Add files via upload

40net-cloud · Dec 11, 2023 · 297de35 · 297de35
1 parent 942fd40
commit 297de35
Show file tree

Hide file tree

Showing 10 changed files with 499 additions and 0 deletions.
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/block.tf b/FortiGate/Standalone/Existing-VCN/terraform/block.tf
@@ -0,0 +1,12 @@
+resource "oci_core_volume" "vm_volume" {
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ display_name = "vm_volume"
+ size_in_gbs = var.volume_size
+}
+
+resource "oci_core_volume_attachment" "vm_volume_attach" {
+ attachment_type = "paravirtualized"
+ instance_id = oci_core_instance.FortiGate.id
+ volume_id = oci_core_volume.vm_volume.id
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/compute.tf b/FortiGate/Standalone/Existing-VCN/terraform/compute.tf
@@ -0,0 +1,93 @@
+resource "oci_core_instance" "FortiGate" {
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ display_name = "FortiGate"
+ shape = var.instance_shape
+
+ // Uncomment and addapt if you are yousing newer instance types like VM.Standard.E3.Flex
+ # shape_config {
+ # memory_in_gbs = "16"
+ # ocpus = "4"
+ # }
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrust_subnet.id
+ display_name = "FortiGate"
+ assign_public_ip = true
+ hostname_label = "vma"
+ private_ip = var.untrust_private_ip
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid
+
+ //for PIC image: source_id = var.vm_image_ocid
+
+ # Apply this to set the size of the boot volume that's created for this instance.
+ # Otherwise, the default boot volume size of the image is used.
+ # This should only be specified when source_type is set to "image".
+ #boot_volume_size_in_gbs = "60"
+ }
+
+ # Apply the following flag only if you wish to preserve the attached boot volume upon destroying this instance
+ # Setting this and destroying the instance will result in a boot volume that should be managed outside of this config.
+ # When changing this value, make sure to run 'terraform apply' so that it takes effect before the resource is destroyed.
+ #preserve_boot_volume = true
+
+
+ //required for metadata setup via cloud-init
+ metadata = {
+ // ssh_authorized_keys = var.ssh_public_key
+ user_data = base64encode(data.template_file.FortiGate_userdata.rendered)
+ }
+
+ timeouts {
+ create = "60m"
+ }
+}
+
+resource "oci_core_public_ip" "untrust_public_ip" {
+ #Required
+ compartment_id = var.compartment_ocid
+ lifetime = var.untrust_public_ip_lifetime
+
+}
+
+resource "oci_core_vnic_attachment" "vnic_attach_trust" {
+ depends_on = [oci_core_instance.FortiGate]
+ instance_id = oci_core_instance.FortiGate.id
+ display_name = "vnic_trust"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.trust_subnet.id
+ display_name = "vnic_trust"
+ assign_public_ip = false
+ skip_source_dest_check = true
+ private_ip = var.trust_private_ip
+ }
+}
+
+resource "oci_core_private_ip" "trust_private_ip" {
+ #Get Primary VNIC id
+ vnic_id = element(oci_core_vnic_attachment.vnic_attach_trust.*.vnic_id, 0)
+
+}
+
+data "template_file" "FortiGate_userdata" {
+
+ template = file(var.bootstrap_FortiGate)
+
+ vars = {
+ untrust_ip = var.untrust_private_ip
+ untrust_ip_mask = "255.255.255.0"
+ trust_ip = var.trust_private_ip
+ trust_ip_mask = "255.255.255.0"
+ untrust_subnet_gw = var.untrust_subnet_gateway
+ trust_subnet_gw = var.trust_subnet_gateway
+ vcn_cidr = var.vcn_cidr
+
+ tenancy_ocid = var.tenancy_ocid
+ compartment_ocid = var.compartment_ocid
+ }
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/datasources.tf b/FortiGate/Standalone/Existing-VCN/terraform/datasources.tf
@@ -0,0 +1,13 @@
+# Gets a list of Availability Domains
+data "oci_identity_availability_domain" "ad" {
+ compartment_id = var.tenancy_ocid
+ ad_number = var.availability_domain
+}
+
+# Gets the boot volume attachments for each instance
+data "oci_core_boot_volume_attachments" "block_attach" {
+ depends_on = [oci_core_instance.FortiGate]
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.FortiGate.id
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/image_subscription.tf b/FortiGate/Standalone/Existing-VCN/terraform/image_subscription.tf
@@ -0,0 +1,38 @@
+//Local variables pointing to the Marketplace catalog resource
+locals {
+ mp_listing_id = var.mp_listing_id
+ mp_listing_resource_id = var.vm_image_ocid
+ mp_listing_resource_version = var.mp_listing_resource_version
+}
+
+//Get Image Agreement
+resource "oci_core_app_catalog_listing_resource_version_agreement" "mp_image_agreement" {
+ listing_id = local.mp_listing_id
+ listing_resource_version = local.mp_listing_resource_version
+}
+
+//Accept Terms and Subscribe to the image, placing the image in a particular compartment
+resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
+ compartment_id = var.compartment_ocid
+ eula_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.eula_link
+ listing_id = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_id
+ listing_resource_version = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_resource_version
+ oracle_terms_of_use_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.oracle_terms_of_use_link
+ signature = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.signature
