diff --git a/FortiGate/Active-Passive/New-VCN/terraform/block.tf b/FortiGate/Active-Passive/New-VCN/terraform/block.tf
new file mode 100644
index 0000000..1cf9830
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/block.tf
@@ -0,0 +1,26 @@
+resource "oci_core_volume" "vm_volume-a" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain_a - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "vm_volume-a"
+ size_in_gbs = var.volume_size
+}
+
+resource "oci_core_volume_attachment" "vm_volume_attach-a" {
+ attachment_type = "paravirtualized"
+ instance_id = oci_core_instance.FortiGate-A.id
+ volume_id = oci_core_volume.vm_volume-a.id
+}
+
+
+resource "oci_core_volume" "vm_volume-b" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain_b - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "vm_volume-b"
+ size_in_gbs = var.volume_size
+}
+
+resource "oci_core_volume_attachment" "vm_volume_attach-b" {
+ attachment_type = "paravirtualized"
+ instance_id = oci_core_instance.FortiGate-B.id
+ volume_id = oci_core_volume.vm_volume-b.id
+}
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/compute-a.tf b/FortiGate/Active-Passive/New-VCN/terraform/compute-a.tf
new file mode 100644
index 0000000..62911db
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/compute-a.tf
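Review bot: Both `oci_core_volume` resources take the platform default encryption key and neither `oci_core_volume_attachment` asks for in-transit encryption; where the deployment has a customer-managed-key or in-transit requirement, add `kms_key_id = var.<kms_key_ocid>` to each volume and `is_pv_encryption_in_transit_enabled = true` to each attachment. Nothing in this change formats or uses the volumes on the FortiGate side, so a one-line comment on what the `var.volume_size` disk is for (presumably a log disk) would save the next maintainer guessing.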
@@ -0,0 +1,152 @@
+resource "oci_core_instance" "FortiGate-A" {
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain_a - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "FortiGate-A"
+ shape = var.instance_shape
+
+ // Uncomment and addapt if you are yousing newer instance types like VM.Standard.E3.Flex
+ # shape_config {
+ # memory_in_gbs = "16"
+ # ocpus = "4"
+ # }
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.mgmt_subnet.id
+ display_name = "FortiGate-A"
+ assign_public_ip = true
+ hostname_label = "vma"
+ private_ip = var.mgmt_private_ip_primary_a
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid
+
+ //for PIC image: source_id = var.vm_image_ocid
+
+ # Apply this to set the size of the boot volume that's created for this instance.
+ # Otherwise, the default boot volume size of the image is used.
+ # This should only be specified when source_type is set to "image".
+ #boot_volume_size_in_gbs = "60"
+ }
+
+ # Apply the following flag only if you wish to preserve the attached boot volume upon destroying this instance
+ # Setting this and destroying the instance will result in a boot volume that should be managed outside of this config.
+ # When changing this value, make sure to run 'terraform apply' so that it takes effect before the resource is destroyed.
+ #preserve_boot_volume = true
+
+
+ //required for metadata setup via cloud-init
+ metadata = {
+ // ssh_authorized_keys = var.ssh_public_key
+ user_data = base64encode(data.template_file.FortiGate-A_userdata.rendered)
+ }
+
+ timeouts {
+ create = "60m"
+ }
+}
+
+resource "oci_core_vnic_attachment" "vnic_attach_untrust_a" {
+ depends_on = [oci_core_instance.FortiGate-A]
+ instance_id = oci_core_instance.FortiGate-A.id
+ display_name = "vnic_untrust_a"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrust_subnet.id
+ display_name = "vnic_untrust_a"
+ assign_public_ip = false
+ skip_source_dest_check = false
+ private_ip = var.untrust_private_ip_primary_a
+ }
+}
+
+resource "oci_core_private_ip" "untrust_private_ip" {
+ #Get Primary VNIC id
+ vnic_id = element(oci_core_vnic_attachment.vnic_attach_untrust_a.*.vnic_id, 0)
+
+ #Optional
+ display_name = "untrust_ip"
+ hostname_label = "untrust"
+ ip_address = var.untrust_floating_private_ip
+}
+
+resource "oci_core_public_ip" "untrust_public_ip" {
+ #Required
+ compartment_id = var.compartment_ocid
+ lifetime = var.untrust_public_ip_lifetime
+
+ #Optional
+ display_name = "vm-untrust"
+ private_ip_id = oci_core_private_ip.untrust_private_ip.id
+}
+
+resource "oci_core_vnic_attachment" "vnic_attach_trust_a" {
+ depends_on = [oci_core_vnic_attachment.vnic_attach_untrust_a]
+ instance_id = oci_core_instance.FortiGate-A.id
+ display_name = "vnic_trust"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.trust_subnet.id
+ display_name = "vnic_trust_a"
+ assign_public_ip = false
+ skip_source_dest_check = true
+ private_ip = var.trust_private_ip_primary_a
+ }
+}
+
+resource "oci_core_private_ip" "trust_private_ip" {
+ #Get Primary VNIC id
+ vnic_id = element(oci_core_vnic_attachment.vnic_attach_trust_a.*.vnic_id, 0)
+
+ #Optional
+ display_name = "trust_ip"
+ hostname_label = "trust"
+ ip_address = var.trust_floating_private_ip
+}
+
+
+resource "oci_core_vnic_attachment" "vnic_attach_hb_a" {
+ depends_on =
[oci_core_vnic_attachment.vnic_attach_trust_a]
+ instance_id = oci_core_instance.FortiGate-A.id
+ display_name = "vnic_hb_a"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.hb_subnet.id
+ display_name = "vnic_hb_a"
+ assign_public_ip = false
+ skip_source_dest_check = false
+ private_ip = var.hb_private_ip_primary_a
+ }
+}
+
+
+data "template_file" "FortiGate-A_userdata" {
+
+ template = file(var.bootstrap_FortiGate-A)
+
+ vars = {
+ mgmt_ip = var.mgmt_private_ip_primary_a
+ mgmt_ip_mask = "255.255.255.0"
+ untrust_ip = var.untrust_private_ip_primary_a
+ untrust_ip_mask = "255.255.255.0"
+ trust_ip = var.trust_private_ip_primary_a
+ trust_ip_mask = "255.255.255.0"
+ hb_ip = var.hb_private_ip_primary_a
+ hb_ip_mask = "255.255.255.0"
+ hb_peer_ip = var.hb_private_ip_primary_b
+ untrust_floating_private_ip = var.untrust_floating_private_ip
+ untrust_floating_private_ip_mask = "255.255.255.0"
+ trust_floating_private_ip = var.trust_floating_private_ip
+ trust_floating_private_ip_mask = "255.255.255.0"
+ untrust_subnet_gw = var.untrust_subnet_gateway
+ vcn_cidr = var.vcn_cidr
+ trust_subnet_gw = var.trust_subnet_gateway
+ mgmt_subnet_gw = var.mgmt_subnet_gateway
+
+ tenancy_ocid = var.tenancy_ocid
+ //oci_user_ocid = var.oci_user_ocid
+ compartment_ocid = var.compartment_ocid
+
+ }
+}
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/compute-b.tf b/FortiGate/Active-Passive/New-VCN/terraform/compute-b.tf
new file mode 100644
index 0000000..a2c5cc4
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/compute-b.tf
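Review bot: `oci_core_instance.FortiGate-A` launches from `var.vm_image_ocid` with no dependency on `oci_core_app_catalog_subscription.mp_image_subscription` in image_subscription.tf, so on a tenancy that has not yet accepted the Marketplace terms Terraform may try to create the instance before the subscription exists; add `depends_on = [oci_core_app_catalog_subscription.mp_image_subscription]` to the instance (and to `FortiGate-B` in compute-b.tf, which has the same gap). `data "template_file" "FortiGate-A_userdata"` pulls in the archived hashicorp/template provider for what the built-in function does: `user_data = base64encode(templatefile(var.bootstrap_FortiGate-A, { ... }))` with the same vars map lets the data source and the `template` entry in provider.tf go. The management VNIC has `assign_public_ip = true` while `ssh_authorized_keys` is commented out, so no key is injected through metadata; a comment stating how first admin login is expected to happen would help, given that network.tf opens 22/80/443 on that subnet to `0.0.0.0/0`.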
@@ -0,0 +1,123 @@
+resource "oci_core_instance" "FortiGate-B" {
+ depends_on = [oci_core_subnet.hb_subnet]
+ availability_domain = lookup(data.oci_identity_availability_domains.ads.availability_domains[var.availability_domain_b - 1], "name")
+ compartment_id = var.compartment_ocid
+ display_name = "FortiGate-B"
+ shape = var.instance_shape
+ // Uncomment and addapt if you are yousing newer instance types like VM.Standard.E3.Flex
+ # shape_config {
+ # memory_in_gbs = "16"
+ # ocpus = "4"
+ # }
+
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.mgmt_subnet.id
+ display_name = "FortiGate-B"
+ assign_public_ip = true
+ hostname_label = "vmb"
+ private_ip = var.mgmt_private_ip_primary_b
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid
+
+ //for PIC image: source_id = var.vm_image_ocid
+
+ # Apply this to set the size of the boot volume that's created for this instance.
+ # Otherwise, the default boot volume size of the image is used.
+ # This should only be specified when source_type is set to "image".
+ #boot_volume_size_in_gbs = "60"
+ }
+
+ # Apply the following flag only if you wish to preserve the attached boot volume upon destroying this instance
+ # Setting this and destroying the instance will result in a boot volume that should be managed outside of this config.
+ # When changing this value, make sure to run 'terraform apply' so that it takes effect before the resource is destroyed.
+ #preserve_boot_volume = true
+
+
+ //required for metadata setup via cloud-init
+ metadata = {
+ // ssh_authorized_keys = var.ssh_public_key
+ user_data = base64encode(data.template_file.FortiGate-B_userdata.rendered)
+ }
+
+ timeouts {
+ create = "60m"
+ }
+}
+
+resource "oci_core_vnic_attachment" "vnic_attach_untrust_b" {
+ depends_on = [oci_core_instance.FortiGate-B]
+ instance_id = oci_core_instance.FortiGate-B.id
+ display_name = "vnic_untrust_b"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrust_subnet.id
+ display_name = "vnic_untrust_b"
+ assign_public_ip = false
+ skip_source_dest_check = false
+ private_ip = var.untrust_private_ip_primary_b
+ }
+}
+
+
+resource "oci_core_vnic_attachment" "vnic_attach_trust_b" {
+ depends_on = [oci_core_vnic_attachment.vnic_attach_untrust_b]
+ instance_id = oci_core_instance.FortiGate-B.id
+ display_name = "vnic_trust"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.trust_subnet.id
+ display_name = "vnic_trust_b"
+ assign_public_ip = false
+ skip_source_dest_check = true
+ private_ip = var.trust_private_ip_primary_b
+ }
+}
+
+
+resource "oci_core_vnic_attachment" "vnic_attach_hb_b" {
+ depends_on = [oci_core_vnic_attachment.vnic_attach_trust_b]
+ instance_id = oci_core_instance.FortiGate-B.id
+ display_name = "vnic_hb_b"
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.hb_subnet.id
+ display_name = "vnic_hb_b"
+ assign_public_ip = false
+ skip_source_dest_check = false
+ private_ip = var.hb_private_ip_primary_b
+ }
+}
+
+
+data "template_file" "FortiGate-B_userdata" {
+ template = file(var.bootstrap_FortiGate-B)
+
+ vars = {
+ mgmt_ip = var.mgmt_private_ip_primary_b
+ mgmt_ip_mask = "255.255.255.0"
+ untrust_ip = var.untrust_private_ip_primary_b
+ untrust_ip_mask = "255.255.255.0"
+ trust_ip = var.trust_private_ip_primary_b
+ trust_ip_mask = "255.255.255.0"
+ hb_ip = var.hb_private_ip_primary_b
+ hb_ip_mask = "255.255.255.0"
+ hb_peer_ip = var.hb_private_ip_primary_a
+
untrust_floating_private_ip = var.untrust_floating_private_ip
+ untrust_floating_private_ip_mask = "255.255.255.0"
+ trust_floating_private_ip = var.trust_floating_private_ip
+ trust_floating_private_ip_mask = "255.255.255.0"
+ untrust_subnet_gw = var.untrust_subnet_gateway
+ vcn_cidr = var.vcn_cidr
+ trust_subnet_gw = var.trust_subnet_gateway
+ mgmt_subnet_gw = var.mgmt_subnet_gateway
+
+ tenancy_ocid = var.tenancy_ocid
+ //oci_user_ocid = var.oci_user_ocid
+ compartment_ocid = var.compartment_ocid
+
+ }
+}
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/datasources.tf b/FortiGate/Active-Passive/New-VCN/terraform/datasources.tf
new file mode 100644
index 0000000..6a7d366
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/datasources.tf
@@ -0,0 +1,20 @@
+# Gets a list of Availability Domains
+
+data "oci_identity_availability_domains" "ads" {
+ compartment_id = var.tenancy_ocid
+}
+
+# Gets the boot volume attachments for each instance
+data "oci_core_boot_volume_attachments" "block_attach-a" {
+ depends_on = [oci_core_instance.FortiGate-A]
+ availability_domain = oci_core_instance.FortiGate-A.availability_domain
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.FortiGate-A.id
+}
+
+data "oci_core_boot_volume_attachments" "block_attach-b" {
+ depends_on = [oci_core_instance.FortiGate-B]
+ availability_domain = oci_core_instance.FortiGate-B.availability_domain
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.FortiGate-B.id
+}
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/image_subscription.tf b/FortiGate/Active-Passive/New-VCN/terraform/image_subscription.tf
new file mode 100644
index 0000000..cc205b1
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/image_subscription.tf
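Review bot: `data "oci_core_boot_volume_attachments" "block_attach-a"` and `"block_attach-b"` are not referenced by any resource or output in this change, and their `depends_on` on the instances defers the read to apply time whenever the instances have pending changes; either drop them or add a comment naming their consumer. `data "oci_identity_availability_domains" "ads"` is indexed with `var.availability_domain_a - 1` in block.tf and compute-a.tf/compute-b.tf, so a one-line comment here that the `availability_domain_*` variables are 1-based would spare a reader the cross-file lookup.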
@@ -0,0 +1,38 @@
+//Local variables pointing to the Marketplace catalog resource
+locals {
+ mp_listing_id = var.mp_listing_id
+ mp_listing_resource_id = var.vm_image_ocid
+ mp_listing_resource_version = var.mp_listing_resource_version
+}
+
+//Get Image Agreement
+resource "oci_core_app_catalog_listing_resource_version_agreement" "mp_image_agreement" {
+ listing_id = local.mp_listing_id
+ listing_resource_version = local.mp_listing_resource_version
+}
+
+//Accept Terms and Subscribe to the image, placing the image in a particular compartment
+resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
+ compartment_id = var.compartment_ocid
+ eula_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.eula_link
+ listing_id = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_id
+ listing_resource_version = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_resource_version
+ oracle_terms_of_use_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.oracle_terms_of_use_link
+ signature = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.signature
+ time_retrieved = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.time_retrieved
+
+ timeouts {
+ create = "30m"
+ }
+}
+
+// Gets the partner image subscription
+data "oci_core_app_catalog_subscriptions" "mp_image_subscription" {
+ #Required
+ compartment_id = var.compartment_ocid
+ listing_id = local.mp_listing_id
+ filter {
+ name = "listing_resource_version"
+ values = ["${local.mp_listing_resource_version}"]
+ }
+}
\ No newline at end of file
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/network.tf b/FortiGate/Active-Passive/New-VCN/terraform/network.tf
new file mode 100644
index 0000000..c293998
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/network.tf
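Review bot: `values = ["${local.mp_listing_resource_version}"]` is the pre-0.12 interpolation form; with `required_version = ">=1.0"` in provider.tf it should be `values = [local.mp_listing_resource_version]`, which is also what `terraform fmt` produces. `data "oci_core_app_catalog_subscriptions" "mp_image_subscription"` is not read by anything in this change, and `local.mp_listing_resource_id` is assigned but never used, so either remove them or add a comment saying what they are kept for.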
@@ -0,0 +1,259 @@
+resource "oci_core_virtual_network" "my_vcn" {
+ cidr_block = var.vcn_cidr
+ compartment_id = var.compartment_ocid
+ display_name = "my-vcn"
+ dns_label = "myvcn"
+}
+
+//if you want to point to an existing vcn, use data source
+// data "oci_core_virtual_networks" "my_vcn" {
+// compartment_id = var.compartment_ocid
+// }
+
+resource "oci_core_internet_gateway" "igw" {
+ compartment_id = var.compartment_ocid
+ display_name = "igw"
+ vcn_id = oci_core_virtual_network.my_vcn.id
+}
+
+####################################
+## MANAGEMENT NETWORK SETTINGS ##
+###################################
+
+resource "oci_core_route_table" "mgmt_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "mgmt-rt"
+
+ route_rules {
+ destination = "0.0.0.0/0"
+ network_entity_id = oci_core_internet_gateway.igw.id
+ }
+}
+
+resource "oci_core_subnet" "mgmt_subnet" {
+ cidr_block = var.mgmt_subnet_cidr
+ display_name = "management"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ route_table_id = oci_core_route_table.mgmt_routetable.id
+ security_list_ids = [oci_core_virtual_network.my_vcn.default_security_list_id, oci_core_security_list.mgmt_security_list.id]
+ dhcp_options_id = oci_core_virtual_network.my_vcn.default_dhcp_options_id
+ dns_label = "mgmt"
+}
+
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "mgmt_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "mgmt-security-list"
+
+ // allow outbound tcp traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "6" //tcp
+ }
+
+ // allow inbound http (port 80) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ // allow inbound http (port 443) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 443
+ max = 443
+ }
+ }
+
+ // allow inbound traffic to port 5901 (vnc)
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 5901
+ max = 5901
+ }
+ }
+
+ // allow inbound ssh traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 22
+ max = 22
+ }
+ }
+
+ // allow inbound icmp traffic of a specific type
+ ingress_security_rules {
+ protocol = 1
+ source = "0.0.0.0/0"
+ stateless = false
+
+ icmp_options {
+ type = 3
+ code = 4
+ }
+ }
+}
+
+###############################
+## TRUST NETWORK SETTINGS ##
+###############################
+
+resource "oci_core_subnet" "trust_subnet" {
+ cidr_block = var.trust_subnet_cidr
+ display_name = "trust"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ route_table_id = oci_core_route_table.trust_routetable.id
+ security_list_ids = [oci_core_virtual_network.my_vcn.default_security_list_id, oci_core_security_list.trust_security_list.id]
+ dhcp_options_id = oci_core_virtual_network.my_vcn.default_dhcp_options_id
+ dns_label = "trust"
+ prohibit_public_ip_on_vnic = "true"
+}
+
+resource "oci_core_route_table" "trust_routetable" {
+
compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "trust-routetable"
+}
+
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "trust_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "trust-security-list"
+
+
+ // allow outbound traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ stateless = false
+ }
+
+ // allow inbound traffic on all ports from network
+ ingress_security_rules {
+ protocol = "all"
+ source = var.vcn_cidr
+ stateless = false
+ }
+}
+
+###############################
+## UNTRUST NETWORK SETTINGS ##
+###############################
+
+# outbound traffic flows via untrust vnic
+resource "oci_core_route_table" "untrust_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "untrust-routetable"
+
+ route_rules {
+ destination = "0.0.0.0/0"
+ network_entity_id = oci_core_internet_gateway.igw.id
+ }
+}
+
+resource "oci_core_subnet" "untrust_subnet" {
+ cidr_block = var.untrust_subnet_cidr
+ display_name = "untrust"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ route_table_id = oci_core_route_table.untrust_routetable.id
+ security_list_ids = [oci_core_virtual_network.my_vcn.default_security_list_id, oci_core_security_list.untrust-security_list.id]
+ dhcp_options_id = oci_core_virtual_network.my_vcn.default_dhcp_options_id
+ dns_label = "untrust"
+}
+
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "untrust-security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "untrust-security-list"
+
+
+ // allow outbound traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "all"
+ stateless = false
+ }
+
+ // allow inbound traffic on all ports from network
+ ingress_security_rules {
+ protocol = "all"
+ source = "0.0.0.0/0"
+ stateless = false
+ }
+}
+
+
+
+###############################
+## HB NETWORK SETTINGS ##
+###############################
+
+resource "oci_core_subnet" "hb_subnet" {
+ cidr_block = var.hb_subnet_cidr
+ display_name = "hb"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ route_table_id = oci_core_route_table.hb_routetable.id
+ security_list_ids = [oci_core_virtual_network.my_vcn.default_security_list_id, oci_core_security_list.hb_security_list.id]
+ dhcp_options_id = oci_core_virtual_network.my_vcn.default_dhcp_options_id
+ dns_label = "hb"
+ prohibit_public_ip_on_vnic = "true"
+}
+
+resource "oci_core_route_table" "hb_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "hb-routetable"
+}
+
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "hb_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "hb-security-list"
+
+ // allow outbound traffic on all ports within subnet
+ egress_security_rules {
+ destination = var.hb_subnet_cidr
+ protocol = "all"
+ stateless = false
+ }
+
+ // allow inbound traffic on all ports within subnet
+ ingress_security_rules {
+ protocol = "all"
+ source = var.hb_subnet_cidr
+ stateless = false
+ }
+
+}
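Review bot: `mgmt_security_list` admits TCP 22, 80, 443 and 5901 from `0.0.0.0/0`, and the mgmt VNICs in compute-a.tf/compute-b.tf are created with public IPs, so the FortiGate admin plane is reachable from the whole Internet as soon as the stack is applied; source-restrict those rules with something like `variable "mgmt_allowed_cidr"` and `source = var.mgmt_allowed_cidr`, drop the 5901 rule (nothing in the FortiGate bootstrap listens there; it looks carried over from a generic compute template), and drop 80 together with `http` in the templates' `allowaccess`. `mgmt_subnet`, `trust_subnet`, `untrust_subnet` and `hb_subnet` all attach `default_security_list_id` as well; a new VCN's default list ships with its own port-22-from-anywhere ingress, so tightening only the custom list is not enough — either leave the default list out of `security_list_ids` or manage it with `oci_core_default_security_list`. The all-protocols-from-`0.0.0.0/0` ingress in `untrust-security_list` is the expected shape for a firewall's outside leg since the FortiGate does the filtering, but a comment saying so would stop the next reviewer from "fixing" it. The comment `// allow inbound http (port 443) traffic` should read https.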
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/output.tf b/FortiGate/Active-Passive/New-VCN/terraform/output.tf
new file mode 100644
index 0000000..89e9a87
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/output.tf
@@ -0,0 +1,17 @@
+# Output the private and public IPs of the instance
+
+output "Mgmt-FortiGate-A-PublicIP" {
+ value = [oci_core_instance.FortiGate-A.*.public_ip]
+}
+
+output "FortiGate-A-ID" {
+ value = [oci_core_instance.FortiGate-A.id]
+}
+
+output "Mgmt-FortiGate-B-PublicIP" {
+ value = [oci_core_instance.FortiGate-B.*.public_ip]
+}
+
+output "FortiGate-B-ID" {
+ value = [oci_core_instance.FortiGate-B.id]
+}
\ No newline at end of file
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/provider.tf b/FortiGate/Active-Passive/New-VCN/terraform/provider.tf
new file mode 100644
index 0000000..9b7ef59
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/provider.tf
@@ -0,0 +1,18 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
+
+terraform {
+ required_version = ">=1.0"
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">=5.17.0"
+ }
+ template = ">=2.2.0"
+ }
+}
\ No newline at end of file
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-A.tpl b/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-A.tpl
new file mode 100644
index 0000000..6230cb2
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-A.tpl
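Review bot: `template = ">=2.2.0"` in `required_providers` is the legacy shorthand with no `source`, so Terraform resolves it to hashicorp/template, which is archived upstream; its only consumer is `data "template_file"` in compute-a.tf/compute-b.tf, which the built-in `templatefile()` replaces, after which this entry can be deleted. If it has to stay, write it explicitly as `template = { source = "hashicorp/template", version = ">=2.2.0" }` so the provider origin is pinned like `oci` is. `provider "oci"` authenticates with `var.user_ocid`, `var.fingerprint` and `var.private_key_path`, which default to `""` in variables.tf; a comment on which OCI auth method is expected when those are left empty would save a confusing first `terraform plan`.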
@@ -0,0 +1,106 @@
+Content-Type: multipart/mixed; boundary="==OCI=="
+MIME-Version: 1.0
+
+--==OCI==
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+
+config system global
+ set hostname "FortiGate-A"
+ set admintimeout 60
+end
+
+config system interface
+ edit port1
+ set ip ${mgmt_ip} ${mgmt_ip_mask}
+ set allowaccess ping https ssh http fgfm
+ set type physical
+ set alias mgmt
+ set description "mgmt"
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+config system interface
+ edit port2
+ set mode static
+ set vdom "root"
+ set ip ${untrust_floating_private_ip} ${untrust_floating_private_ip_mask}
+ set type physical
+ set description "Untrust"
+ set alias untrust
+ set mtu-override enable
+ set mtu 9000
+ set secondary-IP enable
+ next
+end
+config system interface
+ edit port3
+ set mode static
+ set vdom "root"
+ set ip ${trust_floating_private_ip} ${trust_floating_private_ip_mask}
+ set type physical
+ set description "Trust"
+ set alias trust
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+config system interface
+ edit port4
+ set mode static
+ set ip ${hb_ip} ${hb_ip_mask}
+ set allowaccess ping https ssh http fgfm
+ set type physical
+ set description "HA"
+ set alias hb
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+
+config system ha
+ set group-id 30
+ set group-name "ha-cluster"
+ set mode a-p
+ set hbdev "port4" 50
+ set session-pickup enable
+ set session-pickup-connectionless enable
+ set ha-mgmt-status enable
+ config ha-mgmt-interfaces
+ edit 1
+ set interface "port1"
+ set gateway ${mgmt_subnet_gw}
+ next
+ end
+ set override disable
+ set priority 200
+ set unicast-hb enable
+ set unicast-hb-peerip ${hb_peer_ip}
+end
+config system sdn-connector
+ edit "oci-sdn"
+ set type oci
+ set ha-status enable
+ set tenant-id ${tenancy_ocid}
+ set compartment-id ${compartment_ocid}
+ next
+end
+config router static
+ edit 1
+ set gateway ${untrust_subnet_gw}
+ set device port2
+ next
+ edit 2
+ set dst
${vcn_cidr}
+ set gateway ${trust_subnet_gw}
+ set device port3
+ next
+end
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+--==OCI==--
+
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-B.tpl b/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-B.tpl
new file mode 100644
index 0000000..b1a98de
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/userdata/bootstrap_FortiGate-B.tpl
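Review bot: `set allowaccess ping https ssh http fgfm` on port1 leaves a cleartext HTTP admin listener beside HTTPS, and the identical line on port4 puts the admin services on the HA heartbeat link, which only has to carry heartbeat traffic; `set allowaccess ping https ssh fgfm` on port1 and `set allowaccess ping` (or no allowaccess) on port4 keeps the admin surface to the mgmt interface the security list in network.tf is written for. The same two lines appear in bootstrap_FortiGate-B.tpl. `config system sdn-connector` sets `type oci` and `ha-status enable` with no user credentials, so the failover IP move presumably relies on the instances' own IAM identity; the dynamic group and policy granting the two FortiGate instances rights in `${compartment_ocid}` are not part of this change and should at least be named in a comment here, otherwise the first real failover is where the missing permission shows up. bootstrap_FortiGate-B.tpl has no `config router static` section while this file does; if that is intentional because HA sync pushes the routes, a comment in both templates would make that explicit.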
@@ -0,0 +1,95 @@
+Content-Type: multipart/mixed; boundary="==OCI=="
+MIME-Version: 1.0
+
+--==OCI==
+Content-Type: text/x-shellscript; charset="us-ascii"
+MIME-Version: 1.0
+
+config system global
+ set hostname "FortiGate-B"
+ set admintimeout 60
+end
+
+config system interface
+ edit port1
+ set ip ${mgmt_ip} ${mgmt_ip_mask}
+ set allowaccess ping https ssh http fgfm
+ set type physical
+ set alias mgmt
+ set description "mgmt"
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+config system interface
+ edit port2
+ set mode static
+ set vdom "root"
+ set ip ${untrust_floating_private_ip} ${untrust_floating_private_ip_mask}
+ set type physical
+ set description "Untrust"
+ set alias untrust
+ set mtu-override enable
+ set mtu 9000
+ set secondary-IP enable
+ next
+end
+config system interface
+ edit port3
+ set mode static
+ set vdom "root"
+ set ip ${trust_floating_private_ip} ${trust_floating_private_ip_mask}
+ set type physical
+ set description "Trust"
+ set alias trust
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+config system interface
+ edit port4
+ set mode static
+ set ip ${hb_ip} ${hb_ip_mask}
+ set allowaccess ping https ssh http fgfm
+ set type physical
+ set description "HA"
+ set alias hb
+ set mtu-override enable
+ set mtu 9000
+ next
+end
+
+config system ha
+ set group-id 30
+ set group-name "ha-cluster"
+ set mode a-p
+ set hbdev "port4" 50
+ set session-pickup enable
+ set session-pickup-connectionless enable
+ set ha-mgmt-status enable
+ config ha-mgmt-interfaces
+ edit 1
+ set interface "port1"
+ set gateway ${mgmt_subnet_gw}
+ next
+ end
+ set override disable
+ set priority 100
+ set unicast-hb enable
+ set unicast-hb-peerip ${hb_peer_ip}
+end
+config system sdn-connector
+ edit "oci-sdn"
+ set type oci
+ set ha-status enable
+ set tenant-id ${tenancy_ocid}
+ set compartment-id ${compartment_ocid}
+ next
+end
+
+--==OCI==
+Content-Type: text/plain; charset="us-ascii"
+MIME-Version: 1.0
+Content-Transfer-Encoding: 7bit
+
+--==OCI==--
\ No newline at end of file
diff --git a/FortiGate/Active-Passive/New-VCN/terraform/variables.tf b/FortiGate/Active-Passive/New-VCN/terraform/variables.tf
new file mode 100644
index 0000000..265abc4
--- /dev/null
+++ b/FortiGate/Active-Passive/New-VCN/terraform/variables.tf
@@ -0,0 +1,141 @@
+variable "tenancy_ocid" {}
+variable "compartment_ocid" {}
+variable "user_ocid" {
+ default = ""
+}
+variable "private_key_path" {
+ default = ""
+}
+variable "fingerprint" {
+ default = ""
+}
+variable "region" {
+ description = "Oracle Cloud region"
+}
+
+##VCN and SUBNET ADDRESSESS
+variable "vcn_cidr" {
+ default = "10.1.0.0/16"
+}
+
+variable "mgmt_subnet_cidr" {
+ default = "10.1.1.0/24"
+}
+
+variable "mgmt_subnet_gateway" {
+ default = "10.1.1.1"
+}
+
+
+variable "untrust_subnet_cidr" {
+ default = "10.1.10.0/24"
+}
+
+variable "untrust_subnet_gateway" {
+ default = "10.1.10.1"
+}
+
+variable "untrust_public_ip_lifetime" {
+ default = "RESERVED"
+ //or EPHEMERAL
+}
+
+variable "trust_subnet_cidr" {
+ default = "10.1.100.0/24"
+}
+
+variable "trust_subnet_gateway" {
+ default = "10.1.100.1"
+}
+
+variable "hb_subnet_cidr" {
+ default = "10.1.200.0/24"
+}
+
+#FIREWALL IPs
+
+#FLOATING/FAILOVER
+variable "untrust_floating_private_ip" {
+ default = "10.1.10.10"
+}
+
+variable "trust_floating_private_ip" {
+ default = "10.1.100.10"
+}
+
+
+#ACTIVE NODE
+variable "mgmt_private_ip_primary_a" {
+ default = "10.1.1.2"
+}
+
+variable "untrust_private_ip_primary_a" {
+ default = "10.1.10.2"
+}
+
+variable "trust_private_ip_primary_a" {
+ default = "10.1.100.2"
+}
+
+variable "hb_private_ip_primary_a" {
+ default = "10.1.200.2"
+}
+
+#PASSIVE NODE
+variable "mgmt_private_ip_primary_b" {
+ default = "10.1.1.20"
+}
+
+variable "untrust_private_ip_primary_b" {
+ default = "10.1.10.20"
+}
+
+variable "trust_private_ip_primary_b" {
+ default = "10.1.100.20"
+}
+
+variable "hb_private_ip_primary_b" {
+ default = "10.1.200.20"
+}
+
+variable "vm_image_ocid" {
+ default = "ocid1.image.oc1..aaaaaaaaukblxqsqei3fkhz22rtitean3rgs6wk6mujyxd57ilvpghi5q6ea"
+ //FortiOS 7.4.1
+}
+
+variable "mp_listing_id" {
+ default = "ocid1.appcataloglisting.oc1..aaaaaaaabepjdf2sw2jkr77a7zrbog7ukzxepoexzgkoyvbw2j2jn7l4y7lq"
+ //PAYG
+}
+
+// Version
+variable
"mp_listing_resource_version" { + default = "7.4.1_(_X64_)" +} + +variable "instance_shape" { + default = "VM.Standard2.4" +} + +# Choose an Availability Domain (1,2,3) +variable "availability_domain_a" { + type = string + default = "1" +} + +variable "availability_domain_b" { + type = string + default = "2" +} + +variable "volume_size" { + default = "50" //GB +} + +variable "bootstrap_FortiGate-B" { + default = "./userdata/bootstrap_FortiGate-B.tpl" +} + +variable "bootstrap_FortiGate-A" { + default = "./userdata/bootstrap_FortiGate-A.tpl" +}