diff --git a/FortiManager/New-VCN/BYOL/terraform/block.tf b/FortiManager/New-VCN/BYOL/terraform/block.tf
new file mode 100644
index 0000000..670fa7e
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/block.tf
@@ -0,0 +1,12 @@
+resource "oci_core_volume" "vm_volume" {
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ display_name = "vm_volume"
+ size_in_gbs = var.volume_size
+}
+
+resource "oci_core_volume_attachment" "vm_volume_attach" {
+ attachment_type = "paravirtualized"
+ instance_id = oci_core_instance.FortiManager.id
+ volume_id = oci_core_volume.vm_volume.id
+}
\ No newline at end of file
diff --git a/FortiManager/New-VCN/BYOL/terraform/compute.tf b/FortiManager/New-VCN/BYOL/terraform/compute.tf
new file mode 100644
index 0000000..86148a6
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/compute.tf
@@ -0,0 +1,34 @@
+resource "oci_core_instance" "FortiManager" {
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ display_name = "FortiManager"
+ shape = var.instance_shape
+
+ // Uncomment and addapt if you are yousing newer instance types like VM.Standard.E3.Flex
+ # shape_config {
+ # memory_in_gbs = "16"
+ # ocpus = "4"
+ # }
+
+ create_vnic_details {
+ subnet_id = oci_core_subnet.untrust_subnet.id
+ display_name = "FortiManager"
+ assign_public_ip = true
+ hostname_label = "vma"
+ private_ip = var.untrust_private_ip
+ }
+
+ source_details {
+ source_type = "image"
+ source_id = var.vm_image_ocid
+ }
+
+ # Apply the following flag only if you wish to preserve the attached boot volume upon destroying this instance
+ # Setting this and destroying the instance will result in a boot volume that should be managed outside of this config.
+ # When changing this value, make sure to run 'terraform apply' so that it takes effect before the resource is destroyed.
+ #preserve_boot_volume = true
+
+ timeouts {
+ create = "60m"
+ }
+}
\ No newline at end of file
diff --git a/FortiManager/New-VCN/BYOL/terraform/datasources.tf b/FortiManager/New-VCN/BYOL/terraform/datasources.tf
new file mode 100644
index 0000000..52be3ff
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/datasources.tf
@@ -0,0 +1,13 @@
+# Gets a list of Availability Domains
+data "oci_identity_availability_domain" "ad" {
+ compartment_id = var.tenancy_ocid
+ ad_number = var.availability_domain
+}
+
+# Gets the boot volume attachments for each instance
+data "oci_core_boot_volume_attachments" "block_attach" {
+ depends_on = [oci_core_instance.FortiManager]
+ availability_domain = data.oci_identity_availability_domain.ad.name
+ compartment_id = var.compartment_ocid
+ instance_id = oci_core_instance.FortiManager.id
+}
\ No newline at end of file
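Review bot: `source_id = var.vm_image_ocid` launches the instance from the Marketplace image with no `depends_on` on `oci_core_app_catalog_subscription.mp_image_subscription`, so in a tenancy where the listing has not yet been accepted Terraform may attempt the launch before the subscription exists and fail; adding `depends_on = [oci_core_app_catalog_subscription.mp_image_subscription]` to the resource removes that ordering gap. `assign_public_ip = true` places the management interface directly on the internet with an ephemeral address, and the security list in network.tf opens the management ports to `0.0.0.0/0`; if that is the intended quick-start posture, a one-line comment next to `assign_public_ip` saying so (and that operators are expected to narrow the security list) would make the exposure explicit. The comment `// Uncomment and addapt if you are yousing newer instance types ...` has two typos (`adapt`, `using`).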
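Review bot: `data "oci_core_boot_volume_attachments" "block_attach"` is not referenced by any resource or output in this diff, so it adds an API call on every plan with no consumer; either drop it or document what is meant to read it. Its comment `# Gets the boot volume attachments for each instance` describes a multi-instance lookup, but the query is scoped to the single `oci_core_instance.FortiManager`, so `# Boot volume attachments of the FortiManager instance` would match the code.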
diff --git a/FortiManager/New-VCN/BYOL/terraform/image_subscription.tf b/FortiManager/New-VCN/BYOL/terraform/image_subscription.tf
new file mode 100644
index 0000000..cc205b1
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/image_subscription.tf
@@ -0,0 +1,38 @@
+//Local variables pointing to the Marketplace catalog resource
+locals {
+ mp_listing_id = var.mp_listing_id
+ mp_listing_resource_id = var.vm_image_ocid
+ mp_listing_resource_version = var.mp_listing_resource_version
+}
+
+//Get Image Agreement
+resource "oci_core_app_catalog_listing_resource_version_agreement" "mp_image_agreement" {
+ listing_id = local.mp_listing_id
+ listing_resource_version = local.mp_listing_resource_version
+}
+
+//Accept Terms and Subscribe to the image, placing the image in a particular compartment
+resource "oci_core_app_catalog_subscription" "mp_image_subscription" {
+ compartment_id = var.compartment_ocid
+ eula_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.eula_link
+ listing_id = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_id
+ listing_resource_version = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.listing_resource_version
+ oracle_terms_of_use_link = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.oracle_terms_of_use_link
+ signature = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.signature
+ time_retrieved = oci_core_app_catalog_listing_resource_version_agreement.mp_image_agreement.time_retrieved
+
+ timeouts {
+ create = "30m"
+ }
+}
+
+// Gets the partner image subscription
+data "oci_core_app_catalog_subscriptions" "mp_image_subscription" {
+ #Required
+ compartment_id = var.compartment_ocid
+ listing_id = local.mp_listing_id
+ filter {
+ name = "listing_resource_version"
+ values = ["${local.mp_listing_resource_version}"]
+ }
+}
\ No newline at end of file
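Review bot: `values = ["${local.mp_listing_resource_version}"]` wraps a bare reference in an interpolation-only string, which Terraform 0.12+ reports as deprecated; `values = [local.mp_listing_resource_version]` is the direct form. The local `mp_listing_resource_id` is defined but never read, and the result of `data "oci_core_app_catalog_subscriptions" "mp_image_subscription"` is not consumed by any resource in the diff, so the lookup has no effect on ordering or validation. If the intent is to guarantee the image is subscribed before the instance launches, that has to be expressed on the instance resource, which is outside this hunk.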
diff --git a/FortiManager/New-VCN/BYOL/terraform/network.tf b/FortiManager/New-VCN/BYOL/terraform/network.tf
new file mode 100644
index 0000000..a7a3b65
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/network.tf
@@ -0,0 +1,116 @@
+#######################################
+# VCN & IGW SETTINGS #
+#######################################
+// VCN CIDR config
+resource "oci_core_virtual_network" "my_vcn" {
+ cidr_block = var.vcn_cidr
+ compartment_id = var.compartment_ocid
+ display_name = "my-vcn"
+ dns_label = "myvcn"
+}
+// Internet Gateway config
+resource "oci_core_internet_gateway" "igw" {
+ compartment_id = var.compartment_ocid
+ display_name = "igw"
+ vcn_id = oci_core_virtual_network.my_vcn.id
+}
+#######################################
+# UNTRUST NETWORK SETTINGS #
+#######################################
+// Untrust Route Table
+resource "oci_core_route_table" "untrust_routetable" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "untrust-rt"
+
+ route_rules {
+ destination = "0.0.0.0/0"
+ network_entity_id = oci_core_internet_gateway.igw.id
+ }
+}
+// Untrust Subnet
+resource "oci_core_subnet" "untrust_subnet" {
+ cidr_block = var.untrust_subnet_cidr
+ display_name = "untrust"
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ route_table_id = oci_core_route_table.untrust_routetable.id
+ security_list_ids = [oci_core_virtual_network.my_vcn.default_security_list_id, oci_core_security_list.untrust_security_list.id]
+ dhcp_options_id = oci_core_virtual_network.my_vcn.default_dhcp_options_id
+ dns_label = "mgmt"
+}
+
+// Untrust Security List
+# Protocols are specified as protocol numbers.
+# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
+resource "oci_core_security_list" "untrust_security_list" {
+ compartment_id = var.compartment_ocid
+ vcn_id = oci_core_virtual_network.my_vcn.id
+ display_name = "untrust-security-list"
+
+ // allow outbound tcp traffic on all ports
+ egress_security_rules {
+ destination = "0.0.0.0/0"
+ protocol = "6" //tcp
+ }
+
+ // allow inbound http (port 80) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 80
+ max = 80
+ }
+ }
+
+ // allow inbound http (port 443) traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 443
+ max = 443
+ }
+ }
+
+ // allow inbound traffic to port 5901 (vnc)
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 5901
+ max = 5901
+ }
+ }
+
+ // allow inbound ssh traffic
+ ingress_security_rules {
+ protocol = "6" // tcp
+ source = "0.0.0.0/0"
+ stateless = false
+
+ tcp_options {
+ min = 22
+ max = 22
+ }
+ }
+
+ // allow inbound icmp traffic of a specific type
+ ingress_security_rules {
+ protocol = 1
+ source = "0.0.0.0/0"
+ stateless = false
+
+ icmp_options {
+ type = 3
+ code = 4
+ }
+ }
+}
\ No newline at end of file
diff --git a/FortiManager/New-VCN/BYOL/terraform/output.tf b/FortiManager/New-VCN/BYOL/terraform/output.tf
new file mode 100644
index 0000000..df53abf
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/output.tf
@@ -0,0 +1,9 @@
+# Output the private and public IPs of the instance
+
+output "Mgmt-FortiManager-PublicIP" {
+ value = [oci_core_instance.FortiManager.*.public_ip]
+}
+
+output "FortiManager-ID" {
+ value = [oci_core_instance.FortiManager.id]
+}
\ No newline at end of file
diff --git a/FortiManager/New-VCN/BYOL/terraform/provider.tf b/FortiManager/New-VCN/BYOL/terraform/provider.tf
new file mode 100644
index 0000000..c6c6ba2
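Review bot: The untrust security list admits TCP 22, 80, 443 and 5901 from `0.0.0.0/0`, and compute.tf attaches the FortiManager management VNIC to this subnet with a public IP, so every administrative port of the appliance is reachable from the entire internet as soon as the apply completes. Replace `source = "0.0.0.0/0"` in the four TCP ingress rules with a variable such as `source = var.admin_cidr` (declared in variables.tf without a permissive default) so the operator must name the management networks allowed in; the port 80 and VNC rules are worth dropping outright unless something documented needs them. The subnet also attaches `default_security_list_id` alongside this list, so the effective rule set is the union of both and the VCN default list's rules need reviewing together with these. The egress rule permits only protocol 6, so UDP-based DNS and NTP from the appliance depend on the default list allowing them — worth confirming rather than assuming. Two smaller points: the comment `// allow inbound http (port 443) traffic` should say https, and `protocol = 1` on the ICMP rule is unquoted while every other rule uses `"6"`, so `protocol = "1"` keeps the style uniform.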
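Review bot: `value = [oci_core_instance.FortiManager.*.public_ip]` applies a full splat to a single (non-count) resource and then wraps it in another list, so the output is a nested list of the form `[["a.b.c.d"]]` rather than the address itself; `value = oci_core_instance.FortiManager.public_ip` yields the string directly, and `FortiManager-ID` carries the same needless list wrapper. The header comment promises private and public IPs but only the public IP is emitted; either add an output for `oci_core_instance.FortiManager.private_ip` or reword the comment to `# Output the public IP and OCID of the instance`.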
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/provider.tf
@@ -0,0 +1,18 @@
+provider "oci" {
+ tenancy_ocid = var.tenancy_ocid
+ user_ocid = var.user_ocid
+ fingerprint = var.fingerprint
+ private_key_path = var.private_key_path
+ region = var.region
+}
+
+terraform {
+ required_version = ">=1.0"
+ required_providers {
+ oci = {
+ source = "oracle/oci"
+ version = ">=3.69.0"
+ }
+ template = ">=2.1.2"
+ }
+}
\ No newline at end of file
diff --git a/FortiManager/New-VCN/BYOL/terraform/variables.tf b/FortiManager/New-VCN/BYOL/terraform/variables.tf
new file mode 100644
index 0000000..6579494
--- /dev/null
+++ b/FortiManager/New-VCN/BYOL/terraform/variables.tf
@@ -0,0 +1,67 @@
+variable "tenancy_ocid" {}
+variable "compartment_ocid" {}
+variable "user_ocid" {
+ default = ""
+}
+variable "private_key_path" {
+ default = ""
+}
+variable "fingerprint" {
+ default = ""
+}
+variable "region" {
+ description = "Oracle Cloud region"
+}
+
+##VCN and SUBNET ADDRESSESS
+variable "vcn_cidr" {
+ default = "10.1.0.0/16"
+}
+
+variable "untrust_subnet_cidr" {
+ default = "10.1.1.0/24"
+}
+
+variable "untrust_subnet_gateway" {
+ default = "10.1.1.1"
+}
+
+#FIREWALL IPs
+
+variable "untrust_private_ip" {
+ default = "10.1.1.10"
+}
+
+variable "vm_image_ocid" {
+ default = "ocid1.image.oc1..aaaaaaaaqn5cldxcwqmebswez75wksr2brcbujzbapil4bztfope3fw7gika"
+}
+
+variable "mp_listing_id" {
+ default = "ocid1.appcataloglisting.oc1..aaaaaaaawpkjzjrzqhd6m4q6j6qfkwsiqaqnv5f5juup6z2lvyg56wjbcbyq" //BYOL
+}
+
+// Version
+variable "mp_listing_resource_version" {
+ default = "7.4.0_Paravirtualized_Mode"
+}
+variable "instance_shape" {
+ default = "VM.Standard2.4"
+}
+
+# Choose an Availability Domain (1,2,3)
+variable "availability_domain" {
+ default = "1"
+}
+
+variable "volume_size" {
+ default = "50" //GB
+}
+
+variable "bootstrap_FortiGate" {
+ default = "./userdata/bootstrap_FortiGate.tpl"
+}
+
+variable "untrust_public_ip_lifetime" {
+ default = "RESERVED"
+ //or EPHEMERAL
+}
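Review bot: `version = ">=3.69.0"` and `template = ">=2.1.2"` are open-ended lower bounds, so a fresh `terraform init` without a committed `.terraform.lock.hcl` resolves to whatever the newest provider release is, and a future major version can change or break this configuration with no change in the repository; prefer a bounded constraint such as `version = "~> 3.69"` (illustrative value) and commit the lock file so provider checksums are pinned. `template = ">=2.1.2"` also uses the legacy version-only shorthand inside `required_providers` and refers to the hashicorp/template provider, which is deprecated and not published for newer platforms; nothing in this diff uses a `template_file` data source, so the entry can likely be dropped in favour of the built-in `templatefile()` function when the bootstrap template is wired up. The provider block feeds `user_ocid`, `fingerprint` and `private_key_path` from variables whose default is `""`, and the hunk does not say whether empty values are meant to fall back to another authentication method; a comment above `provider "oci"` stating how credentials are expected to be supplied would spare the next reader from guessing.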
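Review bot: None of the variables except `region` carries a `type` or `description`, and the semantically numeric ones (`availability_domain`, `volume_size`) default to the strings `"1"` and `"50"`, relying on implicit conversion in the resources that consume them; declaring `type = number` with `default = 50` (and likewise `default = 1`) makes the intent explicit and rejects bad input at plan time rather than at the API. `untrust_subnet_gateway`, `bootstrap_FortiGate` and `untrust_public_ip_lifetime` are declared but nothing in this diff references them, and a `FortiGate` bootstrap path in a FortiManager template reads like copy-over from a sibling template; either wire them up or remove them so the variable surface matches what the configuration actually does. The header comment `##VCN and SUBNET ADDRESSESS` has a typo (`ADDRESSES`).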