgtvm}")}"
+ vars = {
+ type = "${var.license_type}"
+ license_file = "${var.license}"
+ adminsport = "${var.adminsport}"
+ endpointip = "${data.aws_network_interface.vpcendpointip.private_ip}"
+ }
+}
+