+ time_retrieved = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.time_retrieved
+
+ timeouts {
+ create = "30m"
+ }
+}
+
+// Gets the partner image subscription
+data "oci_core_app_catalog_subscriptions" "mp_image_subscription" {
+ #Required
+ compartment_id = var.compartment_ocid
+ listing_id = local.mp_listing_id
+ filter {
+ name = "listing_resource_version"
+ values = ["${local.mp_listing_resource_version}"]
+ }
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/network.tf b/FortiGate/Standalone/Existing-VCN/terraform/network.tf
@@ -0,0 +1,160 @@
+#######################################
+# VCN & IGW SETTINGS #
+#######################################
+// Pointing to existing VCN
+data "oci_core_vcn" "my_vcn" {
+ vcn_id = var.vcn_ocid
+}
+
+// Pointing to existing Internet Gateway
+data "oci_core_internet_gateways" "igw" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+}
+#######################################
+# UNTRUST NETWORK SETTINGS #
+#######################################
+// Untrust Route Table
+resource "oci_core_route_table" "untrust_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ display_name = "untrust-rt"
+
+ route_rules {
+ destination = "0.0.0.0/0"
+ network_entity_id = var.igw_ocid
+ }
+}
+// Untrust Subnet
+resource "oci_core_subnet" "untrust_subnet" {
+ cidr_block = var.untrust_subnet_cidr
+ display_name = "untrust"
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ route_table_id = oci_core_route_table.untrust_routetable.id
+ security_list_ids = [data.oci_core_vcn.my_vcn.default_security_list_id, oci_core_security_list.untrust_security_list.id]
+ dhcp_options_id = data.oci_core_vcn.my_vcn.default_dhcp_options_id
+ dns_label = "untrust"
+}
+
+// Untrust Security List
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "untrust_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ display_name = "untrust-security-list"
+
+ // allow outbound tcp traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "6" //tcp
+ }
+
+ // allow inbound http (port 80) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ // allow inbound http (port 443) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 443
+ max = 443
+ }
+ }
+
+ // allow inbound traffic to port 5901 (vnc)
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 5901
+ max = 5901
+ }
+ }
+
+ // allow inbound ssh traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 22
+ max = 22
+ }
+ }
+
+ // allow inbound icmp traffic of a specific type
+ ingress_security_rules {
+ protocol = 1
+ source = "0.0.0.0/0"
+ stateless = false
+
+ icmp_options {
+ type = 3
+ code = 4
+ }
+ }
+}
+
+#######################################
+# TRUST NETWORK SETTINGS #
+#######################################
+// Trust Subnet
+resource "oci_core_subnet" "trust_subnet" {
+ cidr_block = var.trust_subnet_cidr
+ display_name = "trust"
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ route_table_id = oci_core_route_table.trust_routetable.id
+ security_list_ids = [data.oci_core_vcn.my_vcn.default_security_list_id, oci_core_security_list.trust_security_list.id]
+ dhcp_options_id = data.oci_core_vcn.my_vcn.default_dhcp_options_id
+ dns_label = "trust"
+ prohibit_public_ip_on_vnic = "true"
+}
+
+// Trust Route Table
+resource "oci_core_route_table" "trust_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ display_name = "trust-routetable"
+}
+
+// Trust Security List
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "trust_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = data.oci_core_vcn.my_vcn.id
+ display_name = "trust-security-list"
+
+
+ // allow outbound traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ stateless = false
+ }
+
+ // allow inbound traffic on all ports from network
+ ingress_security_rules {
+ protocol = "all"
+ source = var.vcn_cidr
+ stateless = false
+ }
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/output.tf b/FortiGate/Standalone/Existing-VCN/terraform/output.tf
@@ -0,0 +1,9 @@
+# Output the private and public IPs of the instance
+
+output "Mgmt-FortiGate-PublicIP" {
+ value = [oci_core_instance.FortiGate.*.public_ip]
+}
+
+output "FortiGate-ID" {
+ value = [oci_core_instance.FortiGate.id]
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/provider.tf b/FortiGate/Standalone/Existing-VCN/terraform/provider.tf
@@ -0,0 +1,18 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
+
+terraform {
+ required_version = ">=1.0"
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">=3.69.0"
+ }
+ template = ">=2.1.2"
+ }
+}
diff --git a/FortiGate/Standalone/Existing-VCN/terraform/terraform.tfvars b/FortiGate/Standalone/Existing-VCN/terraform/terraform.tfvars
@@ -0,0 +1,7 @@
+// Change to your own variables
+tenancy_ocid = "ocid1.tenancy.oc1..aaaaaaaambr3uzztoyhweohbzqqdo775h7d3t54zpmzkp4b2cf35vs55ck3a"
+compartment_ocid = "ocid1.compartment.oc1..aaaaaaaam6bypzy7et2h3xepldc7mjpaqdxp6a65mkbwvhrfnvphsz35r73a"
+user_ocid = "ocid1.user.oc1..aaaaaaaapbaqbra7ms64ti76bnoupkcuce7l3yiemgvqsucqv4ghf5qfrsta"
+fingerprint = "c7:32:ba:fa:d3:59:d0:9b:84:dc:0e:a0:ca:15:0f:d0"
+private_key_path = "/Users/ozanoguz/.oci/oraclekey.pem"
+region = "eu-frankfurt-1"